Java Code Examples for javax.security.auth.callback.CallbackHandler

@Override
public void initialize(Subject subject,
        CallbackHandler handler,
        Map<String, ?> sharedState,
        Map<String, ?> options) {
    this.subject = subject;
    this.handler = handler;
    this.options = options;

    String debugOption = (String) this.options.get("debug");
    if (debugOption != null && "true".equalsIgnoreCase(debugOption)) {
        debug = true;
    }

    attributes = new HashMap<String, Set<String>>();

    if (debug) {
        logger.debug("login module initialised: {}", this.getClass().getName());
    }
}
 

/**
 * Initialize this <code>LoginModule</code> with the specified
 * configuration information.
 *
 * @param subject The <code>Subject</code> to be authenticated
 * @param callbackHandler A <code>CallbackHandler</code> for communicating
 *  with the end user as necessary
 * @param sharedState State information shared with other
 *  <code>LoginModule</code> instances
 * @param options Configuration information for this specific
 *  <code>LoginModule</code> instance
 */
public void initialize(Subject subject, CallbackHandler callbackHandler,
                       Map sharedState, Map options) {
    log.debug("Init");

    // Save configuration values
    this.subject = subject;
    this.callbackHandler = callbackHandler;
    this.sharedState = sharedState;
    this.options = options;

    // Perform instance-specific initialization
    if (options.get("pathname") != null)
        this.pathname = (String) options.get("pathname");

    // Load our defined Principals
    load();

}
 

/**
 * Authenticate using the login module from the specified
 * configuration entry.
 *
 * @param caller the caller of JAAS Login
 * @param mech the mech to be used
 * @return the authenticated subject
 */
public static Subject login(GSSCaller caller, Oid mech) throws LoginException {

    CallbackHandler cb = null;
    if (caller instanceof HttpCaller) {
        cb = new sun.net.www.protocol.http.spnego.NegotiateCallbackHandler(
                ((HttpCaller)caller).info());
    } else {
        String defaultHandler =
                java.security.Security.getProperty(DEFAULT_HANDLER);
        // get the default callback handler
        if ((defaultHandler != null) && (defaultHandler.length() != 0)) {
            cb = null;
        } else {
            cb = new ConsoleCallbackHandler();
        }
    }

    // New instance of LoginConfigImpl must be created for each login,
    // since the entry name is not passed as the first argument, but
    // generated with caller and mech inside LoginConfigImpl
    LoginContext lc = new LoginContext("", null, cb,
            new LoginConfigImpl(caller, mech));
    lc.login();
    return lc.getSubject();
}
 

/**
 * Returns a new instance of the DIGEST-MD5 SASL client mechanism.
 *
 * @throws SaslException If there is an error creating the DigestMD5
 * SASL client.
 * @returns a new SaslClient ; otherwise null if unsuccessful.
 */
public SaslClient createSaslClient(String[] mechs,
     String authorizationId, String protocol, String serverName,
     Map<String,?> props, CallbackHandler cbh)
     throws SaslException {

     for (int i=0; i<mechs.length; i++) {
        if (mechs[i].equals(myMechs[DIGEST_MD5]) &&
            PolicyUtils.checkPolicy(mechPolicies[DIGEST_MD5], props)) {

            if (cbh == null) {
                throw new SaslException(
                    "Callback handler with support for RealmChoiceCallback, " +
                    "RealmCallback, NameCallback, and PasswordCallback " +
                    "required");
            }

            return new DigestMD5Client(authorizationId,
                protocol, serverName, props, cbh);
        }
    }
    return null;
}
 

@Override
protected Document process(Document document) throws WSSecurityException {
    WSSecurityEngine secEngine = new WSSecurityEngine();

    WSHandlerResult results = secEngine.processSecurityHeader(document, null, 
        new CallbackHandler() {
            public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
                for (Callback callback : callbacks) {
                    if (callback instanceof WSPasswordCallback) {
                        ((WSPasswordCallback)callback).setPassword(getCertPassword());
                    }
                }
            }
        }, getCrypto());

    return document;
}
 

public static void testLogin(String confName, char[] passwd,
        Configuration cf, boolean expectException) {
    try {
        CallbackHandler ch = new MyCallbackHandler("testUser", passwd);
        LoginContext lc = new LoginContext(confName, new Subject(),
                ch, cf);
        lc.login();
        if (expectException) {
            throw new RuntimeException("Login Test failed: "
                    + "expected LoginException not thrown");
        }
    } catch (LoginException le) {
        if (!expectException) {
            System.out.println("Login Test failed: "
                    + "received Unexpected exception.");
            throw new RuntimeException(le);
        }
    }
}
 

/**
 * Initialize this {@code LoginModule}.
 *
 * @param subject the {@code Subject} to be authenticated.
 *
 * @param callbackHandler a {@code CallbackHandler} for communicating
 *                  with the end user (prompting for usernames and
 *                  passwords, for example),
 *                  which may be {@code null}.
 *
 * @param sharedState shared {@code LoginModule} state.
 *
 * @param options options specified in the login
 *                  {@code Configuration} for this particular
 *                  {@code LoginModule}.
 */
// Unchecked warning from (Map<String, Object>)sharedState is safe
// since javax.security.auth.login.LoginContext passes a raw HashMap.
@SuppressWarnings("unchecked")
public void initialize(Subject subject,
                       CallbackHandler callbackHandler,
                       Map<String,?> sharedState,
                       Map<String,?> options)
{
    this.subject = subject;
    this.callbackHandler = callbackHandler;
    this.sharedState = (Map<String, Object>)sharedState;
    this.options = options;

    processOptions();
    status = INITIALIZED;
}
 

static void login(CallbackHandler callback, Object... options)
        throws Exception {
    Krb5LoginModule krb5 = new Krb5LoginModule();
    Subject subject = new Subject();
    Map<String, String> map = new HashMap<>();
    Map<String, Object> shared = new HashMap<>();

    int count = options.length / 2;
    for (int i = 0; i < count; i++) {
        String key = (String) options[2 * i];
        Object value = options[2 * i + 1];
        if (key.startsWith("javax")) {
            shared.put(key, value);
        } else {
            map.put(key, (String) value);
        }
    }
    krb5.initialize(subject, callback, shared, map);
    krb5.login();
    krb5.commit();
    if (!subject.getPrincipals().iterator().next()
            .getName().startsWith(OneKDC.USER)) {
        throw new Exception("The authenticated is not " + OneKDC.USER);
    }
}
 

/**
 * Initialize this <code>LoginModule</code> with the specified
 * configuration information.
 *
 * @param subject The <code>Subject</code> to be authenticated
 * @param callbackHandler A <code>CallbackHandler</code> for communicating
 *  with the end user as necessary
 * @param sharedState State information shared with other
 *  <code>LoginModule</code> instances
 * @param options Configuration information for this specific
 *  <code>LoginModule</code> instance
 */
@Override
public void initialize(Subject subject, CallbackHandler callbackHandler,
                       Map<String,?> sharedState, Map<String,?> options) {
    log.debug("Init");

    // Save configuration values
    this.subject = subject;
    this.callbackHandler = callbackHandler;
    this.sharedState = sharedState;
    this.options = options;

    // Perform instance-specific initialization
    if (options.get("pathname") != null)
        this.pathname = (String) options.get("pathname");

    // Load our defined Principals
    load();

}
 

/**
 * Returns a new instance of the DIGEST-MD5 SASL server mechanism.
 *
 * @throws SaslException If there is an error creating the DigestMD5
 * SASL server.
 * @returns a new SaslServer ; otherwise null if unsuccessful.
 */
public SaslServer createSaslServer(String mech,
     String protocol, String serverName, Map<String,?> props, CallbackHandler cbh)
     throws SaslException {

     if (mech.equals(myMechs[DIGEST_MD5]) &&
         PolicyUtils.checkPolicy(mechPolicies[DIGEST_MD5], props)) {

            if (cbh == null) {
                throw new SaslException(
                    "Callback handler with support for AuthorizeCallback, "+
                    "RealmCallback, NameCallback, and PasswordCallback " +
                    "required");
            }

            return new DigestMD5Server(protocol, serverName, props, cbh);
     }
     return null;
}
 

/**
   * Constructor for DIGEST-MD5 mechanism.
   *
   * @param authzid A non-null String representing the principal
   * for which authorization is being granted..
   * @param digestURI A non-null String representing detailing the
   * combined protocol and host being used for authentication.
   * @param props The possibly null properties to be used by the SASL
   * mechanism to configure the authentication exchange.
   * @param cbh The non-null CallbackHanlder object for callbacks
   * @throws SaslException if no authentication ID or password is supplied
   */
 DigestMD5Client(String authzid, String protocol, String serverName,
     Map<String, ?> props, CallbackHandler cbh) throws SaslException {

     super(props, MY_CLASS_NAME, 2, protocol + "/" + serverName, cbh);

     // authzID can only be encoded in UTF8 - RFC 2222
     if (authzid != null) {
         this.authzid = authzid;
         try {
             authzidBytes = authzid.getBytes("UTF8");

         } catch (UnsupportedEncodingException e) {
             throw new SaslException(
                 "DIGEST-MD5: Error encoding authzid value into UTF-8", e);
         }
     }

     if (props != null) {
         specifiedCipher = (String)props.get(CIPHER_PROPERTY);

         logger.log(Level.FINE, "DIGEST60:Explicitly specified cipher: {0}",
             specifiedCipher);
     }
}
 

/**
 * Returns a new instance of the DIGEST-MD5 SASL client mechanism.
 *
 * @throws SaslException If there is an error creating the DigestMD5
 * SASL client.
 * @return a new SaslClient; otherwise null if unsuccessful.
 */
public SaslClient createSaslClient(String[] mechs,
     String authorizationId, String protocol, String serverName,
     Map<String,?> props, CallbackHandler cbh)
     throws SaslException {

     for (int i=0; i<mechs.length; i++) {
        if (mechs[i].equals(myMechs[DIGEST_MD5]) &&
            PolicyUtils.checkPolicy(mechPolicies[DIGEST_MD5], props)) {

            if (cbh == null) {
                throw new SaslException(
                    "Callback handler with support for RealmChoiceCallback, " +
                    "RealmCallback, NameCallback, and PasswordCallback " +
                    "required");
            }

            return new DigestMD5Client(authorizationId,
                protocol, serverName, props, cbh);
        }
    }
    return null;
}
 

/**
   * Constructor for DIGEST-MD5 mechanism.
   *
   * @param authzid A non-null String representing the principal
   * for which authorization is being granted..
   * @param digestURI A non-null String representing detailing the
   * combined protocol and host being used for authentication.
   * @param props The possibly null properties to be used by the SASL
   * mechanism to configure the authentication exchange.
   * @param cbh The non-null CallbackHanlder object for callbacks
   * @throws SaslException if no authentication ID or password is supplied
   */
 DigestMD5Client(String authzid, String protocol, String serverName,
     Map<String, ?> props, CallbackHandler cbh) throws SaslException {

     super(props, MY_CLASS_NAME, 2, protocol + "/" + serverName, cbh);

     // authzID can only be encoded in UTF8 - RFC 2222
     if (authzid != null) {
         this.authzid = authzid;
         try {
             authzidBytes = authzid.getBytes("UTF8");

         } catch (UnsupportedEncodingException e) {
             throw new SaslException(
                 "DIGEST-MD5: Error encoding authzid value into UTF-8", e);
         }
     }

     if (props != null) {
         specifiedCipher = (String)props.get(CIPHER_PROPERTY);

         logger.log(Level.FINE, "DIGEST60:Explicitly specified cipher: {0}",
             specifiedCipher);
     }
}
 

/**
 * Returns a new instance of the NTLM SASL server mechanism.
 * Argument checks are performed in SaslServer's constructor.
 * @returns a new SaslServer ; otherwise null if unsuccessful.
 * @throws SaslException If there is an error creating the NTLM
 * SASL server.
 */
public SaslServer createSaslServer(String mech,
     String protocol, String serverName, Map<String,?> props, CallbackHandler cbh)
     throws SaslException {

     if (mech.equals("NTLM") &&
             PolicyUtils.checkPolicy(mechPolicies[0], props)) {
         if (props != null) {
             String qop = (String)props.get(Sasl.QOP);
             if (qop != null && !qop.equals("auth")) {
                 throw new SaslException("NTLM only support auth");
             }
         }
         if (cbh == null) {
             throw new SaslException(
                 "Callback handler with support for " +
                 "RealmCallback, NameCallback, and PasswordCallback " +
                 "required");
         }
         return new NTLMServer(mech, protocol, serverName, props, cbh);
     }
     return null;
}
 

public SaslClient createSaslClient(String[] mechs,
    String authorizationId,
    String protocol,
    String serverName,
    Map<String,?> props,
    CallbackHandler cbh) throws SaslException {

        for (int i = 0; i < mechs.length; i++) {
            if (mechs[i].equals(myMechs[GSS_KERB_V5])
                && PolicyUtils.checkPolicy(mechPolicies[GSS_KERB_V5], props)) {
                return new GssKrb5Client(
                    authorizationId,
                    protocol,
                    serverName,
                    props,
                    cbh);
            }
        }
        return null;
}
 

private void login(CallbackHandler handler) throws LoginException {
    if ((token.tokenInfo.flags & CKF_PROTECTED_AUTHENTICATION_PATH) == 0) {
        token.provider.login(null, handler);
    } else {
        // token supports protected authentication path
        // (external pin-pad, for example)
        if (handler != null &&
            !token.config.getKeyStoreCompatibilityMode()) {
            throw new LoginException("can not specify password if token " +
                            "supports protected authentication path");
        }

        // must rely on application-set or default handler
        // if one is necessary
        token.provider.login(null, null);
    }
}
 

/**
   * Constructor for DIGEST-MD5 mechanism.
   *
   * @param authzid A non-null String representing the principal
   * for which authorization is being granted..
   * @param digestURI A non-null String representing detailing the
   * combined protocol and host being used for authentication.
   * @param props The possibly null properties to be used by the SASL
   * mechanism to configure the authentication exchange.
   * @param cbh The non-null CallbackHanlder object for callbacks
   * @throws SaslException if no authentication ID or password is supplied
   */
 DigestMD5Client(String authzid, String protocol, String serverName,
     Map<String, ?> props, CallbackHandler cbh) throws SaslException {

     super(props, MY_CLASS_NAME, 2, protocol + "/" + serverName, cbh);

     // authzID can only be encoded in UTF8 - RFC 2222
     if (authzid != null) {
         this.authzid = authzid;
         try {
             authzidBytes = authzid.getBytes("UTF8");

         } catch (UnsupportedEncodingException e) {
             throw new SaslException(
                 "DIGEST-MD5: Error encoding authzid value into UTF-8", e);
         }
     }

     if (props != null) {
         specifiedCipher = (String)props.get(CIPHER_PROPERTY);

         logger.log(Level.FINE, "DIGEST60:Explicitly specified cipher: {0}",
             specifiedCipher);
     }
}
 

/**
 * Returns a new instance of the DIGEST-MD5 SASL client mechanism.
 *
 * @throws SaslException If there is an error creating the DigestMD5
 * SASL client.
 * @returns a new SaslClient ; otherwise null if unsuccessful.
 */
public SaslClient createSaslClient(String[] mechs,
     String authorizationId, String protocol, String serverName,
     Map<String,?> props, CallbackHandler cbh)
     throws SaslException {

     for (int i=0; i<mechs.length; i++) {
        if (mechs[i].equals(myMechs[DIGEST_MD5]) &&
            PolicyUtils.checkPolicy(mechPolicies[DIGEST_MD5], props)) {

            if (cbh == null) {
                throw new SaslException(
                    "Callback handler with support for RealmChoiceCallback, " +
                    "RealmCallback, NameCallback, and PasswordCallback " +
                    "required");
            }

            return new DigestMD5Client(authorizationId,
                protocol, serverName, props, cbh);
        }
    }
    return null;
}
 

/**
 * Initialize this <code>LoginModule</code> with the specified configuration
 * information.
 *
 * @param subject
 *            The <code>Subject</code> to be authenticated
 * @param callbackHandler
 *            A <code>CallbackHandler</code> for communicating with the end
 *            user as necessary
 * @param sharedState
 *            State information shared with other <code>LoginModule</code>
 *            instances
 * @param options
 *            Configuration information for this specific
 *            <code>LoginModule</code> instance
 */
@Override
public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState,
		Map<String, ?> options) {
	log.debug("Init");

	// Save configuration values
	this.subject = subject;
	this.callbackHandler = callbackHandler;
	this.sharedState = sharedState;
	this.options = options;

	// Perform instance-specific initialization
	if (options.get("pathname") != null)
		this.pathname = (String) options.get("pathname");

	// Load our defined Principals
	load();

}
 

/**
 * Returns a new instance of the NTLM SASL client mechanism.
 * Argument checks are performed in SaslClient's constructor.
 * @return a new SaslClient; otherwise null if unsuccessful.
 * @throws SaslException If there is an error creating the NTLM
 * SASL client.
 */
public SaslClient createSaslClient(String[] mechs,
     String authorizationId, String protocol, String serverName,
     Map<String,?> props, CallbackHandler cbh)
     throws SaslException {

     for (int i=0; i<mechs.length; i++) {
        if (mechs[i].equals("NTLM") &&
                PolicyUtils.checkPolicy(mechPolicies[0], props)) {

            if (cbh == null) {
                throw new SaslException(
                    "Callback handler with support for " +
                    "RealmCallback, NameCallback, and PasswordCallback " +
                    "required");
            }
            return new NTLMClient(mechs[i], authorizationId,
                protocol, serverName, props, cbh);
        }
    }
    return null;
}
 

public static void testLogin(String confName, char[] passwd,
        Configuration cf, boolean expectException) {
    try {
        CallbackHandler ch = new MyCallbackHandler("testUser", passwd);
        LoginContext lc = new LoginContext(confName, new Subject(),
                ch, cf);
        lc.login();
        if (expectException) {
            throw new RuntimeException("Login Test failed: "
                    + "expected LoginException not thrown");
        }
    } catch (LoginException le) {
        if (!expectException) {
            System.out.println("Login Test failed: "
                    + "received Unexpected exception.");
            throw new RuntimeException(le);
        }
    }
}
 

/**
 * Initialize this <code>LoginModule</code> with the specified
 * configuration information.
 *
 * @param subject The <code>Subject</code> to be authenticated
 * @param callbackHandler A <code>CallbackHandler</code> for communicating
 *  with the end user as necessary
 * @param sharedState State information shared with other
 *  <code>LoginModule</code> instances
 * @param options Configuration information for this specific
 *  <code>LoginModule</code> instance
 */
@Override
public void initialize(Subject subject, CallbackHandler callbackHandler,
                       Map<String,?> sharedState, Map<String,?> options) {
    log.debug("Init");

    // Save configuration values
    this.subject = subject;
    this.callbackHandler = callbackHandler;
    this.sharedState = sharedState;
    this.options = options;

    // Perform instance-specific initialization
    if (options.get("pathname") != null)
        this.pathname = (String) options.get("pathname");

    // Load our defined Principals
    load();

}
 

/**
 * Sends client SASL negotiation for specialized encrypted handshake.
 *
 * @param underlyingOut connection output stream
 * @param underlyingIn connection input stream
 * @param encryptionKey for an encrypted SASL handshake
 * @return new pair of streams, wrapped after SASL negotiation
 * @throws IOException for any error
 */
private IOStreamPair getEncryptedStreams(OutputStream underlyingOut,
    InputStream underlyingIn, DataEncryptionKey encryptionKey)
    throws IOException {
  Map<String, String> saslProps = createSaslPropertiesForEncryption(
    encryptionKey.encryptionAlgorithm);

  LOG.debug("Client using encryption algorithm {}",
    encryptionKey.encryptionAlgorithm);

  String userName = getUserNameFromEncryptionKey(encryptionKey);
  char[] password = encryptionKeyToPassword(encryptionKey.encryptionKey);
  CallbackHandler callbackHandler = new SaslClientCallbackHandler(userName,
    password);
  return doSaslHandshake(underlyingOut, underlyingIn, userName, saslProps,
    callbackHandler);
}
 

public SaslServer createSaslServer(String mech,
    String protocol,
    String serverName,
    Map<String,?> props,
    CallbackHandler cbh) throws SaslException {
        if (mech.equals(myMechs[GSS_KERB_V5])
            && PolicyUtils.checkPolicy(mechPolicies[GSS_KERB_V5], props)) {
            if (cbh == null) {
                throw new SaslException(
            "Callback handler with support for AuthorizeCallback required");
            }
            return new GssKrb5Server(
                protocol,
                serverName,
                props,
                cbh);
        }
        return null;
}
 

@Override
public SaslServer createSaslServer(String mechanism, String protocol,
    String serverName, Map<String,?> props, CallbackHandler cbh)
    throws SaslException {
  SaslServer saslServer = null;
  List<SaslServerFactory> factories = factoryCache.get(mechanism);
  if (factories != null) {
    for (SaslServerFactory factory : factories) {
      saslServer = factory.createSaslServer(
          mechanism, protocol, serverName, props, cbh);
      if (saslServer != null) {
        break;
      }
    }
  }
  return saslServer;
}
 

private void runNegotiation(CallbackHandler clientCbh,
                            CallbackHandler serverCbh)
                                throws SaslException {
  String mechanism = AuthMethod.PLAIN.getMechanismName();

  SaslClient saslClient = Sasl.createSaslClient(
      new String[]{ mechanism }, null, null, null, null, clientCbh);
  assertNotNull(saslClient);

  SaslServer saslServer = Sasl.createSaslServer(
      mechanism, null, "localhost", null, serverCbh);
  assertNotNull("failed to find PLAIN server", saslServer);
  
  byte[] response = saslClient.evaluateChallenge(new byte[0]);
  assertNotNull(response);
  assertTrue(saslClient.isComplete());

  response = saslServer.evaluateResponse(response);
  assertNull(response);
  assertTrue(saslServer.isComplete());
  assertNotNull(saslServer.getAuthorizationID());
}
 

@Override
public SaslClient createSaslClient(String[] mechanisms,
        String authorizationId,
        String protocol,
        String serverName,
        Map<String, ?> props,
        CallbackHandler cbh) throws SaslException {

    ScramMechanism mechanism = null;
    for (String mech : mechanisms) {
        mechanism = ScramMechanism.forMechanismName(mech);
        if (mechanism != null)
            break;
    }
    if (mechanism == null)
        throw new SaslException(String.format("Requested mechanisms '%s' not supported. Supported mechanisms are '%s'.",
                Arrays.asList(mechanisms), ScramMechanism.mechanismNames()));

    try {
        return new ScramSaslClient(mechanism, cbh);
    } catch (NoSuchAlgorithmException e) {
        throw new SaslException("Hash algorithm not supported for mechanism " + mechanism, e);
    }
}
 

private void login(CallbackHandler handler) throws LoginException {
    if ((token.tokenInfo.flags & CKF_PROTECTED_AUTHENTICATION_PATH) == 0) {
        token.provider.login(null, handler);
    } else {
        // token supports protected authentication path
        // (external pin-pad, for example)
        if (handler != null &&
            !token.config.getKeyStoreCompatibilityMode()) {
            throw new LoginException("can not specify password if token " +
                            "supports protected authentication path");
        }

        // must rely on application-set or default handler
        // if one is necessary
        token.provider.login(null, null);
    }
}
 

/**
 * Returns a new instance of the NTLM SASL client mechanism.
 * Argument checks are performed in SaslClient's constructor.
 * @returns a new SaslClient ; otherwise null if unsuccessful.
 * @throws SaslException If there is an error creating the NTLM
 * SASL client.
 */
public SaslClient createSaslClient(String[] mechs,
     String authorizationId, String protocol, String serverName,
     Map<String,?> props, CallbackHandler cbh)
     throws SaslException {

     for (int i=0; i<mechs.length; i++) {
        if (mechs[i].equals("NTLM") &&
                PolicyUtils.checkPolicy(mechPolicies[0], props)) {

            if (cbh == null) {
                throw new SaslException(
                    "Callback handler with support for " +
                    "RealmCallback, NameCallback, and PasswordCallback " +
                    "required");
            }
            return new NTLMClient(mechs[i], authorizationId,
                protocol, serverName, props, cbh);
        }
    }
    return null;
}
 

public SaslClient createSaslClient(String[] mechs,
    String authorizationId,
    String protocol,
    String serverName,
    Map<String,?> props,
    CallbackHandler cbh) throws SaslException {

        for (int i = 0; i < mechs.length; i++) {
            if (mechs[i].equals(myMechs[GSS_KERB_V5])
                && PolicyUtils.checkPolicy(mechPolicies[GSS_KERB_V5], props)) {
                return new GssKrb5Client(
                    authorizationId,
                    protocol,
                    serverName,
                    props,
                    cbh);
            }
        }
        return null;
}
 

/** Construye una tarjeta FNMT TIF (variante del DNIe).
    * @param conn Conexión con la tarjeta.
    * @param pwc <i>PasswordCallback</i> para obtener el PIN de la TIF.
    * @param cryptoHelper Funcionalidades criptogr&aacute;ficas de utilidad que pueden variar entre m&aacute;quinas virtuales.
    * @param ch Gestor de <i>callbacks</i> para la solicitud de datos al usuario.
    * @throws ApduConnectionException Si la conexi&oacute;n con la tarjeta se proporciona cerrada y no es posible abrirla.*/
public Tif(final ApduConnection conn,
		   final PasswordCallback pwc,
		   final CryptoHelper cryptoHelper,
		   final CallbackHandler ch) throws ApduConnectionException {
	super(conn, pwc, cryptoHelper, ch);
}
 

public static void loginAndAction(String name, PrivilegedExceptionAction action)
    throws LoginException, PrivilegedActionException {

  // Create a callback handler
  CallbackHandler callbackHandler = new TextCallbackHandler();

  LoginContext context = null;

  try {
    // Create a LoginContext with a callback handler
    context = new LoginContext(name, callbackHandler);

    // Perform authentication
    context.login();
  } catch (LoginException e) {
    System.err.println("Login failed");
    e.printStackTrace();
    System.exit(-1);
  }

  // Perform action as authenticated user
  Subject subject = context.getSubject();
  if (verbose) {
    System.out.println(subject.toString());
  } else {
    System.out.println("Authenticated principal: " + subject.getPrincipals());
  }

  Subject.doAs(subject, action);

  context.logout();
}
 

@SuppressWarnings ( "rawtypes" )
@Override
public void initialize ( final Subject subject, final CallbackHandler callbackHandler, final Map sharedState, final Map options )
{
    this.subject = subject;
    this.callbackHandler = callbackHandler;
}
 

@Override
public SaslServer createSaslServer(String mechanism, String protocol, String serverName, Map<String, ?> props,
        CallbackHandler cbh) throws SaslException {
    if (!(cbh instanceof PlainSaslCallbackHandler)) {
        throw new SaslException(
                "CallbackHandler must be of type of PlainSaslCallbackHandler, but received  : " + cbh
                        .getClass());
    }
    return (PlainSaslServer.PLAIN_MECHANISM.equals(mechanism)) ?
            new PlainSaslServer((PlainSaslCallbackHandler) cbh) :
            null;
}
 

@Override
public void initialize(Subject subject, CallbackHandler callbackHandler,
        Map<String, ?> sharedState, Map<String, ?> options) {
    this.subject = subject;
    this.callbackHandler = callbackHandler;

    // check if custom parameter is passed from comfiguration
    if (options == null) {
        throw new RuntimeException("options is null");
    }

    // read username/password from configuration
    Object o = options.get("username");
    if (o == null) {
        throw new RuntimeException("Custom parameter not passed");
    }
    if (!(o instanceof String)) {
        throw new RuntimeException("Password is not a string");
    }
    username = (String) o;

    o = options.get("password");
    if (o == null) {
        throw new RuntimeException("Custom parameter not passed");
    }
    if (!(o instanceof String)) {
        throw new RuntimeException("Password is not a string");
    }
    password = ((String) o).toCharArray();
}
 

DnieNFC(final ApduConnection conn,
		final PasswordCallback pwc,
		final CryptoHelper cryptoHelper,
		final CallbackHandler ch) throws ApduConnectionException,
                                    PaceException {
	super(paceConnection(conn, ch), pwc, cryptoHelper, ch);
}
 

public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState,
		Map<String, ?> options) {

	try {
		NameCallback nameCallback = new NameCallback("prompt");
		PasswordCallback passwordCallback = new PasswordCallback("prompt", false);

		callbackHandler.handle(new Callback[] { nameCallback, passwordCallback });
	} catch (Exception e) {
		throw new RuntimeException(e);
	}
}
 

@Override
public void afterPropertiesSet() throws Exception {
    Assert.notNull(this.servicePrincipal, "servicePrincipal must be specified");
    LoginConfig loginConfig = new LoginConfig(this.servicePrincipal, this.debug, isInitiator);
    Set<Principal> princ = new HashSet<>(1);
    princ.add(new KerberosPrincipal(this.servicePrincipal));
    Subject sub = new Subject(false, princ, new HashSet<>(), new HashSet<>());

    final CallbackHandler handler = getUsernamePasswordHandler(servicePrincipal, password);

    LoginContext lc = new LoginContext("", sub, handler, loginConfig);
    lc.login();
    this.serviceSubject = lc.getSubject();
}
 

private static CallbackHandler getUsernamePasswordHandler(final String username, final String password) {
    return callbacks -> {
        for (Callback callback : callbacks) {
            if (callback instanceof NameCallback) {
                final NameCallback nameCallback = (NameCallback) callback;
                nameCallback.setName(username);
            } else if (callback instanceof PasswordCallback) {
                final PasswordCallback passCallback = (PasswordCallback) callback;
                passCallback.setPassword(password.toCharArray());
            } else {
                System.err.println("Unsupported Callback: " + callback.getClass().getName());
            }
        }
    };
}
 

public void initialize(Subject s, CallbackHandler ch,
        Map<String,?> state, Map<String,?> options) {
    if (s == ConfigConstructor.s ||
        ch != null) {
        throw new SecurityException("Module 2 failed");
    }
}
 

public SaslServer createSaslServer( String mechanism, String protocol, String serverName, Map<String, ?> props, CallbackHandler cbh ) throws SaslException
{
    // Do not return an instance when the provided properties contain Policy settings that disallow our implementations.
    final Set<String> mechanismNames = getMechanismNamesSet( props );

    if ( mechanismNames.contains( mechanism ) && mechanism.equalsIgnoreCase( OfMeetSaslServer.MECHANISM_NAME ) )
    {
        return new OfMeetSaslServer( TokenManager.getInstance() );
    }

    return null;
}
 

void go() throws Exception {
    Krb5LoginModule krb5 = new Krb5LoginModule();

    final String name = OneKDC.USER;
    final char[] password = OneKDC.PASS;
    char[] badpassword = "hellokitty".toCharArray();

    Map<String,String> map = new HashMap<>();
    map.put("useTicketCache", "false");
    map.put("doNotPrompt", "false");
    map.put("tryFirstPass", "true");
    Map<String,Object> shared = new HashMap<>();
    shared.put("javax.security.auth.login.name", name);
    shared.put("javax.security.auth.login.password", badpassword);

    krb5.initialize(new Subject(), new CallbackHandler() {
        @Override
        public void handle(Callback[] callbacks) {
            for(Callback callback: callbacks) {
                if (callback instanceof NameCallback) {
                    ((NameCallback)callback).setName(name);
                }
                if (callback instanceof PasswordCallback) {
                    ((PasswordCallback)callback).setPassword(password);
                }
            }
        }
    }, shared, map);
    krb5.login();
}
 

public void initialize(Subject subject, CallbackHandler callbackHandler,
		Map sharedState, Map options) {
	setSubject(subject);
	setCallbackHandler(callbackHandler);
	setSharedState(sharedState);
	setOptions(options);

	setUser(null);
	setAuthSucceeded(false);
	setCommitSucceeded(false);
}
 

/**
 * Initialize
 */
public void initialize(Subject subject, CallbackHandler callbackHandler,
		Map sharedState, Map options) {

	super.initialize(subject, callbackHandler, sharedState, options);
	iExternalUid = null;
}
 

@Override
public void initialize(Subject subject, CallbackHandler callbackHandler,
                    Map<String,?> sharedState, Map<String,?> options) {
    // check shared object
    Object shared = sharedState.get(NAME);
    if (!VALUE.equals(shared)) {
        throw new RuntimeException("Unexpected shared object: "
                + shared);
    }
}
 

void go() throws Exception {
    Krb5LoginModule krb5 = new Krb5LoginModule();

    final String name = OneKDC.USER;
    final char[] password = OneKDC.PASS;
    char[] badpassword = "hellokitty".toCharArray();

    Map<String,String> map = new HashMap<>();
    map.put("useTicketCache", "false");
    map.put("doNotPrompt", "false");
    map.put("tryFirstPass", "true");
    Map<String,Object> shared = new HashMap<>();
    shared.put("javax.security.auth.login.name", name);
    shared.put("javax.security.auth.login.password", badpassword);

    krb5.initialize(new Subject(), new CallbackHandler() {
        @Override
        public void handle(Callback[] callbacks) {
            for(Callback callback: callbacks) {
                if (callback instanceof NameCallback) {
                    ((NameCallback)callback).setName(name);
                }
                if (callback instanceof PasswordCallback) {
                    ((PasswordCallback)callback).setPassword(password);
                }
            }
        }
    }, shared, map);
    krb5.login();
}
 

@Override
public final void initialize(final Subject subject, final CallbackHandler callbackHandler,
                             final Map<String, ?> sharedState, final Map<String, ?> options) {
    this.subject = subject;
    this.callbackHandler = callbackHandler;
    this.sharedState = sharedState;
    this.options = options;

    loggedIn = false;
    committed = false;
    principals = null;
}
 

/**
 * @return the principals configured in the {@link StaticConfiguration}
 */
@SuppressWarnings("unchecked")
@Override
protected List<Principal> login(final Subject subject, final CallbackHandler callbackHandler,
                                final Map<String, ?> sharedState, final Map<String, ?> options) throws LoginException {
    return (List<Principal>) options.get(StaticConfiguration.PRINCIPALS);
}
 

@Override
protected List<Principal> login(final Subject subject, final CallbackHandler callbackHandler,
                                final Map<String, ?> sharedState, final Map<String, ?> options) throws LoginException {
    // Retrieve username and password
    if (callbackHandler == null) {
        throw new LoginException("Could not retrieve credentials: no callback handler");
    }

    final Callback[] callbacks = new Callback[2];
    callbacks[0] = new NameCallback("username");
    callbacks[1] = new PasswordCallback("password", false);

    final String username;
    final char[] password;
    try {
        callbackHandler.handle(callbacks);
        username = ((NameCallback) callbacks[0]).getName();
        final char[] tmpPassword = ((PasswordCallback) callbacks[1]).getPassword();
        password = new char[tmpPassword.length];
        System.arraycopy(tmpPassword, 0,
                password, 0, tmpPassword.length);
        ((PasswordCallback) callbacks[1]).clearPassword();

    } catch (final UnsupportedCallbackException | IOException e) {
        final LoginException le = new LoginException("Could not retrieve credentials");
        le.initCause(e);
        throw le;
    }

    // Validate username and password
    final Properties properties = loadProperties(options);
    if (validateCredentials(properties, username, password)) {
        final Principal userPrincipal = new JMXPrincipal(username);
        return Collections.singletonList(userPrincipal);
    } else {
        throw new FailedLoginException("Invalid credentials");
    }
}
 

/**
 * Sends client SASL negotiation for general-purpose handshake.
 *
 * @param addr connection address
 * @param underlyingOut connection output stream
 * @param underlyingIn connection input stream
 * @param accessToken connection block access token
 * @param datanodeId ID of destination DataNode
 * @return new pair of streams, wrapped after SASL negotiation
 * @throws IOException for any error
 */
private IOStreamPair getSaslStreams(InetAddress addr,
    OutputStream underlyingOut, InputStream underlyingIn,
    Token<BlockTokenIdentifier> accessToken, DatanodeID datanodeId)
    throws IOException {
  Map<String, String> saslProps = saslPropsResolver.getClientProperties(addr);

  String userName = buildUserName(accessToken);
  char[] password = buildClientPassword(accessToken);
  CallbackHandler callbackHandler = new SaslClientCallbackHandler(userName,
    password);
  return doSaslHandshake(underlyingOut, underlyingIn, userName, saslProps,
    callbackHandler);
}
 

@Override
public void initialize(Subject subject, CallbackHandler callbackHandler,
                    Map<String,?> sharedState, Map<String,?> options) {
    // check shared object
    Object shared = sharedState.get(NAME);
    if (!VALUE.equals(shared)) {
        throw new RuntimeException("Unexpected shared object: "
                + shared);
    }
}
 

@Override
public SaslServer createSaslServer(String mechanism, String protocol, String serverName, Map<String, ?> props, CallbackHandler cbh)
    throws SaslException {

    if (!ScramMechanism.isScram(mechanism)) {
        throw new SaslException(String.format("Requested mechanism '%s' is not supported. Supported mechanisms are '%s'.",
                mechanism, ScramMechanism.mechanismNames()));
    }
    try {
        return new ScramSaslServer(ScramMechanism.forMechanismName(mechanism), props, cbh);
    } catch (NoSuchAlgorithmException e) {
        throw new SaslException("Hash algorithm not supported for mechanism " + mechanism, e);
    }
}
 

@Override
public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState, Map<String, ?> options) {
    String username = (String) options.get(USERNAME_CONFIG);
    if (username != null)
        subject.getPublicCredentials().add(username);
    String password = (String) options.get(PASSWORD_CONFIG);
    if (password != null)
        subject.getPrivateCredentials().add(password);
}
 

@Override
public SaslServer createSaslServer(String mechanism, String protocol, String serverName, Map<String, ?> props, CallbackHandler cbh)
    throws SaslException {

    if (!PLAIN_MECHANISM.equals(mechanism))
        throw new SaslException(String.format("Mechanism \'%s\' is not supported. Only PLAIN is supported.", mechanism));

    if (!(cbh instanceof SaslServerCallbackHandler))
        throw new SaslException("CallbackHandler must be of type SaslServerCallbackHandler, but it is: " + cbh.getClass());

    return new PlainSaslServer(((SaslServerCallbackHandler) cbh).jaasContext());
}
 

public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String,?> sharedState, Map<String,?> options) {
    if (options.containsKey("username")) {
        // Zookeeper client: get username and password from JAAS conf (only used if using DIGEST-MD5).
        this.subject = subject;
        String username = (String)options.get("username");
        this.subject.getPublicCredentials().add((Object)username);
        String password = (String)options.get("password");
        this.subject.getPrivateCredentials().add((Object)password);
    }
    return;
}
 

@Override
public void initialize(Subject subject, CallbackHandler callbackHandler,
        Map<String, ?> sharedState, Map<String, ?> options) {

    this.subject = subject;
    this.callbackHandler = callbackHandler;
    System.out.println(String.format(
            "'%s' login module initialized", this.getClass()));
}
 

public void initialize(final Subject subject, final CallbackHandler handler, final Map<String, ?> arg2,
        final Map<String, ?> arg3) {
    this.callbackHandler = handler;
}
 

/**
 * Try to create a SaslClient for an authentication type.  May return
 * null if the type isn't supported or the client lacks the required
 * credentials.
 * 
 * @param authType - the requested authentication method
 * @return SaslClient for the authType or null
 * @throws SaslException - error instantiating client
 * @throws IOException - misc errors
 */
private SaslClient createSaslClient(SaslAuth authType)
    throws SaslException, IOException {
  String saslUser = null;
  // SASL requires the client and server to use the same proto and serverId
  // if necessary, auth types below will verify they are valid
  final String saslProtocol = authType.getProtocol();
  final String saslServerName = authType.getServerId();
  Map<String, String> saslProperties =
    saslPropsResolver.getClientProperties(serverAddr.getAddress());  
  CallbackHandler saslCallback = null;
  
  final AuthMethod method = AuthMethod.valueOf(authType.getMethod());
  switch (method) {
    case TOKEN: {
      Token<?> token = getServerToken(authType);
      if (token == null) {
        LOG.debug("tokens aren't supported for this protocol" +
            " or user doesn't have one");
        return null;
      }
      saslCallback = new SaslClientCallbackHandler(token);
      break;
    }
    case KERBEROS: {
      if (ugi.getRealAuthenticationMethod().getAuthMethod() !=
          AuthMethod.KERBEROS) {
        LOG.debug("client isn't using kerberos");
        return null;
      }
      String serverPrincipal = getServerPrincipal(authType);
      if (serverPrincipal == null) {
        LOG.debug("protocol doesn't use kerberos");
        return null;
      }
      if (LOG.isDebugEnabled()) {
        LOG.debug("RPC Server's Kerberos principal name for protocol="
            + protocol.getCanonicalName() + " is " + serverPrincipal);
      }
      break;
    }
    default:
      throw new IOException("Unknown authentication method " + method);
  }

  String mechanism = method.getMechanismName();
  if (LOG.isDebugEnabled()) {
    LOG.debug("Creating SASL " + mechanism + "(" + method + ") "
        + " client to authenticate to service at " + saslServerName);
  }
  return Sasl.createSaslClient(
      new String[] { mechanism }, saslUser, saslProtocol, saslServerName,
      saslProperties, saslCallback);
}
 

@InterfaceAudience.Private
@InterfaceStability.Unstable
public SaslServer create(final Connection connection,
                         final Map<String,?> saslProperties,
                         SecretManager<TokenIdentifier> secretManager
    ) throws IOException, InterruptedException {
  UserGroupInformation ugi = null;
  final CallbackHandler callback;
  switch (authMethod) {
    case TOKEN: {
      callback = new SaslDigestCallbackHandler(secretManager, connection);
      break;
    }
    case KERBEROS: {
      ugi = UserGroupInformation.getCurrentUser();
      if (serverId.isEmpty()) {
        throw new AccessControlException(
            "Kerberos principal name does NOT have the expected "
                + "hostname part: " + ugi.getUserName());
      }
      callback = new SaslGssCallbackHandler();
      break;
    }
    default:
      // we should never be able to get here
      throw new AccessControlException(
          "Server does not support SASL " + authMethod);
  }
  
  final SaslServer saslServer;
  if (ugi != null) {
    saslServer = ugi.doAs(
      new PrivilegedExceptionAction<SaslServer>() {
        @Override
        public SaslServer run() throws SaslException  {
          return saslFactory.createSaslServer(mechanism, protocol, serverId,
              saslProperties, callback);
        }
      });
  } else {
    saslServer = saslFactory.createSaslServer(mechanism, protocol, serverId,
        saslProperties, callback);
  }
  if (saslServer == null) {
    throw new AccessControlException(
        "Unable to find SASL server implementation for " + mechanism);
  }
  if (LOG.isDebugEnabled()) {
    LOG.debug("Created SASL server with mechanism = " + mechanism);
  }
  return saslServer;
}
 

@Override
public void initialize(Subject subject, CallbackHandler callbackHandler,
        Map<String, ?> sharedState, Map<String, ?> options) {
    this.subject = subject;
    this.callbackHandler = callbackHandler;
}