List of usage examples for javax.security.sasl Sasl SERVER_AUTH
String SERVER_AUTH
To view the source code for javax.security.sasl Sasl SERVER_AUTH.
Click Source Link
From source file:org.apache.hadoop.security.WhitelistBasedResolver.java
static Map<String, String> getSaslProperties(Configuration conf) { Map<String, String> saslProps = new TreeMap<String, String>(); String[] qop = conf.getStrings(HADOOP_RPC_PROTECTION_NON_WHITELIST, QualityOfProtection.PRIVACY.toString()); for (int i = 0; i < qop.length; i++) { qop[i] = QualityOfProtection.valueOf(StringUtils.toUpperCase(qop[i])).getSaslQop(); }// w ww . ja va2 s . c om saslProps.put(Sasl.QOP, StringUtils.join(",", qop)); saslProps.put(Sasl.SERVER_AUTH, "true"); return saslProps; }
From source file:org.apache.hive.jdbc.HiveConnection.java
/** * Create transport per the connection options * Supported transport options are:/* w w w. j a v a2 s. c o m*/ * - SASL based transports over * + Kerberos * + Delegation token * + SSL * + non-SSL * - Raw (non-SASL) socket * * Kerberos and Delegation token supports SASL QOP configurations * @throws SQLException, TTransportException */ private TTransport createBinaryTransport() throws SQLException, TTransportException { try { TTransport socketTransport = createUnderlyingTransport(); // handle secure connection if specified if (!JdbcConnectionParams.AUTH_SIMPLE.equals(sessConfMap.get(JdbcConnectionParams.AUTH_TYPE))) { // If Kerberos Map<String, String> saslProps = new HashMap<String, String>(); SaslQOP saslQOP = SaslQOP.AUTH; if (sessConfMap.containsKey(JdbcConnectionParams.AUTH_QOP)) { try { saslQOP = SaslQOP.fromString(sessConfMap.get(JdbcConnectionParams.AUTH_QOP)); } catch (IllegalArgumentException e) { throw new SQLException( "Invalid " + JdbcConnectionParams.AUTH_QOP + " parameter. " + e.getMessage(), "42000", e); } saslProps.put(Sasl.QOP, saslQOP.toString()); } else { // If the client did not specify qop then just negotiate the one supported by server saslProps.put(Sasl.QOP, "auth-conf,auth-int,auth"); } saslProps.put(Sasl.SERVER_AUTH, "true"); if (sessConfMap.containsKey(JdbcConnectionParams.AUTH_PRINCIPAL)) { transport = KerberosSaslHelper.getKerberosTransport( sessConfMap.get(JdbcConnectionParams.AUTH_PRINCIPAL), host, socketTransport, saslProps, assumeSubject); } else { // If there's a delegation token available then use token based connection String tokenStr = getClientDelegationToken(sessConfMap); if (tokenStr != null) { transport = KerberosSaslHelper.getTokenTransport(tokenStr, host, socketTransport, saslProps); } else { // we are using PLAIN Sasl connection with user/password String userName = getUserName(); String passwd = getPassword(); // Overlay the SASL transport on top of the base socket transport (SSL or non-SSL) transport = PlainSaslHelper.getPlainTransport(userName, passwd, socketTransport); } } } else { // Raw socket connection (non-sasl) transport = socketTransport; } } catch (SaslException e) { throw new SQLException("Could not create secure connection to " + jdbcUriString + ": " + e.getMessage(), " 08S01", e); } return transport; }
From source file:org.apache.hive.service.auth.HiveAuthFactory.java
public Map<String, String> getSaslProperties() { Map<String, String> saslProps = new HashMap<String, String>(); SaslQOP saslQOP = SaslQOP.fromString(conf.getVar(ConfVars.HIVE_SERVER2_THRIFT_SASL_QOP)); saslProps.put(Sasl.QOP, saslQOP.toString()); saslProps.put(Sasl.SERVER_AUTH, "true"); return saslProps; }
From source file:org.apache.hive.spark.client.rpc.RpcConfiguration.java
/** * SASL options are namespaced under "hive.spark.client.rpc.sasl.*"; each option is the * lower-case version of the constant in the "javax.security.sasl.Sasl" class (e.g. "strength" * for cipher strength).//from www . j a va 2 s . c o m */ Map<String, String> getSaslOptions() { Map<String, String> opts = new HashMap<String, String>(); Map<String, String> saslOpts = ImmutableMap.<String, String>builder().put(Sasl.CREDENTIALS, "credentials") .put(Sasl.MAX_BUFFER, "max_buffer").put(Sasl.POLICY_FORWARD_SECRECY, "policy_forward_secrecy") .put(Sasl.POLICY_NOACTIVE, "policy_noactive").put(Sasl.POLICY_NOANONYMOUS, "policy_noanonymous") .put(Sasl.POLICY_NODICTIONARY, "policy_nodictionary") .put(Sasl.POLICY_NOPLAINTEXT, "policy_noplaintext") .put(Sasl.POLICY_PASS_CREDENTIALS, "policy_pass_credentials").put(Sasl.QOP, "qop") .put(Sasl.RAW_SEND_SIZE, "raw_send_size").put(Sasl.REUSE, "reuse") .put(Sasl.SERVER_AUTH, "server_auth").put(Sasl.STRENGTH, "strength").build(); for (Map.Entry<String, String> e : saslOpts.entrySet()) { String value = config.get(RPC_SASL_OPT_PREFIX + e.getValue()); if (value != null) { opts.put(e.getKey(), value); } } return opts; }
From source file:org.apache.storm.security.auth.kerberos.KerberosSaslTransportPlugin.java
public TTransportFactory getServerTransportFactory() throws IOException { //create an authentication callback handler CallbackHandler server_callback_handler = new ServerCallbackHandler(login_conf, topoConf); //login our principal Subject subject = null;/*from www .j av a2 s . co m*/ try { //specify a configuration object to be used Configuration.setConfiguration(login_conf); //now login Login login = new Login(AuthUtils.LOGIN_CONTEXT_SERVER, server_callback_handler); subject = login.getSubject(); login.startThreadIfNeeded(); } catch (LoginException ex) { LOG.error("Server failed to login in principal:" + ex, ex); throw new RuntimeException(ex); } //check the credential of our principal if (subject.getPrivateCredentials(KerberosTicket.class).isEmpty()) { throw new RuntimeException("Fail to verify user principal with section \"" + AuthUtils.LOGIN_CONTEXT_SERVER + "\" in login configuration file " + login_conf); } String principal = AuthUtils.get(login_conf, AuthUtils.LOGIN_CONTEXT_SERVER, "principal"); LOG.debug("principal:" + principal); KerberosName serviceKerberosName = new KerberosName(principal); String serviceName = serviceKerberosName.getServiceName(); String hostName = serviceKerberosName.getHostName(); Map<String, String> props = new TreeMap<String, String>(); props.put(Sasl.QOP, "auth"); props.put(Sasl.SERVER_AUTH, "false"); //create a transport factory that will invoke our auth callback for digest TSaslServerTransport.Factory factory = new TSaslServerTransport.Factory(); factory.addServerDefinition(KERBEROS, serviceName, hostName, props, server_callback_handler); //create a wrap transport factory so that we could apply user credential during connections TUGIAssumingTransportFactory wrapFactory = new TUGIAssumingTransportFactory(factory, subject); LOG.info("SASL GSSAPI transport factory will be used"); return wrapFactory; }
From source file:org.apache.storm.security.auth.kerberos.KerberosSaslTransportPlugin.java
@Override public TTransport connect(TTransport transport, String serverHost, String asUser) throws TTransportException, IOException { //create an authentication callback handler ClientCallbackHandler client_callback_handler = new ClientCallbackHandler(login_conf); //login our user LoginCacheKey key = new LoginCacheKey(login_conf, AuthUtils.LOGIN_CONTEXT_CLIENT); Login login = loginCache.get(key);//from www. ja v a 2 s . c om if (login == null) { LOG.debug("Kerberos Login was not found in the Login Cache, attempting to contact the Kerberos Server"); synchronized (loginCache) { login = loginCache.get(key); if (login == null) { try { //specify a configuration object to be used Configuration.setConfiguration(login_conf); //now login login = new Login(AuthUtils.LOGIN_CONTEXT_CLIENT, client_callback_handler); login.startThreadIfNeeded(); loginCache.put(key, login); } catch (LoginException ex) { LOG.error("Server failed to login in principal:" + ex, ex); throw new RuntimeException(ex); } } } } final Subject subject = login.getSubject(); if (subject.getPrivateCredentials(KerberosTicket.class).isEmpty()) { //error throw new RuntimeException("Fail to verify user principal with section \"" + AuthUtils.LOGIN_CONTEXT_CLIENT + "\" in login configuration file " + login_conf); } final String principal = StringUtils.isBlank(asUser) ? getPrincipal(subject) : asUser; String serviceName = AuthUtils.get(login_conf, AuthUtils.LOGIN_CONTEXT_CLIENT, "serviceName"); if (serviceName == null) { serviceName = AuthUtils.SERVICE; } Map<String, String> props = new TreeMap<String, String>(); props.put(Sasl.QOP, "auth"); props.put(Sasl.SERVER_AUTH, "false"); LOG.debug("SASL GSSAPI client transport is being established"); final TTransport sasalTransport = new TSaslClientTransport(KERBEROS, principal, serviceName, serverHost, props, null, transport); //open Sasl transport with the login credential try { Subject.doAs(subject, new PrivilegedExceptionAction<Void>() { public Void run() { try { LOG.debug("do as:" + principal); sasalTransport.open(); } catch (Exception e) { LOG.error( "Client failed to open SaslClientTransport to interact with a server during session initiation: " + e, e); } return null; } }); } catch (PrivilegedActionException e) { throw new RuntimeException(e); } return sasalTransport; }
From source file:org.wildfly.security.sasl.entity.EntityTest.java
@Test public void testServerAuthIndirect_Server() throws Exception { Map<String, Object> props = new HashMap<String, Object>(); // No properties are set, an appropriate EntitySaslServer should be returned SaslServer server = Sasl.createSaslServer(SaslMechanismInformation.Names.IEC_ISO_9798_U_RSA_SHA1_ENC, "TestProtocol", "TestServer", props, null); assertEquals(EntitySaslServer.class, server.getClass()); assertEquals(SaslMechanismInformation.Names.IEC_ISO_9798_U_RSA_SHA1_ENC, server.getMechanismName()); // If we set SERVER_AUTH to true even though a unilateral mechanism is specified, no server should be returned props.put(Sasl.SERVER_AUTH, Boolean.toString(true)); server = Sasl.createSaslServer(SaslMechanismInformation.Names.IEC_ISO_9798_U_RSA_SHA1_ENC, "TestProtocol", "TestServer", props, null); assertNull(server);/*w w w.j a v a2 s . co m*/ }
From source file:org.wildfly.security.sasl.entity.EntityTest.java
@Test public void testServerAuthDirect_Server() { SaslServerFactory factory = obtainSaslServerFactory(EntitySaslServerFactory.class); assertNotNull("SaslServerFactory not registered", factory); String[] mechanisms;/*from w w w .jav a 2 s. co m*/ Map<String, Object> props = new HashMap<String, Object>(); // No properties set mechanisms = factory.getMechanismNames(props); assertMechanisms(new String[] { SaslMechanismInformation.Names.IEC_ISO_9798_U_RSA_SHA1_ENC, SaslMechanismInformation.Names.IEC_ISO_9798_M_RSA_SHA1_ENC, SaslMechanismInformation.Names.IEC_ISO_9798_U_DSA_SHA1, SaslMechanismInformation.Names.IEC_ISO_9798_M_DSA_SHA1, SaslMechanismInformation.Names.IEC_ISO_9798_U_ECDSA_SHA1, SaslMechanismInformation.Names.IEC_ISO_9798_M_ECDSA_SHA1 }, mechanisms); // Request server auth props.put(Sasl.SERVER_AUTH, Boolean.toString(true)); mechanisms = factory.getMechanismNames(props); assertMechanisms(new String[] { SaslMechanismInformation.Names.IEC_ISO_9798_M_RSA_SHA1_ENC, SaslMechanismInformation.Names.IEC_ISO_9798_M_DSA_SHA1, SaslMechanismInformation.Names.IEC_ISO_9798_M_ECDSA_SHA1 }, mechanisms); }
From source file:org.wildfly.security.sasl.entity.EntityTest.java
@Test public void testServerAuthIndirect_Client() throws Exception { Map<String, Object> props = new HashMap<String, Object>(); // No properties are set, an appropriate EntitySaslClient should be returned SaslClient client = Sasl.createSaslClient( new String[] { SaslMechanismInformation.Names.IEC_ISO_9798_U_RSA_SHA1_ENC }, "TestUser", "TestProtocol", "TestServer", props, null); assertEquals(EntitySaslClient.class, client.getClass()); assertEquals(SaslMechanismInformation.Names.IEC_ISO_9798_U_RSA_SHA1_ENC, client.getMechanismName()); // If we set SERVER_AUTH to true even though only unilateral mechanisms are specified, no client should be returned props.put(Sasl.SERVER_AUTH, Boolean.toString(true)); client = Sasl.createSaslClient( new String[] { SaslMechanismInformation.Names.IEC_ISO_9798_U_RSA_SHA1_ENC, SaslMechanismInformation.Names.IEC_ISO_9798_U_DSA_SHA1, SaslMechanismInformation.Names.IEC_ISO_9798_U_ECDSA_SHA1 }, "TestUser", "TestProtocol", "TestServer", props, null); assertNull(client);//from w w w . jav a2 s . com // If we set SERVER_AUTH to true, an appropriate EntitySaslClient should be returned props.put(Sasl.SERVER_AUTH, Boolean.toString(true)); client = Sasl.createSaslClient( new String[] { SaslMechanismInformation.Names.IEC_ISO_9798_U_RSA_SHA1_ENC, SaslMechanismInformation.Names.IEC_ISO_9798_U_DSA_SHA1, SaslMechanismInformation.Names.IEC_ISO_9798_U_ECDSA_SHA1, SaslMechanismInformation.Names.IEC_ISO_9798_M_RSA_SHA1_ENC, SaslMechanismInformation.Names.IEC_ISO_9798_M_DSA_SHA1, SaslMechanismInformation.Names.IEC_ISO_9798_M_ECDSA_SHA1 }, "TestUser", "TestProtocol", "TestServer", props, null); assertEquals(EntitySaslClient.class, client.getClass()); assertEquals(SaslMechanismInformation.Names.IEC_ISO_9798_M_RSA_SHA1_ENC, client.getMechanismName()); }
From source file:org.wildfly.security.sasl.entity.EntityTest.java
@Test public void testServerAuthDirect_Client() { SaslClientFactory factory = obtainSaslClientFactory(EntitySaslClientFactory.class); assertNotNull("SaslClientFactory not registered", factory); String[] mechanisms;//w ww . j a v a 2 s. c o m Map<String, Object> props = new HashMap<String, Object>(); // No properties set mechanisms = factory.getMechanismNames(props); assertMechanisms(new String[] { SaslMechanismInformation.Names.IEC_ISO_9798_U_RSA_SHA1_ENC, SaslMechanismInformation.Names.IEC_ISO_9798_M_RSA_SHA1_ENC, SaslMechanismInformation.Names.IEC_ISO_9798_U_DSA_SHA1, SaslMechanismInformation.Names.IEC_ISO_9798_M_DSA_SHA1, SaslMechanismInformation.Names.IEC_ISO_9798_U_ECDSA_SHA1, SaslMechanismInformation.Names.IEC_ISO_9798_M_ECDSA_SHA1 }, mechanisms); // Request server auth props.put(Sasl.SERVER_AUTH, Boolean.toString(true)); mechanisms = factory.getMechanismNames(props); assertMechanisms(new String[] { SaslMechanismInformation.Names.IEC_ISO_9798_M_RSA_SHA1_ENC, SaslMechanismInformation.Names.IEC_ISO_9798_M_DSA_SHA1, SaslMechanismInformation.Names.IEC_ISO_9798_M_ECDSA_SHA1 }, mechanisms); }