/**
 * Obtains the caller principal from the specified {@link Subject}. This method looks for a group called
 * {@code CallerPrincipal} and if it finds one it returns the first {@link java.security.Principal} in the group.
 *
 * @param subject the {@link javax.security.auth.Subject} to be inspected.
 * @return the first {@link java.security.Principal} found in the {@code CallerPrincipal} group or {@code null} if
 *         a caller principal couldn't be found.
 */
private Principal getCallerPrincipal(Subject subject) {
    if (subject == null) {
        return null;
    }
    Set<Principal> candidates = subject.getPrincipals();
    if (candidates == null || candidates.isEmpty()) {
        return null;
    }
    for (Principal candidate : candidates) {
        if (!(candidate instanceof Group) || !candidate.getName().equals(CALLER_PRINCIPAL_GROUP)) {
            continue;
        }
        // Only the first member of the first non-empty matching group is returned; an empty
        // matching group is skipped and the search continues with the next principal.
        Enumeration<? extends Principal> members = ((Group) candidate).members();
        if (members.hasMoreElements()) {
            return members.nextElement();
        }
    }
    return null;
}
}
/**
 * Logs the configured {@code principal} in through a {@link LoginContext} built from
 * {@code configuration} and returns the authenticated {@link Subject} the login produced.
 *
 * @return the subject populated by the login modules
 * @throws RuntimeException wrapping any {@link LoginException} raised during login
 */
public Subject getSubject() {
    // Seed subject: writable, holding only the configured principal and no credentials.
    Subject seed = new Subject(false, ImmutableSet.of(principal), emptySet(), emptySet());
    LoginContext context;
    try {
        context = new LoginContext("", seed, null, configuration);
        context.login();
    } catch (LoginException e) {
        throw new RuntimeException(e);
    }
    return context.getSubject();
}
String principal = config.getProperty(PRINCIPAL); if (principal == null || principal.trim().length() == 0) { throw new ServletException("Principal not defined in configuration"); throw new ServletException("Keytab not defined in configuration"); throw new ServletException("Keytab does not exist: " + keytab); new KerberosAuthenticator.DruidKerberosConfiguration(keytab, spnegoPrincipal); final LoginContext loginContext = new LoginContext("", serverSubject, null, kerberosConfiguration); try { loginContext.login(); gssManager = Subject.doAs(serverSubject, new PrivilegedExceptionAction<GSSManager>() throw ex.getException();
/**
 * Copies the configured username and password, when present, onto the subject: the username is
 * added to the public credentials and the password to the private credentials. An option that is
 * absent is simply skipped.
 *
 * @param subject         the subject being authenticated
 * @param callbackHandler not used by this module
 * @param sharedState     not used by this module
 * @param options         module options; only {@code USERNAME_CONFIG} and {@code PASSWORD_CONFIG} are read
 */
@Override
public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState,
                       Map<String, ?> options) {
    Object user = options.get(USERNAME_CONFIG);
    Object secret = options.get(PASSWORD_CONFIG);
    if (user != null) {
        subject.getPublicCredentials().add((String) user);
    }
    if (secret != null) {
        // NOTE(review): the password is held as an immutable String in the private credential set.
        subject.getPrivateCredentials().add((String) secret);
    }
}
/**
 * Builds a fresh, writable {@link Subject} whose only principal is a new {@code NimbusPrincipal};
 * both credential sets are left empty.
 *
 * @return the newly created subject
 */
public static Subject getNimbusSubject() {
    NimbusPrincipal nimbus = new NimbusPrincipal();
    Subject result = new Subject();
    result.getPrincipals().add(nimbus);
    return result;
}
/**
 * Supplies the caller's {@code OAuthBearerToken} to the callback, taking it from the private
 * credentials of the {@link Subject} bound to the current access control context.
 *
 * @param callback the callback to fill; it must not already carry a token
 * @throws IllegalArgumentException if the callback already has a token
 * @throws IOException if there is no subject, or it does not hold exactly one {@code OAuthBearerToken}
 */
private void handleCallback(OAuthBearerTokenCallback callback) throws IOException {
    if (callback.token() != null) {
        throw new IllegalArgumentException("Callback had a token already");
    }
    Subject current = Subject.getSubject(AccessController.getContext());
    Set<OAuthBearerToken> tokens;
    if (current == null) {
        tokens = Collections.emptySet();
    } else {
        tokens = current.getPrivateCredentials(OAuthBearerToken.class);
    }
    if (tokens.size() != 1) {
        // No token means nothing to hand out; several tokens would be ambiguous, so both cases are rejected.
        throw new IOException(String.format(
                "Unable to find OAuth Bearer token in Subject's private credentials (size=%d)", tokens.size()));
    }
    callback.token(tokens.iterator().next());
}
final Subject subject = new Subject(); final LoginContext lc; try { lc = new LoginContext("KDC", subject, (c) -> { throw new FastUnsupportedCallbackException(c[0]); }, configuration); lc.login(); log.tracef("Logging in using LoginContext and subject [%s] succeed", subject); Set<KerberosTicket> kerberosTickets = doPrivileged((PrivilegedAction<Set<KerberosTicket>>) () -> subject.getPrivateCredentials(KerberosTicket.class)); if (kerberosTickets.size() > 1) { throw log.tooManyKerberosTicketsFound(); return Subject.doAs(subject, (PrivilegedExceptionAction<GSSKerberosCredential>) () -> { Set<KerberosPrincipal> principals = subject.getPrincipals(KerberosPrincipal.class); if (principals.size() < 1) { throw log.noKerberosPrincipalsFound(); GSSName name = manager.createName(principal.getName(), GSSName.NT_USER_NAME, KERBEROS_V5); if (e.getCause() instanceof GeneralSecurityException) { throw (GeneralSecurityException) e.getCause(); throw new GeneralSecurityException(e.getCause());
/**
 * Runs {@code doFilterInternal} as the given {@link Subject} and unwraps whatever it threw:
 * {@link IOException} and {@link ServletException} are rethrown unchanged, any other cause is
 * wrapped in a {@link ServletException}.
 *
 * @param request  the request being filtered
 * @param response the response being filtered
 * @param chain    the remaining filter chain
 * @param subject  the subject to execute the filter chain as
 * @throws IOException      if the wrapped action threw one
 * @throws ServletException if the wrapped action threw one, or any other checked exception
 */
private void doAs(final ServletRequest request, final ServletResponse response, final FilterChain chain,
                  Subject subject) throws IOException, ServletException {
    PrivilegedExceptionAction<Object> action = new PrivilegedExceptionAction<Object>() {
        public Object run() throws Exception {
            doFilterInternal(request, response, chain);
            return null;
        }
    };
    try {
        Subject.doAs(subject, action);
    } catch (PrivilegedActionException e) {
        Throwable cause = e.getCause();
        if (cause instanceof IOException) {
            throw (IOException) cause;
        }
        if (cause instanceof ServletException) {
            throw (ServletException) cause;
        }
        throw new ServletException(cause);
    }
}
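/**
 * Returns the name of the first principal of the {@link Subject} bound to the current access control
 * context.
 *
 * @return the principal name
 * @throws IllegalStateException if no subject is bound to the current context, or the subject has no
 *                               principals (previously these surfaced as NullPointerException /
 *                               NoSuchElementException)
 */
@GetMapping("/username")
public String username() {
    // NOTE(review): Subject.getSubject(AccessControlContext) is deprecated in newer JDKs; the
    // replacement (Subject.current()) depends on the project's JDK baseline, which is not visible here.
    Subject subject = Subject.getSubject(AccessController.getContext());
    if (subject == null) {
        throw new IllegalStateException("No subject is bound to the current access control context");
    }
    if (subject.getPrincipals().isEmpty()) {
        throw new IllegalStateException("The current subject carries no principals");
    }
    // Only the first principal is exposed; a subject may hold several and set iteration order is
    // not guaranteed to be stable.
    return subject.getPrincipals().iterator().next().getName();
}
}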
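/**
 * Wraps a transport factory so that its transports are used as the given {@link Subject}.
 *
 * @param wrapped the factory whose transports are wrapped
 * @param subject the subject to assume; if it has principals, the first one's name is logged as the
 *                service principal
 */
public TUGIAssumingTransportFactory(TTransportFactory wrapped, Subject subject) {
    this.wrapped = wrapped;
    this.subject = subject;
    // getPrincipals() is already typed Set<Principal>, so the former unchecked cast was redundant,
    // and iterator() replaces the toArray()[0] + cast. Only the first principal is logged (set order
    // is not guaranteed); a principal name is an identifier, not a secret.
    Set<Principal> principals = subject.getPrincipals();
    if (!principals.isEmpty()) {
        LOG.info("Service principal:" + principals.iterator().next().getName());
    }
}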
LoginContext loginContext = new LoginContext("", null, null, new Configuration() loginContext.login(); Subject subject = loginContext.getSubject(); Principal clientPrincipal = subject.getPrincipals().iterator().next(); GSSCredential clientCredential = doAs(subject, () -> GSS_MANAGER.createCredential( GSS_MANAGER.createName(clientPrincipal.getName(), NT_USER_NAME), DEFAULT_LIFETIME, KERBEROS_OID,
Subject subject = new Subject(false, principals, new HashSet<Object>(), new HashSet<Object>()); loginContext = new LoginContext("", subject, null, KerberosConfiguration.createClientConfig(principal, keytab)); loginContext.login(); subject = loginContext.getSubject(); Assert.assertEquals(1, subject.getPrincipals().size()); Assert.assertEquals(KerberosPrincipal.class, subject.getPrincipals().iterator().next().getClass()); Assert.assertEquals(principal + "@" + kdc.getRealm(), subject.getPrincipals().iterator().next().getName()); loginContext.logout(); subject = new Subject(false, principals, new HashSet<Object>(), new HashSet<Object>()); loginContext = new LoginContext("", subject, null, loginContext.login(); subject = loginContext.getSubject(); Assert.assertEquals(1, subject.getPrincipals().size()); Assert.assertEquals(KerberosPrincipal.class, subject.getPrincipals().iterator().next().getClass()); Assert.assertEquals(principal + "@" + kdc.getRealm(), subject.getPrincipals().iterator().next().getName()); loginContext.logout(); if (loginContext != null && loginContext.getSubject() != null && !loginContext.getSubject().getPrincipals().isEmpty()) {
/**
 * Returns the authenticated subject's private credentials of the requested type. While the WildFly
 * security manager is checking permissions, the lookup runs in a privileged block so it is evaluated
 * against this class's own permissions rather than the whole call stack's.
 *
 * @param credentialClass the credential type to look up
 * @param <T>             the credential type
 * @return the matching private credentials (possibly empty)
 */
protected <T> Set<T> getPrivateCredentials(Class<T> credentialClass) {
    if (WildFlySecurityManager.isChecking()) {
        PrivilegedAction<Set<T>> lookup =
                () -> this.authenticatedSubject.getPrivateCredentials(credentialClass);
        return AccessController.doPrivileged(lookup);
    }
    return this.authenticatedSubject.getPrivateCredentials(credentialClass);
}
try { LoginContext loginCOntext = new LoginContext("KrbLogin", new KerberosCallBackHandler(user, password)); loginCOntext.login(); try { Subject current = Subject.getSubject(AccessController.getContext()); System.out.println("----------------------------------------"); Set<Principal> principals = current.getPrincipals(); for (Principal next : principals) { System.out.println("DOAS Principal: " + next.getName()); Subject.doAs(loginCOntext.getSubject(), sendAction);
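/**
 * Produces a Kerberos (GSS-API) initial security token for the {@code HTTP} service on
 * {@code authServer}, logging in with the keytab carried by {@code credentials} first.
 *
 * @param input       the token received from the server so far (empty for the first leg)
 * @param authServer  host used to build the {@code HTTP/<host>} service principal
 * @param credentials keytab-backed credentials; must be a {@code KerberosKeytabCredentials}
 * @return the token returned by {@link GSSContext#initSecContext}
 * @throws IllegalArgumentException if {@code credentials} is null or not a {@code KerberosKeytabCredentials}
 * @throws RuntimeException wrapping a login failure or the exception thrown inside the privileged action
 */
@Override
public byte[] generateToken(byte[] input, String authServer, Credentials credentials) {
    // Explicit type check instead of a bare ClassCastException (or NullPointerException) on the cast below.
    if (!(credentials instanceof KerberosKeytabCredentials)) {
        throw new IllegalArgumentException("Kerberos keytab credentials are required, got: "
                + (credentials == null ? "null" : credentials.getClass().getName()));
    }
    Principal userPrincipal = credentials.getUserPrincipal();
    Set<Principal> principals = new HashSet<>();
    principals.add(userPrincipal);
    Subject subject = new Subject(false, principals, new HashSet<>(), new HashSet<>());
    try {
        LoginContext loginContext = new LoginContext("", subject, null,
                new KerberosConfiguration(userPrincipal.getName(),
                        ((KerberosKeytabCredentials) credentials).getKeytab()));
        loginContext.login();
        Subject loggedInSubject = loginContext.getSubject();
        return Subject.doAs(loggedInSubject, new PrivilegedExceptionAction<byte[]>() {
            public byte[] run() throws UnknownHostException, ClassNotFoundException, GSSException,
                    IllegalAccessException, NoSuchFieldException {
                GSSManager gssManager = GSSManager.getInstance();
                String servicePrincipal = KerberosUtil.getServicePrincipal("HTTP", authServer);
                Oid serviceOid = KerberosUtil.getOidInstance("NT_GSS_KRB5_PRINCIPAL");
                GSSName serviceName = gssManager.createName(servicePrincipal, serviceOid);
                Oid mechOid = KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID");
                GSSContext gssContext = gssManager.createContext(serviceName, mechOid, null, 0);
                try {
                    // Credential delegation asks that the client's credentials be delegated to the
                    // service; mutual authentication makes the client verify the service as well.
                    // Both flags are kept exactly as the original configured them.
                    gssContext.requestCredDeleg(true);
                    gssContext.requestMutualAuth(true);
                    return gssContext.initSecContext(input, 0, input.length);
                } finally {
                    // The context was never reused after this call, so releasing it here only frees
                    // JGSS resources; the returned token bytes do not depend on it.
                    gssContext.dispose();
                }
            }
        });
    } catch (PrivilegedActionException | LoginException e) {
        throw new RuntimeException(e);
    }
}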
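/**
 * Validates the server principal and keytab configuration, then logs in as the server principal
 * through JAAS and stores the resulting {@code loginContext}.
 *
 * @throws ServletException if the principal or keytab is not configured, the keytab file does not
 *                          exist, or the Kerberos login fails
 */
private void initializeKerberosLogin() throws ServletException {
    // The configuration checks sit outside the try block: inside it, their ServletExceptions were
    // caught by catch (Exception) and wrapped in a second ServletException, hiding the message.
    if (serverPrincipal == null || serverPrincipal.trim().length() == 0) {
        throw new ServletException("Principal not defined in configuration");
    }
    String keytab = serverKeytab;
    if (keytab == null || keytab.trim().length() == 0) {
        throw new ServletException("Keytab not defined in configuration");
    }
    if (!new File(keytab).exists()) {
        throw new ServletException("Keytab does not exist: " + keytab);
    }
    try {
        Set<Principal> principals = new HashSet<Principal>();
        principals.add(new KerberosPrincipal(serverPrincipal));
        Subject subject = new Subject(false, principals, new HashSet<Object>(), new HashSet<Object>());
        DruidKerberosConfiguration kerberosConfiguration = new DruidKerberosConfiguration(keytab, serverPrincipal);
        log.info("Login using keytab " + keytab + ", for principal " + serverPrincipal);
        loginContext = new LoginContext("", subject, null, kerberosConfiguration);
        loginContext.login();
        log.info("Initialized, principal %s from keytab %s", serverPrincipal, keytab);
    } catch (Exception ex) {
        // Kept broad on purpose: the login path can fail with LoginException as well as unchecked
        // exceptions from principal or configuration construction.
        throw new ServletException(ex);
    }
}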
/**
 * Returns the Kerberos principal name of the client, read from the principal set of the
 * logged-in subject held by {@code loginContext}.
 *
 * @return the name of the single principal in the subject
 * @throws IllegalStateException if the subject holds no principal, or more than one
 */
private String getClientPrincipalName() {
    Set<Principal> principals = loginContext.getSubject().getPrincipals();
    boolean exactlyOne = principals.size() == 1;
    if (!exactlyOne) {
        throw new IllegalStateException(
                "Only one principal per subject is expected. Found 0 or more than one principals :" + principals);
    }
    Principal only = principals.iterator().next();
    return only.getName();
}
CallbackHandler callbackHandler = getUsernamePasswordHandler( authPolicy.getUserName(), authPolicy.getPassword()); LoginContext lc = new LoginContext(contextName, null, callbackHandler, loginConfig); lc.login(); subject = lc.getSubject(); return Subject.doAs(subject, new CreateServiceTicketAction(context, token)); } catch (PrivilegedActionException e) { if (e.getCause() instanceof GSSException) { throw (GSSException) e.getCause();
/**
 * Returns the name of one principal of the subject bound to {@code acc}, or {@code null} when there
 * is no such subject or it carries no principals.
 */
@Override
public String run() {
    Subject subject = Subject.getSubject(acc);
    if (subject == null) {
        return null;
    }
    Set<Principal> principals = subject.getPrincipals();
    if (principals == null || principals.isEmpty()) {
        return null;
    }
    // Whichever principal the set iterates first; set iteration order is not guaranteed.
    return principals.iterator().next().getName();
}
});
/**
 * Creates a credential tying a remoting connection to the identity it was authenticated as. A JAAS
 * {@link Subject} is derived from that identity: a {@code RealmUser} for the principal name, plus
 * one {@code RealmGroup} and one {@code RealmRole} for every role.
 *
 * @param connection       the remoting connection (must not be {@code null})
 * @param securityIdentity the authenticated identity (must not be {@code null})
 */
public RemotingConnectionCredential(final RemoteConnection connection, final SecurityIdentity securityIdentity) {
    Assert.checkNotNullParam("connection", connection);
    Assert.checkNotNullParam("securityIdentity", securityIdentity);
    this.connection = connection;
    this.securityIdentity = securityIdentity;
    Subject derived = new Subject();
    Set<Principal> principals = derived.getPrincipals();
    String userName = securityIdentity.getPrincipal().getName();
    principals.add(new RealmUser(userName));
    for (String role : securityIdentity.getRoles()) {
        // Every role is represented twice: as a group principal and as a role principal.
        principals.add(new RealmGroup(role));
        principals.add(new RealmRole(role));
    }
    this.subject = derived;
}