LoginContext loginContext = new LoginContext("", null, null, new Configuration() loginContext.login(); Subject subject = loginContext.getSubject(); Principal clientPrincipal = subject.getPrincipals().iterator().next(); GSSCredential clientCredential = doAs(subject, () -> GSS_MANAGER.createCredential( GSS_MANAGER.createName(clientPrincipal.getName(), NT_USER_NAME), DEFAULT_LIFETIME, KERBEROS_OID,
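/**
 * Re-login a principal. This method assumes that {@link #login()} has happened already.
 * <p>
 * The current ticket is discarded via {@code loginContext.logout()} before the new login is
 * attempted, so if the re-login throws, this instance is left holding a fresh but unauthenticated
 * {@code loginContext} and {@code subject} has no Kerberos credentials. Callers must treat the
 * {@link LoginException} as "credentials lost", not "credentials unchanged".
 *
 * @throws javax.security.auth.login.LoginException on a failure
 */
private void reLogin() throws LoginException {
    if (!isKrbTicket) {
        return;
    }
    if (loginContext == null) {
        throw new LoginException("Login must be done first");
    }
    // Fast path outside the lock. It is repeated under the lock because lastLogin is only
    // written there: two threads can both pass this check, and without the re-check the
    // second one would log out the ticket the first one just acquired and log in again.
    // NOTE(review): this relies on hasSufficientTimeElapsed() measuring against lastLogin - confirm.
    if (!hasSufficientTimeElapsed()) {
        return;
    }
    synchronized (KerberosLogin.class) {
        if (!hasSufficientTimeElapsed()) {
            // another thread completed the re-login while we waited for the lock
            return;
        }
        log.info("Initiating logout for {}", principal);
        // register most recent relogin attempt
        lastLogin = currentElapsedTime();
        // clear up the kerberos state. But the tokens are not cleared! As per
        // the Java kerberos login module code, only the kerberos credentials
        // are cleared
        loginContext.logout();
        // login and also update the subject field of this instance to
        // have the new credentials (pass it to the LoginContext constructor)
        loginContext = new LoginContext(contextName(), subject, null, configuration());
        log.info("Initiating re-login for {}", principal);
        loginContext.login();
    }
}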
/**
 * Builds a {@link LoginContext} for {@code contextName} from this instance's callback handler and
 * JAAS configuration, logs it in and keeps it in the {@code loginContext} field.
 * <p>
 * The field is assigned before {@code login()} runs, so when the login throws the field already
 * refers to the new, unauthenticated context rather than to any previous one.
 *
 * @return the logged-in {@link LoginContext}
 * @throws LoginException if the JAAS login fails
 */
@Override
public LoginContext login() throws LoginException {
    loginContext = new LoginContext(contextName, null, loginCallbackHandler, configuration);
    LoginContext current = loginContext;
    current.login();
    log.info("Successfully logged in.");
    return loginContext;
}
/**
 * Logs in as {@code principal} using this instance's JAAS {@code configuration} and returns the
 * subject reported by the context after login.
 * <p>
 * The seed subject is created writable (read-only flag {@code false}) so the login modules can
 * populate its credential sets. The context is deliberately not logged out here: logging out would
 * strip the credentials the caller is asking for.
 *
 * @return the authenticated {@link Subject}
 * @throws RuntimeException wrapping the {@link LoginException} when the login fails
 */
public Subject getSubject() {
    Subject seed = new Subject(false, ImmutableSet.of(principal), emptySet(), emptySet());
    LoginContext context;
    try {
        context = new LoginContext("", seed, null, configuration);
        context.login();
    } catch (LoginException e) {
        throw new RuntimeException(e);
    }
    return context.getSubject();
}
/**
 * Performs a JAAS login against the named section of the JAAS configuration file.
 * <p>
 * When no section name was supplied, the error message echoes the
 * {@code java.security.login.auth.config} and {@link ZooKeeperSaslClient#LOGIN_CONTEXT_NAME_KEY}
 * system properties so the misconfiguration can be located; only configuration values are
 * included, never credentials.
 *
 * @param loginContextName the JAAS file section header to log in with
 * @return the logged-in {@link LoginContext}
 * @throws LoginException if {@code loginContextName} is {@code null} or the login fails
 */
private synchronized LoginContext login(final String loginContextName) throws LoginException {
    if (loginContextName == null) {
        String configFile = System.getProperty("java.security.login.auth.config");
        String contextKey = ZooKeeperSaslClient.LOGIN_CONTEXT_NAME_KEY;
        String contextValue = System.getProperty(contextKey, "Client");
        throw new LoginException("loginContext name (JAAS file section header) was null. "
                + "Please check your java.security.login.auth.config (=" + configFile + ") and your "
                + contextKey + "(=" + contextValue + ")");
    }
    LoginContext context = new LoginContext(loginContextName, callbackHandler);
    context.login();
    LOG.info("successfully logged in.");
    return context;
}
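/**
 * Runs {@code callable} as a freshly logged-in Kerberos subject and logs the subject out again.
 * <p>
 * The subject is seeded with the principal from {@code KerberosTestUtils.getClientPrincipal()},
 * while {@code principal} is only passed to the {@code KerberosConfiguration}; the two are expected
 * to agree (NOTE(review): confirm against the test fixture).
 * <p>
 * Exception handling: a failure inside {@code callable} is unwrapped from the
 * {@link PrivilegedActionException} and rethrown as-is. A {@link LoginException} raised by the
 * logout in {@code finally} is only thrown when nothing else failed; otherwise it is attached as a
 * suppressed exception so it can no longer mask the primary failure.
 *
 * @param principal the principal name used to build the Kerberos login configuration
 * @param callable  the work to run under the logged-in subject
 * @param <T>       the callable's result type
 * @return the value returned by {@code callable}
 * @throws Exception whatever {@code callable} threw, or a {@link LoginException} from login/logout
 */
public static <T> T doAs(String principal, final Callable<T> callable) throws Exception {
    LoginContext loginContext = null;
    Exception failure = null;
    try {
        Set<Principal> principals = new HashSet<Principal>();
        principals.add(new KerberosPrincipal(KerberosTestUtils.getClientPrincipal()));
        Subject subject = new Subject(false, principals, new HashSet<Object>(), new HashSet<Object>());
        loginContext = new LoginContext("", subject, null, new KerberosConfiguration(principal));
        loginContext.login();
        subject = loginContext.getSubject();
        return Subject.doAs(subject, new PrivilegedExceptionAction<T>() {
            @Override
            public T run() throws Exception {
                return callable.call();
            }
        });
    } catch (PrivilegedActionException ex) {
        // unwrap so callers see the callable's own exception type
        failure = ex.getException();
        throw failure;
    } catch (Exception ex) {
        failure = ex;
        throw ex;
    } finally {
        if (loginContext != null) {
            try {
                loginContext.logout();
            } catch (LoginException le) {
                if (failure == null) {
                    throw le;
                }
                // keep the primary failure; record the logout problem alongside it
                failure.addSuppressed(le);
            }
        }
    }
}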
Subject subject = new Subject(false, principals, new HashSet<Object>(), new HashSet<Object>()); loginContext = new LoginContext("", subject, null, KerberosConfiguration.createClientConfig(principal, keytab)); loginContext.login(); subject = loginContext.getSubject(); Assert.assertEquals(1, subject.getPrincipals().size()); Assert.assertEquals(KerberosPrincipal.class, subject.getPrincipals().iterator().next().getClass()); Assert.assertEquals(principal + "@" + kdc.getRealm(), subject.getPrincipals().iterator().next().getName()); loginContext.logout(); subject = new Subject(false, principals, new HashSet<Object>(), new HashSet<Object>()); loginContext = new LoginContext("", subject, null, KerberosConfiguration.createServerConfig(principal, keytab)); loginContext.login(); subject = loginContext.getSubject(); Assert.assertEquals(1, subject.getPrincipals().size()); Assert.assertEquals(KerberosPrincipal.class, subject.getPrincipals().iterator().next().getClass()); Assert.assertEquals(principal + "@" + kdc.getRealm(), subject.getPrincipals().iterator().next().getName()); loginContext.logout(); if (loginContext != null && loginContext.getSubject() != null
CallbackHandler callbackHandler = getUsernamePasswordHandler( authPolicy.getUserName(), authPolicy.getPassword()); LoginContext lc = new LoginContext(contextName, null, callbackHandler, loginConfig); lc.login(); subject = lc.getSubject(); return Subject.doAs(subject, new CreateServiceTicketAction(context, token)); } catch (PrivilegedActionException e) { if (e.getCause() instanceof GSSException) { throw (GSSException) e.getCause();
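/**
 * Produces the next Kerberos/SPNEGO token for the {@code HTTP/<authServer>} service.
 * <p>
 * Logs in from the keytab carried by {@code credentials}, then, as that subject, creates a GSS
 * context for the service principal and feeds {@code input} (the server's previous token, or
 * empty on the first round) to {@code initSecContext}. The context is not retained between calls
 * and is disposed before returning.
 * <p>
 * SECURITY NOTE: {@code requestCredDeleg(true)} asks for a forwardable credential and hands the
 * user's TGT to the remote HTTP service, which can then act as the user towards any other
 * service. The behaviour is kept because callers may depend on it, but it should only be used
 * against trusted servers and is a good candidate for a configuration switch.
 *
 * @param input       the token received from the server; {@code null} is treated as empty
 * @param authServer  host name of the HTTP server being authenticated to
 * @param credentials must be a {@link KerberosKeytabCredentials}; its principal and keytab are used
 * @return the token to send to the server
 * @throws IllegalArgumentException if {@code credentials} is not a {@link KerberosKeytabCredentials}
 * @throws RuntimeException wrapping the {@link LoginException} or the checked exception thrown
 *                          while building the context
 */
@Override
public byte[] generateToken(byte[] input, String authServer, Credentials credentials) {
    // Explicit type check instead of a blind cast: a wrong credential type is a caller bug and
    // should fail with a clear message rather than a ClassCastException.
    if (!(credentials instanceof KerberosKeytabCredentials)) {
        throw new IllegalArgumentException("Kerberos keytab credentials are required, got "
                + (credentials == null ? "null" : credentials.getClass().getName()));
    }
    final KerberosKeytabCredentials keytabCredentials = (KerberosKeytabCredentials) credentials;
    // A missing server token (first round) must not NPE on input.length.
    final byte[] serverToken = input == null ? new byte[0] : input;
    Set<Principal> principals = new HashSet<>();
    principals.add(keytabCredentials.getUserPrincipal());
    Subject subject = new Subject(false, principals, new HashSet<>(), new HashSet<>());
    try {
        LoginContext loginContext = new LoginContext("", subject, null,
                new KerberosConfiguration(keytabCredentials.getUserPrincipal().getName(),
                        keytabCredentials.getKeytab()));
        loginContext.login();
        Subject loggedInSubject = loginContext.getSubject();
        return Subject.doAs(loggedInSubject, new PrivilegedExceptionAction<byte[]>() {
            public byte[] run() throws UnknownHostException, ClassNotFoundException, GSSException,
                    IllegalAccessException, NoSuchFieldException {
                GSSManager gssManager = GSSManager.getInstance();
                String servicePrincipal = KerberosUtil.getServicePrincipal("HTTP", authServer);
                Oid serviceOid = KerberosUtil.getOidInstance("NT_GSS_KRB5_PRINCIPAL");
                GSSName serviceName = gssManager.createName(servicePrincipal, serviceOid);
                Oid mechOid = KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID");
                GSSContext gssContext = gssManager.createContext(serviceName, mechOid, null, 0);
                try {
                    // Delegation forwards the TGT to the server (see method comment); mutual
                    // auth requires the server to prove its identity in its reply.
                    gssContext.requestCredDeleg(true);
                    gssContext.requestMutualAuth(true);
                    return gssContext.initSecContext(serverToken, 0, serverToken.length);
                } finally {
                    // the context is not kept across rounds, so release its state now
                    gssContext.dispose();
                }
            }
        });
    } catch (PrivilegedActionException | LoginException e) {
        throw new RuntimeException(e);
    }
}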
try { LoginContext loginCOntext = new LoginContext("KrbLogin", new KerberosCallBackHandler(user, password)); loginCOntext.login(); try { Subject current = Subject.getSubject(AccessController.getContext()); System.out.println("----------------------------------------"); Set<Principal> principals = current.getPrincipals(); for (Principal next : principals) { System.out.println("DOAS Principal: " + next.getName()); Subject.doAs(loginCOntext.getSubject(), sendAction);
/**
 * Returns the Kerberos principal name carried by the logged-in subject.
 * <p>
 * Exactly one principal is required. An empty or multi-principal subject is rejected so that an
 * ambiguous identity can never silently become the client name.
 *
 * @return the name of the single principal in {@code loginContext.getSubject()}
 * @throws IllegalStateException if the subject holds zero principals or more than one
 */
private String getClientPrincipalName() {
    final Set<Principal> principals = loginContext.getSubject().getPrincipals();
    if (principals.size() == 1) {
        return principals.iterator().next().getName();
    }
    throw new IllegalStateException(
            "Only one principal per subject is expected. Found 0 or more than one principals :" + principals);
}
final Subject subject = new Subject(); final LoginContext lc; try { lc = new LoginContext("KDC", subject, (c) -> { throw new FastUnsupportedCallbackException(c[0]); }, configuration); lc.login(); log.tracef("Logging in using LoginContext and subject [%s] succeed", subject); Set<KerberosTicket> kerberosTickets = doPrivileged((PrivilegedAction<Set<KerberosTicket>>) () -> subject.getPrivateCredentials(KerberosTicket.class)); if (kerberosTickets.size() > 1) { throw log.tooManyKerberosTicketsFound(); return Subject.doAs(subject, (PrivilegedExceptionAction<GSSKerberosCredential>) () -> { Set<KerberosPrincipal> principals = subject.getPrincipals(KerberosPrincipal.class); if (principals.size() < 1) { GSSName name = manager.createName(principal.getName(), GSSName.NT_USER_NAME, KERBEROS_V5); if (e.getCause() instanceof GeneralSecurityException) { throw (GeneralSecurityException) e.getCause(); throw new GeneralSecurityException(e.getCause());
/**
 * Logs {@code subject} out of the realm configured on this authenticator.
 * <p>
 * A {@link LoginContext} is wrapped around the existing subject and only {@code logout()} is
 * invoked on it, which lets the realm's login modules remove the principals and credentials they
 * added. The first principal's name is read purely for the log lines.
 *
 * @param subject the subject to log out
 * @throws LoginException if no realm name is configured or the JAAS logout fails
 */
@Override
public void logout(Subject subject) throws LoginException {
    if (ObjectHelper.isEmpty(getName())) {
        throw new LoginException("Realm has not been configured on this SecurityAuthenticator: " + this);
    }
    String username = subject.getPrincipals().isEmpty()
            ? ""
            : subject.getPrincipals().iterator().next().getName();
    LOG.trace("Logging out username: {} using realm: {}", username, getName());
    new LoginContext(getName(), subject).logout();
    LOG.debug("Logout username: {} successful", username);
}
/**
 * Checks the "simple" JAAS login: after login the subject holds the OS principal and the derived
 * Alluxio {@link User}; logout removes the Alluxio user, and a second logout is a harmless no-op.
 */
@Test
public void simpleLogin() throws Exception {
    String osPrincipalClassName = LoginModuleConfigurationUtils.OS_PRINCIPAL_CLASS_NAME;
    @SuppressWarnings("unchecked")
    Class<? extends Principal> osPrincipalType = (Class<? extends Principal>) ClassLoader
        .getSystemClassLoader().loadClass(osPrincipalClassName);
    Subject jaasSubject = new Subject();

    // Login populates the subject with the OS principal and the matching Alluxio user.
    LoginContext context = new LoginContext("simple", jaasSubject, null, new LoginModuleConfiguration());
    context.login();
    assertFalse(jaasSubject.getPrincipals(osPrincipalType).isEmpty());
    assertFalse(jaasSubject.getPrincipals(User.class).isEmpty());

    // Logout strips the Alluxio user; repeating it must not fail or change anything.
    context.logout();
    assertTrue(jaasSubject.getPrincipals(User.class).isEmpty());
    context.logout();
    assertTrue(jaasSubject.getPrincipals(User.class).isEmpty());
}
new KerberosAuthenticator.DruidKerberosConfiguration(keytab, spnegoPrincipal); final LoginContext loginContext = new LoginContext("", serverSubject, null, kerberosConfiguration); try { loginContext.login(); gssManager = Subject.doAs(serverSubject, new PrivilegedExceptionAction<GSSManager>() throw ex.getException();
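/**
 * Performs a login using the specified principal and keytab.
 * <p>
 * The first call creates the {@link Subject} and the {@link LoginContext}; later calls reuse
 * them, and a call while already logged in returns immediately. A failed attempt leaves the
 * context in place so the login can be retried.
 *
 * @throws LoginException if the login fails; the original {@link LoginException} is attached as
 *                        the cause so the login module's failure reason and stack are not lost
 */
@Override
public synchronized void login() throws LoginException {
    if (isLoggedIn()) {
        return;
    }
    try {
        // If it's the first time ever calling login then we need to initialize a new context
        if (loginContext == null) {
            LOGGER.debug("Initializing new login context...");
            this.subject = new Subject();
            this.loginContext = createLoginContext(subject);
        }
        loginContext.login();
        loggedIn.set(true);
        LOGGER.debug("Successful login for {}", new Object[]{principal});
    } catch (LoginException le) {
        // LoginException has no (message, cause) constructor; chain the cause explicitly instead
        // of flattening it into the message, so callers and logs keep the underlying failure.
        LoginException wrapped = new LoginException("Unable to login with " + principal + " due to: " + le.getMessage());
        wrapped.initCause(le);
        throw wrapped;
    }
}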
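/**
 * Delegates the JAAS login to the realm named by the {@code REALM_PROPERTY} option and then runs
 * {@code doLogin} as the authenticated subject.
 * <p>
 * The realm name is read as a plain {@code String} option; a missing option is reported before any
 * login is attempted. A failure of the delegate's own {@code login()} propagates unchanged.
 *
 * @return the value returned by {@code doLogin}
 * @throws LoginException if the realm option is missing, the delegate login fails, or
 *                        {@code doLogin} throws; in the last case the thrown exception is the cause
 */
@Override
public boolean login() throws LoginException {
    if (!options.containsKey(REALM_PROPERTY)) {
        logger.warn(REALM_PROPERTY + " is not set");
        throw new LoginException("cannot authenticate through the delegating realm");
    }
    context = new LoginContext((String) options.get(REALM_PROPERTY), this.subject, this.callbackHandler);
    context.login();
    try {
        return Subject.doAs(context.getSubject(), (PrivilegedExceptionAction<Boolean>) this::doLogin);
    } catch (PrivilegedActionException pExcp) {
        logger.error("error with delegated authentication", pExcp);
        // PrivilegedActionException carries no message of its own (getMessage() is null), so
        // report and chain the exception doLogin actually threw instead of a blank LoginException.
        Exception cause = pExcp.getException();
        LoginException failure = new LoginException(cause != null ? cause.getMessage() : pExcp.getMessage());
        failure.initCause(cause != null ? cause : pExcp);
        throw failure;
    }
}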
/**
 * Validates a Kerberos service ticket issued for {@code spn} and returns the client name it
 * carries.
 * <p>
 * The service logs in from the configured keytab as {@code spn}, the validation action runs as
 * that subject, and the context is always logged out again so the service credentials do not
 * linger in the subject. Every failure - missing keytab, login error, validation error - is logged
 * at FATAL level and collapsed into {@link #FAILED}; callers must treat {@code FAILED} as an
 * authentication failure and never as a username.
 *
 * @param spn    the service principal name the ticket was issued for
 * @param ticket the raw ticket bytes presented by the client
 * @return the validated client name, or {@code FAILED}
 */
public String isTicketValid(String spn, byte[] ticket) {
    checkCreds();
    LoginContext ctx = null;
    try {
        if (!config.getKeytab().exists()) {
            throw new LoginException(String.format("KeyTab does not exist: %s", config.getKeytab().getAbsolutePath()));
        }
        Set<Principal> servicePrincipals = new HashSet<>();
        servicePrincipals.add(new KerberosPrincipal(spn, KerberosPrincipal.KRB_NT_SRV_INST));
        final Subject serviceSubject = new Subject(false, servicePrincipals, new HashSet<>(), new HashSet<>());
        ctx = new LoginContext(config.getContextName(), serviceSubject, null, getJaasKrb5TicketCfg(spn));
        ctx.login();
        return Subject.doAs(serviceSubject, new Krb5TicketValidateAction(ticket, spn));
    } catch (java.security.PrivilegedActionException | LoginException e) {
        LOG.fatal(spn, e);
    } finally {
        if (ctx != null) {
            try {
                ctx.logout();
            } catch (LoginException e2) {
                LOG.fatal(spn, e2);
            }
        }
    }
    return FAILED;
}
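/**
 * Authenticates {@code username}/{@code password} against the KDC through JAAS and returns the
 * principal name the KDC established.
 * <p>
 * Only the subject's principals are ever written to the log. {@code Subject.toString()} also
 * renders the private credentials, and a {@code KerberosTicket}'s string form includes its session
 * key, so the earlier debug dump of the whole subject would have put key material into the log.
 * <p>
 * The password arrives as a {@code String} (interface requirement) and is handed straight to the
 * callback handler; it cannot be zeroed here.
 *
 * @param username the user to authenticate
 * @param password the user's password
 * @return the validated principal name
 * @throws BadCredentialsException if the JAAS login fails or yields no principal
 */
@Override
public String login(String username, String password) {
    LOG.debug("Trying to authenticate " + username + " with Kerberos");
    String validatedUsername;
    try {
        LoginContext loginContext = new LoginContext("", null,
                new KerberosClientCallbackHandler(username, password), new LoginConfig(this.debug));
        loginContext.login();
        if (loginContext.getSubject().getPrincipals().isEmpty()) {
            // a login that produced no identity must not become a NoSuchElementException below
            loginContext.logout();
            throw new BadCredentialsException("Kerberos authentication produced no principal");
        }
        if (LOG.isDebugEnabled()) {
            // principals only - never the whole Subject (see method comment)
            LOG.debug("Kerberos authenticated principals: " + loginContext.getSubject().getPrincipals());
        }
        validatedUsername = loginContext.getSubject().getPrincipals().iterator().next().toString();
        loginContext.logout();
    } catch (LoginException e) {
        throw new BadCredentialsException("Kerberos authentication failed", e);
    }
    return validatedUsername;
}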
/**
 * Authenticates a user name / password pair through the configured JAAS login context.
 * <p>
 * The certificate array is accepted for interface compatibility but is not consulted here; only
 * the user name and password reach the callback handler. Every failure is reported to the caller
 * with the same "user name or password is invalid" message, so the response does not reveal which
 * of the two was wrong (the underlying exception is kept as the cause for server-side diagnosis).
 *
 * @param username     the user name to authenticate
 * @param password     the password to authenticate with
 * @param certificates ignored by this implementation
 * @return a {@link JaasSecurityContext} wrapping the authenticated subject
 * @throws SecurityException if the JAAS login fails for any reason
 */
@Override
public SecurityContext authenticate(String username, String password, X509Certificate[] certificates) throws SecurityException {
    JassCredentialCallbackHandler handler = new JassCredentialCallbackHandler(username, password);
    try {
        LoginContext context = new LoginContext(jassConfiguration, handler);
        context.login();
        return new JaasSecurityContext(username, context.getSubject());
    } catch (Exception ex) {
        throw new SecurityException("User name [" + username + "] or password is invalid.", ex);
    }
}
}