Package org.ietf.jgss

Examples of org.ietf.jgss.GSSContext


      }
      Subject.doAs(subject, new PrivilegedExceptionAction<Void>() {

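        @Override
        public Void run() throws Exception {
          // Initiator side of a Kerberos (raw krb5 mechanism, not SPNEGO) handshake
          // with the HTTP service named after the target URL's host. Runs under the
          // caller's Subject so the TGT in that Subject is used as the initiating
          // credential (the explicit credential argument below is null).
          GSSContext gssContext = null;
          try {
            GSSManager gssManager = GSSManager.getInstance();
            String servicePrincipal = KerberosUtil.getServicePrincipal("HTTP",
                KerberosAuthenticator.this.url.getHost());
            Oid oid = KerberosUtil.getOidInstance("NT_GSS_KRB5_PRINCIPAL");
            GSSName serviceName = gssManager.createName(servicePrincipal,
                                                        oid);
            oid = KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID");
            gssContext = gssManager.createContext(serviceName, oid, null,
                                                  GSSContext.DEFAULT_LIFETIME);
            // SECURITY NOTE(review): credential delegation is requested
            // unconditionally. If granted, the server receives a forwarded TGT
            // and can act as this user towards other services. Consider making
            // this policy-driven (e.g. an allow-list of hosts) rather than
            // always-on; a compromised or spoofed server gains the user's
            // identity otherwise.
            gssContext.requestCredDeleg(true);
            // Mutual authentication is only *requested* here; whether the
            // mechanism honoured it is verified after establishment below.
            gssContext.requestMutualAuth(true);

            byte[] inToken = new byte[0];
            byte[] outToken;

            // Token exchange: each initSecContext output is sent to the server
            // and, until the context is established, the server's reply is fed
            // back in. With mutual auth the final round consumes the server's
            // AP-REP without producing a new token to send.
            do {
              outToken = gssContext.initSecContext(inToken, 0, inToken.length);
              if (outToken != null) {
                sendToken(outToken);
              }
              if (!gssContext.isEstablished()) {
                inToken = readToken();
              }
            } while (!gssContext.isEstablished());

            // Without this check a server that merely *consumed* our ticket but
            // never proved possession of the service key would be accepted,
            // defeating the purpose of requesting mutual authentication.
            if (!gssContext.getMutualAuthState()) {
              throw new GSSException(GSSException.FAILURE, -1,
                  "Mutual authentication was requested but not established with "
                  + servicePrincipal);
            }
          } finally {
            // Always release the native/JGSS context state, even on failure.
            if (gssContext != null) {
              gssContext.dispose();
              gssContext = null;
            }
          }
          return null;
        }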


        try
        {
            GSSName acceptorName = manager.createName(service,
                GSSName.NT_HOSTBASED_SERVICE, KRB5_OID);

            GSSContext secCtx = manager.createContext(acceptorName,
                                                      KRB5_OID,
                                                      null,
                                                      GSSContext.INDEFINITE_LIFETIME);

            secCtx.initSecContext(new byte[0], 0, 1);

            if (secCtx.getSrcName() != null)
            {
                return secCtx.getSrcName().toString();
            }

        }
        catch (GSSException e)
        {

            Oid krb5Oid = new Oid(KRB5MechOID.value.substring(4));
            GSSManager gssManager = GSSManager.getInstance();
            GSSName myPeer = gssManager.createName(target, null, krb5Oid);
            if (clientCreds == null) clientCreds = gssManager.createCredential(null, GSSCredential.INDEFINITE_LIFETIME, krb5Oid, GSSCredential.INITIATE_ONLY);
            GSSContext myContext = gssManager.createContext(myPeer, krb5Oid, clientCreds, GSSContext.INDEFINITE_LIFETIME);
            contextToken = myContext.initSecContext(contextToken, 0, contextToken.length);
        } catch (Exception e) {
            logger.error("Error creating Kerberos context: "+e);
        }
        return contextToken;
    }

            if (schemeContext != null && schemeContext instanceof GSSContext == false)
            {
               throw new IllegalStateException("The schemeContext is not a GSSContext");
            }

            GSSContext gssContext = (GSSContext) schemeContext;
            if (gssContext == null)
            {
               log.debug("Creating new GSSContext.");
               GSSManager manager = GSSManager.getInstance();
               gssContext = manager.createContext((GSSCredential) null);

               negotiationContext.setSchemeContext(gssContext);
            }

            if (gssContext.isEstablished())
            {
               log.warn("Authentication was performed despite already being authenticated!");

               // TODO - Refactor to only do this once.
               identity = new KerberosPrincipal(gssContext.getSrcName().toString());

               log.debug("context.getCredDelegState() = " + gssContext.getCredDelegState());
               log.debug("context.getMutualAuthState() = " + gssContext.getMutualAuthState());
               log.debug("context.getSrcName() = " + gssContext.getSrcName().toString());

               negotiationContext.setAuthenticationMethod(SPNEGO);
               negotiationContext.setAuthenticated(true);

               return Boolean.TRUE;
            }

            byte[] respToken = gssContext.acceptSecContext(gssToken, 0, gssToken.length);

            if (respToken != null)
            {
               NegTokenTarg negTokenTarg = new NegTokenTarg();
               negTokenTarg.setResponseToken(respToken);

               negotiationContext.setResponseMessage(negTokenTarg);
            }

            if (gssContext.isEstablished() == false)
            {
               return Boolean.FALSE;
            }
            else
            {
               identity = new KerberosPrincipal(gssContext.getSrcName().toString());

               log.debug("context.getCredDelegState() = " + gssContext.getCredDelegState());
               log.debug("context.getMutualAuthState() = " + gssContext.getMutualAuthState());
               log.debug("context.getSrcName() = " + gssContext.getSrcName().toString());

               // TODO - Get these two in synch - maybe isAuthenticated based on an authentication method been set?
               negotiationContext.setAuthenticationMethod(SPNEGO);
               negotiationContext.setAuthenticated(true);
               return Boolean.TRUE;

            @Override
            public Void run() throws Exception {
                // Client half of a SPNEGO handshake against the test server: keep
                // calling initSecContext, ship each non-empty token in an
                // "Authorization: Negotiate" header, and feed the server's
                // WWW-Authenticate challenge back in until the context is
                // established and a 200 has been observed.
                GSSManager manager = GSSManager.getInstance();
                String spn = "HTTP/" + DefaultServer.getDefaultServerAddress().getHostString();
                GSSName acceptor = manager.createName(spn, null);

                GSSContext context = manager.createContext(acceptor, SPNEGO, null, GSSContext.DEFAULT_LIFETIME);

                byte[] negotiateToken = new byte[0];
                boolean sawOk = false;

                while (!context.isEstablished()) {
                    negotiateToken = context.initSecContext(negotiateToken, 0, negotiateToken.length);

                    // Nothing to send this round (e.g. final server token consumed).
                    if (negotiateToken == null || negotiateToken.length == 0) {
                        continue;
                    }

                    HttpGet request = new HttpGet(DefaultServer.getDefaultServerURL());
                    request.addHeader(AUTHORIZATION.toString(), NEGOTIATE + " " + FlexBase64.encodeString(negotiateToken, false));
                    HttpResponse response = client.execute(request);

                    // A Negotiate challenge carries the next token for initSecContext;
                    // strip the "Negotiate " prefix before base64-decoding.
                    Header[] challenges = response.getHeaders(WWW_AUTHENTICATE.toString());
                    if (challenges.length > 0) {
                        String challenge = getAuthHeader(NEGOTIATE, challenges);

                        byte[] raw = challenge.getBytes("UTF-8");
                        negotiateToken = FlexBase64.decode(raw, NEGOTIATE.toString().length() + 1, raw.length).array();
                    }

                    int status = response.getStatusLine().getStatusCode();
                    if (status == StatusCodes.OK) {
                        Header[] processedBy = response.getHeaders("ProcessedBy");
                        assertEquals(1, processedBy.length);
                        assertEquals("ResponseHandler", processedBy[0].getValue());
                        HttpClientUtils.readResponse(response);
                        assertSingleNotificationType(EventType.AUTHENTICATED);
                        sawOk = true;
                    } else if (status == StatusCodes.UNAUTHORIZED) {
                        // An intermediate 401 must carry a challenge to continue with.
                        assertTrue("We did get a header.", challenges.length > 0);

                        HttpClientUtils.readResponse(response);

                    } else {
                        fail(String.format("Unexpected status code %d", status));
                    }
                }

                assertTrue(sawOk);
                assertTrue(context.isEstablished());
                return null;
            }
        });
    }

    }

    if (username != null) {

      final GSSContext context =  initGSS(new URL(serverUri), "spnego-client", username,password);
      final byte[] data = context.initSecContext(new byte[0], 0, 0);

      final List<Header> dh = new ArrayList<Header>();
      dh.add(new BasicHeader("Authorization","Negotiate "
          + org.apache.tomcat.util.codec.binary.Base64
          .encodeBase64String(data)));

      }
    };

    final GSSCredential clientcreds = Subject.doAs(subject, action);

    final GSSContext context = MANAGER.createContext(MANAGER.createName(
        "HTTP@" + url.getHost(), GSSName.NT_HOSTBASED_SERVICE, new Oid(
            "1.3.6.1.5.5.2")), new Oid("1.3.6.1.5.5.2"),
            clientcreds, GSSContext.DEFAULT_LIFETIME);

    context.requestMutualAuth(true);
    context.requestConf(true);
    context.requestInteg(true);
    context.requestReplayDet(true);
    context.requestSequenceDet(true);
    context.requestCredDeleg(false);

    return context;

    /*byte[] data = context.initSecContext(new byte[0], 0, 0);


                exchange.putAttachment(NegotiationContext.ATTACHMENT_KEY, negContext);
                // Also cache it on the connection for future calls.
                exchange.getConnection().putAttachment(NegotiationContext.ATTACHMENT_KEY, negContext);
            }

            GSSContext gssContext = negContext.getGssContext();
            if (gssContext == null) {
                GSSManager manager = GSSManager.getInstance();
                gssContext = manager.createContext((GSSCredential) null);

                negContext.setGssContext(gssContext);
            }

            byte[] respToken = gssContext.acceptSecContext(challenge.array(), challenge.arrayOffset(), challenge.limit());
            negContext.setResponseToken(respToken);

            if (negContext.isEstablished()) {

                if (respToken != null) {

        try
        {
            Oid krb5Oid = new Oid("1.3.6.1.5.5.2"); // http://java.sun.com/javase/6/docs/technotes/guides/security/jgss/jgss-features.html
            GSSName gssName = manager.createName(_targetName,null);
            GSSCredential serverCreds = manager.createCredential(gssName,GSSCredential.INDEFINITE_LIFETIME,krb5Oid,GSSCredential.ACCEPT_ONLY);
            GSSContext gContext = manager.createContext(serverCreds);

            if (gContext == null)
            {
                LOG.debug("SpnegoUserRealm: failed to establish GSSContext");
            }
            else
            {
                while (!gContext.isEstablished())
                {
                    authToken = gContext.acceptSecContext(authToken,0,authToken.length);
                }
                if (gContext.isEstablished())
                {
                    String clientName = gContext.getSrcName().toString();
                    String role = clientName.substring(clientName.indexOf('@') + 1);

                    LOG.debug("SpnegoUserRealm: established a security context");
                    LOG.debug("Client Principal is: " + gContext.getSrcName());
                    LOG.debug("Server Principal is: " + gContext.getTargName());
                    LOG.debug("Client Default Role: " + role);

                    SpnegoUserPrincipal user = new SpnegoUserPrincipal(clientName,authToken);

                    Subject subject = new Subject();

      String host = conn.getURL().getHost();
      String peerName = "HTTP@" + host.toLowerCase(); //$NON-NLS-1$
      try {
        GSSName gssName = gssManager.createName(peerName,
            GSSName.NT_HOSTBASED_SERVICE);
        GSSContext context = gssManager.createContext(gssName, OID,
            null, GSSContext.DEFAULT_LIFETIME);
        // Respect delegation policy in HTTP/SPNEGO.
        context.requestCredDeleg(true);

        byte[] token = context.initSecContext(prevToken, 0,
            prevToken.length);

        conn.setRequestProperty(HDR_AUTHORIZATION, getType().getSchemeName()
            + " " + Base64.encodeBytes(token)); //$NON-NLS-1$
      } catch (GSSException e) {


