Java Code Examples for org.ietf.jgss.GSSContext#requestConf()

The following examples show how to use org.ietf.jgss.GSSContext#requestConf() . You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
Source File: KerberizedClient.java    From elasticsearch-shield-kerberos-realm with Apache License 2.0 6 votes vote down vote up
GSSContext initGSS() throws Exception {
    final GSSManager MANAGER = GSSManager.getInstance();

    final PrivilegedExceptionAction<GSSCredential> action = new PrivilegedExceptionAction<GSSCredential>() {
        @Override
        public GSSCredential run() throws GSSException {
            return MANAGER.createCredential(null, GSSCredential.DEFAULT_LIFETIME, KrbConstants.SPNEGO, GSSCredential.INITIATE_ONLY);
        }
    };

    final GSSCredential clientcreds = Subject.doAs(initiatorSubject, action);

    final GSSContext context = MANAGER.createContext(MANAGER.createName(acceptorPrincipal, GSSName.NT_USER_NAME, KrbConstants.SPNEGO),
            KrbConstants.SPNEGO, clientcreds, GSSContext.DEFAULT_LIFETIME);

    //TODO make configurable
    context.requestMutualAuth(true);
    context.requestConf(true);
    context.requestInteg(true);
    context.requestReplayDet(true);
    context.requestSequenceDet(true);
    context.requestCredDeleg(false);

    return context;
}
 
Example 2
Source File: HttpDoAsClient.java    From hbase with Apache License 2.0 5 votes vote down vote up
private String generateTicket() throws GSSException {
  final GSSManager manager = GSSManager.getInstance();
  // Oid for kerberos principal name
  Oid krb5PrincipalOid = new Oid("1.2.840.113554.1.2.2.1");
  Oid KERB_V5_OID = new Oid("1.2.840.113554.1.2.2");
  final GSSName clientName = manager.createName(principal,
      krb5PrincipalOid);
  final GSSCredential clientCred = manager.createCredential(clientName,
      8 * 3600,
      KERB_V5_OID,
      GSSCredential.INITIATE_ONLY);

  final GSSName serverName = manager.createName(principal, krb5PrincipalOid);

  final GSSContext context = manager.createContext(serverName,
      KERB_V5_OID,
      clientCred,
      GSSContext.DEFAULT_LIFETIME);
  context.requestMutualAuth(true);
  context.requestConf(false);
  context.requestInteg(true);

  final byte[] outToken = context.initSecContext(new byte[0], 0, 0);
  StringBuffer outputBuffer = new StringBuffer();
  outputBuffer.append("Negotiate ");
  outputBuffer.append(Bytes.toString(Base64.getEncoder().encode(outToken)));
  System.out.print("Ticket is: " + outputBuffer);
  return outputBuffer.toString();
}
 
Example 3
Source File: Socks5LogicHandler.java    From neoscada with Eclipse Public License 1.0 4 votes vote down vote up
/**
 * Encodes the authentication packet for supported authentication methods.
 * 
 * @param request the socks proxy request data
 * @return the encoded buffer
 * @throws GSSException when something fails while using GSSAPI
 */
private IoBuffer encodeGSSAPIAuthenticationPacket(final SocksProxyRequest request) throws GSSException {
    GSSContext ctx = (GSSContext) getSession().getAttribute(GSS_CONTEXT);
    if (ctx == null) {
        // first step in the authentication process
        GSSManager manager = GSSManager.getInstance();
        GSSName serverName = manager.createName(request.getServiceKerberosName(), null);
        Oid krb5OID = new Oid(SocksProxyConstants.KERBEROS_V5_OID);

        if (LOGGER.isDebugEnabled()) {
            LOGGER.debug("Available mechs:");
            for (Oid o : manager.getMechs()) {
                if (o.equals(krb5OID)) {
                    LOGGER.debug("Found Kerberos V OID available");
                }
                LOGGER.debug("{} with oid = {}", manager.getNamesForMech(o), o);
            }
        }

        ctx = manager.createContext(serverName, krb5OID, null, GSSContext.DEFAULT_LIFETIME);

        ctx.requestMutualAuth(true); // Mutual authentication
        ctx.requestConf(false);
        ctx.requestInteg(false);

        getSession().setAttribute(GSS_CONTEXT, ctx);
    }

    byte[] token = (byte[]) getSession().getAttribute(GSS_TOKEN);
    if (token != null) {
        LOGGER.debug("  Received Token[{}] = {}", token.length, ByteUtilities.asHex(token));
    }
    IoBuffer buf = null;

    if (!ctx.isEstablished()) {
        // token is ignored on the first call
        if (token == null) {
            token = new byte[32];
        }

        token = ctx.initSecContext(token, 0, token.length);

        // Send a token to the server if one was generated by
        // initSecContext
        if (token != null) {
            LOGGER.debug("  Sending Token[{}] = {}", token.length, ByteUtilities.asHex(token));

            getSession().setAttribute(GSS_TOKEN, token);
            buf = IoBuffer.allocate(4 + token.length);
            buf.put(new byte[] { SocksProxyConstants.GSSAPI_AUTH_SUBNEGOTIATION_VERSION,
                    SocksProxyConstants.GSSAPI_MSG_TYPE });

            buf.put(ByteUtilities.intToNetworkByteOrder(token.length, 2));
            buf.put(token);
        }
    }

    return buf;
}