private static byte[] initSecContext(final GSSContext gssContext, final byte[] inputBuf, final int offset, final int len) throws GSSException { final ClassLoader old = WildFlySecurityManager.setCurrentContextClassLoaderPrivileged(GssapiClient.class); try { return gssContext.initSecContext(inputBuf, offset, len); } finally { WildFlySecurityManager.setCurrentContextClassLoaderPrivileged(old); } }
private static byte[] initSecContext(final GSSContext gssContext, final byte[] inputBuf, final int offset, final int len) throws GSSException { final ClassLoader old = WildFlySecurityManager.setCurrentContextClassLoaderPrivileged(Gs2SaslClient.class); try { return gssContext.initSecContext(inputBuf, offset, len); } finally { WildFlySecurityManager.setCurrentContextClassLoaderPrivileged(old); } } }
private byte[] handleTokenFromServer(SSHPacket buf) throws UserAuthException { byte[] token; try { token = buf.readStringAsBytes(); } catch (BufferException e) { throw new UserAuthException("Failed to read string from message buffer", e); } try { return secContext.initSecContext(token, 0, token.length); } catch (GSSException e) { throw new UserAuthException("Exception during token exchange", e); } }
private String generateTicket() throws GSSException { final GSSManager manager = GSSManager.getInstance(); // Oid for kerberos principal name Oid krb5PrincipalOid = new Oid("1.2.840.113554.1.2.2.1"); Oid KERB_V5_OID = new Oid("1.2.840.113554.1.2.2"); final GSSName clientName = manager.createName(principal, krb5PrincipalOid); final GSSCredential clientCred = manager.createCredential(clientName, 8 * 3600, KERB_V5_OID, GSSCredential.INITIATE_ONLY); final GSSName serverName = manager.createName(principal, krb5PrincipalOid); final GSSContext context = manager.createContext(serverName, KERB_V5_OID, clientCred, GSSContext.DEFAULT_LIFETIME); context.requestMutualAuth(true); context.requestConf(false); context.requestInteg(true); final byte[] outToken = context.initSecContext(new byte[0], 0, 0); StringBuffer outputBuffer = new StringBuffer(); outputBuffer.append("Negotiate "); outputBuffer.append(Bytes.toString(Base64.getEncoder().encode(outToken))); System.out.print("Ticket is: " + outputBuffer); return outputBuffer.toString(); }
public static byte[] initiateSecurityContext(Subject subject, String servicePrincipalName) throws GSSException { GSSManager manager = GSSManager.getInstance(); GSSName serverName = manager.createName(servicePrincipalName, GSSName.NT_HOSTBASED_SERVICE); final GSSContext context = manager.createContext(serverName, krb5Oid, null, GSSContext.DEFAULT_LIFETIME); // The GSS context initiation has to be performed as a privileged action. return Subject.doAs(subject, (PrivilegedAction<byte[]>)() -> { try { byte[] token = new byte[0]; // This is a one pass context initialization. context.requestMutualAuth(false); context.requestCredDeleg(false); return context.initSecContext(token, 0, token.length); } catch (GSSException e) { log.error(Util.getMessage("Krb5TokenKerberosContextProcessingException"),e); return null; } }); }
}); byte[] token = context.initSecContext(new byte[0], 0, 0); if (token == null) { throw new LoginException("No token generated from GSS context");
byte[] outToken = gssContext.initSecContext(inToken, 0, inToken.length); gssContext.dispose();
}); byte[] token = context.initSecContext(new byte[0], 0, 0); if (token == null) { throw new LoginException("No token generated from GSS context");
byte[] outToken = gssContext.initSecContext(inToken, 0, inToken.length); gssContext.dispose();
@Override public String run() throws Exception { // This Oid for Kerberos GSS-API mechanism. Oid mechOid = new Oid("1.2.840.113554.1.2.2"); // Oid for kerberos principal name Oid krb5PrincipalOid = new Oid("1.2.840.113554.1.2.2.1"); GSSManager manager = GSSManager.getInstance(); // GSS name for server GSSName serverName = manager.createName(serverPrincipal, krb5PrincipalOid); // Create a GSSContext for authentication with the service. // We're passing client credentials as null since we want them to be read from the Subject. GSSContext gssContext = manager.createContext(serverName, mechOid, null, GSSContext.DEFAULT_LIFETIME); gssContext.requestMutualAuth(false); // Establish context byte[] inToken = new byte[0]; byte[] outToken = gssContext.initSecContext(inToken, 0, inToken.length); gssContext.dispose(); // Base64 encoded and stringified token for server return new String(base64codec.encode(outToken)); } }
public byte[] run() throws UnknownHostException, ClassNotFoundException, GSSException, IllegalAccessException, NoSuchFieldException { GSSManager gssManager = GSSManager.getInstance(); String servicePrincipal = KerberosUtil.getServicePrincipal("HTTP", authServer); Oid serviceOid = KerberosUtil.getOidInstance("NT_GSS_KRB5_PRINCIPAL"); GSSName serviceName = gssManager.createName(servicePrincipal, serviceOid); Oid mechOid = KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID"); GSSContext gssContext = gssManager.createContext(serviceName, mechOid, null, 0); gssContext.requestCredDeleg(true); gssContext.requestMutualAuth(true); return gssContext.initSecContext(input, 0, input.length); }
byte[] inToken = new byte[0]; try { byte[] outToken = secContext.initSecContext(inToken, 0, inToken.length); sendToken(outToken); } catch (GSSException e) {
token = gssContext.initSecContext(token, 0, token.length); if (token == null) { throw new SpnegoEngineException("GSS security context initialization failed");
public byte[] run() throws GSSException { return context.initSecContext(token, 0, token.length); } }
outToken = secContext.initSecContext(inToken, 0, inToken.length);
public GSSContext run() { try { GSSManager manager = GSSManager.getInstance(); GSSName peerName = manager.createName(servicePrincipalName, GSSName.NT_HOSTBASED_SERVICE); GSSContext context = manager.createContext(peerName, null, null, GSSContext.DEFAULT_LIFETIME); // Loop while the context is still not established while (!context.isEstablished()) { context.initSecContext(socket.getInputStream(), socket.getOutputStream()); } return context; } catch (Exception e) { log.error("Unable to authenticate client against Kerberos", e); return null; } } });
outToken = secContext.initSecContext(inToken, 0, inToken.length);
@Override void configureRequest(HttpConnection conn) throws IOException { GSSManager gssManager = GSS_MANAGER_FACTORY.newInstance(conn .getURL()); String host = conn.getURL().getHost(); String peerName = "HTTP@" + host.toLowerCase(Locale.ROOT); //$NON-NLS-1$ try { GSSName gssName = gssManager.createName(peerName, GSSName.NT_HOSTBASED_SERVICE); GSSContext context = gssManager.createContext(gssName, OID, null, GSSContext.DEFAULT_LIFETIME); // Respect delegation policy in HTTP/SPNEGO. context.requestCredDeleg(true); byte[] token = context.initSecContext(prevToken, 0, prevToken.length); conn.setRequestProperty(HDR_AUTHORIZATION, getType().getSchemeName() + " " + Base64.encodeBytes(token)); //$NON-NLS-1$ } catch (GSSException e) { throw new IOException(e); } } }
GSSManager manager = GSSManager.getInstance(); GSSName clientName = manager.createName("clientUser", GSSName.NT_USER_NAME); GSSCredential clientCred = manager.createCredential(clientName, 8 * 3600, createKerberosOid(), GSSCredential.INITIATE_ONLY); GSSName serverName = manager.createName("http@server", GSSName.NT_HOSTBASED_SERVICE); GSSContext context = manager.createContext(serverName, createKerberosOid(), clientCred, GSSContext.DEFAULT_LIFETIME); context.requestMutualAuth(true); context.requestConf(false); context.requestInteg(true); byte[] outToken = context.initSecContext(new byte[0], 0, 0); System.out.println(new BASE64Encoder().encode(outToken)); context.dispose();
return context.initSecContext(token, 0, token.length);