author | weijun |
Wed, 28 Sep 2011 14:21:10 +0800 | |
changeset 10695 | 08c28770f82b |
parent 10336 | 0bb1999251f8 |
child 13590 | f7f85d7f7a82 |
permissions | -rw-r--r-- |
2 | 1 |
/* |
9499 | 2 |
* Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved. |
2 | 3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 |
* |
|
5 |
* This code is free software; you can redistribute it and/or modify it |
|
6 |
* under the terms of the GNU General Public License version 2 only, as |
|
5506 | 7 |
* published by the Free Software Foundation. Oracle designates this |
2 | 8 |
* particular file as subject to the "Classpath" exception as provided |
5506 | 9 |
* by Oracle in the LICENSE file that accompanied this code. |
2 | 10 |
* |
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that |
|
15 |
* accompanied this code). |
|
16 |
* |
|
17 |
* You should have received a copy of the GNU General Public License version |
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation, |
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 |
* |
|
5506 | 21 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
22 |
* or visit www.oracle.com if you need additional information or have any |
|
23 |
* questions. |
|
2 | 24 |
*/ |
25 |
||
26 |
||
27 |
package com.sun.security.auth.module; |
|
28 |
||
29 |
import java.io.*; |
|
30 |
import java.text.MessageFormat; |
|
31 |
import java.util.*; |
|
32 |
||
33 |
import javax.security.auth.*; |
|
34 |
import javax.security.auth.kerberos.*; |
|
35 |
import javax.security.auth.callback.*; |
|
36 |
import javax.security.auth.login.*; |
|
37 |
import javax.security.auth.spi.*; |
|
38 |
||
39 |
import sun.security.krb5.*; |
|
40 |
import sun.security.jgss.krb5.Krb5Util; |
|
41 |
import sun.security.krb5.Credentials; |
|
42 |
import sun.misc.HexDumpEncoder; |
|
43 |
||
44 |
/** |
|
45 |
* <p> This <code>LoginModule</code> authenticates users using |
|
46 |
* Kerberos protocols. |
|
47 |
* |
|
48 |
* <p> The configuration entry for <code>Krb5LoginModule</code> has |
|
49 |
* several options that control the authentication process and |
|
50 |
* additions to the <code>Subject</code>'s private credential |
|
51 |
* set. Irrespective of these options, the <code>Subject</code>'s |
|
52 |
* principal set and private credentials set are updated only when |
|
53 |
* <code>commit</code> is called. |
|
54 |
* When <code>commit</code> is called, the <code>KerberosPrincipal</code> |
|
55 |
* is added to the <code>Subject</code>'s |
|
56 |
* principal set and <code>KerberosTicket</code> is |
|
57 |
* added to the <code>Subject</code>'s private credentials. |
|
58 |
* |
|
59 |
* <p> If the configuration entry for <code>KerberosLoginModule</code> |
|
60 |
* has the option <code>storeKey</code> set to true, then |
|
61 |
* <code>KerberosKey</code> will also be added to the |
|
62 |
* subject's private credentials. <code>KerberosKey</code>, the principal's |
|
63 |
* key will be either obtained from the keytab or |
|
64 |
* derived from user's password. |
|
65 |
* |
|
66 |
* <p> This <code>LoginModule</code> recognizes the <code>doNotPrompt</code> |
|
67 |
* option. If set to true the user will not be prompted for the password. |
|
68 |
* |
|
69 |
* <p> The user can specify the location of the ticket cache by using |
|
70 |
* the option <code>ticketCache</code> in the configuration entry. |
|
71 |
* |
|
72 |
* <p>The user can specify the keytab location by using |
|
73 |
* the option <code>keyTab</code> |
|
74 |
* in the configuration entry. |
|
75 |
* |
|
76 |
* <p> The principal name can be specified in the configuration entry |
|
77 |
* by using the option <code>principal</code>. The principal name |
|
78 |
* can either be a simple user name or a service name such as |
|
79 |
* <code>host/mission.eng.sun.com</code>. The principal can also |
|
80 |
* be set using the system property <code>sun.security.krb5.principal</code>. |
|
81 |
* This property is checked during login. If this property is not set, then |
|
82 |
* the principal name from the configuration is used. In the |
|
83 |
* case where the principal property is not set and the principal |
|
84 |
* entry also does not exist, the user is prompted for the name. |
|
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
85 |
* When this property of entry is set, and <code>useTicketCache</code> |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
86 |
* is set to true, only TGT belonging to this principal is used. |
2 | 87 |
* |
88 |
* <p> The following is a list of configuration options supported |
|
89 |
* for <code>Krb5LoginModule</code>: |
|
90 |
* <dl> |
|
91 |
* <blockquote><dt><b><code>refreshKrb5Config</code></b>:</dt> |
|
92 |
* <dd> Set this to true, if you want the configuration |
|
93 |
* to be refreshed before the <code>login</code> method is called.</dd> |
|
94 |
* <P> |
|
95 |
* <dt><b><code>useTicketCache</code></b>:</dt> |
|
96 |
* <dd>Set this to true, if you want the |
|
97 |
* TGT to be obtained |
|
98 |
* from the ticket cache. Set this option |
|
99 |
* to false if you do not want this module to use the ticket cache. |
|
100 |
* (Default is False). |
|
101 |
* This module will |
|
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
102 |
* search for the ticket |
2 | 103 |
* cache in the following locations: |
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
104 |
* On Solaris and Linux |
2 | 105 |
* it will look for the ticket cache in /tmp/krb5cc_<code>uid</code> |
106 |
* where the uid is numeric user |
|
107 |
* identifier. If the ticket cache is |
|
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
108 |
* not available in the above location, or if we are on a |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
109 |
* Windows platform, it will look for the cache as |
2 | 110 |
* {user.home}{file.separator}krb5cc_{user.name}. |
111 |
* You can override the ticket cache location by using |
|
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
112 |
* <code>ticketCache</code>. |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
113 |
* For Windows, if a ticket cannot be retrieved from the file ticket cache, |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
114 |
* it will use Local Security Authority (LSA) API to get the TGT. |
2 | 115 |
* <P> |
116 |
* <dt><b><code>ticketCache</code></b>:</dt> |
|
117 |
* <dd>Set this to the name of the ticket |
|
118 |
* cache that contains user's TGT. |
|
119 |
* If this is set, <code>useTicketCache</code> |
|
120 |
* must also be set to true; Otherwise a configuration error will |
|
121 |
* be returned.</dd> |
|
122 |
* <P> |
|
123 |
* <dt><b><code>renewTGT</code></b>:</dt> |
|
124 |
* <dd>Set this to true, if you want to renew |
|
125 |
* the TGT. If this is set, <code>useTicketCache</code> must also be |
|
126 |
* set to true; otherwise a configuration error will be returned.</dd> |
|
127 |
* <p> |
|
128 |
* <dt><b><code>doNotPrompt</code></b>:</dt> |
|
129 |
* <dd>Set this to true if you do not want to be |
|
130 |
* prompted for the password |
|
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
131 |
* if credentials can not be obtained from the cache, the keytab, |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
132 |
* or through shared state.(Default is false) |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
133 |
* If set to true, credential must be obtained through cache, keytab, |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
134 |
* or shared state. Otherwise, authentication will fail.</dd> |
2 | 135 |
* <P> |
136 |
* <dt><b><code>useKeyTab</code></b>:</dt> |
|
137 |
* <dd>Set this to true if you |
|
138 |
* want the module to get the principal's key from the |
|
139 |
* the keytab.(default value is False) |
|
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
140 |
* If <code>keytab</code> |
2 | 141 |
* is not set then |
142 |
* the module will locate the keytab from the |
|
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
143 |
* Kerberos configuration file. |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
144 |
* If it is not specified in the Kerberos configuration file |
2 | 145 |
* then it will look for the file |
146 |
* <code>{user.home}{file.separator}</code>krb5.keytab.</dd> |
|
147 |
* <P> |
|
148 |
* <dt><b><code>keyTab</code></b>:</dt> |
|
149 |
* <dd>Set this to the file name of the |
|
150 |
* keytab to get principal's secret key.</dd> |
|
151 |
* <P> |
|
152 |
* <dt><b><code>storeKey</code></b>:</dt> |
|
153 |
* <dd>Set this to true to if you want the |
|
154 |
* principal's key to be stored in the Subject's private credentials. </dd> |
|
155 |
* <p> |
|
156 |
* <dt><b><code>principal</code></b>:</dt> |
|
157 |
* <dd>The name of the principal that should |
|
158 |
* be used. The principal can be a simple username such as |
|
159 |
* "<code>testuser</code>" or a service name such as |
|
160 |
* "<code>host/testhost.eng.sun.com</code>". You can use the |
|
161 |
* <code>principal</code> option to set the principal when there are |
|
162 |
* credentials for multiple principals in the |
|
163 |
* <code>keyTab</code> or when you want a specific ticket cache only. |
|
164 |
* The principal can also be set using the system property |
|
165 |
* <code>sun.security.krb5.principal</code>. In addition, if this |
|
166 |
* system property is defined, then it will be used. If this property |
|
167 |
* is not set, then the principal name from the configuration will be |
|
168 |
* used.</dd> |
|
169 |
* <P> |
|
170 |
* <dt><b><code>isInitiator</code></b>:</dt> |
|
171 |
* <dd>Set this to true, if initiator. Set this to false, if acceptor only. |
|
172 |
* (Default is true). |
|
173 |
* Note: Do not set this value to false for initiators.</dd> |
|
174 |
* </dl></blockquote> |
|
175 |
* |
|
176 |
* <p> This <code>LoginModule</code> also recognizes the following additional |
|
177 |
* <code>Configuration</code> |
|
178 |
* options that enable you to share username and passwords across different |
|
179 |
* authentication modules: |
|
180 |
* <pre> |
|
181 |
* |
|
182 |
* useFirstPass if, true, this LoginModule retrieves the |
|
183 |
* username and password from the module's shared state, |
|
184 |
* using "javax.security.auth.login.name" and |
|
185 |
* "javax.security.auth.login.password" as the respective |
|
186 |
* keys. The retrieved values are used for authentication. |
|
187 |
* If authentication fails, no attempt for a retry |
|
188 |
* is made, and the failure is reported back to the |
|
189 |
* calling application. |
|
190 |
* |
|
191 |
* tryFirstPass if, true, this LoginModule retrieves the |
|
192 |
* the username and password from the module's shared |
|
193 |
* state using "javax.security.auth.login.name" and |
|
194 |
* "javax.security.auth.login.password" as the respective |
|
195 |
* keys. The retrieved values are used for |
|
196 |
* authentication. |
|
197 |
* If authentication fails, the module uses the |
|
198 |
* CallbackHandler to retrieve a new username |
|
199 |
* and password, and another attempt to authenticate |
|
200 |
* is made. If the authentication fails, |
|
201 |
* the failure is reported back to the calling application |
|
202 |
* |
|
203 |
* storePass if, true, this LoginModule stores the username and |
|
204 |
* password obtained from the CallbackHandler in the |
|
205 |
* modules shared state, using |
|
206 |
* "javax.security.auth.login.name" and |
|
207 |
* "javax.security.auth.login.password" as the respective |
|
208 |
* keys. This is not performed if existing values already |
|
209 |
* exist for the username and password in the shared |
|
210 |
* state, or if authentication fails. |
|
211 |
* |
|
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
212 |
* clearPass if, true, this LoginModule clears the |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
213 |
* username and password stored in the module's shared |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
214 |
* state after both phases of authentication |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
215 |
* (login and commit) have completed. |
2 | 216 |
* </pre> |
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
217 |
* <p>If the principal system property or key is already provided, the value of |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
218 |
* "javax.security.auth.login.name" in the shared state is ignored. |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
219 |
* <p>When multiple mechanisms to retrieve a ticket or key is provided, the |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
220 |
* preference order looks like this: |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
221 |
* <ol> |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
222 |
* <li>ticket cache |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
223 |
* <li>keytab |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
224 |
* <li>shared state |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
225 |
* <li>user prompt |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
226 |
* </ol> |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
227 |
* <p>Note that if any step fails, it will fallback to the next step. |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
228 |
* There's only one exception, it the shared state step fails and |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
229 |
* <code>useFirstPass</code>=true, no user prompt is made. |
2 | 230 |
* <p>Examples of some configuration values for Krb5LoginModule in |
231 |
* JAAS config file and the results are: |
|
232 |
* <ul> |
|
233 |
* <p> <code>doNotPrompt</code>=true; |
|
234 |
* </ul> |
|
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
235 |
* <p> This is an illegal combination since none of <code>useTicketCache</code>, |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
236 |
* <code>useKeyTab</code>, <code>useFirstPass</code> and <code>tryFirstPass</code> |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
237 |
* is set and the user can not be prompted for the password. |
2 | 238 |
*<ul> |
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
239 |
* <p> <code>ticketCache</code> = <filename>; |
2 | 240 |
*</ul> |
241 |
* <p> This is an illegal combination since <code>useTicketCache</code> |
|
242 |
* is not set to true and the ticketCache is set. A configuration error |
|
243 |
* will occur. |
|
244 |
* <ul> |
|
245 |
* <p> <code>renewTGT</code>=true; |
|
246 |
*</ul> |
|
247 |
* <p> This is an illegal combination since <code>useTicketCache</code> is |
|
248 |
* not set to true and renewTGT is set. A configuration error will occur. |
|
249 |
* <ul> |
|
250 |
* <p> <code>storeKey</code>=true |
|
251 |
* <code>useTicketCache</code> = true |
|
252 |
* <code>doNotPrompt</code>=true;; |
|
253 |
*</ul> |
|
254 |
* <p> This is an illegal combination since <code>storeKey</code> is set to |
|
255 |
* true but the key can not be obtained either by prompting the user or from |
|
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
256 |
* the keytab, or from the shared state. A configuration error will occur. |
2 | 257 |
* <ul> |
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
258 |
* <p> <code>keyTab</code> = <filename> <code>doNotPrompt</code>=true ; |
2 | 259 |
* </ul> |
260 |
* <p>This is an illegal combination since useKeyTab is not set to true and |
|
261 |
* the keyTab is set. A configuration error will occur. |
|
262 |
* <ul> |
|
263 |
* <p> <code>debug=true </code> |
|
264 |
*</ul> |
|
265 |
* <p> Prompt the user for the principal name and the password. |
|
266 |
* Use the authentication exchange to get TGT from the KDC and |
|
267 |
* populate the <code>Subject</code> with the principal and TGT. |
|
268 |
* Output debug messages. |
|
269 |
* <ul> |
|
270 |
* <p> <code>useTicketCache</code> = true <code>doNotPrompt</code>=true; |
|
271 |
*</ul> |
|
272 |
* <p>Check the default cache for TGT and populate the <code>Subject</code> |
|
273 |
* with the principal and TGT. If the TGT is not available, |
|
274 |
* do not prompt the user, instead fail the authentication. |
|
275 |
* <ul> |
|
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
276 |
* <p><code>principal</code>=<name><code>useTicketCache</code> = true |
2 | 277 |
* <code>doNotPrompt</code>=true; |
278 |
*</ul> |
|
279 |
* <p> Get the TGT from the default cache for the principal and populate the |
|
280 |
* Subject's principal and private creds set. If ticket cache is |
|
281 |
* not available or does not contain the principal's TGT |
|
282 |
* authentication will fail. |
|
283 |
* <ul> |
|
284 |
* <p> <code>useTicketCache</code> = true |
|
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
285 |
* <code>ticketCache</code>=<file name><code>useKeyTab</code> = true |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
286 |
* <code> keyTab</code>=<keytab filename> |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
287 |
* <code>principal</code> = <principal name> |
2 | 288 |
* <code>doNotPrompt</code>=true; |
289 |
*</ul> |
|
290 |
* <p> Search the cache for the principal's TGT. If it is not available |
|
291 |
* use the key in the keytab to perform authentication exchange with the |
|
292 |
* KDC and acquire the TGT. |
|
293 |
* The Subject will be populated with the principal and the TGT. |
|
294 |
* If the key is not available or valid then authentication will fail. |
|
295 |
* <ul> |
|
296 |
* <p><code>useTicketCache</code> = true |
|
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
297 |
* <code>ticketCache</code>=<file name> |
2 | 298 |
*</ul> |
299 |
* <p> The TGT will be obtained from the cache specified. |
|
300 |
* The Kerberos principal name used will be the principal name in |
|
301 |
* the Ticket cache. If the TGT is not available in the |
|
302 |
* ticket cache the user will be prompted for the principal name |
|
303 |
* and the password. The TGT will be obtained using the authentication |
|
304 |
* exchange with the KDC. |
|
305 |
* The Subject will be populated with the TGT. |
|
306 |
*<ul> |
|
307 |
* <p> <code>useKeyTab</code> = true |
|
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
308 |
* <code>keyTab</code>=<keytab filename> |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
309 |
* <code>principal</code>= <principal name> |
2 | 310 |
* <code>storeKey</code>=true; |
311 |
*</ul> |
|
312 |
* <p> The key for the principal will be retrieved from the keytab. |
|
313 |
* If the key is not available in the keytab the user will be prompted |
|
314 |
* for the principal's password. The Subject will be populated |
|
315 |
* with the principal's key either from the keytab or derived from the |
|
316 |
* password entered. |
|
317 |
* <ul> |
|
318 |
* <p> <code>useKeyTab</code> = true |
|
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
319 |
* <code>keyTab</code>=<keytabname> |
2 | 320 |
* <code>storeKey</code>=true |
321 |
* <code>doNotPrompt</code>=true; |
|
322 |
*</ul> |
|
323 |
* <p>The user will be prompted for the service principal name. |
|
324 |
* If the principal's |
|
325 |
* longterm key is available in the keytab , it will be added to the |
|
326 |
* Subject's private credentials. An authentication exchange will be |
|
327 |
* attempted with the principal name and the key from the Keytab. |
|
328 |
* If successful the TGT will be added to the |
|
329 |
* Subject's private credentials set. Otherwise the authentication will |
|
330 |
* fail. |
|
331 |
*<ul> |
|
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
332 |
* <p> |
2 | 333 |
* <code>useTicketCache</code>=true |
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
334 |
* <code>ticketCache</code>=<file name>; |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
335 |
* <code>useKeyTab</code> = true |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
336 |
* <code>keyTab</code>=<file name> <code>storeKey</code>=true |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
337 |
* <code>principal</code>= <principal name> |
2 | 338 |
*</ul> |
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
339 |
* <p> |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
340 |
* The client's TGT will be retrieved from the ticket cache and added to the |
2 | 341 |
* <code>Subject</code>'s private credentials. If the TGT is not available |
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
342 |
* in the ticket cache, or the TGT's client name does not match the principal |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
343 |
* name, Java will use a secret key to obtain the TGT using the authentication |
2 | 344 |
* exchange and added to the Subject's private credentials. |
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
345 |
* This secret key will be first retrieved from the keytab. If the key |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
346 |
* is not available, the user will be prompted for the password. In either |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
347 |
* case, the key derived from the password will be added to the |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
348 |
* Subject's private credentials set. |
2 | 349 |
* <ul> |
350 |
* <p><code>isInitiator</code> = false |
|
351 |
*</ul> |
|
352 |
* <p>Configured to act as acceptor only, credentials are not acquired |
|
353 |
* via AS exchange. For acceptors only, set this value to false. |
|
354 |
* For initiators, do not set this value to false. |
|
355 |
* <ul> |
|
356 |
* <p><code>isInitiator</code> = true |
|
357 |
*</ul> |
|
358 |
* <p>Configured to act as initiator, credentials are acquired |
|
359 |
* via AS exchange. For initiators, set this value to true, or leave this |
|
360 |
* option unset, in which case default value (true) will be used. |
|
361 |
* |
|
362 |
* @author Ram Marti |
|
363 |
*/ |
|
364 |
||
365 |
public class Krb5LoginModule implements LoginModule { |
|
366 |
||
367 |
// initial state |
|
368 |
private Subject subject; |
|
369 |
private CallbackHandler callbackHandler; |
|
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
9499
diff
changeset
|
370 |
private Map<String, Object> sharedState; |
2 | 371 |
private Map<String, ?> options; |
372 |
||
373 |
// configurable option |
|
374 |
private boolean debug = false; |
|
375 |
private boolean storeKey = false; |
|
376 |
private boolean doNotPrompt = false; |
|
377 |
private boolean useTicketCache = false; |
|
378 |
private boolean useKeyTab = false; |
|
379 |
private String ticketCacheName = null; |
|
380 |
private String keyTabName = null; |
|
381 |
private String princName = null; |
|
382 |
||
383 |
private boolean useFirstPass = false; |
|
384 |
private boolean tryFirstPass = false; |
|
385 |
private boolean storePass = false; |
|
386 |
private boolean clearPass = false; |
|
387 |
private boolean refreshKrb5Config = false; |
|
388 |
private boolean renewTGT = false; |
|
389 |
||
390 |
// specify if initiator. |
|
391 |
// perform authentication exchange if initiator |
|
392 |
private boolean isInitiator = true; |
|
393 |
||
394 |
// the authentication status |
|
395 |
private boolean succeeded = false; |
|
396 |
private boolean commitSucceeded = false; |
|
397 |
private String username; |
|
9499 | 398 |
|
399 |
// Encryption keys calculated from password. Assigned when storekey == true |
|
400 |
// and useKeyTab == false (or true but not found) |
|
2 | 401 |
private EncryptionKey[] encKeys = null; |
9499 | 402 |
|
403 |
KeyTab ktab = null; |
|
404 |
||
2 | 405 |
private Credentials cred = null; |
406 |
||
407 |
private PrincipalName principal = null; |
|
408 |
private KerberosPrincipal kerbClientPrinc = null; |
|
409 |
private KerberosTicket kerbTicket = null; |
|
410 |
private KerberosKey[] kerbKeys = null; |
|
411 |
private StringBuffer krb5PrincName = null; |
|
412 |
private char[] password = null; |
|
413 |
||
414 |
private static final String NAME = "javax.security.auth.login.name"; |
|
415 |
private static final String PWD = "javax.security.auth.login.password"; |
|
416 |
static final java.util.ResourceBundle rb = |
|
417 |
java.util.ResourceBundle.getBundle("sun.security.util.AuthResources"); |
|
418 |
||
419 |
/** |
|
420 |
* Initialize this <code>LoginModule</code>. |
|
421 |
* |
|
422 |
* <p> |
|
423 |
* @param subject the <code>Subject</code> to be authenticated. <p> |
|
424 |
* |
|
425 |
* @param callbackHandler a <code>CallbackHandler</code> for |
|
426 |
* communication with the end user (prompting for |
|
427 |
* usernames and passwords, for example). <p> |
|
428 |
* |
|
429 |
* @param sharedState shared <code>LoginModule</code> state. <p> |
|
430 |
* |
|
431 |
* @param options options specified in the login |
|
432 |
* <code>Configuration</code> for this particular |
|
433 |
* <code>LoginModule</code>. |
|
434 |
*/ |
|
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
9499
diff
changeset
|
435 |
// Unchecked warning from (Map<String, Object>)sharedState is safe |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
9499
diff
changeset
|
436 |
// since javax.security.auth.login.LoginContext passes a raw HashMap. |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
9499
diff
changeset
|
437 |
// Unchecked warnings from options.get(String) are safe since we are |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
9499
diff
changeset
|
438 |
// passing known keys. |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
9499
diff
changeset
|
439 |
@SuppressWarnings("unchecked") |
2 | 440 |
public void initialize(Subject subject, |
441 |
CallbackHandler callbackHandler, |
|
442 |
Map<String, ?> sharedState, |
|
443 |
Map<String, ?> options) { |
|
444 |
||
445 |
this.subject = subject; |
|
446 |
this.callbackHandler = callbackHandler; |
|
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
9499
diff
changeset
|
447 |
this.sharedState = (Map<String, Object>)sharedState; |
2 | 448 |
this.options = options; |
449 |
||
450 |
// initialize any configured options |
|
451 |
||
452 |
debug = "true".equalsIgnoreCase((String)options.get("debug")); |
|
453 |
storeKey = "true".equalsIgnoreCase((String)options.get("storeKey")); |
|
454 |
doNotPrompt = "true".equalsIgnoreCase((String)options.get |
|
455 |
("doNotPrompt")); |
|
456 |
useTicketCache = "true".equalsIgnoreCase((String)options.get |
|
457 |
("useTicketCache")); |
|
458 |
useKeyTab = "true".equalsIgnoreCase((String)options.get("useKeyTab")); |
|
459 |
ticketCacheName = (String)options.get("ticketCache"); |
|
460 |
keyTabName = (String)options.get("keyTab"); |
|
461 |
princName = (String)options.get("principal"); |
|
462 |
refreshKrb5Config = |
|
463 |
"true".equalsIgnoreCase((String)options.get("refreshKrb5Config")); |
|
464 |
renewTGT = |
|
465 |
"true".equalsIgnoreCase((String)options.get("renewTGT")); |
|
466 |
||
467 |
// check isInitiator value |
|
468 |
String isInitiatorValue = ((String)options.get("isInitiator")); |
|
469 |
if (isInitiatorValue == null) { |
|
470 |
// use default, if value not set |
|
471 |
} else { |
|
472 |
isInitiator = "true".equalsIgnoreCase(isInitiatorValue); |
|
473 |
} |
|
474 |
||
475 |
tryFirstPass = |
|
476 |
"true".equalsIgnoreCase |
|
477 |
((String)options.get("tryFirstPass")); |
|
478 |
useFirstPass = |
|
479 |
"true".equalsIgnoreCase |
|
480 |
((String)options.get("useFirstPass")); |
|
481 |
storePass = |
|
482 |
"true".equalsIgnoreCase((String)options.get("storePass")); |
|
483 |
clearPass = |
|
484 |
"true".equalsIgnoreCase((String)options.get("clearPass")); |
|
485 |
if (debug) { |
|
486 |
System.out.print("Debug is " + debug |
|
487 |
+ " storeKey " + storeKey |
|
488 |
+ " useTicketCache " + useTicketCache |
|
489 |
+ " useKeyTab " + useKeyTab |
|
490 |
+ " doNotPrompt " + doNotPrompt |
|
491 |
+ " ticketCache is " + ticketCacheName |
|
492 |
+ " isInitiator " + isInitiator |
|
493 |
+ " KeyTab is " + keyTabName |
|
494 |
+ " refreshKrb5Config is " + refreshKrb5Config |
|
495 |
+ " principal is " + princName |
|
496 |
+ " tryFirstPass is " + tryFirstPass |
|
497 |
+ " useFirstPass is " + useFirstPass |
|
498 |
+ " storePass is " + storePass |
|
499 |
+ " clearPass is " + clearPass + "\n"); |
|
500 |
} |
|
501 |
} |
|
502 |
||
503 |
||
504 |
/** |
|
505 |
* Authenticate the user |
|
506 |
* |
|
507 |
* <p> |
|
508 |
* |
|
509 |
* @return true in all cases since this <code>LoginModule</code> |
|
510 |
* should not be ignored. |
|
511 |
* |
|
512 |
* @exception FailedLoginException if the authentication fails. <p> |
|
513 |
* |
|
514 |
* @exception LoginException if this <code>LoginModule</code> |
|
515 |
* is unable to perform the authentication. |
|
516 |
*/ |
|
517 |
public boolean login() throws LoginException { |
|
518 |
||
519 |
int len; |
|
520 |
validateConfiguration(); |
|
521 |
if (refreshKrb5Config) { |
|
522 |
try { |
|
523 |
if (debug) { |
|
524 |
System.out.println("Refreshing Kerberos configuration"); |
|
525 |
} |
|
526 |
sun.security.krb5.Config.refresh(); |
|
527 |
} catch (KrbException ke) { |
|
528 |
LoginException le = new LoginException(ke.getMessage()); |
|
529 |
le.initCause(ke); |
|
530 |
throw le; |
|
531 |
} |
|
532 |
} |
|
533 |
String principalProperty = System.getProperty |
|
534 |
("sun.security.krb5.principal"); |
|
535 |
if (principalProperty != null) { |
|
536 |
krb5PrincName = new StringBuffer(principalProperty); |
|
537 |
} else { |
|
538 |
if (princName != null) { |
|
539 |
krb5PrincName = new StringBuffer(princName); |
|
540 |
} |
|
541 |
} |
|
542 |
||
543 |
if (tryFirstPass) { |
|
544 |
try { |
|
545 |
attemptAuthentication(true); |
|
546 |
if (debug) |
|
547 |
System.out.println("\t\t[Krb5LoginModule] " + |
|
548 |
"authentication succeeded"); |
|
549 |
succeeded = true; |
|
550 |
cleanState(); |
|
551 |
return true; |
|
552 |
} catch (LoginException le) { |
|
553 |
// authentication failed -- try again below by prompting |
|
554 |
cleanState(); |
|
555 |
if (debug) { |
|
556 |
System.out.println("\t\t[Krb5LoginModule] " + |
|
557 |
"tryFirstPass failed with:" + |
|
558 |
le.getMessage()); |
|
559 |
} |
|
560 |
} |
|
561 |
} else if (useFirstPass) { |
|
562 |
try { |
|
563 |
attemptAuthentication(true); |
|
564 |
succeeded = true; |
|
565 |
cleanState(); |
|
566 |
return true; |
|
567 |
} catch (LoginException e) { |
|
568 |
// authentication failed -- clean out state |
|
569 |
if (debug) { |
|
570 |
System.out.println("\t\t[Krb5LoginModule] " + |
|
571 |
"authentication failed \n" + |
|
572 |
e.getMessage()); |
|
573 |
} |
|
574 |
succeeded = false; |
|
575 |
cleanState(); |
|
576 |
throw e; |
|
577 |
} |
|
578 |
} |
|
579 |
||
580 |
// attempt the authentication by getting the username and pwd |
|
581 |
// by prompting or configuration i.e. not from shared state |
|
582 |
||
583 |
try { |
|
584 |
attemptAuthentication(false); |
|
585 |
succeeded = true; |
|
586 |
cleanState(); |
|
587 |
return true; |
|
588 |
} catch (LoginException e) { |
|
589 |
// authentication failed -- clean out state |
|
590 |
if (debug) { |
|
591 |
System.out.println("\t\t[Krb5LoginModule] " + |
|
592 |
"authentication failed \n" + |
|
593 |
e.getMessage()); |
|
594 |
} |
|
595 |
succeeded = false; |
|
596 |
cleanState(); |
|
597 |
throw e; |
|
598 |
} |
|
599 |
} |
|
600 |
/** |
|
601 |
* process the configuration options |
|
602 |
* Get the TGT either out of |
|
603 |
* cache or from the KDC using the password entered |
|
604 |
* Check the permission before getting the TGT |
|
605 |
*/ |
|
606 |
||
607 |
private void attemptAuthentication(boolean getPasswdFromSharedState) |
|
608 |
throws LoginException { |
|
609 |
||
610 |
/* |
|
611 |
* Check the creds cache to see whether |
|
612 |
* we have TGT for this client principal |
|
613 |
*/ |
|
614 |
if (krb5PrincName != null) { |
|
615 |
try { |
|
616 |
principal = new PrincipalName |
|
617 |
(krb5PrincName.toString(), |
|
618 |
PrincipalName.KRB_NT_PRINCIPAL); |
|
619 |
} catch (KrbException e) { |
|
620 |
LoginException le = new LoginException(e.getMessage()); |
|
621 |
le.initCause(e); |
|
622 |
throw le; |
|
623 |
} |
|
624 |
} |
|
625 |
||
626 |
try { |
|
627 |
if (useTicketCache) { |
|
628 |
// ticketCacheName == null implies the default cache |
|
629 |
if (debug) |
|
630 |
System.out.println("Acquire TGT from Cache"); |
|
631 |
cred = Credentials.acquireTGTFromCache |
|
632 |
(principal, ticketCacheName); |
|
633 |
||
634 |
if (cred != null) { |
|
635 |
// check to renew credentials |
|
636 |
if (!isCurrent(cred)) { |
|
637 |
if (renewTGT) { |
|
638 |
cred = renewCredentials(cred); |
|
639 |
} else { |
|
640 |
// credentials have expired |
|
641 |
cred = null; |
|
642 |
if (debug) |
|
643 |
System.out.println("Credentials are" + |
|
644 |
" no longer valid"); |
|
645 |
} |
|
646 |
} |
|
647 |
} |
|
648 |
||
649 |
if (cred != null) { |
|
650 |
// get the principal name from the ticket cache |
|
651 |
if (principal == null) { |
|
652 |
principal = cred.getClient(); |
|
653 |
} |
|
654 |
} |
|
655 |
if (debug) { |
|
656 |
System.out.println("Principal is " + principal); |
|
657 |
if (cred == null) { |
|
658 |
System.out.println |
|
659 |
("null credentials from Ticket Cache"); |
|
660 |
} |
|
661 |
} |
|
662 |
} |
|
663 |
||
664 |
// cred = null indicates that we didn't get the creds |
|
665 |
// from the cache or useTicketCache was false |
|
666 |
||
667 |
if (cred == null) { |
|
668 |
// We need the principal name whether we use keytab |
|
669 |
// or AS Exchange |
|
670 |
if (principal == null) { |
|
671 |
promptForName(getPasswdFromSharedState); |
|
672 |
principal = new PrincipalName |
|
673 |
(krb5PrincName.toString(), |
|
674 |
PrincipalName.KRB_NT_PRINCIPAL); |
|
675 |
} |
|
9499 | 676 |
|
677 |
/* |
|
678 |
* Before dynamic KeyTab support (6894072), here we check if |
|
679 |
* the keytab contains keys for the principal. If no, keytab |
|
680 |
* will not be used and password is prompted for. |
|
681 |
* |
|
682 |
* After 6894072, we normally don't check it, and expect the |
|
683 |
* keys can be populated until a real connection is made. The |
|
684 |
* check is still done when isInitiator == true, where the keys |
|
685 |
* will be used right now. |
|
686 |
* |
|
687 |
* Probably tricky relations: |
|
688 |
* |
|
689 |
* useKeyTab is config flag, but when it's true but the ktab |
|
690 |
* does not contains keys for principal, we would use password |
|
691 |
* and keep the flag unchanged (for reuse?). In this method, |
|
692 |
* we use (ktab != null) to check whether keytab is used. |
|
693 |
* After this method (and when storeKey == true), we use |
|
694 |
* (encKeys == null) to check. |
|
695 |
*/ |
|
2 | 696 |
if (useKeyTab) { |
9499 | 697 |
ktab = (keyTabName == null) |
698 |
? KeyTab.getInstance() |
|
699 |
: KeyTab.getInstance(new File(keyTabName)); |
|
700 |
if (isInitiator) { |
|
701 |
if (Krb5Util.keysFromJavaxKeyTab(ktab, principal).length |
|
702 |
== 0) { |
|
703 |
ktab = null; |
|
704 |
if (debug) { |
|
705 |
System.out.println |
|
706 |
("Key for the principal " + |
|
707 |
principal + |
|
708 |
" not available in " + |
|
709 |
((keyTabName == null) ? |
|
710 |
"default key tab" : keyTabName)); |
|
711 |
} |
|
712 |
} |
|
2 | 713 |
} |
714 |
} |
|
7183 | 715 |
|
716 |
KrbAsReqBuilder builder; |
|
9499 | 717 |
|
718 |
if (ktab == null) { |
|
2 | 719 |
promptForPass(getPasswdFromSharedState); |
7183 | 720 |
builder = new KrbAsReqBuilder(principal, password); |
2 | 721 |
if (isInitiator) { |
7183 | 722 |
// XXX Even if isInitiator=false, it might be |
723 |
// better to do an AS-REQ so that keys can be |
|
724 |
// updated with PA info |
|
725 |
cred = builder.action().getCreds(); |
|
2 | 726 |
} |
9499 | 727 |
if (storeKey) { |
10695
08c28770f82b
7089889: Krb5LoginModule.login() throws an exception if used without a keytab
weijun
parents:
10336
diff
changeset
|
728 |
encKeys = builder.getKeys(isInitiator); |
9499 | 729 |
// When encKeys is empty, the login actually fails. |
730 |
// For compatibility, exception is thrown in commit(). |
|
731 |
} |
|
2 | 732 |
} else { |
9499 | 733 |
builder = new KrbAsReqBuilder(principal, ktab); |
2 | 734 |
if (isInitiator) { |
7183 | 735 |
cred = builder.action().getCreds(); |
2 | 736 |
} |
737 |
} |
|
7183 | 738 |
builder.destroy(); |
2 | 739 |
|
740 |
if (debug) { |
|
741 |
System.out.println("principal is " + principal); |
|
742 |
HexDumpEncoder hd = new HexDumpEncoder(); |
|
9499 | 743 |
if (ktab != null) { |
744 |
System.out.println("Will use keytab"); |
|
745 |
} else if (storeKey) { |
|
746 |
for (int i = 0; i < encKeys.length; i++) { |
|
747 |
System.out.println("EncryptionKey: keyType=" + |
|
748 |
encKeys[i].getEType() + |
|
749 |
" keyBytes (hex dump)=" + |
|
750 |
hd.encodeBuffer(encKeys[i].getBytes())); |
|
751 |
} |
|
2 | 752 |
} |
753 |
} |
|
754 |
||
755 |
// we should hava a non-null cred |
|
756 |
if (isInitiator && (cred == null)) { |
|
757 |
throw new LoginException |
|
758 |
("TGT Can not be obtained from the KDC "); |
|
759 |
} |
|
760 |
||
761 |
} |
|
762 |
} catch (KrbException e) { |
|
763 |
LoginException le = new LoginException(e.getMessage()); |
|
764 |
le.initCause(e); |
|
765 |
throw le; |
|
766 |
} catch (IOException ioe) { |
|
767 |
LoginException ie = new LoginException(ioe.getMessage()); |
|
768 |
ie.initCause(ioe); |
|
769 |
throw ie; |
|
770 |
} |
|
771 |
} |
|
772 |
||
773 |
private void promptForName(boolean getPasswdFromSharedState) |
|
774 |
throws LoginException { |
|
775 |
krb5PrincName = new StringBuffer(""); |
|
776 |
if (getPasswdFromSharedState) { |
|
777 |
// use the name saved by the first module in the stack |
|
778 |
username = (String)sharedState.get(NAME); |
|
779 |
if (debug) { |
|
780 |
System.out.println |
|
781 |
("username from shared state is " + username + "\n"); |
|
782 |
} |
|
783 |
if (username == null) { |
|
784 |
System.out.println |
|
785 |
("username from shared state is null\n"); |
|
786 |
throw new LoginException |
|
787 |
("Username can not be obtained from sharedstate "); |
|
788 |
} |
|
789 |
if (debug) { |
|
790 |
System.out.println |
|
791 |
("username from shared state is " + username + "\n"); |
|
792 |
} |
|
793 |
if (username != null && username.length() > 0) { |
|
794 |
krb5PrincName.insert(0, username); |
|
795 |
return; |
|
796 |
} |
|
797 |
} |
|
798 |
||
799 |
if (doNotPrompt) { |
|
800 |
throw new LoginException |
|
801 |
("Unable to obtain Princpal Name for authentication "); |
|
802 |
} else { |
|
803 |
if (callbackHandler == null) |
|
804 |
throw new LoginException("No CallbackHandler " |
|
805 |
+ "available " |
|
806 |
+ "to garner authentication " |
|
807 |
+ "information from the user"); |
|
808 |
try { |
|
809 |
String defUsername = System.getProperty("user.name"); |
|
810 |
||
811 |
Callback[] callbacks = new Callback[1]; |
|
812 |
MessageFormat form = new MessageFormat( |
|
813 |
rb.getString( |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5506
diff
changeset
|
814 |
"Kerberos.username.defUsername.")); |
2 | 815 |
Object[] source = {defUsername}; |
816 |
callbacks[0] = new NameCallback(form.format(source)); |
|
817 |
callbackHandler.handle(callbacks); |
|
818 |
username = ((NameCallback)callbacks[0]).getName(); |
|
819 |
if (username == null || username.length() == 0) |
|
820 |
username = defUsername; |
|
821 |
krb5PrincName.insert(0, username); |
|
822 |
||
823 |
} catch (java.io.IOException ioe) { |
|
824 |
throw new LoginException(ioe.getMessage()); |
|
825 |
} catch (UnsupportedCallbackException uce) { |
|
826 |
throw new LoginException |
|
827 |
(uce.getMessage() |
|
828 |
+" not available to garner " |
|
829 |
+" authentication information " |
|
830 |
+" from the user"); |
|
831 |
} |
|
832 |
} |
|
833 |
} |
|
834 |
||
835 |
private void promptForPass(boolean getPasswdFromSharedState) |
|
836 |
throws LoginException { |
|
837 |
||
838 |
if (getPasswdFromSharedState) { |
|
839 |
// use the password saved by the first module in the stack |
|
840 |
password = (char[])sharedState.get(PWD); |
|
841 |
if (password == null) { |
|
842 |
if (debug) { |
|
843 |
System.out.println |
|
844 |
("Password from shared state is null"); |
|
845 |
} |
|
846 |
throw new LoginException |
|
847 |
("Password can not be obtained from sharedstate "); |
|
848 |
} |
|
849 |
if (debug) { |
|
850 |
System.out.println |
|
851 |
("password is " + new String(password)); |
|
852 |
} |
|
853 |
return; |
|
854 |
} |
|
855 |
if (doNotPrompt) { |
|
856 |
throw new LoginException |
|
857 |
("Unable to obtain password from user\n"); |
|
858 |
} else { |
|
859 |
if (callbackHandler == null) |
|
860 |
throw new LoginException("No CallbackHandler " |
|
861 |
+ "available " |
|
862 |
+ "to garner authentication " |
|
863 |
+ "information from the user"); |
|
864 |
try { |
|
865 |
Callback[] callbacks = new Callback[1]; |
|
866 |
String userName = krb5PrincName.toString(); |
|
867 |
MessageFormat form = new MessageFormat( |
|
868 |
rb.getString( |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5506
diff
changeset
|
869 |
"Kerberos.password.for.username.")); |
2 | 870 |
Object[] source = {userName}; |
871 |
callbacks[0] = new PasswordCallback( |
|
872 |
form.format(source), |
|
873 |
false); |
|
874 |
callbackHandler.handle(callbacks); |
|
875 |
char[] tmpPassword = ((PasswordCallback) |
|
876 |
callbacks[0]).getPassword(); |
|
877 |
if (tmpPassword == null) { |
|
878 |
// treat a NULL password as an empty password |
|
879 |
tmpPassword = new char[0]; |
|
880 |
} |
|
881 |
password = new char[tmpPassword.length]; |
|
882 |
System.arraycopy(tmpPassword, 0, |
|
883 |
password, 0, tmpPassword.length); |
|
884 |
((PasswordCallback)callbacks[0]).clearPassword(); |
|
885 |
||
886 |
||
887 |
// clear tmpPassword |
|
888 |
for (int i = 0; i < tmpPassword.length; i++) |
|
889 |
tmpPassword[i] = ' '; |
|
890 |
tmpPassword = null; |
|
891 |
if (debug) { |
|
892 |
System.out.println("\t\t[Krb5LoginModule] " + |
|
893 |
"user entered username: " + |
|
894 |
krb5PrincName); |
|
895 |
System.out.println(); |
|
896 |
} |
|
897 |
} catch (java.io.IOException ioe) { |
|
898 |
throw new LoginException(ioe.getMessage()); |
|
899 |
} catch (UnsupportedCallbackException uce) { |
|
900 |
throw new LoginException(uce.getMessage() |
|
901 |
+" not available to garner " |
|
902 |
+" authentication information " |
|
903 |
+ "from the user"); |
|
904 |
} |
|
905 |
} |
|
906 |
} |
|
907 |
||
908 |
private void validateConfiguration() throws LoginException { |
|
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
909 |
if (doNotPrompt && !useTicketCache && !useKeyTab |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
910 |
&& !tryFirstPass && !useFirstPass) |
2 | 911 |
throw new LoginException |
912 |
("Configuration Error" |
|
913 |
+ " - either doNotPrompt should be " |
|
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
914 |
+ " false or at least one of useTicketCache, " |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
915 |
+ " useKeyTab, tryFirstPass and useFirstPass" |
2 | 916 |
+ " should be true"); |
917 |
if (ticketCacheName != null && !useTicketCache) |
|
918 |
throw new LoginException |
|
919 |
("Configuration Error " |
|
920 |
+ " - useTicketCache should be set " |
|
921 |
+ "to true to use the ticket cache" |
|
922 |
+ ticketCacheName); |
|
923 |
if (keyTabName != null & !useKeyTab) |
|
924 |
throw new LoginException |
|
925 |
("Configuration Error - useKeyTab should be set to true " |
|
926 |
+ "to use the keytab" + keyTabName); |
|
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
927 |
if (storeKey && doNotPrompt && !useKeyTab |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
928 |
&& !tryFirstPass && !useFirstPass) |
2 | 929 |
throw new LoginException |
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
930 |
("Configuration Error - either doNotPrompt should be set to " |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
931 |
+ " false or at least one of tryFirstPass, useFirstPass " |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
932 |
+ "or useKeyTab must be set to true for storeKey option"); |
2 | 933 |
if (renewTGT && !useTicketCache) |
934 |
throw new LoginException |
|
935 |
("Configuration Error" |
|
936 |
+ " - either useTicketCache should be " |
|
937 |
+ " true or renewTGT should be false"); |
|
938 |
} |
|
939 |
||
940 |
private boolean isCurrent(Credentials creds) |
|
941 |
{ |
|
942 |
Date endTime = creds.getEndTime(); |
|
943 |
if (endTime != null) { |
|
944 |
return (System.currentTimeMillis() <= endTime.getTime()); |
|
945 |
} |
|
946 |
return true; |
|
947 |
} |
|
948 |
||
949 |
private Credentials renewCredentials(Credentials creds) |
|
950 |
{ |
|
951 |
Credentials lcreds; |
|
952 |
try { |
|
953 |
if (!creds.isRenewable()) |
|
954 |
throw new RefreshFailedException("This ticket" + |
|
955 |
" is not renewable"); |
|
956 |
if (System.currentTimeMillis() > cred.getRenewTill().getTime()) |
|
957 |
throw new RefreshFailedException("This ticket is past " |
|
958 |
+ "its last renewal time."); |
|
959 |
lcreds = creds.renew(); |
|
960 |
if (debug) |
|
961 |
System.out.println("Renewed Kerberos Ticket"); |
|
962 |
} catch (Exception e) { |
|
963 |
lcreds = null; |
|
964 |
if (debug) |
|
965 |
System.out.println("Ticket could not be renewed : " |
|
966 |
+ e.getMessage()); |
|
967 |
} |
|
968 |
return lcreds; |
|
969 |
} |
|
970 |
||
971 |
/** |
|
972 |
* <p> This method is called if the LoginContext's |
|
973 |
* overall authentication succeeded |
|
974 |
* (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL |
|
975 |
* LoginModules succeeded). |
|
976 |
* |
|
977 |
* <p> If this LoginModule's own authentication attempt |
|
978 |
* succeeded (checked by retrieving the private state saved by the |
|
979 |
* <code>login</code> method), then this method associates a |
|
980 |
* <code>Krb5Principal</code> |
|
981 |
* with the <code>Subject</code> located in the |
|
982 |
* <code>LoginModule</code>. It adds Kerberos Credentials to the |
|
983 |
* the Subject's private credentials set. If this LoginModule's own |
|
984 |
* authentication attempted failed, then this method removes |
|
985 |
* any state that was originally saved. |
|
986 |
* |
|
987 |
* <p> |
|
988 |
* |
|
989 |
* @exception LoginException if the commit fails. |
|
990 |
* |
|
991 |
* @return true if this LoginModule's own login and commit |
|
992 |
* attempts succeeded, or false otherwise. |
|
993 |
*/ |
|
994 |
||
995 |
public boolean commit() throws LoginException { |
|
996 |
||
997 |
/* |
|
998 |
* Let us add the Krb5 Creds to the Subject's |
|
999 |
* private credentials. The credentials are of type |
|
1000 |
* KerberosKey or KerberosTicket |
|
1001 |
*/ |
|
1002 |
if (succeeded == false) { |
|
1003 |
return false; |
|
1004 |
} else { |
|
1005 |
||
1006 |
if (isInitiator && (cred == null)) { |
|
1007 |
succeeded = false; |
|
1008 |
throw new LoginException("Null Client Credential"); |
|
1009 |
} |
|
1010 |
||
1011 |
if (subject.isReadOnly()) { |
|
1012 |
cleanKerberosCred(); |
|
1013 |
throw new LoginException("Subject is Readonly"); |
|
1014 |
} |
|
1015 |
||
1016 |
/* |
|
1017 |
* Add the Principal (authenticated identity) |
|
1018 |
* to the Subject's principal set and |
|
1019 |
* add the credentials (TGT or Service key) to the |
|
1020 |
* Subject's private credentials |
|
1021 |
*/ |
|
1022 |
||
1023 |
Set<Object> privCredSet = subject.getPrivateCredentials(); |
|
1024 |
Set<java.security.Principal> princSet = subject.getPrincipals(); |
|
1025 |
kerbClientPrinc = new KerberosPrincipal(principal.getName()); |
|
1026 |
||
1027 |
// create Kerberos Ticket |
|
1028 |
if (isInitiator) { |
|
1029 |
kerbTicket = Krb5Util.credsToTicket(cred); |
|
1030 |
} |
|
1031 |
||
9499 | 1032 |
if (storeKey && encKeys != null) { |
1033 |
if (encKeys.length == 0) { |
|
2 | 1034 |
succeeded = false; |
1035 |
throw new LoginException("Null Server Key "); |
|
1036 |
} |
|
1037 |
||
1038 |
kerbKeys = new KerberosKey[encKeys.length]; |
|
1039 |
for (int i = 0; i < encKeys.length; i ++) { |
|
1040 |
Integer temp = encKeys[i].getKeyVersionNumber(); |
|
1041 |
kerbKeys[i] = new KerberosKey(kerbClientPrinc, |
|
1042 |
encKeys[i].getBytes(), |
|
1043 |
encKeys[i].getEType(), |
|
1044 |
(temp == null? |
|
1045 |
0: temp.intValue())); |
|
1046 |
} |
|
1047 |
||
1048 |
} |
|
9499 | 1049 |
// Let us add the kerbClientPrinc,kerbTicket and KeyTab/KerbKey (if |
2 | 1050 |
// storeKey is true) |
9499 | 1051 |
if (!princSet.contains(kerbClientPrinc)) { |
2 | 1052 |
princSet.add(kerbClientPrinc); |
9499 | 1053 |
} |
2 | 1054 |
|
1055 |
// add the TGT |
|
1056 |
if (kerbTicket != null) { |
|
1057 |
if (!privCredSet.contains(kerbTicket)) |
|
1058 |
privCredSet.add(kerbTicket); |
|
1059 |
} |
|
1060 |
||
1061 |
if (storeKey) { |
|
9499 | 1062 |
if (encKeys == null) { |
1063 |
if (!privCredSet.contains(ktab)) { |
|
1064 |
privCredSet.add(ktab); |
|
1065 |
// Compatibility; also add keys to privCredSet |
|
1066 |
for (KerberosKey key: ktab.getKeys(kerbClientPrinc)) { |
|
1067 |
privCredSet.add(new Krb5Util.KeysFromKeyTab(key)); |
|
1068 |
} |
|
2 | 1069 |
} |
9499 | 1070 |
} else { |
1071 |
for (int i = 0; i < kerbKeys.length; i ++) { |
|
1072 |
if (!privCredSet.contains(kerbKeys[i])) { |
|
1073 |
privCredSet.add(kerbKeys[i]); |
|
1074 |
} |
|
1075 |
encKeys[i].destroy(); |
|
1076 |
encKeys[i] = null; |
|
1077 |
if (debug) { |
|
1078 |
System.out.println("Added server's key" |
|
1079 |
+ kerbKeys[i]); |
|
1080 |
System.out.println("\t\t[Krb5LoginModule] " + |
|
1081 |
"added Krb5Principal " + |
|
1082 |
kerbClientPrinc.toString() |
|
1083 |
+ " to Subject"); |
|
1084 |
} |
|
2 | 1085 |
} |
1086 |
} |
|
1087 |
} |
|
1088 |
} |
|
1089 |
commitSucceeded = true; |
|
1090 |
if (debug) |
|
1091 |
System.out.println("Commit Succeeded \n"); |
|
1092 |
return true; |
|
1093 |
} |
|
1094 |
||
1095 |
/** |
|
1096 |
* <p> This method is called if the LoginContext's |
|
1097 |
* overall authentication failed. |
|
1098 |
* (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL |
|
1099 |
* LoginModules did not succeed). |
|
1100 |
* |
|
1101 |
* <p> If this LoginModule's own authentication attempt |
|
1102 |
* succeeded (checked by retrieving the private state saved by the |
|
1103 |
* <code>login</code> and <code>commit</code> methods), |
|
1104 |
* then this method cleans up any state that was originally saved. |
|
1105 |
* |
|
1106 |
* <p> |
|
1107 |
* |
|
1108 |
* @exception LoginException if the abort fails. |
|
1109 |
* |
|
1110 |
* @return false if this LoginModule's own login and/or commit attempts |
|
1111 |
* failed, and true otherwise. |
|
1112 |
*/ |
|
1113 |
||
1114 |
public boolean abort() throws LoginException { |
|
1115 |
if (succeeded == false) { |
|
1116 |
return false; |
|
1117 |
} else if (succeeded == true && commitSucceeded == false) { |
|
1118 |
// login succeeded but overall authentication failed |
|
1119 |
succeeded = false; |
|
1120 |
cleanKerberosCred(); |
|
1121 |
} else { |
|
1122 |
// overall authentication succeeded and commit succeeded, |
|
1123 |
// but someone else's commit failed |
|
1124 |
logout(); |
|
1125 |
} |
|
1126 |
return true; |
|
1127 |
} |
|
1128 |
||
1129 |
/** |
|
1130 |
* Logout the user. |
|
1131 |
* |
|
1132 |
* <p> This method removes the <code>Krb5Principal</code> |
|
1133 |
* that was added by the <code>commit</code> method. |
|
1134 |
* |
|
1135 |
* <p> |
|
1136 |
* |
|
1137 |
* @exception LoginException if the logout fails. |
|
1138 |
* |
|
1139 |
* @return true in all cases since this <code>LoginModule</code> |
|
1140 |
* should not be ignored. |
|
1141 |
*/ |
|
1142 |
public boolean logout() throws LoginException { |
|
1143 |
||
1144 |
if (debug) { |
|
1145 |
System.out.println("\t\t[Krb5LoginModule]: " + |
|
1146 |
"Entering logout"); |
|
1147 |
} |
|
1148 |
||
1149 |
if (subject.isReadOnly()) { |
|
1150 |
cleanKerberosCred(); |
|
1151 |
throw new LoginException("Subject is Readonly"); |
|
1152 |
} |
|
1153 |
||
1154 |
subject.getPrincipals().remove(kerbClientPrinc); |
|
1155 |
// Let us remove all Kerberos credentials stored in the Subject |
|
1156 |
Iterator<Object> it = subject.getPrivateCredentials().iterator(); |
|
1157 |
while (it.hasNext()) { |
|
1158 |
Object o = it.next(); |
|
1159 |
if (o instanceof KerberosTicket || |
|
9499 | 1160 |
o instanceof KerberosKey || |
1161 |
o instanceof KeyTab) { |
|
2 | 1162 |
it.remove(); |
1163 |
} |
|
1164 |
} |
|
1165 |
// clean the kerberos ticket and keys |
|
1166 |
cleanKerberosCred(); |
|
1167 |
||
1168 |
succeeded = false; |
|
1169 |
commitSucceeded = false; |
|
1170 |
if (debug) { |
|
1171 |
System.out.println("\t\t[Krb5LoginModule]: " + |
|
1172 |
"logged out Subject"); |
|
1173 |
} |
|
1174 |
return true; |
|
1175 |
} |
|
1176 |
||
1177 |
/** |
|
1178 |
* Clean Kerberos credentials |
|
1179 |
*/ |
|
1180 |
private void cleanKerberosCred() throws LoginException { |
|
1181 |
// Clean the ticket and server key |
|
1182 |
try { |
|
1183 |
if (kerbTicket != null) |
|
1184 |
kerbTicket.destroy(); |
|
1185 |
if (kerbKeys != null) { |
|
1186 |
for (int i = 0; i < kerbKeys.length; i++) { |
|
1187 |
kerbKeys[i].destroy(); |
|
1188 |
} |
|
1189 |
} |
|
1190 |
} catch (DestroyFailedException e) { |
|
1191 |
throw new LoginException |
|
1192 |
("Destroy Failed on Kerberos Private Credentials"); |
|
1193 |
} |
|
1194 |
kerbTicket = null; |
|
1195 |
kerbKeys = null; |
|
1196 |
kerbClientPrinc = null; |
|
1197 |
} |
|
1198 |
||
1199 |
/** |
|
1200 |
* Clean out the state |
|
1201 |
*/ |
|
1202 |
private void cleanState() { |
|
1203 |
||
1204 |
// save input as shared state only if |
|
1205 |
// authentication succeeded |
|
1206 |
if (succeeded) { |
|
1207 |
if (storePass && |
|
1208 |
!sharedState.containsKey(NAME) && |
|
1209 |
!sharedState.containsKey(PWD)) { |
|
1210 |
sharedState.put(NAME, username); |
|
1211 |
sharedState.put(PWD, password); |
|
1212 |
} |
|
793
8183c2b0985f
6716534: Krb5LoginModule has not cleaned temp info between authentication attempts
weijun
parents:
2
diff
changeset
|
1213 |
} else { |
8183c2b0985f
6716534: Krb5LoginModule has not cleaned temp info between authentication attempts
weijun
parents:
2
diff
changeset
|
1214 |
// remove temp results for the next try |
8183c2b0985f
6716534: Krb5LoginModule has not cleaned temp info between authentication attempts
weijun
parents:
2
diff
changeset
|
1215 |
encKeys = null; |
9499 | 1216 |
ktab = null; |
793
8183c2b0985f
6716534: Krb5LoginModule has not cleaned temp info between authentication attempts
weijun
parents:
2
diff
changeset
|
1217 |
principal = null; |
2 | 1218 |
} |
1219 |
username = null; |
|
1220 |
password = null; |
|
1221 |
if (krb5PrincName != null && krb5PrincName.length() != 0) |
|
1222 |
krb5PrincName.delete(0, krb5PrincName.length()); |
|
1223 |
krb5PrincName = null; |
|
1224 |
if (clearPass) { |
|
1225 |
sharedState.remove(NAME); |
|
1226 |
sharedState.remove(PWD); |
|
1227 |
} |
|
1228 |
} |
|
1229 |
} |