org.springframework.security.kerberos.authentication.KerberosServiceRequestToken Java Examples

The following examples show how to use org.springframework.security.kerberos.authentication.KerberosServiceRequestToken.
Example #1
Source File: KerberosService.java    From localization_nifi with Apache License 2.0
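/**
 * Attempts Kerberos authentication using the Negotiate token carried in the request's
 * authorization header.
 *
 * <p>The provider is only consulted when the request is secure and
 * {@code isValidKerberosHeader} accepts the header; in every other case the method
 * returns {@code null} without attempting authentication.
 *
 * @param request the incoming HTTP request
 * @return the result of {@code kerberosServiceAuthenticationProvider.authenticate(...)}, or
 *         {@code null} when the request is not secure or carries no acceptable header
 */
public Authentication validateKerberosTicket(HttpServletRequest request) {
    // Only support Kerberos login when running securely
    if (!request.isSecure()) {
        return null;
    }

    final String header = request.getHeader(AUTHORIZATION_HEADER_NAME);
    if (!isValidKerberosHeader(header)) {
        return null;
    }

    if (logger.isDebugEnabled()) {
        // The header value is an authentication credential: record that it arrived and how
        // large it is, but never write the token itself to the log.
        logger.debug("Received Negotiate Header for request " + request.getRequestURL()
                + " (" + header.length() + " characters)");
    }

    // Everything after the first space is treated as the base64-encoded ticket.
    // NOTE(review): this relies on isValidKerberosHeader having confirmed the "<scheme> <token>"
    // shape; with no space present the whole header would be decoded. Confirm against that helper.
    final byte[] base64Token = header.substring(header.indexOf(" ") + 1).getBytes(StandardCharsets.UTF_8);
    // NOTE(review): behaviour of Base64.decode on malformed input is not visible here; verify that
    // a garbage token ends in an authentication failure rather than an unhandled exception.
    final byte[] kerberosTicket = Base64.decode(base64Token);

    final KerberosServiceRequestToken authenticationRequest = new KerberosServiceRequestToken(kerberosTicket);
    authenticationRequest.setDetails(authenticationDetailsSource.buildDetails(request));

    return kerberosServiceAuthenticationProvider.authenticate(authenticationRequest);
}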
 
Example #2
Source File: KerberosService.java    From nifi with Apache License 2.0
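/**
 * Validates the Kerberos ticket presented in the request's Negotiate authorization header.
 *
 * @param request the HTTP request that may carry a Negotiate header
 * @return the {@code Authentication} produced by the Kerberos service authentication provider,
 *         or {@code null} if the request is not secure or the header is rejected by
 *         {@code isValidKerberosHeader}
 */
public Authentication validateKerberosTicket(HttpServletRequest request) {
    // Only support Kerberos login when running securely
    if (!request.isSecure()) {
        return null;
    }

    String header = request.getHeader(AUTHORIZATION_HEADER_NAME);

    if (isValidKerberosHeader(header)) {
        if (logger.isDebugEnabled()) {
            // Do not log the header value: it is the client's service ticket, and debug logs are
            // commonly shipped to systems with a wider audience than the service itself.
            logger.debug("Received Negotiate Header for request " + request.getRequestURL());
        }

        // Strip the scheme prefix (up to and including the first space) and decode the remainder.
        // NOTE(review): assumes isValidKerberosHeader guarantees a space-separated token - confirm.
        String encodedTicket = header.substring(header.indexOf(" ") + 1);
        byte[] kerberosTicket = Base64.decode(encodedTicket.getBytes(StandardCharsets.UTF_8));

        KerberosServiceRequestToken authenticationRequest = new KerberosServiceRequestToken(kerberosTicket);
        // Attach request details built by authenticationDetailsSource before authenticating
        authenticationRequest.setDetails(authenticationDetailsSource.buildDetails(request));

        return kerberosServiceAuthenticationProvider.authenticate(authenticationRequest);
    } else {
        return null;
    }
}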
 
Example #3
Source File: KerberosSpnegoIdentityProvider.java    From nifi-registry with Apache License 2.0
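/**
 * Authenticates a request whose credentials are a raw Kerberos ticket ({@code byte[]}).
 *
 * @param authenticationRequest the request carrying the ticket as its credentials
 * @return an {@code AuthenticationResponse} whose first two arguments are both the authenticated
 *         Kerberos principal name, or {@code null} when the request is {@code null} or its
 *         credentials are not a {@code byte[]} ticket
 * @throws InvalidCredentialsException if the provider returns {@code null} or throws an
 *         {@code AuthenticationException}
 * @throws IdentityAccessException if the Kerberos authentication provider is not initialized
 */
@Override
public AuthenticationResponse authenticate(AuthenticationRequest authenticationRequest) throws InvalidCredentialsException, IdentityAccessException {

    if (authenticationRequest == null) {
        logger.info("Cannot authenticate null authenticationRequest, returning null.");
        return null;
    }

    final Object credentials = authenticationRequest.getCredentials();
    // instanceof is false for null, so this covers both absent and wrongly-typed credentials
    final byte[] kerberosTicket = credentials instanceof byte[] ? (byte[]) credentials : null;

    // Test the extracted ticket rather than the raw credentials object: credentials of any other
    // type would otherwise reach the provider as a null ticket.
    if (kerberosTicket == null) {
        logger.info("Kerberos Ticket not found in authenticationRequest credentials, returning null.");
        return null;
    }

    if (kerberosServiceAuthenticationProvider == null) {
        throw new IdentityAccessException("The Kerberos authentication provider is not initialized.");
    }

    try {
        KerberosServiceRequestToken kerberosServiceRequestToken = new KerberosServiceRequestToken(kerberosTicket);
        kerberosServiceRequestToken.setDetails(authenticationRequest.getDetails());
        Authentication authentication = kerberosServiceAuthenticationProvider.authenticate(kerberosServiceRequestToken);
        if (authentication == null) {
            // A null result is treated as a failed authentication, not as "no opinion"
            throw new InvalidCredentialsException("Kerberos credentials could not be authenticated.");
        }

        final String kerberosPrincipal = authentication.getName();

        return new AuthenticationResponse(kerberosPrincipal, kerberosPrincipal, expiration, issuer);

    } catch (AuthenticationException e) {
        String authFailedMessage = "Kerberos credentials could not be authenticated.";

        /* Kerberos uses encryption with up to AES-256, specifically AES256-CTS-HMAC-SHA1-96.
         * That is not available in every JRE, particularly if Unlimited Strength Encryption
         * policies are not installed in the Java home lib dir. The Kerberos lib does not
         * differentiate between failures due to decryption and those due to bad credentials
         * without walking the causes of the exception, so this check puts something
         * potentially useful in the logs for those troubleshooting Kerberos authentication.
         * The hint is appended for any result other than Boolean.FALSE. */
        if (!Boolean.FALSE.equals(CryptoUtils.isCryptoRestricted())) {
            authFailedMessage += " This Java Runtime does not support unlimited strength encryption. " +
                    "This could cause Kerberos authentication to fail as it can require AES-256.";
        }

        logger.info(authFailedMessage);
        // Keep the original exception as the cause so the underlying failure stays diagnosable
        throw new InvalidCredentialsException(authFailedMessage, e);
    }

}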