Java Code Examples for sun.security.jgss.GSSUtil#useSubjectCredsOnly()

The following examples show how to use sun.security.jgss.GSSUtil#useSubjectCredsOnly() . You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
Source File: Krb5Util.java — from jdk8u-jdk, GNU General Public License v2.0
/**
 * Looks up the ServiceCreds for {@code serverPrincipal}, first in the
 * Subject bound to {@code acc} and, when nothing is found there and the
 * caller is not restricted to Subject credentials, in a Subject obtained
 * through a LoginContext login.
 *
 * NOTE: This method is also used by JSSE Kerberos Cipher Suites
 *
 * @param caller          passed to GSSUtil.useSubjectCredsOnly and
 *                        GSSUtil.login; gates the login fallback
 * @param serverPrincipal server principal whose credentials are wanted
 * @param acc             context whose Subject is searched first; a
 *                        missing Subject simply skips that search
 * @return the credentials found, or null when neither source has them
 * @throws LoginException propagated from the fallback login
 */
public static ServiceCreds getServiceCreds(GSSCaller caller,
    String serverPrincipal, AccessControlContext acc)
            throws LoginException {

    Subject fromAcc = Subject.getSubject(acc);
    ServiceCreds found = (fromAcc == null)
            ? null
            : ServiceCreds.getInstance(fromAcc, serverPrincipal);

    // Subject-only callers never fall through to a login
    if (found != null || GSSUtil.useSubjectCredsOnly(caller)) {
        return found;
    }

    Subject loginSubj = GSSUtil.login(caller, GSSUtil.GSS_KRB5_MECH_OID);
    return ServiceCreds.getInstance(loginSubj, serverPrincipal);
}
 
Example 2
Source File: NativeGSSFactory.java — from hottub, GNU General Public License v2.0
/**
 * Returns the first native credential element for {@code name} found in
 * the current Subject, or null when there is no Subject or no matching
 * element. When a Subject exists but holds no usable element and the
 * caller is restricted to Subject credentials, NO_CRED is raised
 * instead of returning null.
 *
 * @param name     the GSS name the credential must match
 * @param initiate whether an initiator (true) or acceptor credential
 *                 is wanted; forwarded to GSSUtil.searchSubject
 * @return the credential after its service permission check, or null
 * @throws GSSException NO_CRED in the subject-only case described above,
 *                      or whatever doServicePermCheck raises
 */
private GSSCredElement getCredFromSubject(GSSNameElement name,
                                          boolean initiate)
    throws GSSException {
    Oid mech = cStub.getMech();
    Vector<GSSCredElement> found = GSSUtil.searchSubject
        (name, mech, initiate, GSSCredElement.class);

    boolean subjectPresent = (found != null);
    boolean haveCred = subjectPresent && !found.isEmpty();

    // A Subject without native creds is a hard failure only for callers
    // that may not acquire credentials elsewhere
    if (subjectPresent && !haveCred
            && GSSUtil.useSubjectCredsOnly(caller)) {
        throw new GSSException(GSSException.NO_CRED);
    }
    if (!haveCred) {
        return null;
    }

    GSSCredElement cred = found.firstElement();
    // The permission check runs before the cred can leave this method
    cred.doServicePermCheck();
    return cred;
}
 
Example 3
Source File: Krb5Util.java — from openjdk-jdk8u-backup, GNU General Public License v2.0
/**
 * Finds the KerberosTicket for the client/server principal pair, first in
 * the Subject bound to {@code acc} and, when absent there and the caller
 * is not restricted to Subject credentials, in a Subject obtained through
 * a LoginContext login.
 *
 * @param caller          passed to GSSUtil.useSubjectCredsOnly and
 *                        GSSUtil.login; gates the login fallback
 * @param clientPrincipal client principal the ticket must belong to
 * @param serverPrincipal server principal the ticket must be for
 * @param acc             context whose Subject is searched first (a
 *                        missing Subject is handed to SubjectComber as is)
 * @return the ticket, or null when neither source holds one
 * @throws LoginException propagated from the fallback login
 */
static KerberosTicket getTicket(GSSCaller caller,
    String clientPrincipal, String serverPrincipal,
    AccessControlContext acc) throws LoginException {

    // First source: the Subject associated with acc
    KerberosTicket found = SubjectComber.find(Subject.getSubject(acc),
            serverPrincipal, clientPrincipal, KerberosTicket.class);
    if (found != null || GSSUtil.useSubjectCredsOnly(caller)) {
        return found;
    }

    // Second source: a Subject produced by a LoginContext login
    Subject loginSubj = GSSUtil.login(caller, GSSUtil.GSS_KRB5_MECH_OID);
    return SubjectComber.find(loginSubj,
            serverPrincipal, clientPrincipal, KerberosTicket.class);
}
 
Example 4
Source File: NativeGSSFactory.java — from openjdk-jdk8u-backup, GNU General Public License v2.0
/**
 * Returns the first native credential element for {@code name} found in
 * the current Subject, or null when there is no Subject or no matching
 * element. When a Subject exists but holds no usable element and the
 * caller is restricted to Subject credentials, NO_CRED is raised
 * instead of returning null.
 *
 * @param name     the GSS name the credential must match
 * @param initiate whether an initiator (true) or acceptor credential
 *                 is wanted; forwarded to GSSUtil.searchSubject
 * @return the credential after its service permission check, or null
 * @throws GSSException NO_CRED in the subject-only case described above,
 *                      or whatever doServicePermCheck raises
 */
private GSSCredElement getCredFromSubject(GSSNameElement name,
                                          boolean initiate)
    throws GSSException {
    Oid mech = cStub.getMech();
    Vector<GSSCredElement> found = GSSUtil.searchSubject
        (name, mech, initiate, GSSCredElement.class);

    boolean subjectPresent = (found != null);
    boolean haveCred = subjectPresent && !found.isEmpty();

    // A Subject without native creds is a hard failure only for callers
    // that may not acquire credentials elsewhere
    if (subjectPresent && !haveCred
            && GSSUtil.useSubjectCredsOnly(caller)) {
        throw new GSSException(GSSException.NO_CRED);
    }
    if (!haveCred) {
        return null;
    }

    GSSCredElement cred = found.firstElement();
    // The permission check runs before the cred can leave this method
    cred.doServicePermCheck();
    return cred;
}
 
Example 5
Source File: NativeGSSFactory.java — from TencentKona-8, GNU General Public License v2.0
/**
 * Returns the first native credential element for {@code name} found in
 * the current Subject, or null when there is no Subject or no matching
 * element. When a Subject exists but holds no usable element and the
 * caller is restricted to Subject credentials, NO_CRED is raised
 * instead of returning null.
 *
 * @param name     the GSS name the credential must match
 * @param initiate whether an initiator (true) or acceptor credential
 *                 is wanted; forwarded to GSSUtil.searchSubject
 * @return the credential after its service permission check, or null
 * @throws GSSException NO_CRED in the subject-only case described above,
 *                      or whatever doServicePermCheck raises
 */
private GSSCredElement getCredFromSubject(GSSNameElement name,
                                          boolean initiate)
    throws GSSException {
    Oid mech = cStub.getMech();
    Vector<GSSCredElement> found = GSSUtil.searchSubject
        (name, mech, initiate, GSSCredElement.class);

    boolean subjectPresent = (found != null);
    boolean haveCred = subjectPresent && !found.isEmpty();

    // A Subject without native creds is a hard failure only for callers
    // that may not acquire credentials elsewhere
    if (subjectPresent && !haveCred
            && GSSUtil.useSubjectCredsOnly(caller)) {
        throw new GSSException(GSSException.NO_CRED);
    }
    if (!haveCred) {
        return null;
    }

    GSSCredElement cred = found.firstElement();
    // The permission check runs before the cred can leave this method
    cred.doServicePermCheck();
    return cred;
}
 
Example 6
Source File: Krb5Util.java — from jdk8u_jdk, GNU General Public License v2.0
/**
 * Looks up the ServiceCreds for {@code serverPrincipal}, first in the
 * Subject bound to {@code acc} and, when nothing is found there and the
 * caller is not restricted to Subject credentials, in a Subject obtained
 * through a LoginContext login.
 *
 * NOTE: This method is also used by JSSE Kerberos Cipher Suites
 *
 * @param caller          passed to GSSUtil.useSubjectCredsOnly and
 *                        GSSUtil.login; gates the login fallback
 * @param serverPrincipal server principal whose credentials are wanted
 * @param acc             context whose Subject is searched first; a
 *                        missing Subject simply skips that search
 * @return the credentials found, or null when neither source has them
 * @throws LoginException propagated from the fallback login
 */
public static ServiceCreds getServiceCreds(GSSCaller caller,
    String serverPrincipal, AccessControlContext acc)
            throws LoginException {

    Subject fromAcc = Subject.getSubject(acc);
    ServiceCreds found = (fromAcc == null)
            ? null
            : ServiceCreds.getInstance(fromAcc, serverPrincipal);

    // Subject-only callers never fall through to a login
    if (found != null || GSSUtil.useSubjectCredsOnly(caller)) {
        return found;
    }

    Subject loginSubj = GSSUtil.login(caller, GSSUtil.GSS_KRB5_MECH_OID);
    return ServiceCreds.getInstance(loginSubj, serverPrincipal);
}
 
Example 7
Source File: NativeGSSFactory.java — from openjdk-8, GNU General Public License v2.0
/**
 * Returns the first native credential element for {@code name} found in
 * the current Subject, or null when there is no Subject or no matching
 * element. When a Subject exists but holds no usable element and the
 * caller is restricted to Subject credentials, NO_CRED is raised
 * instead of returning null.
 *
 * @param name     the GSS name the credential must match
 * @param initiate whether an initiator (true) or acceptor credential
 *                 is wanted; forwarded to GSSUtil.searchSubject
 * @return the credential after its service permission check, or null
 * @throws GSSException NO_CRED in the subject-only case described above,
 *                      or whatever doServicePermCheck raises
 */
private GSSCredElement getCredFromSubject(GSSNameElement name,
                                          boolean initiate)
    throws GSSException {
    Oid mech = cStub.getMech();
    Vector<GSSCredElement> found = GSSUtil.searchSubject
        (name, mech, initiate, GSSCredElement.class);

    boolean subjectPresent = (found != null);
    boolean haveCred = subjectPresent && !found.isEmpty();

    // A Subject without native creds is a hard failure only for callers
    // that may not acquire credentials elsewhere
    if (subjectPresent && !haveCred
            && GSSUtil.useSubjectCredsOnly(caller)) {
        throw new GSSException(GSSException.NO_CRED);
    }
    if (!haveCred) {
        return null;
    }

    GSSCredElement cred = found.firstElement();
    // The permission check runs before the cred can leave this method
    cred.doServicePermCheck();
    return cred;
}
 
Example 8
Source File: Krb5Util.java — from TencentKona-8, GNU General Public License v2.0
/**
 * Looks up the ServiceCreds for {@code serverPrincipal}, first in the
 * Subject bound to {@code acc} and, when nothing is found there and the
 * caller is not restricted to Subject credentials, in a Subject obtained
 * through a LoginContext login.
 *
 * NOTE: This method is also used by JSSE Kerberos Cipher Suites
 *
 * @param caller          passed to GSSUtil.useSubjectCredsOnly and
 *                        GSSUtil.login; gates the login fallback
 * @param serverPrincipal server principal whose credentials are wanted
 * @param acc             context whose Subject is searched first; a
 *                        missing Subject simply skips that search
 * @return the credentials found, or null when neither source has them
 * @throws LoginException propagated from the fallback login
 */
public static ServiceCreds getServiceCreds(GSSCaller caller,
    String serverPrincipal, AccessControlContext acc)
            throws LoginException {

    Subject fromAcc = Subject.getSubject(acc);
    ServiceCreds found = (fromAcc == null)
            ? null
            : ServiceCreds.getInstance(fromAcc, serverPrincipal);

    // Subject-only callers never fall through to a login
    if (found != null || GSSUtil.useSubjectCredsOnly(caller)) {
        return found;
    }

    Subject loginSubj = GSSUtil.login(caller, GSSUtil.GSS_KRB5_MECH_OID);
    return ServiceCreds.getInstance(loginSubj, serverPrincipal);
}
 
Example 9
Source File: NativeGSSFactory.java — from jdk8u60, GNU General Public License v2.0
/**
 * Returns the first native credential element for {@code name} found in
 * the current Subject, or null when there is no Subject or no matching
 * element. When a Subject exists but holds no usable element and the
 * caller is restricted to Subject credentials, NO_CRED is raised
 * instead of returning null.
 *
 * @param name     the GSS name the credential must match
 * @param initiate whether an initiator (true) or acceptor credential
 *                 is wanted; forwarded to GSSUtil.searchSubject
 * @return the credential after its service permission check, or null
 * @throws GSSException NO_CRED in the subject-only case described above,
 *                      or whatever doServicePermCheck raises
 */
private GSSCredElement getCredFromSubject(GSSNameElement name,
                                          boolean initiate)
    throws GSSException {
    Oid mech = cStub.getMech();
    Vector<GSSCredElement> found = GSSUtil.searchSubject
        (name, mech, initiate, GSSCredElement.class);

    boolean subjectPresent = (found != null);
    boolean haveCred = subjectPresent && !found.isEmpty();

    // A Subject without native creds is a hard failure only for callers
    // that may not acquire credentials elsewhere
    if (subjectPresent && !haveCred
            && GSSUtil.useSubjectCredsOnly(caller)) {
        throw new GSSException(GSSException.NO_CRED);
    }
    if (!haveCred) {
        return null;
    }

    GSSCredElement cred = found.firstElement();
    // The permission check runs before the cred can leave this method
    cred.doServicePermCheck();
    return cred;
}
 
Example 10
Source File: Krb5Util.java — from openjdk-jdk8u-backup, GNU General Public License v2.0
/**
 * Looks up the ServiceCreds for {@code serverPrincipal}, first in the
 * Subject bound to {@code acc} and, when nothing is found there and the
 * caller is not restricted to Subject credentials, in a Subject obtained
 * through a LoginContext login.
 *
 * NOTE: This method is also used by JSSE Kerberos Cipher Suites
 *
 * @param caller          passed to GSSUtil.useSubjectCredsOnly and
 *                        GSSUtil.login; gates the login fallback
 * @param serverPrincipal server principal whose credentials are wanted
 * @param acc             context whose Subject is searched first; a
 *                        missing Subject simply skips that search
 * @return the credentials found, or null when neither source has them
 * @throws LoginException propagated from the fallback login
 */
public static ServiceCreds getServiceCreds(GSSCaller caller,
    String serverPrincipal, AccessControlContext acc)
            throws LoginException {

    Subject fromAcc = Subject.getSubject(acc);
    ServiceCreds found = (fromAcc == null)
            ? null
            : ServiceCreds.getInstance(fromAcc, serverPrincipal);

    // Subject-only callers never fall through to a login
    if (found != null || GSSUtil.useSubjectCredsOnly(caller)) {
        return found;
    }

    Subject loginSubj = GSSUtil.login(caller, GSSUtil.GSS_KRB5_MECH_OID);
    return ServiceCreds.getInstance(loginSubj, serverPrincipal);
}
 
Example 11
Source File: Krb5Util.java — from openjdk-jdk9, GNU General Public License v2.0
/**
 * Looks up the ServiceCreds for {@code serverPrincipal}, first in the
 * Subject bound to {@code acc} and, when nothing is found there and the
 * caller is not restricted to Subject credentials, in a Subject obtained
 * through a LoginContext login.
 *
 * NOTE: This method is also used by JSSE Kerberos Cipher Suites
 *
 * @param caller          passed to GSSUtil.useSubjectCredsOnly and
 *                        GSSUtil.login; gates the login fallback
 * @param serverPrincipal server principal whose credentials are wanted
 * @param acc             context whose Subject is searched first; a
 *                        missing Subject simply skips that search
 * @return the credentials found, or null when neither source has them
 * @throws LoginException propagated from the fallback login
 */
public static ServiceCreds getServiceCreds(GSSCaller caller,
    String serverPrincipal, AccessControlContext acc)
            throws LoginException {

    Subject fromAcc = Subject.getSubject(acc);
    ServiceCreds found = (fromAcc == null)
            ? null
            : ServiceCreds.getInstance(fromAcc, serverPrincipal);

    // Subject-only callers never fall through to a login
    if (found != null || GSSUtil.useSubjectCredsOnly(caller)) {
        return found;
    }

    Subject loginSubj = GSSUtil.login(caller, GSSUtil.GSS_KRB5_MECH_OID);
    return ServiceCreds.getInstance(loginSubj, serverPrincipal);
}
 
Example 12
Source File: Krb5Util.java — from openjdk-jdk9, GNU General Public License v2.0
/**
 * Returns the Subject bound to {@code acc}; when there is none and the
 * caller is not restricted to Subject credentials, returns a Subject
 * obtained by logging in on the caller's behalf instead.
 *
 * Caller must have permission to:
 *    - access the Subject
 *    - create LoginContext
 *    - read the auth.login.defaultCallbackHandler security property
 *
 * NOTE: This method is used by JSSE Kerberos Cipher Suites
 *
 * @param caller passed to GSSUtil.useSubjectCredsOnly and GSSUtil.login;
 *               gates the login fallback
 * @param acc    context whose Subject is preferred
 * @return the Subject from acc, the login Subject, or null when acc has
 *         none and a login is not permitted for this caller
 * @throws LoginException propagated from the fallback login
 */
public static Subject getSubject(GSSCaller caller,
    AccessControlContext acc) throws LoginException {

    Subject fromAcc = Subject.getSubject(acc);

    // Subject-only callers get whatever acc provides, possibly null
    if (fromAcc != null || GSSUtil.useSubjectCredsOnly(caller)) {
        return fromAcc;
    }
    return GSSUtil.login(caller, GSSUtil.GSS_KRB5_MECH_OID);
}
 
Example 13
Source File: Krb5Util.java — from openjdk-jdk8u-backup, GNU General Public License v2.0
/**
 * Returns the Subject bound to {@code acc}; when there is none and the
 * caller is not restricted to Subject credentials, returns a Subject
 * obtained by logging in on the caller's behalf instead.
 *
 * Caller must have permission to:
 *    - access the Subject
 *    - create LoginContext
 *    - read the auth.login.defaultCallbackHandler security property
 *
 * NOTE: This method is used by JSSE Kerberos Cipher Suites
 *
 * @param caller passed to GSSUtil.useSubjectCredsOnly and GSSUtil.login;
 *               gates the login fallback
 * @param acc    context whose Subject is preferred
 * @return the Subject from acc, the login Subject, or null when acc has
 *         none and a login is not permitted for this caller
 * @throws LoginException propagated from the fallback login
 */
public static Subject getSubject(GSSCaller caller,
    AccessControlContext acc) throws LoginException {

    Subject fromAcc = Subject.getSubject(acc);

    // Subject-only callers get whatever acc provides, possibly null
    if (fromAcc != null || GSSUtil.useSubjectCredsOnly(caller)) {
        return fromAcc;
    }
    return GSSUtil.login(caller, GSSUtil.GSS_KRB5_MECH_OID);
}
 
Example 14
Source File: Krb5Util.java — from openjdk-8-source, GNU General Public License v2.0
/**
 * Returns the Subject bound to {@code acc}; when there is none and the
 * caller is not restricted to Subject credentials, returns a Subject
 * obtained by logging in on the caller's behalf instead.
 *
 * Caller must have permission to:
 *    - access the Subject
 *    - create LoginContext
 *    - read the auth.login.defaultCallbackHandler security property
 *
 * NOTE: This method is used by JSSE Kerberos Cipher Suites
 *
 * @param caller passed to GSSUtil.useSubjectCredsOnly and GSSUtil.login;
 *               gates the login fallback
 * @param acc    context whose Subject is preferred
 * @return the Subject from acc, the login Subject, or null when acc has
 *         none and a login is not permitted for this caller
 * @throws LoginException propagated from the fallback login
 */
public static Subject getSubject(GSSCaller caller,
    AccessControlContext acc) throws LoginException {

    Subject fromAcc = Subject.getSubject(acc);

    // Subject-only callers get whatever acc provides, possibly null
    if (fromAcc != null || GSSUtil.useSubjectCredsOnly(caller)) {
        return fromAcc;
    }
    return GSSUtil.login(caller, GSSUtil.GSS_KRB5_MECH_OID);
}
 
Example 15
Source File: Krb5Util.java — from jdk8u-jdk, GNU General Public License v2.0
/**
 * Returns the Subject bound to {@code acc}; when there is none and the
 * caller is not restricted to Subject credentials, returns a Subject
 * obtained by logging in on the caller's behalf instead.
 *
 * Caller must have permission to:
 *    - access the Subject
 *    - create LoginContext
 *    - read the auth.login.defaultCallbackHandler security property
 *
 * NOTE: This method is used by JSSE Kerberos Cipher Suites
 *
 * @param caller passed to GSSUtil.useSubjectCredsOnly and GSSUtil.login;
 *               gates the login fallback
 * @param acc    context whose Subject is preferred
 * @return the Subject from acc, the login Subject, or null when acc has
 *         none and a login is not permitted for this caller
 * @throws LoginException propagated from the fallback login
 */
public static Subject getSubject(GSSCaller caller,
    AccessControlContext acc) throws LoginException {

    Subject fromAcc = Subject.getSubject(acc);

    // Subject-only callers get whatever acc provides, possibly null
    if (fromAcc != null || GSSUtil.useSubjectCredsOnly(caller)) {
        return fromAcc;
    }
    return GSSUtil.login(caller, GSSUtil.GSS_KRB5_MECH_OID);
}
 
Example 16
Source File: Krb5Util.java — from openjdk-8, GNU General Public License v2.0
/**
 * Retrieve the service ticket for serverPrincipal from caller's Subject
 * or from Subject obtained by logging in, or if not found, via the
 * Ticket Granting Service using the TGT obtained from the Subject.
 *
 * Lookup order (the method returns as soon as a service ticket is found):
 *   1. service ticket in the Subject bound to acc
 *   2. service ticket in a Subject obtained via GSSUtil.login, attempted
 *      only when useSubjectCredsOnly is false for this caller
 *   3. TGT for tgsPrincipal in the Subject bound to acc
 *   4. TGT for tgsPrincipal in the login Subject, when one was obtained
 *   5. service ticket requested from the TGS with that TGT
 *
 * A ticket acquired in step 5 is written back into acc's Subject only
 * when the TGT came from that Subject and the Subject is not read-only;
 * a TGT taken from the login Subject never causes a write to acc's Subject.
 *
 * Caller must have permission to:
 *    - access and update Subject's private credentials
 *    - create LoginContext
 *    - read the auth.login.defaultCallbackHandler security property
 *
 * NOTE: This method is used by JSSE Kerberos Cipher Suites
 *
 * @param caller          passed to GSSUtil.useSubjectCredsOnly and
 *                        GSSUtil.login; gates the login fallback in step 2
 * @param clientPrincipal client principal the tickets must belong to
 * @param serverPrincipal service principal the ticket is wanted for
 * @param tgsPrincipal    principal of the ticket-granting service, used to
 *                        locate a TGT in steps 3 and 4
 * @param acc             context whose Subject is searched first and, in
 *                        the fromAcc case, updated with the new ticket
 * @return the service ticket, or null if none was found or acquired
 * @throws LoginException declared for the Subject lookups; a login failure
 *                        in step 2 is caught and does not propagate
 * @throws KrbException   presumably from the TGS exchange in step 5 — the
 *                        throwing call is not visible here
 * @throws IOException    presumably from the TGS exchange in step 5 — the
 *                        throwing call is not visible here
 */
public static KerberosTicket getTicketFromSubjectAndTgs(GSSCaller caller,
    String clientPrincipal, String serverPrincipal, String tgsPrincipal,
    AccessControlContext acc)
    throws LoginException, KrbException, IOException {

    // 1. Try to find service ticket in acc subject
    Subject accSubj = Subject.getSubject(acc);
    KerberosTicket ticket = SubjectComber.find(accSubj,
        serverPrincipal, clientPrincipal, KerberosTicket.class);

    if (ticket != null) {
        return ticket;  // found it
    }

    // loginSubj stays null when the login is skipped or fails, which also
    // disables step 4 below
    Subject loginSubj = null;
    if (!GSSUtil.useSubjectCredsOnly(caller)) {
        // 2. Try to get ticket from login
        try {
            loginSubj = GSSUtil.login(caller, GSSUtil.GSS_KRB5_MECH_OID);
            ticket = SubjectComber.find(loginSubj,
                serverPrincipal, clientPrincipal, KerberosTicket.class);
            if (ticket != null) {
                return ticket; // found it
            }
        } catch (LoginException e) {
            // No login entry to use
            // ignore and continue: the login is best-effort, the TGT
            // path below must still be attempted
        }
    }

    // Service ticket not found in subject or login
    // Try to get TGT to acquire service ticket

    // 3. Try to get TGT from acc subject
    KerberosTicket tgt = SubjectComber.find(accSubj,
        tgsPrincipal, clientPrincipal, KerberosTicket.class);

    // fromAcc records which Subject the TGT came from, so that step 5 only
    // writes back into the Subject it read from. It is also true when no
    // TGT was found at all; step 5 is then skipped and the flag is unused.
    boolean fromAcc;
    if (tgt == null && loginSubj != null) {
        // 4. Try to get TGT from login subject
        tgt = SubjectComber.find(loginSubj,
            tgsPrincipal, clientPrincipal, KerberosTicket.class);
        fromAcc = false;
    } else {
        fromAcc = true;
    }

    // 5. Try to get service ticket using TGT
    if (tgt != null) {
        Credentials tgtCreds = ticketToCreds(tgt);
        Credentials serviceCreds = Credentials.acquireServiceCreds(
                    serverPrincipal, tgtCreds);
        if (serviceCreds != null) {
            ticket = credsToTicket(serviceCreds);

            // Store service ticket in acc's Subject
            // (only the Subject the TGT was read from, and only if it can
            // still be modified)
            if (fromAcc && accSubj != null && !accSubj.isReadOnly()) {
                accSubj.getPrivateCredentials().add(ticket);
            }
        }
    }
    return ticket;
}
 
Example 17
Source File: Krb5Util.java — from openjdk-jdk8u, GNU General Public License v2.0
/**
 * Retrieve the service ticket for serverPrincipal from caller's Subject
 * or from Subject obtained by logging in, or if not found, via the
 * Ticket Granting Service using the TGT obtained from the Subject.
 *
 * Lookup order (the method returns as soon as a service ticket is found):
 *   1. service ticket in the Subject bound to acc
 *   2. service ticket in a Subject obtained via GSSUtil.login, attempted
 *      only when useSubjectCredsOnly is false for this caller
 *   3. TGT for tgsPrincipal in the Subject bound to acc
 *   4. TGT for tgsPrincipal in the login Subject, when one was obtained
 *   5. service ticket requested from the TGS with that TGT
 *
 * A ticket acquired in step 5 is written back into acc's Subject only
 * when the TGT came from that Subject and the Subject is not read-only;
 * a TGT taken from the login Subject never causes a write to acc's Subject.
 *
 * Caller must have permission to:
 *    - access and update Subject's private credentials
 *    - create LoginContext
 *    - read the auth.login.defaultCallbackHandler security property
 *
 * NOTE: This method is used by JSSE Kerberos Cipher Suites
 *
 * @param caller          passed to GSSUtil.useSubjectCredsOnly and
 *                        GSSUtil.login; gates the login fallback in step 2
 * @param clientPrincipal client principal the tickets must belong to
 * @param serverPrincipal service principal the ticket is wanted for
 * @param tgsPrincipal    principal of the ticket-granting service, used to
 *                        locate a TGT in steps 3 and 4
 * @param acc             context whose Subject is searched first and, in
 *                        the fromAcc case, updated with the new ticket
 * @return the service ticket, or null if none was found or acquired
 * @throws LoginException declared for the Subject lookups; a login failure
 *                        in step 2 is caught and does not propagate
 * @throws KrbException   presumably from the TGS exchange in step 5 — the
 *                        throwing call is not visible here
 * @throws IOException    presumably from the TGS exchange in step 5 — the
 *                        throwing call is not visible here
 */
public static KerberosTicket getTicketFromSubjectAndTgs(GSSCaller caller,
    String clientPrincipal, String serverPrincipal, String tgsPrincipal,
    AccessControlContext acc)
    throws LoginException, KrbException, IOException {

    // 1. Try to find service ticket in acc subject
    Subject accSubj = Subject.getSubject(acc);
    KerberosTicket ticket = SubjectComber.find(accSubj,
        serverPrincipal, clientPrincipal, KerberosTicket.class);

    if (ticket != null) {
        return ticket;  // found it
    }

    // loginSubj stays null when the login is skipped or fails, which also
    // disables step 4 below
    Subject loginSubj = null;
    if (!GSSUtil.useSubjectCredsOnly(caller)) {
        // 2. Try to get ticket from login
        try {
            loginSubj = GSSUtil.login(caller, GSSUtil.GSS_KRB5_MECH_OID);
            ticket = SubjectComber.find(loginSubj,
                serverPrincipal, clientPrincipal, KerberosTicket.class);
            if (ticket != null) {
                return ticket; // found it
            }
        } catch (LoginException e) {
            // No login entry to use
            // ignore and continue: the login is best-effort, the TGT
            // path below must still be attempted
        }
    }

    // Service ticket not found in subject or login
    // Try to get TGT to acquire service ticket

    // 3. Try to get TGT from acc subject
    KerberosTicket tgt = SubjectComber.find(accSubj,
        tgsPrincipal, clientPrincipal, KerberosTicket.class);

    // fromAcc records which Subject the TGT came from, so that step 5 only
    // writes back into the Subject it read from. It is also true when no
    // TGT was found at all; step 5 is then skipped and the flag is unused.
    boolean fromAcc;
    if (tgt == null && loginSubj != null) {
        // 4. Try to get TGT from login subject
        tgt = SubjectComber.find(loginSubj,
            tgsPrincipal, clientPrincipal, KerberosTicket.class);
        fromAcc = false;
    } else {
        fromAcc = true;
    }

    // 5. Try to get service ticket using TGT
    if (tgt != null) {
        Credentials tgtCreds = ticketToCreds(tgt);
        Credentials serviceCreds = Credentials.acquireServiceCreds(
                    serverPrincipal, tgtCreds);
        if (serviceCreds != null) {
            ticket = credsToTicket(serviceCreds);

            // Store service ticket in acc's Subject
            // (only the Subject the TGT was read from, and only if it can
            // still be modified)
            if (fromAcc && accSubj != null && !accSubj.isReadOnly()) {
                accSubj.getPrivateCredentials().add(ticket);
            }
        }
    }
    return ticket;
}
 
Example 18
Source File: Krb5Util.java — from openjdk-jdk9, GNU General Public License v2.0
/**
 * Retrieve the service ticket for serverPrincipal from caller's Subject
 * or from Subject obtained by logging in, or if not found, via the
 * Ticket Granting Service using the TGT obtained from the Subject.
 *
 * Lookup order (the method returns as soon as a service ticket is found):
 *   1. service ticket in the Subject bound to acc
 *   2. service ticket in a Subject obtained via GSSUtil.login, attempted
 *      only when useSubjectCredsOnly is false for this caller
 *   3. TGT for tgsPrincipal in the Subject bound to acc
 *   4. TGT for tgsPrincipal in the login Subject, when one was obtained
 *   5. service ticket requested from the TGS with that TGT
 *
 * A ticket acquired in step 5 is written back into acc's Subject only
 * when the TGT came from that Subject and the Subject is not read-only;
 * a TGT taken from the login Subject never causes a write to acc's Subject.
 *
 * Caller must have permission to:
 *    - access and update Subject's private credentials
 *    - create LoginContext
 *    - read the auth.login.defaultCallbackHandler security property
 *
 * NOTE: This method is used by JSSE Kerberos Cipher Suites
 *
 * @param caller          passed to GSSUtil.useSubjectCredsOnly and
 *                        GSSUtil.login; gates the login fallback in step 2
 * @param clientPrincipal client principal the tickets must belong to
 * @param serverPrincipal service principal the ticket is wanted for
 * @param tgsPrincipal    principal of the ticket-granting service, used to
 *                        locate a TGT in steps 3 and 4
 * @param acc             context whose Subject is searched first and, in
 *                        the fromAcc case, updated with the new ticket
 * @return the service ticket, or null if none was found or acquired
 * @throws LoginException declared for the Subject lookups; a login failure
 *                        in step 2 is caught and does not propagate
 * @throws KrbException   presumably from the TGS exchange in step 5 — the
 *                        throwing call is not visible here
 * @throws IOException    presumably from the TGS exchange in step 5 — the
 *                        throwing call is not visible here
 */
public static KerberosTicket getTicketFromSubjectAndTgs(GSSCaller caller,
    String clientPrincipal, String serverPrincipal, String tgsPrincipal,
    AccessControlContext acc)
    throws LoginException, KrbException, IOException {

    // 1. Try to find service ticket in acc subject
    Subject accSubj = Subject.getSubject(acc);
    KerberosTicket ticket = SubjectComber.find(accSubj,
        serverPrincipal, clientPrincipal, KerberosTicket.class);

    if (ticket != null) {
        return ticket;  // found it
    }

    // loginSubj stays null when the login is skipped or fails, which also
    // disables step 4 below
    Subject loginSubj = null;
    if (!GSSUtil.useSubjectCredsOnly(caller)) {
        // 2. Try to get ticket from login
        try {
            loginSubj = GSSUtil.login(caller, GSSUtil.GSS_KRB5_MECH_OID);
            ticket = SubjectComber.find(loginSubj,
                serverPrincipal, clientPrincipal, KerberosTicket.class);
            if (ticket != null) {
                return ticket; // found it
            }
        } catch (LoginException e) {
            // No login entry to use
            // ignore and continue: the login is best-effort, the TGT
            // path below must still be attempted
        }
    }

    // Service ticket not found in subject or login
    // Try to get TGT to acquire service ticket

    // 3. Try to get TGT from acc subject
    KerberosTicket tgt = SubjectComber.find(accSubj,
        tgsPrincipal, clientPrincipal, KerberosTicket.class);

    // fromAcc records which Subject the TGT came from, so that step 5 only
    // writes back into the Subject it read from. It is also true when no
    // TGT was found at all; step 5 is then skipped and the flag is unused.
    boolean fromAcc;
    if (tgt == null && loginSubj != null) {
        // 4. Try to get TGT from login subject
        tgt = SubjectComber.find(loginSubj,
            tgsPrincipal, clientPrincipal, KerberosTicket.class);
        fromAcc = false;
    } else {
        fromAcc = true;
    }

    // 5. Try to get service ticket using TGT
    if (tgt != null) {
        Credentials tgtCreds = ticketToCreds(tgt);
        Credentials serviceCreds = Credentials.acquireServiceCreds(
                    serverPrincipal, tgtCreds);
        if (serviceCreds != null) {
            ticket = credsToTicket(serviceCreds);

            // Store service ticket in acc's Subject
            // (only the Subject the TGT was read from, and only if it can
            // still be modified)
            if (fromAcc && accSubj != null && !accSubj.isReadOnly()) {
                accSubj.getPrivateCredentials().add(ticket);
            }
        }
    }
    return ticket;
}
 
Example 19
Source File: Krb5Util.java — from openjdk-jdk8u-backup, GNU General Public License v2.0
/**
 * Retrieve the service ticket for serverPrincipal from caller's Subject
 * or from Subject obtained by logging in, or if not found, via the
 * Ticket Granting Service using the TGT obtained from the Subject.
 *
 * Lookup order (the method returns as soon as a service ticket is found):
 *   1. service ticket in the Subject bound to acc
 *   2. service ticket in a Subject obtained via GSSUtil.login, attempted
 *      only when useSubjectCredsOnly is false for this caller
 *   3. TGT for tgsPrincipal in the Subject bound to acc
 *   4. TGT for tgsPrincipal in the login Subject, when one was obtained
 *   5. service ticket requested from the TGS with that TGT
 *
 * A ticket acquired in step 5 is written back into acc's Subject only
 * when the TGT came from that Subject and the Subject is not read-only;
 * a TGT taken from the login Subject never causes a write to acc's Subject.
 *
 * Caller must have permission to:
 *    - access and update Subject's private credentials
 *    - create LoginContext
 *    - read the auth.login.defaultCallbackHandler security property
 *
 * NOTE: This method is used by JSSE Kerberos Cipher Suites
 *
 * @param caller          passed to GSSUtil.useSubjectCredsOnly and
 *                        GSSUtil.login; gates the login fallback in step 2
 * @param clientPrincipal client principal the tickets must belong to
 * @param serverPrincipal service principal the ticket is wanted for
 * @param tgsPrincipal    principal of the ticket-granting service, used to
 *                        locate a TGT in steps 3 and 4
 * @param acc             context whose Subject is searched first and, in
 *                        the fromAcc case, updated with the new ticket
 * @return the service ticket, or null if none was found or acquired
 * @throws LoginException declared for the Subject lookups; a login failure
 *                        in step 2 is caught and does not propagate
 * @throws KrbException   presumably from the TGS exchange in step 5 — the
 *                        throwing call is not visible here
 * @throws IOException    presumably from the TGS exchange in step 5 — the
 *                        throwing call is not visible here
 */
public static KerberosTicket getTicketFromSubjectAndTgs(GSSCaller caller,
    String clientPrincipal, String serverPrincipal, String tgsPrincipal,
    AccessControlContext acc)
    throws LoginException, KrbException, IOException {

    // 1. Try to find service ticket in acc subject
    Subject accSubj = Subject.getSubject(acc);
    KerberosTicket ticket = SubjectComber.find(accSubj,
        serverPrincipal, clientPrincipal, KerberosTicket.class);

    if (ticket != null) {
        return ticket;  // found it
    }

    // loginSubj stays null when the login is skipped or fails, which also
    // disables step 4 below
    Subject loginSubj = null;
    if (!GSSUtil.useSubjectCredsOnly(caller)) {
        // 2. Try to get ticket from login
        try {
            loginSubj = GSSUtil.login(caller, GSSUtil.GSS_KRB5_MECH_OID);
            ticket = SubjectComber.find(loginSubj,
                serverPrincipal, clientPrincipal, KerberosTicket.class);
            if (ticket != null) {
                return ticket; // found it
            }
        } catch (LoginException e) {
            // No login entry to use
            // ignore and continue: the login is best-effort, the TGT
            // path below must still be attempted
        }
    }

    // Service ticket not found in subject or login
    // Try to get TGT to acquire service ticket

    // 3. Try to get TGT from acc subject
    KerberosTicket tgt = SubjectComber.find(accSubj,
        tgsPrincipal, clientPrincipal, KerberosTicket.class);

    // fromAcc records which Subject the TGT came from, so that step 5 only
    // writes back into the Subject it read from. It is also true when no
    // TGT was found at all; step 5 is then skipped and the flag is unused.
    boolean fromAcc;
    if (tgt == null && loginSubj != null) {
        // 4. Try to get TGT from login subject
        tgt = SubjectComber.find(loginSubj,
            tgsPrincipal, clientPrincipal, KerberosTicket.class);
        fromAcc = false;
    } else {
        fromAcc = true;
    }

    // 5. Try to get service ticket using TGT
    if (tgt != null) {
        Credentials tgtCreds = ticketToCreds(tgt);
        Credentials serviceCreds = Credentials.acquireServiceCreds(
                    serverPrincipal, tgtCreds);
        if (serviceCreds != null) {
            ticket = credsToTicket(serviceCreds);

            // Store service ticket in acc's Subject
            // (only the Subject the TGT was read from, and only if it can
            // still be modified)
            if (fromAcc && accSubj != null && !accSubj.isReadOnly()) {
                accSubj.getPrivateCredentials().add(ticket);
            }
        }
    }
    return ticket;
}
 
Example 20
Source File: Krb5Util.java — from dragonwell8_jdk, GNU General Public License v2.0
/**
 * Retrieve the service ticket for serverPrincipal from caller's Subject
 * or from Subject obtained by logging in, or if not found, via the
 * Ticket Granting Service using the TGT obtained from the Subject.
 *
 * Lookup order (the method returns as soon as a service ticket is found):
 *   1. service ticket in the Subject bound to acc
 *   2. service ticket in a Subject obtained via GSSUtil.login, attempted
 *      only when useSubjectCredsOnly is false for this caller
 *   3. TGT for tgsPrincipal in the Subject bound to acc
 *   4. TGT for tgsPrincipal in the login Subject, when one was obtained
 *   5. service ticket requested from the TGS with that TGT
 *
 * A ticket acquired in step 5 is written back into acc's Subject only
 * when the TGT came from that Subject and the Subject is not read-only;
 * a TGT taken from the login Subject never causes a write to acc's Subject.
 *
 * Caller must have permission to:
 *    - access and update Subject's private credentials
 *    - create LoginContext
 *    - read the auth.login.defaultCallbackHandler security property
 *
 * NOTE: This method is used by JSSE Kerberos Cipher Suites
 *
 * @param caller          passed to GSSUtil.useSubjectCredsOnly and
 *                        GSSUtil.login; gates the login fallback in step 2
 * @param clientPrincipal client principal the tickets must belong to
 * @param serverPrincipal service principal the ticket is wanted for
 * @param tgsPrincipal    principal of the ticket-granting service, used to
 *                        locate a TGT in steps 3 and 4
 * @param acc             context whose Subject is searched first and, in
 *                        the fromAcc case, updated with the new ticket
 * @return the service ticket, or null if none was found or acquired
 * @throws LoginException declared for the Subject lookups; a login failure
 *                        in step 2 is caught and does not propagate
 * @throws KrbException   presumably from the TGS exchange in step 5 — the
 *                        throwing call is not visible here
 * @throws IOException    presumably from the TGS exchange in step 5 — the
 *                        throwing call is not visible here
 */
public static KerberosTicket getTicketFromSubjectAndTgs(GSSCaller caller,
    String clientPrincipal, String serverPrincipal, String tgsPrincipal,
    AccessControlContext acc)
    throws LoginException, KrbException, IOException {

    // 1. Try to find service ticket in acc subject
    Subject accSubj = Subject.getSubject(acc);
    KerberosTicket ticket = SubjectComber.find(accSubj,
        serverPrincipal, clientPrincipal, KerberosTicket.class);

    if (ticket != null) {
        return ticket;  // found it
    }

    // loginSubj stays null when the login is skipped or fails, which also
    // disables step 4 below
    Subject loginSubj = null;
    if (!GSSUtil.useSubjectCredsOnly(caller)) {
        // 2. Try to get ticket from login
        try {
            loginSubj = GSSUtil.login(caller, GSSUtil.GSS_KRB5_MECH_OID);
            ticket = SubjectComber.find(loginSubj,
                serverPrincipal, clientPrincipal, KerberosTicket.class);
            if (ticket != null) {
                return ticket; // found it
            }
        } catch (LoginException e) {
            // No login entry to use
            // ignore and continue: the login is best-effort, the TGT
            // path below must still be attempted
        }
    }

    // Service ticket not found in subject or login
    // Try to get TGT to acquire service ticket

    // 3. Try to get TGT from acc subject
    KerberosTicket tgt = SubjectComber.find(accSubj,
        tgsPrincipal, clientPrincipal, KerberosTicket.class);

    // fromAcc records which Subject the TGT came from, so that step 5 only
    // writes back into the Subject it read from. It is also true when no
    // TGT was found at all; step 5 is then skipped and the flag is unused.
    boolean fromAcc;
    if (tgt == null && loginSubj != null) {
        // 4. Try to get TGT from login subject
        tgt = SubjectComber.find(loginSubj,
            tgsPrincipal, clientPrincipal, KerberosTicket.class);
        fromAcc = false;
    } else {
        fromAcc = true;
    }

    // 5. Try to get service ticket using TGT
    if (tgt != null) {
        Credentials tgtCreds = ticketToCreds(tgt);
        Credentials serviceCreds = Credentials.acquireServiceCreds(
                    serverPrincipal, tgtCreds);
        if (serviceCreds != null) {
            ticket = credsToTicket(serviceCreds);

            // Store service ticket in acc's Subject
            // (only the Subject the TGT was read from, and only if it can
            // still be modified)
            if (fromAcc && accSubj != null && !accSubj.isReadOnly()) {
                accSubj.getPrivateCredentials().add(ticket);
            }
        }
    }
    return ticket;
}