author | weijun |
Thu, 11 Nov 2010 15:51:12 +0800 | |
changeset 7179 | 4afb81e50183 |
parent 5506 | 202f599c92aa |
child 7183 | d8ccc1c73358 |
permissions | -rw-r--r-- |
2 | 1 |
/* |
5506 | 2 |
* Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved. |
2 | 3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 |
* |
|
5 |
* This code is free software; you can redistribute it and/or modify it |
|
6 |
* under the terms of the GNU General Public License version 2 only, as |
|
5506 | 7 |
* published by the Free Software Foundation. Oracle designates this |
2 | 8 |
* particular file as subject to the "Classpath" exception as provided |
5506 | 9 |
* by Oracle in the LICENSE file that accompanied this code. |
2 | 10 |
* |
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that |
|
15 |
* accompanied this code). |
|
16 |
* |
|
17 |
* You should have received a copy of the GNU General Public License version |
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation, |
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 |
* |
|
5506 | 21 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
22 |
* or visit www.oracle.com if you need additional information or have any |
|
23 |
* questions. |
|
2 | 24 |
*/ |
25 |
||
26 |
||
27 |
package com.sun.security.auth.module; |
|
28 |
||
29 |
import java.io.*; |
|
30 |
import java.net.*; |
|
31 |
import java.text.MessageFormat; |
|
32 |
import java.util.*; |
|
33 |
||
34 |
import javax.security.auth.*; |
|
35 |
import javax.security.auth.kerberos.*; |
|
36 |
import javax.security.auth.callback.*; |
|
37 |
import javax.security.auth.login.*; |
|
38 |
import javax.security.auth.spi.*; |
|
39 |
||
40 |
import sun.security.krb5.*; |
|
41 |
import sun.security.krb5.Config; |
|
42 |
import sun.security.krb5.RealmException; |
|
43 |
import sun.security.util.AuthResources; |
|
44 |
import sun.security.jgss.krb5.Krb5Util; |
|
45 |
import sun.security.krb5.Credentials; |
|
46 |
import sun.misc.HexDumpEncoder; |
|
47 |
||
48 |
/** |
|
49 |
* <p> This <code>LoginModule</code> authenticates users using |
|
50 |
* Kerberos protocols. |
|
51 |
* |
|
52 |
* <p> The configuration entry for <code>Krb5LoginModule</code> has |
|
53 |
* several options that control the authentication process and |
|
54 |
* additions to the <code>Subject</code>'s private credential |
|
55 |
* set. Irrespective of these options, the <code>Subject</code>'s |
|
56 |
* principal set and private credentials set are updated only when |
|
57 |
* <code>commit</code> is called. |
|
58 |
* When <code>commit</code> is called, the <code>KerberosPrincipal</code> |
|
59 |
* is added to the <code>Subject</code>'s |
|
60 |
* principal set and <code>KerberosTicket</code> is |
|
61 |
* added to the <code>Subject</code>'s private credentials. |
|
62 |
* |
|
63 |
* <p> If the configuration entry for <code>KerberosLoginModule</code> |
|
64 |
* has the option <code>storeKey</code> set to true, then |
|
65 |
* <code>KerberosKey</code> will also be added to the |
|
66 |
* subject's private credentials. <code>KerberosKey</code>, the principal's |
|
67 |
* key will be either obtained from the keytab or |
|
68 |
* derived from user's password. |
|
69 |
* |
|
70 |
* <p> This <code>LoginModule</code> recognizes the <code>doNotPrompt</code> |
|
71 |
* option. If set to true the user will not be prompted for the password. |
|
72 |
* |
|
73 |
* <p> The user can specify the location of the ticket cache by using |
|
74 |
* the option <code>ticketCache</code> in the configuration entry. |
|
75 |
* |
|
76 |
* <p>The user can specify the keytab location by using |
|
77 |
* the option <code>keyTab</code> |
|
78 |
* in the configuration entry. |
|
79 |
* |
|
80 |
* <p> The principal name can be specified in the configuration entry |
|
81 |
* by using the option <code>principal</code>. The principal name |
|
82 |
* can either be a simple user name or a service name such as |
|
83 |
* <code>host/mission.eng.sun.com</code>. The principal can also |
|
84 |
* be set using the system property <code>sun.security.krb5.principal</code>. |
|
85 |
* This property is checked during login. If this property is not set, then |
|
86 |
* the principal name from the configuration is used. In the |
|
87 |
* case where the principal property is not set and the principal |
|
88 |
* entry also does not exist, the user is prompted for the name. |
|
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
89 |
* When this property of entry is set, and <code>useTicketCache</code> |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
90 |
* is set to true, only TGT belonging to this principal is used. |
2 | 91 |
* |
92 |
* <p> The following is a list of configuration options supported |
|
93 |
* for <code>Krb5LoginModule</code>: |
|
94 |
* <dl> |
|
95 |
* <blockquote><dt><b><code>refreshKrb5Config</code></b>:</dt> |
|
96 |
* <dd> Set this to true, if you want the configuration |
|
97 |
* to be refreshed before the <code>login</code> method is called.</dd> |
|
98 |
* <P> |
|
99 |
* <dt><b><code>useTicketCache</code></b>:</dt> |
|
100 |
* <dd>Set this to true, if you want the |
|
101 |
* TGT to be obtained |
|
102 |
* from the ticket cache. Set this option |
|
103 |
* to false if you do not want this module to use the ticket cache. |
|
104 |
* (Default is False). |
|
105 |
* This module will |
|
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
106 |
* search for the ticket |
2 | 107 |
* cache in the following locations: |
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
108 |
* On Solaris and Linux |
2 | 109 |
* it will look for the ticket cache in /tmp/krb5cc_<code>uid</code> |
110 |
* where the uid is numeric user |
|
111 |
* identifier. If the ticket cache is |
|
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
112 |
* not available in the above location, or if we are on a |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
113 |
* Windows platform, it will look for the cache as |
2 | 114 |
* {user.home}{file.separator}krb5cc_{user.name}. |
115 |
* You can override the ticket cache location by using |
|
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
116 |
* <code>ticketCache</code>. |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
117 |
* For Windows, if a ticket cannot be retrieved from the file ticket cache, |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
118 |
* it will use Local Security Authority (LSA) API to get the TGT. |
2 | 119 |
* <P> |
120 |
* <dt><b><code>ticketCache</code></b>:</dt> |
|
121 |
* <dd>Set this to the name of the ticket |
|
122 |
* cache that contains user's TGT. |
|
123 |
* If this is set, <code>useTicketCache</code> |
|
124 |
* must also be set to true; Otherwise a configuration error will |
|
125 |
* be returned.</dd> |
|
126 |
* <P> |
|
127 |
* <dt><b><code>renewTGT</code></b>:</dt> |
|
128 |
* <dd>Set this to true, if you want to renew |
|
129 |
* the TGT. If this is set, <code>useTicketCache</code> must also be |
|
130 |
* set to true; otherwise a configuration error will be returned.</dd> |
|
131 |
* <p> |
|
132 |
* <dt><b><code>doNotPrompt</code></b>:</dt> |
|
133 |
* <dd>Set this to true if you do not want to be |
|
134 |
* prompted for the password |
|
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
135 |
* if credentials can not be obtained from the cache, the keytab, |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
136 |
* or through shared state.(Default is false) |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
137 |
* If set to true, credential must be obtained through cache, keytab, |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
138 |
* or shared state. Otherwise, authentication will fail.</dd> |
2 | 139 |
* <P> |
140 |
* <dt><b><code>useKeyTab</code></b>:</dt> |
|
141 |
* <dd>Set this to true if you |
|
142 |
* want the module to get the principal's key from the |
|
143 |
* the keytab.(default value is False) |
|
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
144 |
* If <code>keytab</code> |
2 | 145 |
* is not set then |
146 |
* the module will locate the keytab from the |
|
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
147 |
* Kerberos configuration file. |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
148 |
* If it is not specified in the Kerberos configuration file |
2 | 149 |
* then it will look for the file |
150 |
* <code>{user.home}{file.separator}</code>krb5.keytab.</dd> |
|
151 |
* <P> |
|
152 |
* <dt><b><code>keyTab</code></b>:</dt> |
|
153 |
* <dd>Set this to the file name of the |
|
154 |
* keytab to get principal's secret key.</dd> |
|
155 |
* <P> |
|
156 |
* <dt><b><code>storeKey</code></b>:</dt> |
|
157 |
* <dd>Set this to true to if you want the |
|
158 |
* principal's key to be stored in the Subject's private credentials. </dd> |
|
159 |
* <p> |
|
160 |
* <dt><b><code>principal</code></b>:</dt> |
|
161 |
* <dd>The name of the principal that should |
|
162 |
* be used. The principal can be a simple username such as |
|
163 |
* "<code>testuser</code>" or a service name such as |
|
164 |
* "<code>host/testhost.eng.sun.com</code>". You can use the |
|
165 |
* <code>principal</code> option to set the principal when there are |
|
166 |
* credentials for multiple principals in the |
|
167 |
* <code>keyTab</code> or when you want a specific ticket cache only. |
|
168 |
* The principal can also be set using the system property |
|
169 |
* <code>sun.security.krb5.principal</code>. In addition, if this |
|
170 |
* system property is defined, then it will be used. If this property |
|
171 |
* is not set, then the principal name from the configuration will be |
|
172 |
* used.</dd> |
|
173 |
* <P> |
|
174 |
* <dt><b><code>isInitiator</code></b>:</dt> |
|
175 |
* <dd>Set this to true, if initiator. Set this to false, if acceptor only. |
|
176 |
* (Default is true). |
|
177 |
* Note: Do not set this value to false for initiators.</dd> |
|
178 |
* </dl></blockquote> |
|
179 |
* |
|
180 |
* <p> This <code>LoginModule</code> also recognizes the following additional |
|
181 |
* <code>Configuration</code> |
|
182 |
* options that enable you to share username and passwords across different |
|
183 |
* authentication modules: |
|
184 |
* <pre> |
|
185 |
* |
|
186 |
* useFirstPass if, true, this LoginModule retrieves the |
|
187 |
* username and password from the module's shared state, |
|
188 |
* using "javax.security.auth.login.name" and |
|
189 |
* "javax.security.auth.login.password" as the respective |
|
190 |
* keys. The retrieved values are used for authentication. |
|
191 |
* If authentication fails, no attempt for a retry |
|
192 |
* is made, and the failure is reported back to the |
|
193 |
* calling application. |
|
194 |
* |
|
195 |
* tryFirstPass if, true, this LoginModule retrieves the |
|
196 |
* the username and password from the module's shared |
|
197 |
* state using "javax.security.auth.login.name" and |
|
198 |
* "javax.security.auth.login.password" as the respective |
|
199 |
* keys. The retrieved values are used for |
|
200 |
* authentication. |
|
201 |
* If authentication fails, the module uses the |
|
202 |
* CallbackHandler to retrieve a new username |
|
203 |
* and password, and another attempt to authenticate |
|
204 |
* is made. If the authentication fails, |
|
205 |
* the failure is reported back to the calling application |
|
206 |
* |
|
207 |
* storePass if, true, this LoginModule stores the username and |
|
208 |
* password obtained from the CallbackHandler in the |
|
209 |
* modules shared state, using |
|
210 |
* "javax.security.auth.login.name" and |
|
211 |
* "javax.security.auth.login.password" as the respective |
|
212 |
* keys. This is not performed if existing values already |
|
213 |
* exist for the username and password in the shared |
|
214 |
* state, or if authentication fails. |
|
215 |
* |
|
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
216 |
* clearPass if, true, this LoginModule clears the |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
217 |
* username and password stored in the module's shared |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
218 |
* state after both phases of authentication |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
219 |
* (login and commit) have completed. |
2 | 220 |
* </pre> |
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
221 |
* <p>If the principal system property or key is already provided, the value of |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
222 |
* "javax.security.auth.login.name" in the shared state is ignored. |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
223 |
* <p>When multiple mechanisms to retrieve a ticket or key is provided, the |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
224 |
* preference order looks like this: |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
225 |
* <ol> |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
226 |
* <li>ticket cache |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
227 |
* <li>keytab |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
228 |
* <li>shared state |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
229 |
* <li>user prompt |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
230 |
* </ol> |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
231 |
* <p>Note that if any step fails, it will fallback to the next step. |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
232 |
* There's only one exception, it the shared state step fails and |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
233 |
* <code>useFirstPass</code>=true, no user prompt is made. |
2 | 234 |
* <p>Examples of some configuration values for Krb5LoginModule in |
235 |
* JAAS config file and the results are: |
|
236 |
* <ul> |
|
237 |
* <p> <code>doNotPrompt</code>=true; |
|
238 |
* </ul> |
|
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
239 |
* <p> This is an illegal combination since none of <code>useTicketCache</code>, |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
240 |
* <code>useKeyTab</code>, <code>useFirstPass</code> and <code>tryFirstPass</code> |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
241 |
* is set and the user can not be prompted for the password. |
2 | 242 |
*<ul> |
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
243 |
* <p> <code>ticketCache</code> = <filename>; |
2 | 244 |
*</ul> |
245 |
* <p> This is an illegal combination since <code>useTicketCache</code> |
|
246 |
* is not set to true and the ticketCache is set. A configuration error |
|
247 |
* will occur. |
|
248 |
* <ul> |
|
249 |
* <p> <code>renewTGT</code>=true; |
|
250 |
*</ul> |
|
251 |
* <p> This is an illegal combination since <code>useTicketCache</code> is |
|
252 |
* not set to true and renewTGT is set. A configuration error will occur. |
|
253 |
* <ul> |
|
254 |
* <p> <code>storeKey</code>=true |
|
255 |
* <code>useTicketCache</code> = true |
|
256 |
* <code>doNotPrompt</code>=true;; |
|
257 |
*</ul> |
|
258 |
* <p> This is an illegal combination since <code>storeKey</code> is set to |
|
259 |
* true but the key can not be obtained either by prompting the user or from |
|
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
260 |
* the keytab, or from the shared state. A configuration error will occur. |
2 | 261 |
* <ul> |
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
262 |
* <p> <code>keyTab</code> = <filename> <code>doNotPrompt</code>=true ; |
2 | 263 |
* </ul> |
264 |
* <p>This is an illegal combination since useKeyTab is not set to true and |
|
265 |
* the keyTab is set. A configuration error will occur. |
|
266 |
* <ul> |
|
267 |
* <p> <code>debug=true </code> |
|
268 |
*</ul> |
|
269 |
* <p> Prompt the user for the principal name and the password. |
|
270 |
* Use the authentication exchange to get TGT from the KDC and |
|
271 |
* populate the <code>Subject</code> with the principal and TGT. |
|
272 |
* Output debug messages. |
|
273 |
* <ul> |
|
274 |
* <p> <code>useTicketCache</code> = true <code>doNotPrompt</code>=true; |
|
275 |
*</ul> |
|
276 |
* <p>Check the default cache for TGT and populate the <code>Subject</code> |
|
277 |
* with the principal and TGT. If the TGT is not available, |
|
278 |
* do not prompt the user, instead fail the authentication. |
|
279 |
* <ul> |
|
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
280 |
* <p><code>principal</code>=<name><code>useTicketCache</code> = true |
2 | 281 |
* <code>doNotPrompt</code>=true; |
282 |
*</ul> |
|
283 |
* <p> Get the TGT from the default cache for the principal and populate the |
|
284 |
* Subject's principal and private creds set. If ticket cache is |
|
285 |
* not available or does not contain the principal's TGT |
|
286 |
* authentication will fail. |
|
287 |
* <ul> |
|
288 |
* <p> <code>useTicketCache</code> = true |
|
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
289 |
* <code>ticketCache</code>=<file name><code>useKeyTab</code> = true |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
290 |
* <code> keyTab</code>=<keytab filename> |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
291 |
* <code>principal</code> = <principal name> |
2 | 292 |
* <code>doNotPrompt</code>=true; |
293 |
*</ul> |
|
294 |
* <p> Search the cache for the principal's TGT. If it is not available |
|
295 |
* use the key in the keytab to perform authentication exchange with the |
|
296 |
* KDC and acquire the TGT. |
|
297 |
* The Subject will be populated with the principal and the TGT. |
|
298 |
* If the key is not available or valid then authentication will fail. |
|
299 |
* <ul> |
|
300 |
* <p><code>useTicketCache</code> = true |
|
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
301 |
* <code>ticketCache</code>=<file name> |
2 | 302 |
*</ul> |
303 |
* <p> The TGT will be obtained from the cache specified. |
|
304 |
* The Kerberos principal name used will be the principal name in |
|
305 |
* the Ticket cache. If the TGT is not available in the |
|
306 |
* ticket cache the user will be prompted for the principal name |
|
307 |
* and the password. The TGT will be obtained using the authentication |
|
308 |
* exchange with the KDC. |
|
309 |
* The Subject will be populated with the TGT. |
|
310 |
*<ul> |
|
311 |
* <p> <code>useKeyTab</code> = true |
|
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
312 |
* <code>keyTab</code>=<keytab filename> |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
313 |
* <code>principal</code>= <principal name> |
2 | 314 |
* <code>storeKey</code>=true; |
315 |
*</ul> |
|
316 |
* <p> The key for the principal will be retrieved from the keytab. |
|
317 |
* If the key is not available in the keytab the user will be prompted |
|
318 |
* for the principal's password. The Subject will be populated |
|
319 |
* with the principal's key either from the keytab or derived from the |
|
320 |
* password entered. |
|
321 |
* <ul> |
|
322 |
* <p> <code>useKeyTab</code> = true |
|
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
323 |
* <code>keyTab</code>=<keytabname> |
2 | 324 |
* <code>storeKey</code>=true |
325 |
* <code>doNotPrompt</code>=true; |
|
326 |
*</ul> |
|
327 |
* <p>The user will be prompted for the service principal name. |
|
328 |
* If the principal's |
|
329 |
* longterm key is available in the keytab , it will be added to the |
|
330 |
* Subject's private credentials. An authentication exchange will be |
|
331 |
* attempted with the principal name and the key from the Keytab. |
|
332 |
* If successful the TGT will be added to the |
|
333 |
* Subject's private credentials set. Otherwise the authentication will |
|
334 |
* fail. |
|
335 |
*<ul> |
|
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
336 |
* <p> |
2 | 337 |
* <code>useTicketCache</code>=true |
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
338 |
* <code>ticketCache</code>=<file name>; |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
339 |
* <code>useKeyTab</code> = true |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
340 |
* <code>keyTab</code>=<file name> <code>storeKey</code>=true |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
341 |
* <code>principal</code>= <principal name> |
2 | 342 |
*</ul> |
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
343 |
* <p> |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
344 |
* The client's TGT will be retrieved from the ticket cache and added to the |
2 | 345 |
* <code>Subject</code>'s private credentials. If the TGT is not available |
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
346 |
* in the ticket cache, or the TGT's client name does not match the principal |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
347 |
* name, Java will use a secret key to obtain the TGT using the authentication |
2 | 348 |
* exchange and added to the Subject's private credentials. |
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
349 |
* This secret key will be first retrieved from the keytab. If the key |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
350 |
* is not available, the user will be prompted for the password. In either |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
351 |
* case, the key derived from the password will be added to the |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
352 |
* Subject's private credentials set. |
2 | 353 |
* <ul> |
354 |
* <p><code>isInitiator</code> = false |
|
355 |
*</ul> |
|
356 |
* <p>Configured to act as acceptor only, credentials are not acquired |
|
357 |
* via AS exchange. For acceptors only, set this value to false. |
|
358 |
* For initiators, do not set this value to false. |
|
359 |
* <ul> |
|
360 |
* <p><code>isInitiator</code> = true |
|
361 |
*</ul> |
|
362 |
* <p>Configured to act as initiator, credentials are acquired |
|
363 |
* via AS exchange. For initiators, set this value to true, or leave this |
|
364 |
* option unset, in which case default value (true) will be used. |
|
365 |
* |
|
366 |
* @author Ram Marti |
|
367 |
*/ |
|
368 |
||
369 |
public class Krb5LoginModule implements LoginModule { |
|
370 |
||
371 |
// initial state |
|
372 |
private Subject subject; |
|
373 |
private CallbackHandler callbackHandler; |
|
374 |
private Map sharedState; |
|
375 |
private Map<String, ?> options; |
|
376 |
||
377 |
// configurable option |
|
378 |
private boolean debug = false; |
|
379 |
private boolean storeKey = false; |
|
380 |
private boolean doNotPrompt = false; |
|
381 |
private boolean useTicketCache = false; |
|
382 |
private boolean useKeyTab = false; |
|
383 |
private String ticketCacheName = null; |
|
384 |
private String keyTabName = null; |
|
385 |
private String princName = null; |
|
386 |
||
387 |
private boolean useFirstPass = false; |
|
388 |
private boolean tryFirstPass = false; |
|
389 |
private boolean storePass = false; |
|
390 |
private boolean clearPass = false; |
|
391 |
private boolean refreshKrb5Config = false; |
|
392 |
private boolean renewTGT = false; |
|
393 |
||
394 |
// specify if initiator. |
|
395 |
// perform authentication exchange if initiator |
|
396 |
private boolean isInitiator = true; |
|
397 |
||
398 |
// the authentication status |
|
399 |
private boolean succeeded = false; |
|
400 |
private boolean commitSucceeded = false; |
|
401 |
private String username; |
|
402 |
private EncryptionKey[] encKeys = null; |
|
403 |
private Credentials cred = null; |
|
404 |
||
405 |
private PrincipalName principal = null; |
|
406 |
private KerberosPrincipal kerbClientPrinc = null; |
|
407 |
private KerberosTicket kerbTicket = null; |
|
408 |
private KerberosKey[] kerbKeys = null; |
|
409 |
private StringBuffer krb5PrincName = null; |
|
410 |
private char[] password = null; |
|
411 |
||
412 |
private static final String NAME = "javax.security.auth.login.name"; |
|
413 |
private static final String PWD = "javax.security.auth.login.password"; |
|
414 |
static final java.util.ResourceBundle rb = |
|
415 |
java.util.ResourceBundle.getBundle("sun.security.util.AuthResources"); |
|
416 |
||
417 |
/** |
|
418 |
* Initialize this <code>LoginModule</code>. |
|
419 |
* |
|
420 |
* <p> |
|
421 |
* @param subject the <code>Subject</code> to be authenticated. <p> |
|
422 |
* |
|
423 |
* @param callbackHandler a <code>CallbackHandler</code> for |
|
424 |
* communication with the end user (prompting for |
|
425 |
* usernames and passwords, for example). <p> |
|
426 |
* |
|
427 |
* @param sharedState shared <code>LoginModule</code> state. <p> |
|
428 |
* |
|
429 |
* @param options options specified in the login |
|
430 |
* <code>Configuration</code> for this particular |
|
431 |
* <code>LoginModule</code>. |
|
432 |
*/ |
|
433 |
||
434 |
public void initialize(Subject subject, |
|
435 |
CallbackHandler callbackHandler, |
|
436 |
Map<String, ?> sharedState, |
|
437 |
Map<String, ?> options) { |
|
438 |
||
439 |
this.subject = subject; |
|
440 |
this.callbackHandler = callbackHandler; |
|
441 |
this.sharedState = sharedState; |
|
442 |
this.options = options; |
|
443 |
||
444 |
// initialize any configured options |
|
445 |
||
446 |
debug = "true".equalsIgnoreCase((String)options.get("debug")); |
|
447 |
storeKey = "true".equalsIgnoreCase((String)options.get("storeKey")); |
|
448 |
doNotPrompt = "true".equalsIgnoreCase((String)options.get |
|
449 |
("doNotPrompt")); |
|
450 |
useTicketCache = "true".equalsIgnoreCase((String)options.get |
|
451 |
("useTicketCache")); |
|
452 |
useKeyTab = "true".equalsIgnoreCase((String)options.get("useKeyTab")); |
|
453 |
ticketCacheName = (String)options.get("ticketCache"); |
|
454 |
keyTabName = (String)options.get("keyTab"); |
|
455 |
princName = (String)options.get("principal"); |
|
456 |
refreshKrb5Config = |
|
457 |
"true".equalsIgnoreCase((String)options.get("refreshKrb5Config")); |
|
458 |
renewTGT = |
|
459 |
"true".equalsIgnoreCase((String)options.get("renewTGT")); |
|
460 |
||
461 |
// check isInitiator value |
|
462 |
String isInitiatorValue = ((String)options.get("isInitiator")); |
|
463 |
if (isInitiatorValue == null) { |
|
464 |
// use default, if value not set |
|
465 |
} else { |
|
466 |
isInitiator = "true".equalsIgnoreCase(isInitiatorValue); |
|
467 |
} |
|
468 |
||
469 |
tryFirstPass = |
|
470 |
"true".equalsIgnoreCase |
|
471 |
((String)options.get("tryFirstPass")); |
|
472 |
useFirstPass = |
|
473 |
"true".equalsIgnoreCase |
|
474 |
((String)options.get("useFirstPass")); |
|
475 |
storePass = |
|
476 |
"true".equalsIgnoreCase((String)options.get("storePass")); |
|
477 |
clearPass = |
|
478 |
"true".equalsIgnoreCase((String)options.get("clearPass")); |
|
479 |
if (debug) { |
|
480 |
System.out.print("Debug is " + debug |
|
481 |
+ " storeKey " + storeKey |
|
482 |
+ " useTicketCache " + useTicketCache |
|
483 |
+ " useKeyTab " + useKeyTab |
|
484 |
+ " doNotPrompt " + doNotPrompt |
|
485 |
+ " ticketCache is " + ticketCacheName |
|
486 |
+ " isInitiator " + isInitiator |
|
487 |
+ " KeyTab is " + keyTabName |
|
488 |
+ " refreshKrb5Config is " + refreshKrb5Config |
|
489 |
+ " principal is " + princName |
|
490 |
+ " tryFirstPass is " + tryFirstPass |
|
491 |
+ " useFirstPass is " + useFirstPass |
|
492 |
+ " storePass is " + storePass |
|
493 |
+ " clearPass is " + clearPass + "\n"); |
|
494 |
} |
|
495 |
} |
|
496 |
||
497 |
||
498 |
/** |
|
499 |
* Authenticate the user |
|
500 |
* |
|
501 |
* <p> |
|
502 |
* |
|
503 |
* @return true in all cases since this <code>LoginModule</code> |
|
504 |
* should not be ignored. |
|
505 |
* |
|
506 |
* @exception FailedLoginException if the authentication fails. <p> |
|
507 |
* |
|
508 |
* @exception LoginException if this <code>LoginModule</code> |
|
509 |
* is unable to perform the authentication. |
|
510 |
*/ |
|
511 |
public boolean login() throws LoginException { |
|
512 |
||
513 |
int len; |
|
514 |
validateConfiguration(); |
|
515 |
if (refreshKrb5Config) { |
|
516 |
try { |
|
517 |
if (debug) { |
|
518 |
System.out.println("Refreshing Kerberos configuration"); |
|
519 |
} |
|
520 |
sun.security.krb5.Config.refresh(); |
|
521 |
} catch (KrbException ke) { |
|
522 |
LoginException le = new LoginException(ke.getMessage()); |
|
523 |
le.initCause(ke); |
|
524 |
throw le; |
|
525 |
} |
|
526 |
} |
|
527 |
String principalProperty = System.getProperty |
|
528 |
("sun.security.krb5.principal"); |
|
529 |
if (principalProperty != null) { |
|
530 |
krb5PrincName = new StringBuffer(principalProperty); |
|
531 |
} else { |
|
532 |
if (princName != null) { |
|
533 |
krb5PrincName = new StringBuffer(princName); |
|
534 |
} |
|
535 |
} |
|
536 |
||
537 |
if (tryFirstPass) { |
|
538 |
try { |
|
539 |
attemptAuthentication(true); |
|
540 |
if (debug) |
|
541 |
System.out.println("\t\t[Krb5LoginModule] " + |
|
542 |
"authentication succeeded"); |
|
543 |
succeeded = true; |
|
544 |
cleanState(); |
|
545 |
return true; |
|
546 |
} catch (LoginException le) { |
|
547 |
// authentication failed -- try again below by prompting |
|
548 |
cleanState(); |
|
549 |
if (debug) { |
|
550 |
System.out.println("\t\t[Krb5LoginModule] " + |
|
551 |
"tryFirstPass failed with:" + |
|
552 |
le.getMessage()); |
|
553 |
} |
|
554 |
} |
|
555 |
} else if (useFirstPass) { |
|
556 |
try { |
|
557 |
attemptAuthentication(true); |
|
558 |
succeeded = true; |
|
559 |
cleanState(); |
|
560 |
return true; |
|
561 |
} catch (LoginException e) { |
|
562 |
// authentication failed -- clean out state |
|
563 |
if (debug) { |
|
564 |
System.out.println("\t\t[Krb5LoginModule] " + |
|
565 |
"authentication failed \n" + |
|
566 |
e.getMessage()); |
|
567 |
} |
|
568 |
succeeded = false; |
|
569 |
cleanState(); |
|
570 |
throw e; |
|
571 |
} |
|
572 |
} |
|
573 |
||
574 |
// attempt the authentication by getting the username and pwd |
|
575 |
// by prompting or configuration i.e. not from shared state |
|
576 |
||
577 |
try { |
|
578 |
attemptAuthentication(false); |
|
579 |
succeeded = true; |
|
580 |
cleanState(); |
|
581 |
return true; |
|
582 |
} catch (LoginException e) { |
|
583 |
// authentication failed -- clean out state |
|
584 |
if (debug) { |
|
585 |
System.out.println("\t\t[Krb5LoginModule] " + |
|
586 |
"authentication failed \n" + |
|
587 |
e.getMessage()); |
|
588 |
} |
|
589 |
succeeded = false; |
|
590 |
cleanState(); |
|
591 |
throw e; |
|
592 |
} |
|
593 |
} |
|
594 |
/** |
|
595 |
* process the configuration options |
|
596 |
* Get the TGT either out of |
|
597 |
* cache or from the KDC using the password entered |
|
598 |
* Check the permission before getting the TGT |
|
599 |
*/ |
|
600 |
||
601 |
private void attemptAuthentication(boolean getPasswdFromSharedState) |
|
602 |
throws LoginException { |
|
603 |
||
604 |
/* |
|
605 |
* Check the creds cache to see whether |
|
606 |
* we have TGT for this client principal |
|
607 |
*/ |
|
608 |
if (krb5PrincName != null) { |
|
609 |
try { |
|
610 |
principal = new PrincipalName |
|
611 |
(krb5PrincName.toString(), |
|
612 |
PrincipalName.KRB_NT_PRINCIPAL); |
|
613 |
} catch (KrbException e) { |
|
614 |
LoginException le = new LoginException(e.getMessage()); |
|
615 |
le.initCause(e); |
|
616 |
throw le; |
|
617 |
} |
|
618 |
} |
|
619 |
||
620 |
try { |
|
621 |
if (useTicketCache) { |
|
622 |
// ticketCacheName == null implies the default cache |
|
623 |
if (debug) |
|
624 |
System.out.println("Acquire TGT from Cache"); |
|
625 |
cred = Credentials.acquireTGTFromCache |
|
626 |
(principal, ticketCacheName); |
|
627 |
||
628 |
if (cred != null) { |
|
629 |
// check to renew credentials |
|
630 |
if (!isCurrent(cred)) { |
|
631 |
if (renewTGT) { |
|
632 |
cred = renewCredentials(cred); |
|
633 |
} else { |
|
634 |
// credentials have expired |
|
635 |
cred = null; |
|
636 |
if (debug) |
|
637 |
System.out.println("Credentials are" + |
|
638 |
" no longer valid"); |
|
639 |
} |
|
640 |
} |
|
641 |
} |
|
642 |
||
643 |
if (cred != null) { |
|
644 |
// get the principal name from the ticket cache |
|
645 |
if (principal == null) { |
|
646 |
principal = cred.getClient(); |
|
647 |
} |
|
648 |
} |
|
649 |
if (debug) { |
|
650 |
System.out.println("Principal is " + principal); |
|
651 |
if (cred == null) { |
|
652 |
System.out.println |
|
653 |
("null credentials from Ticket Cache"); |
|
654 |
} |
|
655 |
} |
|
656 |
} |
|
657 |
||
658 |
// cred = null indicates that we didn't get the creds |
|
659 |
// from the cache or useTicketCache was false |
|
660 |
||
661 |
if (cred == null) { |
|
662 |
// We need the principal name whether we use keytab |
|
663 |
// or AS Exchange |
|
664 |
if (principal == null) { |
|
665 |
promptForName(getPasswdFromSharedState); |
|
666 |
principal = new PrincipalName |
|
667 |
(krb5PrincName.toString(), |
|
668 |
PrincipalName.KRB_NT_PRINCIPAL); |
|
669 |
} |
|
670 |
if (useKeyTab) { |
|
671 |
encKeys = |
|
672 |
EncryptionKey.acquireSecretKeys(principal, keyTabName); |
|
673 |
||
674 |
if (debug) { |
|
675 |
if (encKeys != null) |
|
676 |
System.out.println |
|
677 |
("principal's key obtained from the keytab"); |
|
678 |
else |
|
679 |
System.out.println |
|
680 |
("Key for the principal " + |
|
681 |
principal + |
|
682 |
" not available in " + |
|
683 |
((keyTabName == null) ? |
|
684 |
"default key tab" : keyTabName)); |
|
685 |
} |
|
686 |
||
687 |
} |
|
688 |
// We can't get the key from the keytab so prompt |
|
689 |
if (encKeys == null) { |
|
690 |
promptForPass(getPasswdFromSharedState); |
|
691 |
||
692 |
encKeys = EncryptionKey.acquireSecretKeys( |
|
693 |
password, principal.getSalt()); |
|
694 |
||
695 |
if (isInitiator) { |
|
696 |
if (debug) |
|
697 |
System.out.println("Acquire TGT using AS Exchange"); |
|
698 |
cred = Credentials.acquireTGT(principal, |
|
699 |
encKeys, password); |
|
700 |
// update keys after pre-auth |
|
701 |
encKeys = EncryptionKey.acquireSecretKeys(password, |
|
702 |
principal.getSalt()); |
|
703 |
} |
|
704 |
} else { |
|
705 |
if (isInitiator) { |
|
706 |
if (debug) |
|
707 |
System.out.println("Acquire TGT using AS Exchange"); |
|
708 |
cred = Credentials.acquireTGT(principal, |
|
709 |
encKeys, password); |
|
710 |
} |
|
711 |
} |
|
712 |
||
713 |
// Get the TGT using AS Exchange |
|
714 |
if (debug) { |
|
715 |
System.out.println("principal is " + principal); |
|
716 |
HexDumpEncoder hd = new HexDumpEncoder(); |
|
717 |
for (int i = 0; i < encKeys.length; i++) { |
|
718 |
System.out.println("EncryptionKey: keyType=" + |
|
719 |
encKeys[i].getEType() + " keyBytes (hex dump)=" + |
|
5457 | 720 |
hd.encodeBuffer(encKeys[i].getBytes())); |
2 | 721 |
} |
722 |
} |
|
723 |
||
724 |
// we should hava a non-null cred |
|
725 |
if (isInitiator && (cred == null)) { |
|
726 |
throw new LoginException |
|
727 |
("TGT Can not be obtained from the KDC "); |
|
728 |
} |
|
729 |
||
730 |
} |
|
731 |
} catch (KrbException e) { |
|
732 |
LoginException le = new LoginException(e.getMessage()); |
|
733 |
le.initCause(e); |
|
734 |
throw le; |
|
735 |
} catch (IOException ioe) { |
|
736 |
LoginException ie = new LoginException(ioe.getMessage()); |
|
737 |
ie.initCause(ioe); |
|
738 |
throw ie; |
|
739 |
} |
|
740 |
} |
|
741 |
||
742 |
private void promptForName(boolean getPasswdFromSharedState) |
|
743 |
throws LoginException { |
|
744 |
krb5PrincName = new StringBuffer(""); |
|
745 |
if (getPasswdFromSharedState) { |
|
746 |
// use the name saved by the first module in the stack |
|
747 |
username = (String)sharedState.get(NAME); |
|
748 |
if (debug) { |
|
749 |
System.out.println |
|
750 |
("username from shared state is " + username + "\n"); |
|
751 |
} |
|
752 |
if (username == null) { |
|
753 |
System.out.println |
|
754 |
("username from shared state is null\n"); |
|
755 |
throw new LoginException |
|
756 |
("Username can not be obtained from sharedstate "); |
|
757 |
} |
|
758 |
if (debug) { |
|
759 |
System.out.println |
|
760 |
("username from shared state is " + username + "\n"); |
|
761 |
} |
|
762 |
if (username != null && username.length() > 0) { |
|
763 |
krb5PrincName.insert(0, username); |
|
764 |
return; |
|
765 |
} |
|
766 |
} |
|
767 |
||
768 |
if (doNotPrompt) { |
|
769 |
throw new LoginException |
|
770 |
("Unable to obtain Princpal Name for authentication "); |
|
771 |
} else { |
|
772 |
if (callbackHandler == null) |
|
773 |
throw new LoginException("No CallbackHandler " |
|
774 |
+ "available " |
|
775 |
+ "to garner authentication " |
|
776 |
+ "information from the user"); |
|
777 |
try { |
|
778 |
String defUsername = System.getProperty("user.name"); |
|
779 |
||
780 |
Callback[] callbacks = new Callback[1]; |
|
781 |
MessageFormat form = new MessageFormat( |
|
782 |
rb.getString( |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5506
diff
changeset
|
783 |
"Kerberos.username.defUsername.")); |
2 | 784 |
Object[] source = {defUsername}; |
785 |
callbacks[0] = new NameCallback(form.format(source)); |
|
786 |
callbackHandler.handle(callbacks); |
|
787 |
username = ((NameCallback)callbacks[0]).getName(); |
|
788 |
if (username == null || username.length() == 0) |
|
789 |
username = defUsername; |
|
790 |
krb5PrincName.insert(0, username); |
|
791 |
||
792 |
} catch (java.io.IOException ioe) { |
|
793 |
throw new LoginException(ioe.getMessage()); |
|
794 |
} catch (UnsupportedCallbackException uce) { |
|
795 |
throw new LoginException |
|
796 |
(uce.getMessage() |
|
797 |
+" not available to garner " |
|
798 |
+" authentication information " |
|
799 |
+" from the user"); |
|
800 |
} |
|
801 |
} |
|
802 |
} |
|
803 |
||
804 |
private void promptForPass(boolean getPasswdFromSharedState) |
|
805 |
throws LoginException { |
|
806 |
||
807 |
if (getPasswdFromSharedState) { |
|
808 |
// use the password saved by the first module in the stack |
|
809 |
password = (char[])sharedState.get(PWD); |
|
810 |
if (password == null) { |
|
811 |
if (debug) { |
|
812 |
System.out.println |
|
813 |
("Password from shared state is null"); |
|
814 |
} |
|
815 |
throw new LoginException |
|
816 |
("Password can not be obtained from sharedstate "); |
|
817 |
} |
|
818 |
if (debug) { |
|
819 |
System.out.println |
|
820 |
("password is " + new String(password)); |
|
821 |
} |
|
822 |
return; |
|
823 |
} |
|
824 |
if (doNotPrompt) { |
|
825 |
throw new LoginException |
|
826 |
("Unable to obtain password from user\n"); |
|
827 |
} else { |
|
828 |
if (callbackHandler == null) |
|
829 |
throw new LoginException("No CallbackHandler " |
|
830 |
+ "available " |
|
831 |
+ "to garner authentication " |
|
832 |
+ "information from the user"); |
|
833 |
try { |
|
834 |
Callback[] callbacks = new Callback[1]; |
|
835 |
String userName = krb5PrincName.toString(); |
|
836 |
MessageFormat form = new MessageFormat( |
|
837 |
rb.getString( |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5506
diff
changeset
|
838 |
"Kerberos.password.for.username.")); |
2 | 839 |
Object[] source = {userName}; |
840 |
callbacks[0] = new PasswordCallback( |
|
841 |
form.format(source), |
|
842 |
false); |
|
843 |
callbackHandler.handle(callbacks); |
|
844 |
char[] tmpPassword = ((PasswordCallback) |
|
845 |
callbacks[0]).getPassword(); |
|
846 |
if (tmpPassword == null) { |
|
847 |
// treat a NULL password as an empty password |
|
848 |
tmpPassword = new char[0]; |
|
849 |
} |
|
850 |
password = new char[tmpPassword.length]; |
|
851 |
System.arraycopy(tmpPassword, 0, |
|
852 |
password, 0, tmpPassword.length); |
|
853 |
((PasswordCallback)callbacks[0]).clearPassword(); |
|
854 |
||
855 |
||
856 |
// clear tmpPassword |
|
857 |
for (int i = 0; i < tmpPassword.length; i++) |
|
858 |
tmpPassword[i] = ' '; |
|
859 |
tmpPassword = null; |
|
860 |
if (debug) { |
|
861 |
System.out.println("\t\t[Krb5LoginModule] " + |
|
862 |
"user entered username: " + |
|
863 |
krb5PrincName); |
|
864 |
System.out.println(); |
|
865 |
} |
|
866 |
} catch (java.io.IOException ioe) { |
|
867 |
throw new LoginException(ioe.getMessage()); |
|
868 |
} catch (UnsupportedCallbackException uce) { |
|
869 |
throw new LoginException(uce.getMessage() |
|
870 |
+" not available to garner " |
|
871 |
+" authentication information " |
|
872 |
+ "from the user"); |
|
873 |
} |
|
874 |
} |
|
875 |
} |
|
876 |
||
877 |
private void validateConfiguration() throws LoginException { |
|
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
878 |
if (doNotPrompt && !useTicketCache && !useKeyTab |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
879 |
&& !tryFirstPass && !useFirstPass) |
2 | 880 |
throw new LoginException |
881 |
("Configuration Error" |
|
882 |
+ " - either doNotPrompt should be " |
|
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
883 |
+ " false or at least one of useTicketCache, " |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
884 |
+ " useKeyTab, tryFirstPass and useFirstPass" |
2 | 885 |
+ " should be true"); |
886 |
if (ticketCacheName != null && !useTicketCache) |
|
887 |
throw new LoginException |
|
888 |
("Configuration Error " |
|
889 |
+ " - useTicketCache should be set " |
|
890 |
+ "to true to use the ticket cache" |
|
891 |
+ ticketCacheName); |
|
892 |
if (keyTabName != null & !useKeyTab) |
|
893 |
throw new LoginException |
|
894 |
("Configuration Error - useKeyTab should be set to true " |
|
895 |
+ "to use the keytab" + keyTabName); |
|
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
896 |
if (storeKey && doNotPrompt && !useKeyTab |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
897 |
&& !tryFirstPass && !useFirstPass) |
2 | 898 |
throw new LoginException |
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
899 |
("Configuration Error - either doNotPrompt should be set to " |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
900 |
+ " false or at least one of tryFirstPass, useFirstPass " |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
901 |
+ "or useKeyTab must be set to true for storeKey option"); |
2 | 902 |
if (renewTGT && !useTicketCache) |
903 |
throw new LoginException |
|
904 |
("Configuration Error" |
|
905 |
+ " - either useTicketCache should be " |
|
906 |
+ " true or renewTGT should be false"); |
|
907 |
} |
|
908 |
||
909 |
private boolean isCurrent(Credentials creds) |
|
910 |
{ |
|
911 |
Date endTime = creds.getEndTime(); |
|
912 |
if (endTime != null) { |
|
913 |
return (System.currentTimeMillis() <= endTime.getTime()); |
|
914 |
} |
|
915 |
return true; |
|
916 |
} |
|
917 |
||
918 |
private Credentials renewCredentials(Credentials creds) |
|
919 |
{ |
|
920 |
Credentials lcreds; |
|
921 |
try { |
|
922 |
if (!creds.isRenewable()) |
|
923 |
throw new RefreshFailedException("This ticket" + |
|
924 |
" is not renewable"); |
|
925 |
if (System.currentTimeMillis() > cred.getRenewTill().getTime()) |
|
926 |
throw new RefreshFailedException("This ticket is past " |
|
927 |
+ "its last renewal time."); |
|
928 |
lcreds = creds.renew(); |
|
929 |
if (debug) |
|
930 |
System.out.println("Renewed Kerberos Ticket"); |
|
931 |
} catch (Exception e) { |
|
932 |
lcreds = null; |
|
933 |
if (debug) |
|
934 |
System.out.println("Ticket could not be renewed : " |
|
935 |
+ e.getMessage()); |
|
936 |
} |
|
937 |
return lcreds; |
|
938 |
} |
|
939 |
||
940 |
/** |
|
941 |
* <p> This method is called if the LoginContext's |
|
942 |
* overall authentication succeeded |
|
943 |
* (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL |
|
944 |
* LoginModules succeeded). |
|
945 |
* |
|
946 |
* <p> If this LoginModule's own authentication attempt |
|
947 |
* succeeded (checked by retrieving the private state saved by the |
|
948 |
* <code>login</code> method), then this method associates a |
|
949 |
* <code>Krb5Principal</code> |
|
950 |
* with the <code>Subject</code> located in the |
|
951 |
* <code>LoginModule</code>. It adds Kerberos Credentials to the |
|
952 |
* the Subject's private credentials set. If this LoginModule's own |
|
953 |
* authentication attempted failed, then this method removes |
|
954 |
* any state that was originally saved. |
|
955 |
* |
|
956 |
* <p> |
|
957 |
* |
|
958 |
* @exception LoginException if the commit fails. |
|
959 |
* |
|
960 |
* @return true if this LoginModule's own login and commit |
|
961 |
* attempts succeeded, or false otherwise. |
|
962 |
*/ |
|
963 |
||
964 |
public boolean commit() throws LoginException { |
|
965 |
||
966 |
/* |
|
967 |
* Let us add the Krb5 Creds to the Subject's |
|
968 |
* private credentials. The credentials are of type |
|
969 |
* KerberosKey or KerberosTicket |
|
970 |
*/ |
|
971 |
if (succeeded == false) { |
|
972 |
return false; |
|
973 |
} else { |
|
974 |
||
975 |
if (isInitiator && (cred == null)) { |
|
976 |
succeeded = false; |
|
977 |
throw new LoginException("Null Client Credential"); |
|
978 |
} |
|
979 |
||
980 |
if (subject.isReadOnly()) { |
|
981 |
cleanKerberosCred(); |
|
982 |
throw new LoginException("Subject is Readonly"); |
|
983 |
} |
|
984 |
||
985 |
/* |
|
986 |
* Add the Principal (authenticated identity) |
|
987 |
* to the Subject's principal set and |
|
988 |
* add the credentials (TGT or Service key) to the |
|
989 |
* Subject's private credentials |
|
990 |
*/ |
|
991 |
||
992 |
Set<Object> privCredSet = subject.getPrivateCredentials(); |
|
993 |
Set<java.security.Principal> princSet = subject.getPrincipals(); |
|
994 |
kerbClientPrinc = new KerberosPrincipal(principal.getName()); |
|
995 |
||
996 |
// create Kerberos Ticket |
|
997 |
if (isInitiator) { |
|
998 |
kerbTicket = Krb5Util.credsToTicket(cred); |
|
999 |
} |
|
1000 |
||
1001 |
if (storeKey) { |
|
1002 |
if (encKeys == null || encKeys.length <= 0) { |
|
1003 |
succeeded = false; |
|
1004 |
throw new LoginException("Null Server Key "); |
|
1005 |
} |
|
1006 |
||
1007 |
kerbKeys = new KerberosKey[encKeys.length]; |
|
1008 |
for (int i = 0; i < encKeys.length; i ++) { |
|
1009 |
Integer temp = encKeys[i].getKeyVersionNumber(); |
|
1010 |
kerbKeys[i] = new KerberosKey(kerbClientPrinc, |
|
1011 |
encKeys[i].getBytes(), |
|
1012 |
encKeys[i].getEType(), |
|
1013 |
(temp == null? |
|
1014 |
0: temp.intValue())); |
|
1015 |
} |
|
1016 |
||
1017 |
} |
|
1018 |
// Let us add the kerbClientPrinc,kerbTicket and kerbKey (if |
|
1019 |
// storeKey is true) |
|
1020 |
if (!princSet.contains(kerbClientPrinc)) |
|
1021 |
princSet.add(kerbClientPrinc); |
|
1022 |
||
1023 |
// add the TGT |
|
1024 |
if (kerbTicket != null) { |
|
1025 |
if (!privCredSet.contains(kerbTicket)) |
|
1026 |
privCredSet.add(kerbTicket); |
|
1027 |
} |
|
1028 |
||
1029 |
if (storeKey) { |
|
1030 |
for (int i = 0; i < kerbKeys.length; i++) { |
|
1031 |
if (!privCredSet.contains(kerbKeys[i])) { |
|
1032 |
privCredSet.add(kerbKeys[i]); |
|
1033 |
} |
|
1034 |
encKeys[i].destroy(); |
|
1035 |
encKeys[i] = null; |
|
1036 |
if (debug) { |
|
1037 |
System.out.println("Added server's key" |
|
1038 |
+ kerbKeys[i]); |
|
1039 |
System.out.println("\t\t[Krb5LoginModule] " + |
|
1040 |
"added Krb5Principal " + |
|
1041 |
kerbClientPrinc.toString() |
|
1042 |
+ " to Subject"); |
|
1043 |
} |
|
1044 |
} |
|
1045 |
} |
|
1046 |
} |
|
1047 |
commitSucceeded = true; |
|
1048 |
if (debug) |
|
1049 |
System.out.println("Commit Succeeded \n"); |
|
1050 |
return true; |
|
1051 |
} |
|
1052 |
||
1053 |
/** |
|
1054 |
* <p> This method is called if the LoginContext's |
|
1055 |
* overall authentication failed. |
|
1056 |
* (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL |
|
1057 |
* LoginModules did not succeed). |
|
1058 |
* |
|
1059 |
* <p> If this LoginModule's own authentication attempt |
|
1060 |
* succeeded (checked by retrieving the private state saved by the |
|
1061 |
* <code>login</code> and <code>commit</code> methods), |
|
1062 |
* then this method cleans up any state that was originally saved. |
|
1063 |
* |
|
1064 |
* <p> |
|
1065 |
* |
|
1066 |
* @exception LoginException if the abort fails. |
|
1067 |
* |
|
1068 |
* @return false if this LoginModule's own login and/or commit attempts |
|
1069 |
* failed, and true otherwise. |
|
1070 |
*/ |
|
1071 |
||
1072 |
public boolean abort() throws LoginException { |
|
1073 |
if (succeeded == false) { |
|
1074 |
return false; |
|
1075 |
} else if (succeeded == true && commitSucceeded == false) { |
|
1076 |
// login succeeded but overall authentication failed |
|
1077 |
succeeded = false; |
|
1078 |
cleanKerberosCred(); |
|
1079 |
} else { |
|
1080 |
// overall authentication succeeded and commit succeeded, |
|
1081 |
// but someone else's commit failed |
|
1082 |
logout(); |
|
1083 |
} |
|
1084 |
return true; |
|
1085 |
} |
|
1086 |
||
1087 |
/** |
|
1088 |
* Logout the user. |
|
1089 |
* |
|
1090 |
* <p> This method removes the <code>Krb5Principal</code> |
|
1091 |
* that was added by the <code>commit</code> method. |
|
1092 |
* |
|
1093 |
* <p> |
|
1094 |
* |
|
1095 |
* @exception LoginException if the logout fails. |
|
1096 |
* |
|
1097 |
* @return true in all cases since this <code>LoginModule</code> |
|
1098 |
* should not be ignored. |
|
1099 |
*/ |
|
1100 |
public boolean logout() throws LoginException { |
|
1101 |
||
1102 |
if (debug) { |
|
1103 |
System.out.println("\t\t[Krb5LoginModule]: " + |
|
1104 |
"Entering logout"); |
|
1105 |
} |
|
1106 |
||
1107 |
if (subject.isReadOnly()) { |
|
1108 |
cleanKerberosCred(); |
|
1109 |
throw new LoginException("Subject is Readonly"); |
|
1110 |
} |
|
1111 |
||
1112 |
subject.getPrincipals().remove(kerbClientPrinc); |
|
1113 |
// Let us remove all Kerberos credentials stored in the Subject |
|
1114 |
Iterator<Object> it = subject.getPrivateCredentials().iterator(); |
|
1115 |
while (it.hasNext()) { |
|
1116 |
Object o = it.next(); |
|
1117 |
if (o instanceof KerberosTicket || |
|
1118 |
o instanceof KerberosKey) { |
|
1119 |
it.remove(); |
|
1120 |
} |
|
1121 |
} |
|
1122 |
// clean the kerberos ticket and keys |
|
1123 |
cleanKerberosCred(); |
|
1124 |
||
1125 |
succeeded = false; |
|
1126 |
commitSucceeded = false; |
|
1127 |
if (debug) { |
|
1128 |
System.out.println("\t\t[Krb5LoginModule]: " + |
|
1129 |
"logged out Subject"); |
|
1130 |
} |
|
1131 |
return true; |
|
1132 |
} |
|
1133 |
||
1134 |
/** |
|
1135 |
* Clean Kerberos credentials |
|
1136 |
*/ |
|
1137 |
private void cleanKerberosCred() throws LoginException { |
|
1138 |
// Clean the ticket and server key |
|
1139 |
try { |
|
1140 |
if (kerbTicket != null) |
|
1141 |
kerbTicket.destroy(); |
|
1142 |
if (kerbKeys != null) { |
|
1143 |
for (int i = 0; i < kerbKeys.length; i++) { |
|
1144 |
kerbKeys[i].destroy(); |
|
1145 |
} |
|
1146 |
} |
|
1147 |
} catch (DestroyFailedException e) { |
|
1148 |
throw new LoginException |
|
1149 |
("Destroy Failed on Kerberos Private Credentials"); |
|
1150 |
} |
|
1151 |
kerbTicket = null; |
|
1152 |
kerbKeys = null; |
|
1153 |
kerbClientPrinc = null; |
|
1154 |
} |
|
1155 |
||
1156 |
/** |
|
1157 |
* Clean out the state |
|
1158 |
*/ |
|
1159 |
private void cleanState() { |
|
1160 |
||
1161 |
// save input as shared state only if |
|
1162 |
// authentication succeeded |
|
1163 |
if (succeeded) { |
|
1164 |
if (storePass && |
|
1165 |
!sharedState.containsKey(NAME) && |
|
1166 |
!sharedState.containsKey(PWD)) { |
|
1167 |
sharedState.put(NAME, username); |
|
1168 |
sharedState.put(PWD, password); |
|
1169 |
} |
|
793
8183c2b0985f
6716534: Krb5LoginModule has not cleaned temp info between authentication attempts
weijun
parents:
2
diff
changeset
|
1170 |
} else { |
8183c2b0985f
6716534: Krb5LoginModule has not cleaned temp info between authentication attempts
weijun
parents:
2
diff
changeset
|
1171 |
// remove temp results for the next try |
8183c2b0985f
6716534: Krb5LoginModule has not cleaned temp info between authentication attempts
weijun
parents:
2
diff
changeset
|
1172 |
encKeys = null; |
8183c2b0985f
6716534: Krb5LoginModule has not cleaned temp info between authentication attempts
weijun
parents:
2
diff
changeset
|
1173 |
principal = null; |
2 | 1174 |
} |
1175 |
username = null; |
|
1176 |
password = null; |
|
1177 |
if (krb5PrincName != null && krb5PrincName.length() != 0) |
|
1178 |
krb5PrincName.delete(0, krb5PrincName.length()); |
|
1179 |
krb5PrincName = null; |
|
1180 |
if (clearPass) { |
|
1181 |
sharedState.remove(NAME); |
|
1182 |
sharedState.remove(PWD); |
|
1183 |
} |
|
1184 |
} |
|
1185 |
} |