java source code of HTTPSpnegoAuthenticator

deprecated-security-advanced-modules-master
- NOTICE.txt
- .github
  - workflows
    - ci.yml
- src
  - main
    - java
      - com
        amazon
        dlic
        util
        SettingsBasedSSLConfigurator.java
        auth
        ldap
        backend
        LDAPAuthenticationBackend.java
        LDAPAuthorizationBackend.java
        LdapUser.java
        util
        ConfigConstants.java
        Utils.java
        LdapHelper.java
        ldap2
        LDAPConnectionFactoryFactory.java
        LDAPAuthorizationBackend2.java
        LDAPAuthenticationBackend2.java
        PrivilegedProvider.java
        LDAPUserSearcher.java
        MakeJava9Happy.java
        http
        jwt
        oidc
        json
        OpenIdProviderConfiguration.java
        keybyoidc
        KeySetProvider.java
        SelfRefreshingKeySet.java
        KeyProvider.java
        HTTPJwtKeyByOpenIdConnectAuthenticator.java
        BadCredentialsException.java
        JwtVerifier.java
        KeySetRetriever.java
        AuthenticatorUnavailableException.java
        HTTPJwtAuthenticator.java
        AbstractHTTPJwtAuthenticator.java
        kerberos
        util
        KrbConstants.java
        JaasKrbUtil.java
        HTTPSpnegoAuthenticator.java
        saml
        SamlConfigException.java
        HTTPSamlAuthenticator.java
        SamlFilesystemMetadataResolver.java
        SamlHTTPMetadataResolver.java
        SamlNameIdFormat.java
        AuthTokenProcessorHandler.java
        Saml2SettingsProvider.java
        opendistroforelasticsearch
        security
        compliance
        FieldReadCallback.java
        ComplianceIndexingOperationListenerImpl.java
        configuration
        DlsFlsFilterLeafReader.java
        MaskedField.java
        PrivilegesInterceptorImpl.java
        DlsFlsValveImpl.java
        DlsQueryParser.java
        OpenDistroSecurityFlsDlsIndexSearcherWrapper.java
        dlic
        rest
        api
        RolesApiAction.java
        ActionGroupsApiAction.java
        InternalUsersApiAction.java
        RestApiPrivilegesEvaluator.java
        PermissionsInfoAction.java
        Endpoint.java
        OpenDistroSecurityConfigAction.java
        PatchableResourceApiAction.java
        RolesMappingApiAction.java
        OpenDistroSecurityRestApiActions.java
        FlushCacheApiAction.java
        AuthTokenProcessorAction.java
        AbstractApiAction.java
        TenantsApiAction.java
        support
        Utils.java
        validation
        NoOpValidator.java
        RolesValidator.java
        TenantValidator.java
        AbstractConfigurationValidator.java
        ActionGroupValidator.java
        SecurityConfigValidator.java
        RolesMappingValidator.java
        InternalUsersValidator.java
        auditlog
        impl
        AuditLogImpl.java
        RequestResolver.java
        AuditMessage.java
        AbstractAuditLog.java
        sink
        KafkaSink.java
        Log4JSink.java
        ExternalESSink.java
        SinkProvider.java
        WebhookSink.java
        NoopSink.java
        InternalESSink.java
        DebugSink.java
        AuditLogSink.java
        routing
        AsyncStoragePool.java
        AuditMessageRouter.java
        httpclient
        HttpClient.java
  - test
    - resources
      - ldap
        base.ldif
        roles_mapping.yml
        root-ca.pem
        kirk.key.pem
        internal_users.yml
        roles.yml
        base2.ldif
        spock.crtfull.pem
        chain-ca.pem
        truststore.jks
        action_groups.yml
        node-0.key.pem
        node-0-keystore.jks
        spock.crt.pem
        test1.yml
        kirk-keystore.jks
        config_ldap2.yml
        spock-keystore.jks
        node-0.crt.pem
        spock.key.pem
        roles_tenants.yml
        config.yml
      - jwt
        truststore.jks
        node-0-keystore.jks
        kirk-keystore.jks
        spock-keystore.jks
      - restapi
        roles_captains_tenants_malformed.json
        roles_mapping.yml
        actiongroup_not_parseable.json
        rolesmapping_users_picard_single_wrong_datatype.json
        kirk.key.pem
        rolesmapping_backendroles_captains_list.json
        rolesmapping_all_access.json
        roles_field_masks_valid.json
        rolesmapping_hosts_single_wrong_datatype.json
        roles_captains_different_content.json
        securityconfig.json
        roles_multiple_2.json
        security_config.json
        rolesmapping_not_parseable.json
        roles_invalid_keys.json
        internal_users.yml
        roles.yml
        invalid_config.json
        roles_captains_no_tenants.json
        rolesmapping_hosts_list.json
        rolesmapping_users_picard_list.json
        roles_starfleet.json
        roles_complete_invalid.json
        users_wrong_datatypes2.json
        actiongroup_read.json
        truststore.jks
        users_wrong_datatypes.json
        simple_role.json
        actiongroup_readonly.json
        action_groups.yml
        node-0-keystore.jks
        users_wrong_datatypes3.json
        rolesmapping_backendroles_captains_single_wrong_datatype.json
        users_key_not_quoted.json
        rolesmapping_backendroles_captains_single.json
        roles_field_masks_invalid.json
        actiongroup_crud.json
        rolesmapping_hosts_single.json
        roles_multiple.json
        kirk-keystore.jks
        roles_captains.json
        rolesmapping_all_noaccess.json
        spock-keystore.jks
        roles_not_parseable.json
        rolesmapping_users_picard_single.json
        roles_captains_tenants2.json
        roles_captains_tenants.json
        roles_wrong_datatype.json
        roles_tenants.yml
        config.yml
        rolesmapping_invalid_keys.json
      - auditlog
        spock.all.pem
        roles_mapping.yml
        root-ca.pem
        mapping4.json
        kirk.key.pem
        truststore_fail.jks
        data2.json
        mapping3.json
        roles_2_tenants.yml
        data3.json
        node-0-keystore.p12
        kirk.all.pem
        internal_users.yml
        roles.yml
        signing-ca.pem
        data1.json
        spock.crtfull.pem
        mapping1.json
        kirk.crt.pem
        chain-ca.pem
        truststore.jks
        action_groups.yml
        node-0.key.pem
        messageasjson.json
        node-0-keystore.jks
        roles_2.yml
        endpoints
        configuration_wrong_endpoint_names.yml
        sink
        configuration_all_variants.yml
        configuration_kafka.yml
        configuration_no_multiple_endpoints.yml
        configuration_no_default.yml
        configuration_tls.yml
        routing
        configuration_wrong_endpoint_names.yml
        configuration_valid.yml
        configuration_wrong_endpoint_types.yml
        routing.yml
        configuration_no_default.yml
        fallback.yml
        configuration_wrong_categories.yml
        perftest.yml
        spock.crt.pem
        kirk-keystore.jks
        spock-keystore.p12
        spock-keystore.jks
        node-0.crt.pem
        data1mod.json
        kirk-keystore.p12
        spock.key.pem
        mapping2.json
        roles_tenants.yml
        config.yml
        kirk.crtfull.pem
      - log4j2-test.properties
      - cache
        roles_mapping.yml
        internal_users.yml
        roles.yml
        truststore.jks
        action_groups.yml
        node-0-keystore.jks
        kirk-keystore.jks
        spock-keystore.jks
        roles_tenants.yml
        config.yml
      - sslConfigurator
        jks
        node1-keystore.jks
        truststore.jks
        other-root-ca.jks
        other-root-ca.pem
        pem
        spock.key
        node-wrong-hostname-keystore.jks
        root-ca.pem
        node1-keystore.jks
        kirk.pem
        kirk.key
        signing-ca.pem
        node-wrong-hostname.key
        truststore.jks
        node1.pem
        wrong-kirk.key
        wrong-kirk.pem
        spock.pem
        other-root-ca.pem
        node1.key
        node-wrong-hostname.pem
      - multitenancy
        roles_mapping.yml
        config_basic_auth.yml
        internal_users.yml
        roles.yml
        truststore.jks
        action_groups.yml
        node-0-keystore.jks
        kirk-keystore.jks
        spock-keystore.jks
        config_nodnfof.yml
        roles_tenants.yml
        config.yml
      - saml
        kirk-keystore.jks
        spock-keystore.jks
      - dlsfls
        roles_983.yml
        flsquery2.json
        roles_mapping.yml
        masked_field_mapping.json
        internal_users.yml
        roles.yml
        flsquery.json
        roles_983_tenants.yml
        truststore.jks
        action_groups.yml
        node-0-keystore.jks
        logs_bulk_data.json
        doc1.json
        kirk-keystore.jks
        roles_ccs2.yml
        spock-keystore.jks
        roles_ccs2_tenants.yml
        scenarios.txt
        roles_tenants.yml
        config.yml
    - java
      - com
        amazon
        dlic
        auth
        ldap
        LdapBackendTestNewStyleConfig.java
        LdapBackendTest.java
        srv
        LdapServer.java
        EmbeddedLDAPServer.java
        UtilsTest.java
        LdapBackendTestClientCert.java
        LdapBackendIntegTest.java
        ldap2
        LdapBackendIntegTest2.java
        LdapBackendTestClientCert2.java
        LdapBackendTestOldStyleConfig2.java
        LdapBackendTestNewStyleConfig2.java
        http
        jwt
        HTTPJwtAuthenticatorTest.java
        keybyoidc
        CxfTestTools.java
        HTTPJwtKeyByOpenIdConnectAuthenticatorTest.java
        TestJwts.java
        KeySetRetrieverTest.java
        TestJwk.java
        SingleKeyHTTPJwtKeyByOpenIdConnectAuthenticatorTest.java
        MockIpdServer.java
        SelfRefreshingKeySetTest.java
        saml
        HTTPSamlAuthenticatorTest.java
        MockSamlIdpServer.java
        opendistroforelasticsearch
        security
        dlic
        rest
        api
        IndexMissingTest.java
        RolesMappingApiTest.java
        ActionGroupsApiTest.java
        GetConfigurationApiTest.java
        UserApiTest.java
        OpenDistroSecurityApiAccessTest.java
        RolesApiTest.java
        RoleBasedAccessTest.java
        AbstractRestApiUnitTest.java
        FlushCacheApiTest.java
        SecurityConfigApiTest.java
        dlsfls
        FlsDlsTestMulti.java
        FlsPerfTest.java
        DlsTest.java
        FieldMaskedTest.java
        DlsScrollTest.java
        FlsDlsTestForbiddenField.java
        DlsDateMathTest.java
        FlsTest.java
        Fls983Test.java
        FlsFieldsTest.java
        FlsFieldsWcTest.java
        MFlsTest.java
        IndexPatternTest.java
        DlsFlsCrossClusterSearchTest.java
        CustomFieldMaskedTest.java
        CustomFieldMaskedComplexMappingTest.java
        FlsExistsFieldsTest.java
        DlsNestedTest.java
        DateMathTest.java
        DlsPropsReplaceTest.java
        FlsDlsTestAB.java
        AbstractDlsFlsTest.java
        auditlog
        impl
        DelegateTest.java
        DisabledCategoriesTest.java
        IgnoreAuditUsersTest.java
        AuditlogTest.java
        TracingTests.java
        compliance
        RestApiComplianceAuditlogTest.java
        ComplianceAuditlogTest.java
        integration
        TestAuditlogImpl.java
        BasicAuditlogTest.java
        SSLAuditlogTest.java
        sink
        KafkaSinkTest.java
        WebhookAuditLogTest.java
        MockWebhookAuditLog.java
        SinkProviderTest.java
        SinkProviderTLSTest.java
        AbstractAuditlogiUnitTest.java
        helper
        RetrySink.java
        FailingSink.java
        MockRestRequest.java
        TestHttpHandler.java
        ErroneousHttpHandler.java
        LoggingSink.java
        SlowSink.java
        MyOwnAuditLog.java
        MockAuditMessageFactory.java
        AuditLogTestSuite.java
        routing
        FallbackTest.java
        RoutingConfigurationTest.java
        ThreadPoolSettingsTest.java
        PerfTest.java
        RouterTest.java
        util
        FakeRestRequest.java
        SettingsBasedSSLConfiguratorTest.java
        httpclient
        HttpClientTest.java
        cache
        DummyAuthorizer.java
        DummyHTTPAuthenticator.java
        DummyAuthenticationBackend.java
        CachingTest.java
        multitenancy
        test
        MultitenancyTests.java
- output.txt
- pom.xml
- LICENSE
- CONTRIBUTING.md
- opendistro-elasticsearch-security-advanced-modules.release-notes
- THIRD-PARTY.txt
- README.md
- CODE_OF_CONDUCT.md
- .gitignore

/*
 * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 *
 *  Licensed under the Apache License, Version 2.0 (the "License").
 *  You may not use this file except in compliance with the License.
 *  A copy of the License is located at
 *
 *  http://www.apache.org/licenses/LICENSE-2.0
 *
 *  or in the "license" file accompanying this file. This file is distributed
 *  on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
 *  express or implied. See the License for the specific language governing
 *  permissions and limitations under the License.
 */

package com.amazon.dlic.auth.http.kerberos;

import java.io.Serializable;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;


import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ExceptionsHelper;
import org.elasticsearch.SpecialPermission;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.common.xcontent.XContentBuilder;
import org.elasticsearch.common.xcontent.XContentFactory;
import org.elasticsearch.env.Environment;
//import org.elasticsearch.env.Environment;
import org.elasticsearch.rest.BytesRestResponse;
import org.elasticsearch.rest.RestChannel;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.rest.RestStatus;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

import com.amazon.dlic.auth.http.kerberos.util.JaasKrbUtil;
import com.amazon.dlic.auth.http.kerberos.util.KrbConstants;
import com.amazon.opendistroforelasticsearch.security.auth.HTTPAuthenticator;
import com.amazon.opendistroforelasticsearch.security.user.AuthCredentials;
import com.google.common.base.Strings;

public class HTTPSpnegoAuthenticator implements HTTPAuthenticator {

    private static final String EMPTY_STRING = "";
    private static final Oid[] KRB_OIDS = new Oid[] {KrbConstants.SPNEGO, KrbConstants.KRB5MECH};

    protected final Logger log = LogManager.getLogger(this.getClass());

    private boolean stripRealmFromPrincipalName;
    private Set<String> acceptorPrincipal;
    private Path acceptorKeyTabPath;

    public HTTPSpnegoAuthenticator(final Settings settings, final Path configPath) {
        super();
        try {
            final Path configDir = new Environment(settings, configPath).configFile();
            final String krb5PathSetting = settings.get("opendistro_security.kerberos.krb5_filepath");

            final SecurityManager sm = System.getSecurityManager();

            if (sm != null) {
                sm.checkPermission(new SpecialPermission());
            }

            AccessController.doPrivileged(new PrivilegedAction<Void>() {

                @Override
                public Void run() {

                    try {
                        if (settings.getAsBoolean("krb_debug", false)) {
                            JaasKrbUtil.setDebug(true);
                            System.setProperty("sun.security.krb5.debug", "true");
                            System.setProperty("java.security.debug", "gssloginconfig,logincontext,configparser,configfile");
                            System.setProperty("sun.security.spnego.debug", "true");
                            System.out.println("Kerberos debug is enabled");
                            System.err.println("Kerberos debug is enabled");
                            log.info("Kerberos debug is enabled on stdout");
                        } else {
                            log.debug("Kerberos debug is NOT enabled");
                        }
                    } catch (Throwable e) {
                        log.error("Unable to enable krb_debug due to ", e);
                        System.err.println("Unable to enable krb_debug due to "+ExceptionsHelper.stackTrace(e));
                        System.out.println("Unable to enable krb_debug due to "+ExceptionsHelper.stackTrace(e));
                    }

                    System.setProperty(KrbConstants.USE_SUBJECT_CREDS_ONLY_PROP, "false");

                    String krb5Path = krb5PathSetting;

                    if(!Strings.isNullOrEmpty(krb5Path)) {

                        if(Paths.get(krb5Path).isAbsolute()) {
                            log.debug("krb5_filepath: {}", krb5Path);
                            System.setProperty(KrbConstants.KRB5_CONF_PROP, krb5Path);
                        } else {
                            krb5Path = configDir.resolve(krb5Path).toAbsolutePath().toString();
                            log.debug("krb5_filepath (resolved from {}): {}", configDir, krb5Path);
                        }

                        System.setProperty(KrbConstants.KRB5_CONF_PROP, krb5Path);
                    } else {
                        if(Strings.isNullOrEmpty(System.getProperty(KrbConstants.KRB5_CONF_PROP))) {
                            System.setProperty(KrbConstants.KRB5_CONF_PROP, "/etc/krb5.conf");
                            log.debug("krb5_filepath (was not set or configured, set to default): /etc/krb5.conf");
                        }
                    }

                    stripRealmFromPrincipalName = settings.getAsBoolean("strip_realm_from_principal", true);
                    acceptorPrincipal = new HashSet<>(settings.getAsList("opendistro_security.kerberos.acceptor_principal", Collections.emptyList()));
                    final String _acceptorKeyTabPath = settings.get("opendistro_security.kerberos.acceptor_keytab_filepath");

                    if(acceptorPrincipal == null || acceptorPrincipal.size() == 0) {
                        log.error("acceptor_principal must not be null or empty. Kerberos authentication will not work");
                        acceptorPrincipal = null;
                    }

                    if(_acceptorKeyTabPath == null || _acceptorKeyTabPath.length() == 0) {
                        log.error("opendistro_security.kerberos.acceptor_keytab_filepath must not be null or empty. Kerberos authentication will not work");
                        acceptorKeyTabPath = null;
                    } else {
                        acceptorKeyTabPath = configDir.resolve(settings.get("opendistro_security.kerberos.acceptor_keytab_filepath"));

                        if(!Files.exists(acceptorKeyTabPath)) {
                            log.error("Unable to read keytab from {} - Maybe the file does not exist or is not readable. Kerberos authentication will not work", acceptorKeyTabPath);
                            acceptorKeyTabPath = null;
                        }
                    }

                    return null;
                }
            });

            log.debug("strip_realm_from_principal {}", stripRealmFromPrincipalName);
            log.debug("acceptor_principal {}", acceptorPrincipal);
            log.debug("acceptor_keytab_filepath {}", acceptorKeyTabPath);

        } catch (Throwable e) {
            log.error("Cannot construct HTTPSpnegoAuthenticator due to {}", e.getMessage(), e);
            log.error("Please make sure you configured 'opendistro_security.kerberos.acceptor_keytab_filepath' realtive to the ES config/ dir!");
            throw e;
        }

    }

    @Override
    public AuthCredentials extractCredentials(final RestRequest request, ThreadContext threadContext) {
        final SecurityManager sm = System.getSecurityManager();

        if (sm != null) {
            sm.checkPermission(new SpecialPermission());
        }

        AuthCredentials creds = AccessController.doPrivileged(new PrivilegedAction<AuthCredentials>() {
            @Override
            public AuthCredentials run() {
                return extractCredentials0(request);
            }
        });

        return creds;
    }

    private AuthCredentials extractCredentials0(final RestRequest request) {

        if (acceptorPrincipal == null || acceptorKeyTabPath == null) {
            log.error("Missing acceptor principal or keytab configuration. Kerberos authentication will not work");
            return null;
        }

        Principal principal = null;
        final String authorizationHeader = request.header("Authorization");

        if (authorizationHeader != null) {
            if (!authorizationHeader.trim().toLowerCase().startsWith("negotiate ")) {
                log.warn("No 'Negotiate Authorization' header, send 401 and 'WWW-Authenticate Negotiate'");
                return null;
            } else {
                final byte[] decodedNegotiateHeader = Base64.getDecoder().decode(authorizationHeader.substring(10));

                GSSContext gssContext = null;
                byte[] outToken = null;

                try {

                    final Subject subject = JaasKrbUtil.loginUsingKeytab(acceptorPrincipal, acceptorKeyTabPath, false);

                    final GSSManager manager = GSSManager.getInstance();
                    final int credentialLifetime = GSSCredential.INDEFINITE_LIFETIME;

                    final PrivilegedExceptionAction<GSSCredential> action = new PrivilegedExceptionAction<GSSCredential>() {
                        @Override
                        public GSSCredential run() throws GSSException {
                            return manager.createCredential(null, credentialLifetime, KRB_OIDS, GSSCredential.ACCEPT_ONLY);
                        }
                    };
                    gssContext = manager.createContext(Subject.doAs(subject, action));

                    outToken = Subject.doAs(subject, new AcceptAction(gssContext, decodedNegotiateHeader));

                    if (outToken == null) {
                        log.warn("Ticket validation not successful, outToken is null");
                        return null;
                    }

                    principal = Subject.doAs(subject, new AuthenticateAction(log, gssContext, stripRealmFromPrincipalName));

                } catch (final LoginException e) {
                    log.error("Login exception due to", e);
                    return null;
                } catch (final GSSException e) {
                    log.error("Ticket validation not successful due to", e);
                    return null;
                } catch (final PrivilegedActionException e) {
                    final Throwable cause = e.getCause();
                    if (cause instanceof GSSException) {
                        log.info("Service login not successful due to", e);
                    } else {
                        log.error("Service login not successful due to", e);
                    }
                    return null;
                } finally {
                    if (gssContext != null) {
                        try {
                            gssContext.dispose();
                        } catch (final GSSException e) {
                            // Ignore
                        }
                    }
                }

                if (principal == null) {
                    return new AuthCredentials("_incomplete_", (Object) outToken);
                }


                final String username = ((SimpleUserPrincipal) principal).getName();

                if(username == null || username.length() == 0) {
                    log.error("Got empty or null user from kerberos. Normally this means that you acceptor principal {} does not match the server hostname", acceptorPrincipal);
                }

                return new AuthCredentials(username, (Object) outToken).markComplete();

            }
        } else {
            log.trace("No 'Authorization' header, send 401 and 'WWW-Authenticate Negotiate'");
            return null;
        }

    }

    @Override
    public boolean reRequestAuthentication(final RestChannel channel, AuthCredentials creds) {

    	final BytesRestResponse wwwAuthenticateResponse;
    	XContentBuilder response = getNegotiateResponseBody();

    	if (response != null) {
        	wwwAuthenticateResponse = new BytesRestResponse(RestStatus.UNAUTHORIZED, response);
        } else {
        	wwwAuthenticateResponse = new BytesRestResponse(RestStatus.UNAUTHORIZED, EMPTY_STRING);
        }

        if(creds == null || creds.getNativeCredentials() == null) {
            wwwAuthenticateResponse.addHeader("WWW-Authenticate", "Negotiate");
        } else {
            wwwAuthenticateResponse.addHeader("WWW-Authenticate", "Negotiate "+Base64.getEncoder().encodeToString((byte[]) creds.getNativeCredentials()));
        }
        channel.sendResponse(wwwAuthenticateResponse);
        return true;
    }

    @Override
    public String getType() {
        return "spnego";
    }

    /**
     * This class gets a gss credential via a privileged action.
     */
    //borrowed from Apache Tomcat 8 http://svn.apache.org/repos/asf/tomcat/tc8.0.x/trunk/
    private static class AcceptAction implements PrivilegedExceptionAction<byte[]> {

        GSSContext gssContext;

        byte[] decoded;

        AcceptAction(final GSSContext context, final byte[] decodedToken) {
            this.gssContext = context;
            this.decoded = decodedToken;
        }

        @Override
        public byte[] run() throws GSSException {
            return gssContext.acceptSecContext(decoded, 0, decoded.length);
        }
    }

    //borrowed from Apache Tomcat 8 http://svn.apache.org/repos/asf/tomcat/tc8.0.x/trunk/
    private static class AuthenticateAction implements PrivilegedAction<Principal> {

        private final Logger logger;
        private final GSSContext gssContext;
        private final boolean strip;

        private AuthenticateAction(final Logger logger, final GSSContext gssContext, final boolean strip) {
            super();
            this.logger = logger;
            this.gssContext = gssContext;
            this.strip = strip;
        }

        @Override
        public Principal run() {
            return new SimpleUserPrincipal(getUsernameFromGSSContext(gssContext, strip, logger));
        }
    }

    //borrowed from Apache Tomcat 8 http://svn.apache.org/repos/asf/tomcat/tc8.0.x/trunk/
    private static String getUsernameFromGSSContext(final GSSContext gssContext, final boolean strip, final Logger logger) {
        if (gssContext.isEstablished()) {
            GSSName gssName = null;
            try {
                gssName = gssContext.getSrcName();
            } catch (final GSSException e) {
                logger.error("Unable to get src name from gss context", e);
            }

            if (gssName != null) {
                String name = gssName.toString();
                return stripRealmName(name, strip);
            } else {
                logger.error("GSS name is null");
            }
        } else {
            logger.error("GSS context not established");
        }

        return null;
    }

	private XContentBuilder getNegotiateResponseBody() {
		try {
			XContentBuilder negotiateResponseBody = XContentFactory.jsonBuilder();
			negotiateResponseBody.startObject();
			negotiateResponseBody.field("error");
			negotiateResponseBody.startObject();
			negotiateResponseBody.field("header");
			negotiateResponseBody.startObject();
			negotiateResponseBody.field("WWW-Authenticate", "Negotiate");
			negotiateResponseBody.endObject();
			negotiateResponseBody.endObject();
			negotiateResponseBody.endObject();
			return negotiateResponseBody;
		} catch (Exception ex) {
			log.error("Can't construct response body", ex);
			return null;
		}
	}

    private static String stripRealmName(String name, boolean strip){
        if (strip && name != null) {
            final int i = name.indexOf('@');
            if (i > 0) {
                // Zero so we don;t leave a zero length name
                name = name.substring(0, i);
            }
        }

        return name;
    }

    private static class SimpleUserPrincipal implements Principal, Serializable {

        private static final long serialVersionUID = -1;
        private final String username;

        SimpleUserPrincipal(final String username) {
            super();
            this.username = username;
        }

        @Override
        public int hashCode() {
            final int prime = 31;
            int result = 1;
            result = prime * result + ((username == null) ? 0 : username.hashCode());
            return result;
        }

        @Override
        public boolean equals(final Object obj) {
            if (this == obj) {
                return true;
            }
            if (obj == null) {
                return false;
            }
            if (getClass() != obj.getClass()) {
                return false;
            }
            final SimpleUserPrincipal other = (SimpleUserPrincipal) obj;
            if (username == null) {
                if (other.username != null) {
                    return false;
                }
            } else if (!username.equals(other.username)) {
                return false;
            }
            return true;
        }

        @Override
        public String getName() {
            return this.username;
        }

        @Override
        public String toString() {
            final StringBuilder buffer = new StringBuilder();
            buffer.append("[principal: ");
            buffer.append(this.username);
            buffer.append("]");
            return buffer.toString();
        }
    }

}