Examples of org.ietf.jgss.GSSContext

• org.ietf.jgss.GSSContext
  te a context using default credentials // and the implementation specific default mechanism GSSManager manager ... GSSName targetName ... GSSContext context = manager.createContext(targetName, null, null, GSSContext.INDEFINITE_LIFETIME); // set desired context options prior to context establishment context.requestConf(true); context.requestMutualAuth(true); context.requestReplayDet(true); context.requestSequenceDet(true); // establish a context between peers byte []inToken = new byte[0]; // Loop while there still is a token to be processed while (!context.isEstablished()) { byte[] outToken = context.initSecContext(inToken, 0, inToken.length); // send the output token if generated if (outToken != null) sendToken(outToken); if (!context.isEstablished()) { inToken = readToken(); } // display context information System.out.println("Remaining lifetime in seconds = " + context.getLifetime()); System.out.println("Context mechanism = " + context.getMech()); System.out.println("Initiator = " + context.getSrcName()); System.out.println("Acceptor = " + context.getTargName()); if (context.getConfState()) System.out.println("Confidentiality (i.e., privacy) is available"); if (context.getIntegState()) System.out.println("Integrity is available"); // perform wrap on an application supplied message, appMsg, // using QOP = 0, and requesting privacy service byte [] appMsg ... MessageProp mProp = new MessageProp(0, true); byte []tok = context.wrap(appMsg, 0, appMsg.length, mProp); sendToken(tok); // release the local-end of the context context.dispose(); @author Mayank Upadhyay @version 1.10, 11/17/05 @since 1.4

      }
      Subject.doAs(subject, new PrivilegedExceptionAction<Void>() {

        @Override
        public Void run() throws Exception {
          GSSContext gssContext = null;
          try {
            GSSManager gssManager = GSSManager.getInstance();
            String servicePrincipal = KerberosUtil.getServicePrincipal("HTTP",
                KerberosAuthenticator.this.url.getHost());
            Oid oid = KerberosUtil.getOidInstance("NT_GSS_KRB5_PRINCIPAL");
            GSSName serviceName = gssManager.createName(servicePrincipal,
                                                        oid);
            oid = KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID");
            gssContext = gssManager.createContext(serviceName, oid, null,
                                                  GSSContext.DEFAULT_LIFETIME);
            gssContext.requestCredDeleg(true);
            gssContext.requestMutualAuth(true);

            byte[] inToken = new byte[0];
            byte[] outToken;
            boolean established = false;

            // Loop while the context is still not established
            while (!established) {
              outToken = gssContext.initSecContext(inToken, 0, inToken.length);
              if (outToken != null) {
                sendToken(outToken);
              }

              if (!gssContext.isEstablished()) {
                inToken = readToken();
              } else {
                established = true;
              }
            }
          } finally {
            if (gssContext != null) {
              gssContext.dispose();
              gssContext = null;
            }
          }
          return null;
        }

        GSSName serverName = manager.createName(spn, null);

        // TODO Is it correct to use kerberos oid instead of spnego here?
        Oid oid = new Oid(KERBEROS_OID);

        GSSContext context = manager
                .createContext(serverName.canonicalize(oid), oid, null, GSSContext.DEFAULT_LIFETIME);
        // TODO Do we need mutual auth. Will the code we have really work with
        // mutual auth?
        context.requestMutualAuth(true);
        // TODO Credential delegation could be a security hole if it was not
        // intended. Both settings should be configurable
        context.requestCredDeleg(true);

        return getToken(proxyAuthPolicy, context);
    }

            }
            final Oid negotiationOid = new Oid(SPNEGO_OID);

            final GSSManager manager = GSSManager.getInstance();
            final GSSName serverName = manager.createName("HTTP@" + authServer, GSSName.NT_HOSTBASED_SERVICE);
            final GSSContext gssContext = manager.createContext(serverName.canonicalize(negotiationOid), negotiationOid, null,
                    DEFAULT_LIFETIME);
            gssContext.requestMutualAuth(true);
            gssContext.requestCredDeleg(true);

            if (token == null) {
                token = new byte[0];
            }
            token = gssContext.initSecContext(token, 0, token.length);
            if (token == null) {
                state = State.FAILED;
                throw new AuthenticationException("GSS security context initialization failed");
            }

                serverStarted = true;

                do {
                    Socket socket = null;
                    GSSContext gssContext = null;
                    try {
                        LOGGER.debug("Waiting for client connection");
                        socket = serverSocket.accept();
                        LOGGER.debug("Client connected");
                        gssContext = gssManager.createContext((GSSCredential) null);
                        final DataInputStream dataInputStream = new DataInputStream(socket.getInputStream());
                        final DataOutputStream dataOutputStream = new DataOutputStream(socket.getOutputStream());

                        command = dataInputStream.readInt();
                        LOGGER.debug("Command code: " + command);
                        if (command == GSSTestConstants.CMD_NAME) {
                            while (!gssContext.isEstablished()) {
                                final byte[] inToken = new byte[dataInputStream.readInt()];
                                dataInputStream.readFully(inToken);
                                final byte[] outToken = gssContext.acceptSecContext(inToken, 0, inToken.length);

                                if (outToken != null) {
                                    dataOutputStream.writeInt(outToken.length);
                                    dataOutputStream.write(outToken);
                                    dataOutputStream.flush();
                                }
                            }
                            final String clientName = gssContext.getSrcName().toString();
                            LOGGER.info("Context Established with Client " + clientName);

                            //encrypt
                            final MessageProp msgProp = new MessageProp(true);
                            final byte[] clientNameBytes = clientName.getBytes(GSSTestConstants.CHAR_ENC);
                            final byte[] outToken = gssContext.wrap(clientNameBytes, 0, clientNameBytes.length, msgProp);

                            dataOutputStream.writeInt(outToken.length);
                            dataOutputStream.write(outToken);
                            dataOutputStream.flush();
                            LOGGER.info("Client name was returned as the token value.");
                        }
                    } catch (EOFException e) {
                        LOGGER.info("Client didn't send a correct message.");
                    } catch (IOException e) {
                        LOGGER.error("IOException occurred", e);
                    } catch (GSSException e) {
                        LOGGER.error("GSSException occurred", e);
                    } finally {
                        if (gssContext != null) {
                            try {
                                gssContext.dispose();
                            } catch (GSSException e) {
                                LOGGER.error("Problem occurred during disposing GSS context", e);
                            }
                        }
                        if (socket != null) {

     */
    public String getName(final GSSCredential gssCredential) throws IOException, GSSException {
        LOGGER.info("getName() called with GSSCredential:\n" + gssCredential);
        // Create an unbound socket
        final Socket socket = new Socket();
        GSSContext gssContext = null;
        try {
            socket.connect(new InetSocketAddress(host, port), GSSTestConstants.SOCKET_TIMEOUT);
            DataOutputStream dos = new DataOutputStream(socket.getOutputStream());
            DataInputStream dis = new DataInputStream(socket.getInputStream());
            LOGGER.debug("Sending NAME command.");
            dos.writeInt(GSSTestConstants.CMD_NAME);
            dos.flush();

            GSSManager manager = GSSManager.getInstance();
            gssContext = manager.createContext(manager.createName(spn, null), Constants.KERBEROS_V5, gssCredential,
                    GSSContext.DEFAULT_LIFETIME);

            //            gssContext.requestCredDeleg(true);
            gssContext.requestMutualAuth(true);
            gssContext.requestConf(true);
            gssContext.requestInteg(true);

            byte[] token = new byte[0];
            while (!gssContext.isEstablished()) {
                token = gssContext.initSecContext(token, 0, token.length);
                if (token != null) {
                    dos.writeInt(token.length);
                    dos.write(token);
                    dos.flush();
                }
                if (!gssContext.isEstablished()) {
                    token = new byte[dis.readInt()];
                    dis.readFully(token);
                }
            }

            token = new byte[dis.readInt()];
            dis.readFully(token);
            MessageProp msgProp = new MessageProp(false);
            final byte[] nameBytes = gssContext.unwrap(token, 0, token.length, msgProp);
            return new String(nameBytes, GSSTestConstants.CHAR_ENC);
        } catch (IOException e) {
            LOGGER.error("IOException occurred.", e);
            throw e;
        } finally {
            try {
                socket.close();
            } catch (IOException e) {
                LOGGER.error("IOException occurred", e);
            }
            if (gssContext != null) {
                try {
                    gssContext.dispose();
                } catch (GSSException e) {
                    LOGGER.error("GSSException occurred", e);
                }
            }
        }

            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return false;
        }

        LoginContext lc = null;
        GSSContext gssContext = null;
        byte[] outToken = null;
        try {
            try {
                lc = new LoginContext(loginConfigName);
                lc.login();
            } catch (LoginException e) {
                log.error(sm.getString("spnegoAuthenticator.serviceLoginFail"),
                        e);
                response.sendError(
                        HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
                return false;
            }
            // Assume the GSSContext is stateless
            // TODO: Confirm this assumption
            GSSManager manager = GSSManager.getInstance();
            gssContext = manager.createContext(manager.createCredential(null,
                    GSSCredential.DEFAULT_LIFETIME,
                    new Oid("1.3.6.1.5.5.2"),
                    GSSCredential.ACCEPT_ONLY));

            outToken = gssContext.acceptSecContext(decoded.getBytes(),
                    decoded.getOffset(), decoded.getLength());

            if (outToken == null) {
                if (log.isDebugEnabled()) {
                    log.debug(sm.getString(
                            "spnegoAuthenticator.ticketValidateFail"));
                }
                // Start again
                response.setHeader("WWW-Authenticate", "Negotiate");
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return false;
            }

            principal = context.getRealm().authenticate(gssContext,
                    storeDelegatedCredential);
        } catch (GSSException e) {
            if (log.isDebugEnabled()) {
                log.debug(sm.getString("spnegoAuthenticator.ticketValidateFail",
                        e));
            }
            response.setHeader("WWW-Authenticate", "Negotiate");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return false;
        } finally {
            if (gssContext != null) {
                try {
                    gssContext.dispose();
                } catch (GSSException e) {
                    // Ignore
                }
            }
            if (lc != null) {

        } catch (PrivilegedActionException e) {
            throw new HttpException("PrivilegedActionException", e);
        } catch (GSSException e) {
            throw new HttpException("GSSException", e);
        }
        GSSContext gssContext = credentials.getGSSContext();
        try {
            // hack because HttpClient preemtive auth is broken wrt spnego as at 3.0.1
            if (getParams().isAuthenticationPreemptive()) {
                LOGGER.log(Level.INFO, "Using preemptive SPNego authentication");
                byte[] token = new Base64().encode(gssContext.initSecContext(new byte[0], 0, 0));
                LOGGER.log(Level.INFO, "Sending \"{0}\" {1} header", new String[]{TOKEN_PREFIX, AUTHORIZATION_HEADER});
                method.setRequestHeader(AUTHORIZATION_HEADER, MessageFormat.format("{0} {1}", TOKEN_PREFIX, new String(token)));
                getParams().setAuthenticationPreemptive(false);
            }
            gssContext.requestMutualAuth(mutualAuth);
            gssContext.requestConf(MESSAGE_CONFIDENTIALITY);
            gssContext.requestInteg(MESSAGE_INTEGRITY);
        } catch (GSSException e) {
            LOGGER.log(Level.SEVERE, "Caught GSSException setting options on GSSContext", e);
        }
        AuthScope authScope = new AuthScope(uri.getHost(), uri.getPort(), credentials.getRealm());
        getState().setCredentials(authScope, credentials);

        try
        {
            GSSName acceptorName = manager.createName(service,
                GSSName.NT_HOSTBASED_SERVICE, KRB5_OID);

            GSSContext secCtx = manager.createContext(acceptorName,
                                                      KRB5_OID,
                                                      null,
                                                      GSSContext.INDEFINITE_LIFETIME);

            secCtx.initSecContext(new byte[0], 0, 1);

            if (secCtx.getSrcName() != null)
            {
                return secCtx.getSrcName().toString();
            }

        }
        catch (GSSException e)
        {

        try
        {
            GSSName acceptorName = manager.createName(service,
                GSSName.NT_HOSTBASED_SERVICE, KRB5_OID);

            GSSContext secCtx = manager.createContext(acceptorName,
                                                      KRB5_OID,
                                                      null,
                                                      GSSContext.INDEFINITE_LIFETIME);

            secCtx.initSecContext(new byte[0], 0, 1);

            if (secCtx.getSrcName() != null)
            {
                return secCtx.getSrcName().toString();
            }

        }
        catch (GSSException e)
        {

     * @return the encoded buffer
     * @throws GSSException when something fails while using GSSAPI
     */
    private IoBuffer encodeGSSAPIAuthenticationPacket(
            final SocksProxyRequest request) throws GSSException {
        GSSContext ctx = (GSSContext) getSession().getAttribute(GSS_CONTEXT);
        if (ctx == null) {
            // first step in the authentication process
            GSSManager manager = GSSManager.getInstance();
            GSSName serverName = manager.createName(request
                    .getServiceKerberosName(), null);
            Oid krb5OID = new Oid(SocksProxyConstants.KERBEROS_V5_OID);

            if (LOGGER.isDebugEnabled()) {
                LOGGER.debug("Available mechs:");
                for (Oid o : manager.getMechs()) {
                    if (o.equals(krb5OID)) {
                        LOGGER.debug("Found Kerberos V OID available");
                    }
                    LOGGER.debug("{} with oid = {}",
                            manager.getNamesForMech(o), o);
                }
            }

            ctx = manager.createContext(serverName, krb5OID, null,
                    GSSContext.DEFAULT_LIFETIME);

            ctx.requestMutualAuth(true); // Mutual authentication
            ctx.requestConf(false);
            ctx.requestInteg(false);

            getSession().setAttribute(GSS_CONTEXT, ctx);
        }

        byte[] token = (byte[]) getSession().getAttribute(GSS_TOKEN);
        if (token != null) {
            LOGGER.debug("  Received Token[{}] = {}", token.length,
                    ByteUtilities.asHex(token));
        }
        IoBuffer buf = null;

        if (!ctx.isEstablished()) {
            // token is ignored on the first call
            if (token == null) {
                token = new byte[32];
            }

            token = ctx.initSecContext(token, 0, token.length);

            // Send a token to the server if one was generated by
            // initSecContext
            if (token != null) {
                LOGGER.debug("  Sending Token[{}] = {}", token.length,