author | weijun |
Fri, 09 Mar 2018 11:36:12 +0800 | |
changeset 49196 | 82a3005cb038 |
parent 47216 | 71c04702a3d5 |
child 52997 | 85ade44f351a |
permissions | -rw-r--r-- |
2 | 1 |
/* |
47005
dbfaf076da58
8186576: KerberosTicket does not properly handle renewable tickets at the end of their lifetime
weijun
parents:
43243
diff
changeset
|
2 |
* Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved. |
2 | 3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 |
* |
|
5 |
* This code is free software; you can redistribute it and/or modify it |
|
6 |
* under the terms of the GNU General Public License version 2 only, as |
|
5506 | 7 |
* published by the Free Software Foundation. Oracle designates this |
2 | 8 |
* particular file as subject to the "Classpath" exception as provided |
5506 | 9 |
* by Oracle in the LICENSE file that accompanied this code. |
2 | 10 |
* |
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that |
|
15 |
* accompanied this code). |
|
16 |
* |
|
17 |
* You should have received a copy of the GNU General Public License version |
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation, |
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 |
* |
|
5506 | 21 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
22 |
* or visit www.oracle.com if you need additional information or have any |
|
23 |
* questions. |
|
2 | 24 |
*/ |
25 |
||
26 |
||
27 |
package com.sun.security.auth.module; |
|
28 |
||
29 |
import java.io.*; |
|
30 |
import java.text.MessageFormat; |
|
31 |
import java.util.*; |
|
32 |
||
33 |
import javax.security.auth.*; |
|
25662 | 34 |
import javax.security.auth.kerberos.KerberosTicket; |
35 |
import javax.security.auth.kerberos.KerberosPrincipal; |
|
36 |
import javax.security.auth.kerberos.KerberosKey; |
|
37 |
import javax.security.auth.kerberos.KeyTab; |
|
2 | 38 |
import javax.security.auth.callback.*; |
39 |
import javax.security.auth.login.*; |
|
40 |
import javax.security.auth.spi.*; |
|
41 |
||
42 |
import sun.security.krb5.*; |
|
43 |
import sun.security.jgss.krb5.Krb5Util; |
|
44 |
import sun.security.krb5.Credentials; |
|
34687
d302ed125dc9
8144995: Move sun.misc.HexDumpEncoder to sun.security.util
chegar
parents:
31643
diff
changeset
|
45 |
import sun.security.util.HexDumpEncoder; |
43243
a48dab17a356
8173024: Replace direct use of AuthResources resource bundle from jdk.security.auth
mchung
parents:
42338
diff
changeset
|
46 |
import static sun.security.util.ResourcesMgr.getAuthResourceString; |
2 | 47 |
|
48 |
/** |
|
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
49 |
* This {@code LoginModule} authenticates users using |
2 | 50 |
* Kerberos protocols. |
51 |
* |
|
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
52 |
* <p> The configuration entry for {@code Krb5LoginModule} has |
2 | 53 |
* several options that control the authentication process and |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
54 |
* additions to the {@code Subject}'s private credential |
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
55 |
* set. Irrespective of these options, the {@code Subject}'s |
2 | 56 |
* principal set and private credentials set are updated only when |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
57 |
* {@code commit} is called. |
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
58 |
* When {@code commit} is called, the {@code KerberosPrincipal} |
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
59 |
* is added to the {@code Subject}'s principal set (unless the |
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
60 |
* {@code principal} is specified as "*"). If {@code isInitiator} |
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
61 |
* is true, the {@code KerberosTicket} is |
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
62 |
* added to the {@code Subject}'s private credentials. |
2 | 63 |
* |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
64 |
* <p> If the configuration entry for {@code KerberosLoginModule} |
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
65 |
* has the option {@code storeKey} set to true, then |
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
66 |
* {@code KerberosKey} or {@code KeyTab} will also be added to the |
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
67 |
* subject's private credentials. {@code KerberosKey}, the principal's |
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
68 |
* key(s) will be derived from user's password, and {@code KeyTab} is |
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
69 |
* the keytab used when {@code useKeyTab} is set to true. The |
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
70 |
* {@code KeyTab} object is restricted to be used by the specified |
15649
f6bd3d34f844
8001104: Unbound SASL service: the GSSAPI/krb5 mech
weijun
parents:
14769
diff
changeset
|
71 |
* principal unless the principal value is "*". |
2 | 72 |
* |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
73 |
* <p> This {@code LoginModule} recognizes the {@code doNotPrompt} |
2 | 74 |
* option. If set to true the user will not be prompted for the password. |
75 |
* |
|
76 |
* <p> The user can specify the location of the ticket cache by using |
|
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
77 |
* the option {@code ticketCache} in the configuration entry. |
2 | 78 |
* |
79 |
* <p>The user can specify the keytab location by using |
|
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
80 |
* the option {@code keyTab} |
2 | 81 |
* in the configuration entry. |
82 |
* |
|
83 |
* <p> The principal name can be specified in the configuration entry |
|
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
84 |
* by using the option {@code principal}. The principal name |
15649
f6bd3d34f844
8001104: Unbound SASL service: the GSSAPI/krb5 mech
weijun
parents:
14769
diff
changeset
|
85 |
* can either be a simple user name, a service name such as |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
86 |
* {@code host/mission.eng.sun.com}, or "*". The principal can also |
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
87 |
* be set using the system property {@code sun.security.krb5.principal}. |
2 | 88 |
* This property is checked during login. If this property is not set, then |
89 |
* the principal name from the configuration is used. In the |
|
90 |
* case where the principal property is not set and the principal |
|
91 |
* entry also does not exist, the user is prompted for the name. |
|
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
92 |
* When this property of entry is set, and {@code useTicketCache} |
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
93 |
* is set to true, only TGT belonging to this principal is used. |
2 | 94 |
* |
95 |
* <p> The following is a list of configuration options supported |
|
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
96 |
* for {@code Krb5LoginModule}: |
15649
f6bd3d34f844
8001104: Unbound SASL service: the GSSAPI/krb5 mech
weijun
parents:
14769
diff
changeset
|
97 |
* <blockquote><dl> |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
98 |
* <dt>{@code refreshKrb5Config}:</dt> |
2 | 99 |
* <dd> Set this to true, if you want the configuration |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
100 |
* to be refreshed before the {@code login} method is called.</dd> |
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
101 |
* <dt>{@code useTicketCache}:</dt> |
2 | 102 |
* <dd>Set this to true, if you want the |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
103 |
* TGT to be obtained from the ticket cache. Set this option |
2 | 104 |
* to false if you do not want this module to use the ticket cache. |
105 |
* (Default is False). |
|
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
106 |
* This module will search for the ticket |
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
107 |
* cache in the following locations: On Solaris and Linux |
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
108 |
* it will look for the ticket cache in /tmp/krb5cc_{@code uid} |
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
109 |
* where the uid is numeric user identifier. If the ticket cache is |
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
110 |
* not available in the above location, or if we are on a |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
111 |
* Windows platform, it will look for the cache as |
2 | 112 |
* {user.home}{file.separator}krb5cc_{user.name}. |
113 |
* You can override the ticket cache location by using |
|
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
114 |
* {@code ticketCache}. |
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
115 |
* For Windows, if a ticket cannot be retrieved from the file ticket cache, |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
116 |
* it will use Local Security Authority (LSA) API to get the TGT. |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
117 |
* <dt>{@code ticketCache}:</dt> |
2 | 118 |
* <dd>Set this to the name of the ticket |
119 |
* cache that contains user's TGT. |
|
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
120 |
* If this is set, {@code useTicketCache} |
2 | 121 |
* must also be set to true; Otherwise a configuration error will |
122 |
* be returned.</dd> |
|
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
123 |
* <dt>{@code renewTGT}:</dt> |
31643
abad00f2c027
8058290: JAAS Krb5LoginModule has suspect ticket-renewal logic, relies on clockskew grace
weijun
parents:
30044
diff
changeset
|
124 |
* <dd>Set this to true, if you want to renew the TGT when it's more than |
abad00f2c027
8058290: JAAS Krb5LoginModule has suspect ticket-renewal logic, relies on clockskew grace
weijun
parents:
30044
diff
changeset
|
125 |
* half-way expired (the time until expiration is less than the time |
abad00f2c027
8058290: JAAS Krb5LoginModule has suspect ticket-renewal logic, relies on clockskew grace
weijun
parents:
30044
diff
changeset
|
126 |
* since start time). If this is set, {@code useTicketCache} must also be |
2 | 127 |
* set to true; otherwise a configuration error will be returned.</dd> |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
128 |
* <dt>{@code doNotPrompt}:</dt> |
2 | 129 |
* <dd>Set this to true if you do not want to be |
130 |
* prompted for the password |
|
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
131 |
* if credentials can not be obtained from the cache, the keytab, |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
132 |
* or through shared state.(Default is false) |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
133 |
* If set to true, credential must be obtained through cache, keytab, |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
134 |
* or shared state. Otherwise, authentication will fail.</dd> |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
135 |
* <dt>{@code useKeyTab}:</dt> |
2 | 136 |
* <dd>Set this to true if you |
137 |
* want the module to get the principal's key from the |
|
138 |
* the keytab.(default value is False) |
|
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
139 |
* If {@code keytab} is not set then |
2 | 140 |
* the module will locate the keytab from the |
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
141 |
* Kerberos configuration file. |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
142 |
* If it is not specified in the Kerberos configuration file |
2 | 143 |
* then it will look for the file |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
144 |
* {@code {user.home}{file.separator}}krb5.keytab.</dd> |
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
145 |
* <dt>{@code keyTab}:</dt> |
2 | 146 |
* <dd>Set this to the file name of the |
147 |
* keytab to get principal's secret key.</dd> |
|
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
148 |
* <dt>{@code storeKey}:</dt> |
15649
f6bd3d34f844
8001104: Unbound SASL service: the GSSAPI/krb5 mech
weijun
parents:
14769
diff
changeset
|
149 |
* <dd>Set this to true to if you want the keytab or the |
f6bd3d34f844
8001104: Unbound SASL service: the GSSAPI/krb5 mech
weijun
parents:
14769
diff
changeset
|
150 |
* principal's key to be stored in the Subject's private credentials. |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
151 |
* For {@code isInitiator} being false, if {@code principal} |
15649
f6bd3d34f844
8001104: Unbound SASL service: the GSSAPI/krb5 mech
weijun
parents:
14769
diff
changeset
|
152 |
* is "*", the {@link KeyTab} stored can be used by anyone, otherwise, |
f6bd3d34f844
8001104: Unbound SASL service: the GSSAPI/krb5 mech
weijun
parents:
14769
diff
changeset
|
153 |
* it's restricted to be used by the specified principal only.</dd> |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
154 |
* <dt>{@code principal}:</dt> |
2 | 155 |
* <dd>The name of the principal that should |
156 |
* be used. The principal can be a simple username such as |
|
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
157 |
* "{@code testuser}" or a service name such as |
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
158 |
* "{@code host/testhost.eng.sun.com}". You can use the |
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
159 |
* {@code principal} option to set the principal when there are |
2 | 160 |
* credentials for multiple principals in the |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
161 |
* {@code keyTab} or when you want a specific ticket cache only. |
2 | 162 |
* The principal can also be set using the system property |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
163 |
* {@code sun.security.krb5.principal}. In addition, if this |
2 | 164 |
* system property is defined, then it will be used. If this property |
165 |
* is not set, then the principal name from the configuration will be |
|
15649
f6bd3d34f844
8001104: Unbound SASL service: the GSSAPI/krb5 mech
weijun
parents:
14769
diff
changeset
|
166 |
* used. |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
167 |
* The principal name can be set to "*" when {@code isInitiator} is false. |
15649
f6bd3d34f844
8001104: Unbound SASL service: the GSSAPI/krb5 mech
weijun
parents:
14769
diff
changeset
|
168 |
* In this case, the acceptor is not bound to a single principal. It can |
f6bd3d34f844
8001104: Unbound SASL service: the GSSAPI/krb5 mech
weijun
parents:
14769
diff
changeset
|
169 |
* act as any principal an initiator requests if keys for that principal |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
170 |
* can be found. When {@code isInitiator} is true, the principal name |
15649
f6bd3d34f844
8001104: Unbound SASL service: the GSSAPI/krb5 mech
weijun
parents:
14769
diff
changeset
|
171 |
* cannot be set to "*". |
f6bd3d34f844
8001104: Unbound SASL service: the GSSAPI/krb5 mech
weijun
parents:
14769
diff
changeset
|
172 |
* </dd> |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
173 |
* <dt>{@code isInitiator}:</dt> |
2 | 174 |
* <dd>Set this to true, if initiator. Set this to false, if acceptor only. |
175 |
* (Default is true). |
|
176 |
* Note: Do not set this value to false for initiators.</dd> |
|
177 |
* </dl></blockquote> |
|
178 |
* |
|
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
179 |
* <p> This {@code LoginModule} also recognizes the following additional |
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
180 |
* {@code Configuration} |
2 | 181 |
* options that enable you to share username and passwords across different |
182 |
* authentication modules: |
|
15649
f6bd3d34f844
8001104: Unbound SASL service: the GSSAPI/krb5 mech
weijun
parents:
14769
diff
changeset
|
183 |
* <blockquote><dl> |
2 | 184 |
* |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
185 |
* <dt>{@code useFirstPass}:</dt> |
15649
f6bd3d34f844
8001104: Unbound SASL service: the GSSAPI/krb5 mech
weijun
parents:
14769
diff
changeset
|
186 |
* <dd>if, true, this LoginModule retrieves the |
2 | 187 |
* username and password from the module's shared state, |
188 |
* using "javax.security.auth.login.name" and |
|
189 |
* "javax.security.auth.login.password" as the respective |
|
190 |
* keys. The retrieved values are used for authentication. |
|
191 |
* If authentication fails, no attempt for a retry |
|
192 |
* is made, and the failure is reported back to the |
|
15649
f6bd3d34f844
8001104: Unbound SASL service: the GSSAPI/krb5 mech
weijun
parents:
14769
diff
changeset
|
193 |
* calling application.</dd> |
2 | 194 |
* |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
195 |
* <dt>{@code tryFirstPass}:</dt> |
15649
f6bd3d34f844
8001104: Unbound SASL service: the GSSAPI/krb5 mech
weijun
parents:
14769
diff
changeset
|
196 |
* <dd>if, true, this LoginModule retrieves the |
2 | 197 |
* the username and password from the module's shared |
198 |
* state using "javax.security.auth.login.name" and |
|
199 |
* "javax.security.auth.login.password" as the respective |
|
200 |
* keys. The retrieved values are used for |
|
201 |
* authentication. |
|
202 |
* If authentication fails, the module uses the |
|
203 |
* CallbackHandler to retrieve a new username |
|
204 |
* and password, and another attempt to authenticate |
|
205 |
* is made. If the authentication fails, |
|
15649
f6bd3d34f844
8001104: Unbound SASL service: the GSSAPI/krb5 mech
weijun
parents:
14769
diff
changeset
|
206 |
* the failure is reported back to the calling application</dd> |
2 | 207 |
* |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
208 |
* <dt>{@code storePass}:</dt> |
15649
f6bd3d34f844
8001104: Unbound SASL service: the GSSAPI/krb5 mech
weijun
parents:
14769
diff
changeset
|
209 |
* <dd>if, true, this LoginModule stores the username and |
2 | 210 |
* password obtained from the CallbackHandler in the |
211 |
* modules shared state, using |
|
212 |
* "javax.security.auth.login.name" and |
|
213 |
* "javax.security.auth.login.password" as the respective |
|
214 |
* keys. This is not performed if existing values already |
|
215 |
* exist for the username and password in the shared |
|
15649
f6bd3d34f844
8001104: Unbound SASL service: the GSSAPI/krb5 mech
weijun
parents:
14769
diff
changeset
|
216 |
* state, or if authentication fails.</dd> |
2 | 217 |
* |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
218 |
* <dt>{@code clearPass}:</dt> |
15649
f6bd3d34f844
8001104: Unbound SASL service: the GSSAPI/krb5 mech
weijun
parents:
14769
diff
changeset
|
219 |
* <dd>if, true, this LoginModule clears the |
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
220 |
* username and password stored in the module's shared |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
221 |
* state after both phases of authentication |
15649
f6bd3d34f844
8001104: Unbound SASL service: the GSSAPI/krb5 mech
weijun
parents:
14769
diff
changeset
|
222 |
* (login and commit) have completed.</dd> |
f6bd3d34f844
8001104: Unbound SASL service: the GSSAPI/krb5 mech
weijun
parents:
14769
diff
changeset
|
223 |
* </dl></blockquote> |
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
224 |
* <p>If the principal system property or key is already provided, the value of |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
225 |
* "javax.security.auth.login.name" in the shared state is ignored. |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
226 |
* <p>When multiple mechanisms to retrieve a ticket or key is provided, the |
15649
f6bd3d34f844
8001104: Unbound SASL service: the GSSAPI/krb5 mech
weijun
parents:
14769
diff
changeset
|
227 |
* preference order is: |
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
228 |
* <ol> |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
229 |
* <li>ticket cache |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
230 |
* <li>keytab |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
231 |
* <li>shared state |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
232 |
* <li>user prompt |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
233 |
* </ol> |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
234 |
* |
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
235 |
* <p>Note that if any step fails, it will fallback to the next step. |
15649
f6bd3d34f844
8001104: Unbound SASL service: the GSSAPI/krb5 mech
weijun
parents:
14769
diff
changeset
|
236 |
* There's only one exception, if the shared state step fails and |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
237 |
* {@code useFirstPass = true}, no user prompt is made. |
2 | 238 |
* <p>Examples of some configuration values for Krb5LoginModule in |
239 |
* JAAS config file and the results are: |
|
49196
82a3005cb038
8199154: Accessibility issues in jdk.security.auth
weijun
parents:
47216
diff
changeset
|
240 |
* <blockquote> |
82a3005cb038
8199154: Accessibility issues in jdk.security.auth
weijun
parents:
47216
diff
changeset
|
241 |
* <pre>{@code |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
242 |
* doNotPrompt = true}</pre> |
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
243 |
* This is an illegal combination since none of {@code useTicketCache, |
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
244 |
* useKeyTab, useFirstPass} and {@code tryFirstPass} |
49196
82a3005cb038
8199154: Accessibility issues in jdk.security.auth
weijun
parents:
47216
diff
changeset
|
245 |
* is set and the user can not be prompted for the password. |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
246 |
* |
49196
82a3005cb038
8199154: Accessibility issues in jdk.security.auth
weijun
parents:
47216
diff
changeset
|
247 |
* <pre>{@code |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
248 |
* ticketCache = <filename>}</pre> |
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
249 |
* This is an illegal combination since {@code useTicketCache} |
2 | 250 |
* is not set to true and the ticketCache is set. A configuration error |
49196
82a3005cb038
8199154: Accessibility issues in jdk.security.auth
weijun
parents:
47216
diff
changeset
|
251 |
* will occur. |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
252 |
* |
49196
82a3005cb038
8199154: Accessibility issues in jdk.security.auth
weijun
parents:
47216
diff
changeset
|
253 |
* <pre>{@code |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
254 |
* renewTGT = true}</pre> |
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
255 |
* This is an illegal combination since {@code useTicketCache} is |
49196
82a3005cb038
8199154: Accessibility issues in jdk.security.auth
weijun
parents:
47216
diff
changeset
|
256 |
* not set to true and renewTGT is set. A configuration error will occur. |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
257 |
* |
49196
82a3005cb038
8199154: Accessibility issues in jdk.security.auth
weijun
parents:
47216
diff
changeset
|
258 |
* <pre>{@code |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
259 |
* storeKey = true useTicketCache = true doNotPrompt = true}</pre> |
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
260 |
* This is an illegal combination since {@code storeKey} is set to |
2 | 261 |
* true but the key can not be obtained either by prompting the user or from |
49196
82a3005cb038
8199154: Accessibility issues in jdk.security.auth
weijun
parents:
47216
diff
changeset
|
262 |
* the keytab, or from the shared state. A configuration error will occur. |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
263 |
* |
49196
82a3005cb038
8199154: Accessibility issues in jdk.security.auth
weijun
parents:
47216
diff
changeset
|
264 |
* <pre>{@code |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
265 |
* keyTab = <filename> doNotPrompt = true}</pre> |
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
266 |
* This is an illegal combination since useKeyTab is not set to true and |
49196
82a3005cb038
8199154: Accessibility issues in jdk.security.auth
weijun
parents:
47216
diff
changeset
|
267 |
* the keyTab is set. A configuration error will occur. |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
268 |
* |
49196
82a3005cb038
8199154: Accessibility issues in jdk.security.auth
weijun
parents:
47216
diff
changeset
|
269 |
* <pre>{@code |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
270 |
* debug = true}</pre> |
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
271 |
* Prompt the user for the principal name and the password. |
2 | 272 |
* Use the authentication exchange to get TGT from the KDC and |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
273 |
* populate the {@code Subject} with the principal and TGT. |
49196
82a3005cb038
8199154: Accessibility issues in jdk.security.auth
weijun
parents:
47216
diff
changeset
|
274 |
* Output debug messages. |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
275 |
* |
49196
82a3005cb038
8199154: Accessibility issues in jdk.security.auth
weijun
parents:
47216
diff
changeset
|
276 |
* <pre>{@code |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
277 |
* useTicketCache = true doNotPrompt = true}</pre> |
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
278 |
* Check the default cache for TGT and populate the {@code Subject} |
2 | 279 |
* with the principal and TGT. If the TGT is not available, |
49196
82a3005cb038
8199154: Accessibility issues in jdk.security.auth
weijun
parents:
47216
diff
changeset
|
280 |
* do not prompt the user, instead fail the authentication. |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
281 |
* |
49196
82a3005cb038
8199154: Accessibility issues in jdk.security.auth
weijun
parents:
47216
diff
changeset
|
282 |
* <pre>{@code |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
283 |
* principal = <name> useTicketCache = true doNotPrompt = true}</pre> |
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
284 |
* Get the TGT from the default cache for the principal and populate the |
2 | 285 |
* Subject's principal and private creds set. If ticket cache is |
286 |
* not available or does not contain the principal's TGT |
|
49196
82a3005cb038
8199154: Accessibility issues in jdk.security.auth
weijun
parents:
47216
diff
changeset
|
287 |
* authentication will fail. |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
288 |
* |
49196
82a3005cb038
8199154: Accessibility issues in jdk.security.auth
weijun
parents:
47216
diff
changeset
|
289 |
* <pre>{@code |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
290 |
* useTicketCache = true |
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
291 |
* ticketCache = <file name> |
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
292 |
* useKeyTab = true |
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
293 |
* keyTab = <keytab filename> |
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
294 |
* principal = <principal name> |
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
295 |
* doNotPrompt = true}</pre> |
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
296 |
* Search the cache for the principal's TGT. If it is not available |
2 | 297 |
* use the key in the keytab to perform authentication exchange with the |
298 |
* KDC and acquire the TGT. |
|
299 |
* The Subject will be populated with the principal and the TGT. |
|
49196
82a3005cb038
8199154: Accessibility issues in jdk.security.auth
weijun
parents:
47216
diff
changeset
|
300 |
* If the key is not available or valid then authentication will fail. |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
301 |
* |
49196
82a3005cb038
8199154: Accessibility issues in jdk.security.auth
weijun
parents:
47216
diff
changeset
|
302 |
* <pre>{@code |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
303 |
* useTicketCache = true ticketCache = <filename>}</pre> |
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
304 |
* The TGT will be obtained from the cache specified. |
2 | 305 |
* The Kerberos principal name used will be the principal name in |
306 |
* the Ticket cache. If the TGT is not available in the |
|
307 |
* ticket cache the user will be prompted for the principal name |
|
308 |
* and the password. The TGT will be obtained using the authentication |
|
309 |
* exchange with the KDC. |
|
49196
82a3005cb038
8199154: Accessibility issues in jdk.security.auth
weijun
parents:
47216
diff
changeset
|
310 |
* The Subject will be populated with the TGT. |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
311 |
* |
49196
82a3005cb038
8199154: Accessibility issues in jdk.security.auth
weijun
parents:
47216
diff
changeset
|
312 |
* <pre>{@code |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
313 |
* useKeyTab = true keyTab=<keytab filename> principal = <principal name> storeKey = true}</pre> |
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
314 |
* The key for the principal will be retrieved from the keytab. |
2 | 315 |
* If the key is not available in the keytab the user will be prompted |
316 |
* for the principal's password. The Subject will be populated |
|
317 |
* with the principal's key either from the keytab or derived from the |
|
49196
82a3005cb038
8199154: Accessibility issues in jdk.security.auth
weijun
parents:
47216
diff
changeset
|
318 |
* password entered. |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
319 |
* |
49196
82a3005cb038
8199154: Accessibility issues in jdk.security.auth
weijun
parents:
47216
diff
changeset
|
320 |
* <pre>{@code |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
321 |
* useKeyTab = true keyTab = <keytabname> storeKey = true doNotPrompt = false}</pre> |
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
322 |
* The user will be prompted for the service principal name. |
2 | 323 |
* If the principal's |
324 |
* longterm key is available in the keytab , it will be added to the |
|
325 |
* Subject's private credentials. An authentication exchange will be |
|
326 |
* attempted with the principal name and the key from the Keytab. |
|
327 |
* If successful the TGT will be added to the |
|
49196
82a3005cb038
8199154: Accessibility issues in jdk.security.auth
weijun
parents:
47216
diff
changeset
|
328 |
* Subject's private credentials set. Otherwise the authentication will fail. |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
329 |
* |
49196
82a3005cb038
8199154: Accessibility issues in jdk.security.auth
weijun
parents:
47216
diff
changeset
|
330 |
* <pre>{@code |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
331 |
* isInitiator = false useKeyTab = true keyTab = <keytabname> storeKey = true principal = *}</pre> |
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
332 |
* The acceptor will be an unbound acceptor and it can act as any principal |
49196
82a3005cb038
8199154: Accessibility issues in jdk.security.auth
weijun
parents:
47216
diff
changeset
|
333 |
* as long that principal has keys in the keytab. |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
334 |
* |
49196
82a3005cb038
8199154: Accessibility issues in jdk.security.auth
weijun
parents:
47216
diff
changeset
|
335 |
* <pre>{@code |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
336 |
* useTicketCache = true |
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
337 |
* ticketCache = <file name> |
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
338 |
* useKeyTab = true |
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
339 |
* keyTab = <file name> |
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
340 |
* storeKey = true |
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
341 |
* principal = <principal name>}</pre> |
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
342 |
* The client's TGT will be retrieved from the ticket cache and added to the |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
343 |
* {@code Subject}'s private credentials. If the TGT is not available |
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
344 |
* in the ticket cache, or the TGT's client name does not match the principal |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
345 |
* name, Java will use a secret key to obtain the TGT using the authentication |
2 | 346 |
* exchange and added to the Subject's private credentials. |
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
347 |
* This secret key will be first retrieved from the keytab. If the key |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
348 |
* is not available, the user will be prompted for the password. In either |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
349 |
* case, the key derived from the password will be added to the |
49196
82a3005cb038
8199154: Accessibility issues in jdk.security.auth
weijun
parents:
47216
diff
changeset
|
350 |
* Subject's private credentials set. |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
351 |
* |
49196
82a3005cb038
8199154: Accessibility issues in jdk.security.auth
weijun
parents:
47216
diff
changeset
|
352 |
* <pre>{@code |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
353 |
* isInitiator = false}</pre> |
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
354 |
* Configured to act as acceptor only, credentials are not acquired |
2 | 355 |
* via AS exchange. For acceptors only, set this value to false. |
49196
82a3005cb038
8199154: Accessibility issues in jdk.security.auth
weijun
parents:
47216
diff
changeset
|
356 |
* For initiators, do not set this value to false. |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
357 |
* |
49196
82a3005cb038
8199154: Accessibility issues in jdk.security.auth
weijun
parents:
47216
diff
changeset
|
358 |
* <pre>{@code |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
359 |
* isInitiator = true}</pre> |
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
360 |
* Configured to act as initiator, credentials are acquired |
2 | 361 |
* via AS exchange. For initiators, set this value to true, or leave this |
49196
82a3005cb038
8199154: Accessibility issues in jdk.security.auth
weijun
parents:
47216
diff
changeset
|
362 |
* option unset, in which case default value (true) will be used. |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
363 |
* |
49196
82a3005cb038
8199154: Accessibility issues in jdk.security.auth
weijun
parents:
47216
diff
changeset
|
364 |
* </blockquote> |
2 | 365 |
* |
366 |
* @author Ram Marti |
|
367 |
*/ |
|
368 |
||
369 |
public class Krb5LoginModule implements LoginModule { |
|
370 |
||
371 |
// initial state |
|
372 |
private Subject subject; |
|
373 |
private CallbackHandler callbackHandler; |
|
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
9499
diff
changeset
|
374 |
private Map<String, Object> sharedState; |
2 | 375 |
private Map<String, ?> options; |
376 |
||
377 |
// configurable option |
|
378 |
private boolean debug = false; |
|
379 |
private boolean storeKey = false; |
|
380 |
private boolean doNotPrompt = false; |
|
381 |
private boolean useTicketCache = false; |
|
382 |
private boolean useKeyTab = false; |
|
383 |
private String ticketCacheName = null; |
|
384 |
private String keyTabName = null; |
|
385 |
private String princName = null; |
|
386 |
||
387 |
private boolean useFirstPass = false; |
|
388 |
private boolean tryFirstPass = false; |
|
389 |
private boolean storePass = false; |
|
390 |
private boolean clearPass = false; |
|
391 |
private boolean refreshKrb5Config = false; |
|
392 |
private boolean renewTGT = false; |
|
393 |
||
394 |
// specify if initiator. |
|
395 |
// perform authentication exchange if initiator |
|
396 |
private boolean isInitiator = true; |
|
397 |
||
398 |
// the authentication status |
|
399 |
private boolean succeeded = false; |
|
400 |
private boolean commitSucceeded = false; |
|
401 |
private String username; |
|
9499 | 402 |
|
403 |
// Encryption keys calculated from password. Assigned when storekey == true |
|
404 |
// and useKeyTab == false (or true but not found) |
|
2 | 405 |
private EncryptionKey[] encKeys = null; |
9499 | 406 |
|
407 |
KeyTab ktab = null; |
|
408 |
||
2 | 409 |
private Credentials cred = null; |
410 |
||
411 |
private PrincipalName principal = null; |
|
412 |
private KerberosPrincipal kerbClientPrinc = null; |
|
413 |
private KerberosTicket kerbTicket = null; |
|
414 |
private KerberosKey[] kerbKeys = null; |
|
415 |
private StringBuffer krb5PrincName = null; |
|
15649
f6bd3d34f844
8001104: Unbound SASL service: the GSSAPI/krb5 mech
weijun
parents:
14769
diff
changeset
|
416 |
private boolean unboundServer = false; |
2 | 417 |
private char[] password = null; |
418 |
||
419 |
private static final String NAME = "javax.security.auth.login.name"; |
|
420 |
private static final String PWD = "javax.security.auth.login.password"; |
|
421 |
||
422 |
/** |
|
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
423 |
* Initialize this {@code LoginModule}. |
2 | 424 |
* |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
425 |
* @param subject the {@code Subject} to be authenticated. |
2 | 426 |
* |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
427 |
* @param callbackHandler a {@code CallbackHandler} for |
2 | 428 |
* communication with the end user (prompting for |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
429 |
* usernames and passwords, for example). |
2 | 430 |
* |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
431 |
* @param sharedState shared {@code LoginModule} state. |
2 | 432 |
* |
433 |
* @param options options specified in the login |
|
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
434 |
* {@code Configuration} for this particular |
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
435 |
* {@code LoginModule}. |
2 | 436 |
*/ |
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
9499
diff
changeset
|
437 |
// Unchecked warning from (Map<String, Object>)sharedState is safe |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
9499
diff
changeset
|
438 |
// since javax.security.auth.login.LoginContext passes a raw HashMap. |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
9499
diff
changeset
|
439 |
// Unchecked warnings from options.get(String) are safe since we are |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
9499
diff
changeset
|
440 |
// passing known keys. |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
9499
diff
changeset
|
441 |
@SuppressWarnings("unchecked") |
2 | 442 |
public void initialize(Subject subject, |
443 |
CallbackHandler callbackHandler, |
|
444 |
Map<String, ?> sharedState, |
|
445 |
Map<String, ?> options) { |
|
446 |
||
447 |
this.subject = subject; |
|
448 |
this.callbackHandler = callbackHandler; |
|
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
9499
diff
changeset
|
449 |
this.sharedState = (Map<String, Object>)sharedState; |
2 | 450 |
this.options = options; |
451 |
||
452 |
// initialize any configured options |
|
453 |
||
454 |
debug = "true".equalsIgnoreCase((String)options.get("debug")); |
|
455 |
storeKey = "true".equalsIgnoreCase((String)options.get("storeKey")); |
|
456 |
doNotPrompt = "true".equalsIgnoreCase((String)options.get |
|
457 |
("doNotPrompt")); |
|
458 |
useTicketCache = "true".equalsIgnoreCase((String)options.get |
|
459 |
("useTicketCache")); |
|
460 |
useKeyTab = "true".equalsIgnoreCase((String)options.get("useKeyTab")); |
|
461 |
ticketCacheName = (String)options.get("ticketCache"); |
|
462 |
keyTabName = (String)options.get("keyTab"); |
|
13590
f7f85d7f7a82
7152121: Krb5LoginModule no longer handles keyTabNames with "file:" prefix
weijun
parents:
10695
diff
changeset
|
463 |
if (keyTabName != null) { |
f7f85d7f7a82
7152121: Krb5LoginModule no longer handles keyTabNames with "file:" prefix
weijun
parents:
10695
diff
changeset
|
464 |
keyTabName = sun.security.krb5.internal.ktab.KeyTab.normalize( |
f7f85d7f7a82
7152121: Krb5LoginModule no longer handles keyTabNames with "file:" prefix
weijun
parents:
10695
diff
changeset
|
465 |
keyTabName); |
f7f85d7f7a82
7152121: Krb5LoginModule no longer handles keyTabNames with "file:" prefix
weijun
parents:
10695
diff
changeset
|
466 |
} |
2 | 467 |
princName = (String)options.get("principal"); |
468 |
refreshKrb5Config = |
|
469 |
"true".equalsIgnoreCase((String)options.get("refreshKrb5Config")); |
|
470 |
renewTGT = |
|
471 |
"true".equalsIgnoreCase((String)options.get("renewTGT")); |
|
472 |
||
473 |
// check isInitiator value |
|
474 |
String isInitiatorValue = ((String)options.get("isInitiator")); |
|
475 |
if (isInitiatorValue == null) { |
|
476 |
// use default, if value not set |
|
477 |
} else { |
|
478 |
isInitiator = "true".equalsIgnoreCase(isInitiatorValue); |
|
479 |
} |
|
480 |
||
481 |
tryFirstPass = |
|
482 |
"true".equalsIgnoreCase |
|
483 |
((String)options.get("tryFirstPass")); |
|
484 |
useFirstPass = |
|
485 |
"true".equalsIgnoreCase |
|
486 |
((String)options.get("useFirstPass")); |
|
487 |
storePass = |
|
488 |
"true".equalsIgnoreCase((String)options.get("storePass")); |
|
489 |
clearPass = |
|
490 |
"true".equalsIgnoreCase((String)options.get("clearPass")); |
|
491 |
if (debug) { |
|
492 |
System.out.print("Debug is " + debug |
|
493 |
+ " storeKey " + storeKey |
|
494 |
+ " useTicketCache " + useTicketCache |
|
495 |
+ " useKeyTab " + useKeyTab |
|
496 |
+ " doNotPrompt " + doNotPrompt |
|
497 |
+ " ticketCache is " + ticketCacheName |
|
498 |
+ " isInitiator " + isInitiator |
|
499 |
+ " KeyTab is " + keyTabName |
|
500 |
+ " refreshKrb5Config is " + refreshKrb5Config |
|
501 |
+ " principal is " + princName |
|
502 |
+ " tryFirstPass is " + tryFirstPass |
|
503 |
+ " useFirstPass is " + useFirstPass |
|
504 |
+ " storePass is " + storePass |
|
505 |
+ " clearPass is " + clearPass + "\n"); |
|
506 |
} |
|
507 |
} |
|
508 |
||
509 |
||
510 |
/** |
|
511 |
* Authenticate the user |
|
512 |
* |
|
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
513 |
* @return true in all cases since this {@code LoginModule} |
2 | 514 |
* should not be ignored. |
515 |
* |
|
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
516 |
* @exception FailedLoginException if the authentication fails. |
2 | 517 |
* |
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
518 |
* @exception LoginException if this {@code LoginModule} |
2 | 519 |
* is unable to perform the authentication. |
520 |
*/ |
|
521 |
public boolean login() throws LoginException { |
|
522 |
||
523 |
if (refreshKrb5Config) { |
|
524 |
try { |
|
525 |
if (debug) { |
|
526 |
System.out.println("Refreshing Kerberos configuration"); |
|
527 |
} |
|
528 |
sun.security.krb5.Config.refresh(); |
|
529 |
} catch (KrbException ke) { |
|
530 |
LoginException le = new LoginException(ke.getMessage()); |
|
531 |
le.initCause(ke); |
|
532 |
throw le; |
|
533 |
} |
|
534 |
} |
|
535 |
String principalProperty = System.getProperty |
|
536 |
("sun.security.krb5.principal"); |
|
537 |
if (principalProperty != null) { |
|
538 |
krb5PrincName = new StringBuffer(principalProperty); |
|
539 |
} else { |
|
540 |
if (princName != null) { |
|
541 |
krb5PrincName = new StringBuffer(princName); |
|
542 |
} |
|
543 |
} |
|
544 |
||
15649
f6bd3d34f844
8001104: Unbound SASL service: the GSSAPI/krb5 mech
weijun
parents:
14769
diff
changeset
|
545 |
validateConfiguration(); |
f6bd3d34f844
8001104: Unbound SASL service: the GSSAPI/krb5 mech
weijun
parents:
14769
diff
changeset
|
546 |
|
f6bd3d34f844
8001104: Unbound SASL service: the GSSAPI/krb5 mech
weijun
parents:
14769
diff
changeset
|
547 |
if (krb5PrincName != null && krb5PrincName.toString().equals("*")) { |
f6bd3d34f844
8001104: Unbound SASL service: the GSSAPI/krb5 mech
weijun
parents:
14769
diff
changeset
|
548 |
unboundServer = true; |
f6bd3d34f844
8001104: Unbound SASL service: the GSSAPI/krb5 mech
weijun
parents:
14769
diff
changeset
|
549 |
} |
f6bd3d34f844
8001104: Unbound SASL service: the GSSAPI/krb5 mech
weijun
parents:
14769
diff
changeset
|
550 |
|
2 | 551 |
if (tryFirstPass) { |
552 |
try { |
|
553 |
attemptAuthentication(true); |
|
554 |
if (debug) |
|
555 |
System.out.println("\t\t[Krb5LoginModule] " + |
|
556 |
"authentication succeeded"); |
|
557 |
succeeded = true; |
|
558 |
cleanState(); |
|
559 |
return true; |
|
560 |
} catch (LoginException le) { |
|
561 |
// authentication failed -- try again below by prompting |
|
562 |
cleanState(); |
|
563 |
if (debug) { |
|
564 |
System.out.println("\t\t[Krb5LoginModule] " + |
|
565 |
"tryFirstPass failed with:" + |
|
566 |
le.getMessage()); |
|
567 |
} |
|
568 |
} |
|
569 |
} else if (useFirstPass) { |
|
570 |
try { |
|
571 |
attemptAuthentication(true); |
|
572 |
succeeded = true; |
|
573 |
cleanState(); |
|
574 |
return true; |
|
575 |
} catch (LoginException e) { |
|
576 |
// authentication failed -- clean out state |
|
577 |
if (debug) { |
|
578 |
System.out.println("\t\t[Krb5LoginModule] " + |
|
579 |
"authentication failed \n" + |
|
580 |
e.getMessage()); |
|
581 |
} |
|
582 |
succeeded = false; |
|
583 |
cleanState(); |
|
584 |
throw e; |
|
585 |
} |
|
586 |
} |
|
587 |
||
588 |
// attempt the authentication by getting the username and pwd |
|
589 |
// by prompting or configuration i.e. not from shared state |
|
590 |
||
591 |
try { |
|
592 |
attemptAuthentication(false); |
|
593 |
succeeded = true; |
|
594 |
cleanState(); |
|
595 |
return true; |
|
596 |
} catch (LoginException e) { |
|
597 |
// authentication failed -- clean out state |
|
598 |
if (debug) { |
|
599 |
System.out.println("\t\t[Krb5LoginModule] " + |
|
600 |
"authentication failed \n" + |
|
601 |
e.getMessage()); |
|
602 |
} |
|
603 |
succeeded = false; |
|
604 |
cleanState(); |
|
605 |
throw e; |
|
606 |
} |
|
607 |
} |
|
608 |
/** |
|
609 |
* process the configuration options |
|
610 |
* Get the TGT either out of |
|
611 |
* cache or from the KDC using the password entered |
|
612 |
* Check the permission before getting the TGT |
|
613 |
*/ |
|
614 |
||
615 |
private void attemptAuthentication(boolean getPasswdFromSharedState) |
|
616 |
throws LoginException { |
|
617 |
||
618 |
/* |
|
619 |
* Check the creds cache to see whether |
|
620 |
* we have TGT for this client principal |
|
621 |
*/ |
|
622 |
if (krb5PrincName != null) { |
|
623 |
try { |
|
624 |
principal = new PrincipalName |
|
625 |
(krb5PrincName.toString(), |
|
626 |
PrincipalName.KRB_NT_PRINCIPAL); |
|
627 |
} catch (KrbException e) { |
|
628 |
LoginException le = new LoginException(e.getMessage()); |
|
629 |
le.initCause(e); |
|
630 |
throw le; |
|
631 |
} |
|
632 |
} |
|
633 |
||
634 |
try { |
|
635 |
if (useTicketCache) { |
|
636 |
// ticketCacheName == null implies the default cache |
|
637 |
if (debug) |
|
638 |
System.out.println("Acquire TGT from Cache"); |
|
639 |
cred = Credentials.acquireTGTFromCache |
|
640 |
(principal, ticketCacheName); |
|
641 |
||
642 |
if (cred != null) { |
|
31643
abad00f2c027
8058290: JAAS Krb5LoginModule has suspect ticket-renewal logic, relies on clockskew grace
weijun
parents:
30044
diff
changeset
|
643 |
if (renewTGT && isOld(cred)) { |
abad00f2c027
8058290: JAAS Krb5LoginModule has suspect ticket-renewal logic, relies on clockskew grace
weijun
parents:
30044
diff
changeset
|
644 |
// renew if ticket is old. |
abad00f2c027
8058290: JAAS Krb5LoginModule has suspect ticket-renewal logic, relies on clockskew grace
weijun
parents:
30044
diff
changeset
|
645 |
Credentials newCred = renewCredentials(cred); |
abad00f2c027
8058290: JAAS Krb5LoginModule has suspect ticket-renewal logic, relies on clockskew grace
weijun
parents:
30044
diff
changeset
|
646 |
if (newCred != null) { |
abad00f2c027
8058290: JAAS Krb5LoginModule has suspect ticket-renewal logic, relies on clockskew grace
weijun
parents:
30044
diff
changeset
|
647 |
cred = newCred; |
abad00f2c027
8058290: JAAS Krb5LoginModule has suspect ticket-renewal logic, relies on clockskew grace
weijun
parents:
30044
diff
changeset
|
648 |
} |
abad00f2c027
8058290: JAAS Krb5LoginModule has suspect ticket-renewal logic, relies on clockskew grace
weijun
parents:
30044
diff
changeset
|
649 |
} |
2 | 650 |
if (!isCurrent(cred)) { |
31643
abad00f2c027
8058290: JAAS Krb5LoginModule has suspect ticket-renewal logic, relies on clockskew grace
weijun
parents:
30044
diff
changeset
|
651 |
// credentials have expired |
abad00f2c027
8058290: JAAS Krb5LoginModule has suspect ticket-renewal logic, relies on clockskew grace
weijun
parents:
30044
diff
changeset
|
652 |
cred = null; |
abad00f2c027
8058290: JAAS Krb5LoginModule has suspect ticket-renewal logic, relies on clockskew grace
weijun
parents:
30044
diff
changeset
|
653 |
if (debug) |
abad00f2c027
8058290: JAAS Krb5LoginModule has suspect ticket-renewal logic, relies on clockskew grace
weijun
parents:
30044
diff
changeset
|
654 |
System.out.println("Credentials are" + |
abad00f2c027
8058290: JAAS Krb5LoginModule has suspect ticket-renewal logic, relies on clockskew grace
weijun
parents:
30044
diff
changeset
|
655 |
" no longer valid"); |
2 | 656 |
} |
657 |
} |
|
658 |
||
659 |
if (cred != null) { |
|
660 |
// get the principal name from the ticket cache |
|
661 |
if (principal == null) { |
|
662 |
principal = cred.getClient(); |
|
663 |
} |
|
664 |
} |
|
665 |
if (debug) { |
|
666 |
System.out.println("Principal is " + principal); |
|
667 |
if (cred == null) { |
|
668 |
System.out.println |
|
669 |
("null credentials from Ticket Cache"); |
|
670 |
} |
|
671 |
} |
|
672 |
} |
|
673 |
||
674 |
// cred = null indicates that we didn't get the creds |
|
675 |
// from the cache or useTicketCache was false |
|
676 |
||
677 |
if (cred == null) { |
|
678 |
// We need the principal name whether we use keytab |
|
679 |
// or AS Exchange |
|
680 |
if (principal == null) { |
|
681 |
promptForName(getPasswdFromSharedState); |
|
682 |
principal = new PrincipalName |
|
683 |
(krb5PrincName.toString(), |
|
684 |
PrincipalName.KRB_NT_PRINCIPAL); |
|
685 |
} |
|
9499 | 686 |
|
687 |
/* |
|
688 |
* Before dynamic KeyTab support (6894072), here we check if |
|
689 |
* the keytab contains keys for the principal. If no, keytab |
|
690 |
* will not be used and password is prompted for. |
|
691 |
* |
|
692 |
* After 6894072, we normally don't check it, and expect the |
|
693 |
* keys can be populated until a real connection is made. The |
|
694 |
* check is still done when isInitiator == true, where the keys |
|
695 |
* will be used right now. |
|
696 |
* |
|
697 |
* Probably tricky relations: |
|
698 |
* |
|
699 |
* useKeyTab is config flag, but when it's true but the ktab |
|
700 |
* does not contains keys for principal, we would use password |
|
701 |
* and keep the flag unchanged (for reuse?). In this method, |
|
702 |
* we use (ktab != null) to check whether keytab is used. |
|
703 |
* After this method (and when storeKey == true), we use |
|
704 |
* (encKeys == null) to check. |
|
705 |
*/ |
|
2 | 706 |
if (useKeyTab) { |
15649
f6bd3d34f844
8001104: Unbound SASL service: the GSSAPI/krb5 mech
weijun
parents:
14769
diff
changeset
|
707 |
if (!unboundServer) { |
f6bd3d34f844
8001104: Unbound SASL service: the GSSAPI/krb5 mech
weijun
parents:
14769
diff
changeset
|
708 |
KerberosPrincipal kp = |
f6bd3d34f844
8001104: Unbound SASL service: the GSSAPI/krb5 mech
weijun
parents:
14769
diff
changeset
|
709 |
new KerberosPrincipal(principal.getName()); |
f6bd3d34f844
8001104: Unbound SASL service: the GSSAPI/krb5 mech
weijun
parents:
14769
diff
changeset
|
710 |
ktab = (keyTabName == null) |
f6bd3d34f844
8001104: Unbound SASL service: the GSSAPI/krb5 mech
weijun
parents:
14769
diff
changeset
|
711 |
? KeyTab.getInstance(kp) |
f6bd3d34f844
8001104: Unbound SASL service: the GSSAPI/krb5 mech
weijun
parents:
14769
diff
changeset
|
712 |
: KeyTab.getInstance(kp, new File(keyTabName)); |
f6bd3d34f844
8001104: Unbound SASL service: the GSSAPI/krb5 mech
weijun
parents:
14769
diff
changeset
|
713 |
} else { |
f6bd3d34f844
8001104: Unbound SASL service: the GSSAPI/krb5 mech
weijun
parents:
14769
diff
changeset
|
714 |
ktab = (keyTabName == null) |
f6bd3d34f844
8001104: Unbound SASL service: the GSSAPI/krb5 mech
weijun
parents:
14769
diff
changeset
|
715 |
? KeyTab.getUnboundInstance() |
f6bd3d34f844
8001104: Unbound SASL service: the GSSAPI/krb5 mech
weijun
parents:
14769
diff
changeset
|
716 |
: KeyTab.getUnboundInstance(new File(keyTabName)); |
f6bd3d34f844
8001104: Unbound SASL service: the GSSAPI/krb5 mech
weijun
parents:
14769
diff
changeset
|
717 |
} |
9499 | 718 |
if (isInitiator) { |
719 |
if (Krb5Util.keysFromJavaxKeyTab(ktab, principal).length |
|
720 |
== 0) { |
|
721 |
ktab = null; |
|
722 |
if (debug) { |
|
723 |
System.out.println |
|
724 |
("Key for the principal " + |
|
725 |
principal + |
|
726 |
" not available in " + |
|
727 |
((keyTabName == null) ? |
|
728 |
"default key tab" : keyTabName)); |
|
729 |
} |
|
730 |
} |
|
2 | 731 |
} |
732 |
} |
|
7183 | 733 |
|
734 |
KrbAsReqBuilder builder; |
|
9499 | 735 |
|
736 |
if (ktab == null) { |
|
2 | 737 |
promptForPass(getPasswdFromSharedState); |
7183 | 738 |
builder = new KrbAsReqBuilder(principal, password); |
2 | 739 |
if (isInitiator) { |
7183 | 740 |
// XXX Even if isInitiator=false, it might be |
741 |
// better to do an AS-REQ so that keys can be |
|
742 |
// updated with PA info |
|
743 |
cred = builder.action().getCreds(); |
|
2 | 744 |
} |
9499 | 745 |
if (storeKey) { |
10695
08c28770f82b
7089889: Krb5LoginModule.login() throws an exception if used without a keytab
weijun
parents:
10336
diff
changeset
|
746 |
encKeys = builder.getKeys(isInitiator); |
9499 | 747 |
// When encKeys is empty, the login actually fails. |
748 |
// For compatibility, exception is thrown in commit(). |
|
749 |
} |
|
2 | 750 |
} else { |
9499 | 751 |
builder = new KrbAsReqBuilder(principal, ktab); |
2 | 752 |
if (isInitiator) { |
7183 | 753 |
cred = builder.action().getCreds(); |
2 | 754 |
} |
755 |
} |
|
7183 | 756 |
builder.destroy(); |
2 | 757 |
|
758 |
if (debug) { |
|
759 |
System.out.println("principal is " + principal); |
|
760 |
HexDumpEncoder hd = new HexDumpEncoder(); |
|
9499 | 761 |
if (ktab != null) { |
762 |
System.out.println("Will use keytab"); |
|
763 |
} else if (storeKey) { |
|
764 |
for (int i = 0; i < encKeys.length; i++) { |
|
765 |
System.out.println("EncryptionKey: keyType=" + |
|
766 |
encKeys[i].getEType() + |
|
767 |
" keyBytes (hex dump)=" + |
|
768 |
hd.encodeBuffer(encKeys[i].getBytes())); |
|
769 |
} |
|
2 | 770 |
} |
771 |
} |
|
772 |
||
773 |
// we should hava a non-null cred |
|
774 |
if (isInitiator && (cred == null)) { |
|
775 |
throw new LoginException |
|
776 |
("TGT Can not be obtained from the KDC "); |
|
777 |
} |
|
778 |
||
779 |
} |
|
780 |
} catch (KrbException e) { |
|
781 |
LoginException le = new LoginException(e.getMessage()); |
|
782 |
le.initCause(e); |
|
783 |
throw le; |
|
784 |
} catch (IOException ioe) { |
|
785 |
LoginException ie = new LoginException(ioe.getMessage()); |
|
786 |
ie.initCause(ioe); |
|
787 |
throw ie; |
|
788 |
} |
|
789 |
} |
|
790 |
||
791 |
private void promptForName(boolean getPasswdFromSharedState) |
|
792 |
throws LoginException { |
|
793 |
krb5PrincName = new StringBuffer(""); |
|
794 |
if (getPasswdFromSharedState) { |
|
795 |
// use the name saved by the first module in the stack |
|
796 |
username = (String)sharedState.get(NAME); |
|
797 |
if (debug) { |
|
798 |
System.out.println |
|
799 |
("username from shared state is " + username + "\n"); |
|
800 |
} |
|
801 |
if (username == null) { |
|
802 |
System.out.println |
|
803 |
("username from shared state is null\n"); |
|
804 |
throw new LoginException |
|
805 |
("Username can not be obtained from sharedstate "); |
|
806 |
} |
|
807 |
if (debug) { |
|
808 |
System.out.println |
|
809 |
("username from shared state is " + username + "\n"); |
|
810 |
} |
|
811 |
if (username != null && username.length() > 0) { |
|
812 |
krb5PrincName.insert(0, username); |
|
813 |
return; |
|
814 |
} |
|
815 |
} |
|
816 |
||
817 |
if (doNotPrompt) { |
|
818 |
throw new LoginException |
|
14199
ed2d2261dfbc
8001204: typo: Unable to obtain Princpal Name for authentication
weijun
parents:
14030
diff
changeset
|
819 |
("Unable to obtain Principal Name for authentication "); |
2 | 820 |
} else { |
821 |
if (callbackHandler == null) |
|
822 |
throw new LoginException("No CallbackHandler " |
|
823 |
+ "available " |
|
824 |
+ "to garner authentication " |
|
825 |
+ "information from the user"); |
|
826 |
try { |
|
827 |
String defUsername = System.getProperty("user.name"); |
|
828 |
||
829 |
Callback[] callbacks = new Callback[1]; |
|
830 |
MessageFormat form = new MessageFormat( |
|
43243
a48dab17a356
8173024: Replace direct use of AuthResources resource bundle from jdk.security.auth
mchung
parents:
42338
diff
changeset
|
831 |
getAuthResourceString( |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5506
diff
changeset
|
832 |
"Kerberos.username.defUsername.")); |
2 | 833 |
Object[] source = {defUsername}; |
834 |
callbacks[0] = new NameCallback(form.format(source)); |
|
835 |
callbackHandler.handle(callbacks); |
|
836 |
username = ((NameCallback)callbacks[0]).getName(); |
|
837 |
if (username == null || username.length() == 0) |
|
838 |
username = defUsername; |
|
839 |
krb5PrincName.insert(0, username); |
|
840 |
||
841 |
} catch (java.io.IOException ioe) { |
|
842 |
throw new LoginException(ioe.getMessage()); |
|
843 |
} catch (UnsupportedCallbackException uce) { |
|
844 |
throw new LoginException |
|
845 |
(uce.getMessage() |
|
846 |
+" not available to garner " |
|
847 |
+" authentication information " |
|
848 |
+" from the user"); |
|
849 |
} |
|
850 |
} |
|
851 |
} |
|
852 |
||
853 |
private void promptForPass(boolean getPasswdFromSharedState) |
|
854 |
throws LoginException { |
|
855 |
||
856 |
if (getPasswdFromSharedState) { |
|
857 |
// use the password saved by the first module in the stack |
|
858 |
password = (char[])sharedState.get(PWD); |
|
859 |
if (password == null) { |
|
860 |
if (debug) { |
|
861 |
System.out.println |
|
862 |
("Password from shared state is null"); |
|
863 |
} |
|
864 |
throw new LoginException |
|
865 |
("Password can not be obtained from sharedstate "); |
|
866 |
} |
|
867 |
if (debug) { |
|
868 |
System.out.println |
|
869 |
("password is " + new String(password)); |
|
870 |
} |
|
871 |
return; |
|
872 |
} |
|
873 |
if (doNotPrompt) { |
|
874 |
throw new LoginException |
|
875 |
("Unable to obtain password from user\n"); |
|
876 |
} else { |
|
877 |
if (callbackHandler == null) |
|
878 |
throw new LoginException("No CallbackHandler " |
|
879 |
+ "available " |
|
880 |
+ "to garner authentication " |
|
881 |
+ "information from the user"); |
|
882 |
try { |
|
883 |
Callback[] callbacks = new Callback[1]; |
|
884 |
String userName = krb5PrincName.toString(); |
|
885 |
MessageFormat form = new MessageFormat( |
|
43243
a48dab17a356
8173024: Replace direct use of AuthResources resource bundle from jdk.security.auth
mchung
parents:
42338
diff
changeset
|
886 |
getAuthResourceString( |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5506
diff
changeset
|
887 |
"Kerberos.password.for.username.")); |
2 | 888 |
Object[] source = {userName}; |
889 |
callbacks[0] = new PasswordCallback( |
|
890 |
form.format(source), |
|
891 |
false); |
|
892 |
callbackHandler.handle(callbacks); |
|
893 |
char[] tmpPassword = ((PasswordCallback) |
|
894 |
callbacks[0]).getPassword(); |
|
895 |
if (tmpPassword == null) { |
|
21961
50019af27ca3
8028351: JWS doesn't get authenticated when using kerberos auth proxy
weijun
parents:
20742
diff
changeset
|
896 |
throw new LoginException("No password provided"); |
2 | 897 |
} |
898 |
password = new char[tmpPassword.length]; |
|
899 |
System.arraycopy(tmpPassword, 0, |
|
900 |
password, 0, tmpPassword.length); |
|
901 |
((PasswordCallback)callbacks[0]).clearPassword(); |
|
902 |
||
903 |
||
904 |
// clear tmpPassword |
|
905 |
for (int i = 0; i < tmpPassword.length; i++) |
|
906 |
tmpPassword[i] = ' '; |
|
907 |
tmpPassword = null; |
|
908 |
if (debug) { |
|
909 |
System.out.println("\t\t[Krb5LoginModule] " + |
|
910 |
"user entered username: " + |
|
911 |
krb5PrincName); |
|
912 |
System.out.println(); |
|
913 |
} |
|
914 |
} catch (java.io.IOException ioe) { |
|
915 |
throw new LoginException(ioe.getMessage()); |
|
916 |
} catch (UnsupportedCallbackException uce) { |
|
917 |
throw new LoginException(uce.getMessage() |
|
918 |
+" not available to garner " |
|
919 |
+" authentication information " |
|
920 |
+ "from the user"); |
|
921 |
} |
|
922 |
} |
|
923 |
} |
|
924 |
||
925 |
private void validateConfiguration() throws LoginException { |
|
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
926 |
if (doNotPrompt && !useTicketCache && !useKeyTab |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
927 |
&& !tryFirstPass && !useFirstPass) |
2 | 928 |
throw new LoginException |
929 |
("Configuration Error" |
|
930 |
+ " - either doNotPrompt should be " |
|
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
931 |
+ " false or at least one of useTicketCache, " |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
932 |
+ " useKeyTab, tryFirstPass and useFirstPass" |
2 | 933 |
+ " should be true"); |
934 |
if (ticketCacheName != null && !useTicketCache) |
|
935 |
throw new LoginException |
|
936 |
("Configuration Error " |
|
937 |
+ " - useTicketCache should be set " |
|
938 |
+ "to true to use the ticket cache" |
|
939 |
+ ticketCacheName); |
|
940 |
if (keyTabName != null & !useKeyTab) |
|
941 |
throw new LoginException |
|
942 |
("Configuration Error - useKeyTab should be set to true " |
|
943 |
+ "to use the keytab" + keyTabName); |
|
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
944 |
if (storeKey && doNotPrompt && !useKeyTab |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
945 |
&& !tryFirstPass && !useFirstPass) |
2 | 946 |
throw new LoginException |
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
947 |
("Configuration Error - either doNotPrompt should be set to " |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
948 |
+ " false or at least one of tryFirstPass, useFirstPass " |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
793
diff
changeset
|
949 |
+ "or useKeyTab must be set to true for storeKey option"); |
2 | 950 |
if (renewTGT && !useTicketCache) |
951 |
throw new LoginException |
|
952 |
("Configuration Error" |
|
953 |
+ " - either useTicketCache should be " |
|
954 |
+ " true or renewTGT should be false"); |
|
15649
f6bd3d34f844
8001104: Unbound SASL service: the GSSAPI/krb5 mech
weijun
parents:
14769
diff
changeset
|
955 |
if (krb5PrincName != null && krb5PrincName.toString().equals("*")) { |
f6bd3d34f844
8001104: Unbound SASL service: the GSSAPI/krb5 mech
weijun
parents:
14769
diff
changeset
|
956 |
if (isInitiator) { |
f6bd3d34f844
8001104: Unbound SASL service: the GSSAPI/krb5 mech
weijun
parents:
14769
diff
changeset
|
957 |
throw new LoginException |
f6bd3d34f844
8001104: Unbound SASL service: the GSSAPI/krb5 mech
weijun
parents:
14769
diff
changeset
|
958 |
("Configuration Error" |
f6bd3d34f844
8001104: Unbound SASL service: the GSSAPI/krb5 mech
weijun
parents:
14769
diff
changeset
|
959 |
+ " - principal cannot be * when isInitiator is true"); |
f6bd3d34f844
8001104: Unbound SASL service: the GSSAPI/krb5 mech
weijun
parents:
14769
diff
changeset
|
960 |
} |
f6bd3d34f844
8001104: Unbound SASL service: the GSSAPI/krb5 mech
weijun
parents:
14769
diff
changeset
|
961 |
} |
2 | 962 |
} |
963 |
||
31643
abad00f2c027
8058290: JAAS Krb5LoginModule has suspect ticket-renewal logic, relies on clockskew grace
weijun
parents:
30044
diff
changeset
|
964 |
private static boolean isCurrent(Credentials creds) |
2 | 965 |
{ |
966 |
Date endTime = creds.getEndTime(); |
|
967 |
if (endTime != null) { |
|
968 |
return (System.currentTimeMillis() <= endTime.getTime()); |
|
969 |
} |
|
970 |
return true; |
|
971 |
} |
|
972 |
||
31643
abad00f2c027
8058290: JAAS Krb5LoginModule has suspect ticket-renewal logic, relies on clockskew grace
weijun
parents:
30044
diff
changeset
|
973 |
private static boolean isOld(Credentials creds) |
abad00f2c027
8058290: JAAS Krb5LoginModule has suspect ticket-renewal logic, relies on clockskew grace
weijun
parents:
30044
diff
changeset
|
974 |
{ |
abad00f2c027
8058290: JAAS Krb5LoginModule has suspect ticket-renewal logic, relies on clockskew grace
weijun
parents:
30044
diff
changeset
|
975 |
Date endTime = creds.getEndTime(); |
abad00f2c027
8058290: JAAS Krb5LoginModule has suspect ticket-renewal logic, relies on clockskew grace
weijun
parents:
30044
diff
changeset
|
976 |
if (endTime != null) { |
abad00f2c027
8058290: JAAS Krb5LoginModule has suspect ticket-renewal logic, relies on clockskew grace
weijun
parents:
30044
diff
changeset
|
977 |
Date authTime = creds.getAuthTime(); |
abad00f2c027
8058290: JAAS Krb5LoginModule has suspect ticket-renewal logic, relies on clockskew grace
weijun
parents:
30044
diff
changeset
|
978 |
long now = System.currentTimeMillis(); |
abad00f2c027
8058290: JAAS Krb5LoginModule has suspect ticket-renewal logic, relies on clockskew grace
weijun
parents:
30044
diff
changeset
|
979 |
if (authTime != null) { |
abad00f2c027
8058290: JAAS Krb5LoginModule has suspect ticket-renewal logic, relies on clockskew grace
weijun
parents:
30044
diff
changeset
|
980 |
// pass the mid between auth and end |
abad00f2c027
8058290: JAAS Krb5LoginModule has suspect ticket-renewal logic, relies on clockskew grace
weijun
parents:
30044
diff
changeset
|
981 |
return now - authTime.getTime() > endTime.getTime() - now; |
abad00f2c027
8058290: JAAS Krb5LoginModule has suspect ticket-renewal logic, relies on clockskew grace
weijun
parents:
30044
diff
changeset
|
982 |
} else { |
abad00f2c027
8058290: JAAS Krb5LoginModule has suspect ticket-renewal logic, relies on clockskew grace
weijun
parents:
30044
diff
changeset
|
983 |
// will expire in less than 2 hours |
abad00f2c027
8058290: JAAS Krb5LoginModule has suspect ticket-renewal logic, relies on clockskew grace
weijun
parents:
30044
diff
changeset
|
984 |
return now <= endTime.getTime() - 1000*3600*2L; |
abad00f2c027
8058290: JAAS Krb5LoginModule has suspect ticket-renewal logic, relies on clockskew grace
weijun
parents:
30044
diff
changeset
|
985 |
} |
abad00f2c027
8058290: JAAS Krb5LoginModule has suspect ticket-renewal logic, relies on clockskew grace
weijun
parents:
30044
diff
changeset
|
986 |
} |
abad00f2c027
8058290: JAAS Krb5LoginModule has suspect ticket-renewal logic, relies on clockskew grace
weijun
parents:
30044
diff
changeset
|
987 |
return false; |
abad00f2c027
8058290: JAAS Krb5LoginModule has suspect ticket-renewal logic, relies on clockskew grace
weijun
parents:
30044
diff
changeset
|
988 |
} |
abad00f2c027
8058290: JAAS Krb5LoginModule has suspect ticket-renewal logic, relies on clockskew grace
weijun
parents:
30044
diff
changeset
|
989 |
|
2 | 990 |
private Credentials renewCredentials(Credentials creds) |
991 |
{ |
|
992 |
Credentials lcreds; |
|
993 |
try { |
|
994 |
if (!creds.isRenewable()) |
|
995 |
throw new RefreshFailedException("This ticket" + |
|
996 |
" is not renewable"); |
|
47005
dbfaf076da58
8186576: KerberosTicket does not properly handle renewable tickets at the end of their lifetime
weijun
parents:
43243
diff
changeset
|
997 |
if (creds.getRenewTill() == null) { |
dbfaf076da58
8186576: KerberosTicket does not properly handle renewable tickets at the end of their lifetime
weijun
parents:
43243
diff
changeset
|
998 |
// Renewable ticket without renew-till. Illegal and ignored. |
dbfaf076da58
8186576: KerberosTicket does not properly handle renewable tickets at the end of their lifetime
weijun
parents:
43243
diff
changeset
|
999 |
return creds; |
dbfaf076da58
8186576: KerberosTicket does not properly handle renewable tickets at the end of their lifetime
weijun
parents:
43243
diff
changeset
|
1000 |
} |
2 | 1001 |
if (System.currentTimeMillis() > cred.getRenewTill().getTime()) |
1002 |
throw new RefreshFailedException("This ticket is past " |
|
1003 |
+ "its last renewal time."); |
|
1004 |
lcreds = creds.renew(); |
|
1005 |
if (debug) |
|
1006 |
System.out.println("Renewed Kerberos Ticket"); |
|
1007 |
} catch (Exception e) { |
|
1008 |
lcreds = null; |
|
1009 |
if (debug) |
|
1010 |
System.out.println("Ticket could not be renewed : " |
|
1011 |
+ e.getMessage()); |
|
1012 |
} |
|
1013 |
return lcreds; |
|
1014 |
} |
|
1015 |
||
1016 |
/** |
|
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
1017 |
* This method is called if the LoginContext's |
2 | 1018 |
* overall authentication succeeded |
1019 |
* (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL |
|
1020 |
* LoginModules succeeded). |
|
1021 |
* |
|
1022 |
* <p> If this LoginModule's own authentication attempt |
|
1023 |
* succeeded (checked by retrieving the private state saved by the |
|
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
1024 |
* {@code login} method), then this method associates a |
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
1025 |
* {@code Krb5Principal} |
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
1026 |
* with the {@code Subject} located in the |
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
1027 |
* {@code LoginModule}. It adds Kerberos Credentials to the |
2 | 1028 |
* the Subject's private credentials set. If this LoginModule's own |
1029 |
* authentication attempted failed, then this method removes |
|
1030 |
* any state that was originally saved. |
|
1031 |
* |
|
1032 |
* @exception LoginException if the commit fails. |
|
1033 |
* |
|
1034 |
* @return true if this LoginModule's own login and commit |
|
1035 |
* attempts succeeded, or false otherwise. |
|
1036 |
*/ |
|
1037 |
||
1038 |
public boolean commit() throws LoginException { |
|
1039 |
||
1040 |
/* |
|
1041 |
* Let us add the Krb5 Creds to the Subject's |
|
1042 |
* private credentials. The credentials are of type |
|
1043 |
* KerberosKey or KerberosTicket |
|
1044 |
*/ |
|
1045 |
if (succeeded == false) { |
|
1046 |
return false; |
|
1047 |
} else { |
|
1048 |
||
1049 |
if (isInitiator && (cred == null)) { |
|
1050 |
succeeded = false; |
|
1051 |
throw new LoginException("Null Client Credential"); |
|
1052 |
} |
|
1053 |
||
1054 |
if (subject.isReadOnly()) { |
|
1055 |
cleanKerberosCred(); |
|
1056 |
throw new LoginException("Subject is Readonly"); |
|
1057 |
} |
|
1058 |
||
1059 |
/* |
|
1060 |
* Add the Principal (authenticated identity) |
|
1061 |
* to the Subject's principal set and |
|
1062 |
* add the credentials (TGT or Service key) to the |
|
1063 |
* Subject's private credentials |
|
1064 |
*/ |
|
1065 |
||
1066 |
Set<Object> privCredSet = subject.getPrivateCredentials(); |
|
1067 |
Set<java.security.Principal> princSet = subject.getPrincipals(); |
|
1068 |
kerbClientPrinc = new KerberosPrincipal(principal.getName()); |
|
1069 |
||
1070 |
// create Kerberos Ticket |
|
1071 |
if (isInitiator) { |
|
1072 |
kerbTicket = Krb5Util.credsToTicket(cred); |
|
1073 |
} |
|
1074 |
||
9499 | 1075 |
if (storeKey && encKeys != null) { |
1076 |
if (encKeys.length == 0) { |
|
2 | 1077 |
succeeded = false; |
1078 |
throw new LoginException("Null Server Key "); |
|
1079 |
} |
|
1080 |
||
1081 |
kerbKeys = new KerberosKey[encKeys.length]; |
|
1082 |
for (int i = 0; i < encKeys.length; i ++) { |
|
1083 |
Integer temp = encKeys[i].getKeyVersionNumber(); |
|
1084 |
kerbKeys[i] = new KerberosKey(kerbClientPrinc, |
|
1085 |
encKeys[i].getBytes(), |
|
1086 |
encKeys[i].getEType(), |
|
1087 |
(temp == null? |
|
1088 |
0: temp.intValue())); |
|
1089 |
} |
|
1090 |
||
1091 |
} |
|
9499 | 1092 |
// Let us add the kerbClientPrinc,kerbTicket and KeyTab/KerbKey (if |
2 | 1093 |
// storeKey is true) |
15649
f6bd3d34f844
8001104: Unbound SASL service: the GSSAPI/krb5 mech
weijun
parents:
14769
diff
changeset
|
1094 |
|
f6bd3d34f844
8001104: Unbound SASL service: the GSSAPI/krb5 mech
weijun
parents:
14769
diff
changeset
|
1095 |
// We won't add "*" as a KerberosPrincipal |
f6bd3d34f844
8001104: Unbound SASL service: the GSSAPI/krb5 mech
weijun
parents:
14769
diff
changeset
|
1096 |
if (!unboundServer && |
f6bd3d34f844
8001104: Unbound SASL service: the GSSAPI/krb5 mech
weijun
parents:
14769
diff
changeset
|
1097 |
!princSet.contains(kerbClientPrinc)) { |
2 | 1098 |
princSet.add(kerbClientPrinc); |
9499 | 1099 |
} |
2 | 1100 |
|
1101 |
// add the TGT |
|
1102 |
if (kerbTicket != null) { |
|
1103 |
if (!privCredSet.contains(kerbTicket)) |
|
1104 |
privCredSet.add(kerbTicket); |
|
1105 |
} |
|
1106 |
||
1107 |
if (storeKey) { |
|
9499 | 1108 |
if (encKeys == null) { |
14030
8dc91f5c3d67
7201053: Krb5LoginModule shows NPE when both useTicketCache and storeKey are set to true
weijun
parents:
13590
diff
changeset
|
1109 |
if (ktab != null) { |
8dc91f5c3d67
7201053: Krb5LoginModule shows NPE when both useTicketCache and storeKey are set to true
weijun
parents:
13590
diff
changeset
|
1110 |
if (!privCredSet.contains(ktab)) { |
8dc91f5c3d67
7201053: Krb5LoginModule shows NPE when both useTicketCache and storeKey are set to true
weijun
parents:
13590
diff
changeset
|
1111 |
privCredSet.add(ktab); |
9499 | 1112 |
} |
14030
8dc91f5c3d67
7201053: Krb5LoginModule shows NPE when both useTicketCache and storeKey are set to true
weijun
parents:
13590
diff
changeset
|
1113 |
} else { |
8dc91f5c3d67
7201053: Krb5LoginModule shows NPE when both useTicketCache and storeKey are set to true
weijun
parents:
13590
diff
changeset
|
1114 |
succeeded = false; |
8dc91f5c3d67
7201053: Krb5LoginModule shows NPE when both useTicketCache and storeKey are set to true
weijun
parents:
13590
diff
changeset
|
1115 |
throw new LoginException("No key to store"); |
2 | 1116 |
} |
9499 | 1117 |
} else { |
1118 |
for (int i = 0; i < kerbKeys.length; i ++) { |
|
1119 |
if (!privCredSet.contains(kerbKeys[i])) { |
|
1120 |
privCredSet.add(kerbKeys[i]); |
|
1121 |
} |
|
1122 |
encKeys[i].destroy(); |
|
1123 |
encKeys[i] = null; |
|
1124 |
if (debug) { |
|
1125 |
System.out.println("Added server's key" |
|
1126 |
+ kerbKeys[i]); |
|
1127 |
System.out.println("\t\t[Krb5LoginModule] " + |
|
1128 |
"added Krb5Principal " + |
|
1129 |
kerbClientPrinc.toString() |
|
1130 |
+ " to Subject"); |
|
1131 |
} |
|
2 | 1132 |
} |
1133 |
} |
|
1134 |
} |
|
1135 |
} |
|
1136 |
commitSucceeded = true; |
|
1137 |
if (debug) |
|
1138 |
System.out.println("Commit Succeeded \n"); |
|
1139 |
return true; |
|
1140 |
} |
|
1141 |
||
1142 |
/** |
|
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
1143 |
* This method is called if the LoginContext's |
2 | 1144 |
* overall authentication failed. |
1145 |
* (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL |
|
1146 |
* LoginModules did not succeed). |
|
1147 |
* |
|
1148 |
* <p> If this LoginModule's own authentication attempt |
|
1149 |
* succeeded (checked by retrieving the private state saved by the |
|
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
1150 |
* {@code login} and {@code commit} methods), |
2 | 1151 |
* then this method cleans up any state that was originally saved. |
1152 |
* |
|
1153 |
* @exception LoginException if the abort fails. |
|
1154 |
* |
|
1155 |
* @return false if this LoginModule's own login and/or commit attempts |
|
1156 |
* failed, and true otherwise. |
|
1157 |
*/ |
|
1158 |
||
1159 |
public boolean abort() throws LoginException { |
|
1160 |
if (succeeded == false) { |
|
1161 |
return false; |
|
1162 |
} else if (succeeded == true && commitSucceeded == false) { |
|
1163 |
// login succeeded but overall authentication failed |
|
1164 |
succeeded = false; |
|
1165 |
cleanKerberosCred(); |
|
1166 |
} else { |
|
1167 |
// overall authentication succeeded and commit succeeded, |
|
1168 |
// but someone else's commit failed |
|
1169 |
logout(); |
|
1170 |
} |
|
1171 |
return true; |
|
1172 |
} |
|
1173 |
||
1174 |
/** |
|
1175 |
* Logout the user. |
|
1176 |
* |
|
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
1177 |
* <p> This method removes the {@code Krb5Principal} |
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
1178 |
* that was added by the {@code commit} method. |
2 | 1179 |
* |
1180 |
* @exception LoginException if the logout fails. |
|
1181 |
* |
|
30044
bab15bbe2ca3
8078528: clean out tidy warnings from security.auth
avstepan
parents:
25859
diff
changeset
|
1182 |
* @return true in all cases since this {@code LoginModule} |
2 | 1183 |
* should not be ignored. |
1184 |
*/ |
|
1185 |
public boolean logout() throws LoginException { |
|
1186 |
||
1187 |
if (debug) { |
|
1188 |
System.out.println("\t\t[Krb5LoginModule]: " + |
|
1189 |
"Entering logout"); |
|
1190 |
} |
|
1191 |
||
1192 |
if (subject.isReadOnly()) { |
|
1193 |
cleanKerberosCred(); |
|
1194 |
throw new LoginException("Subject is Readonly"); |
|
1195 |
} |
|
1196 |
||
1197 |
subject.getPrincipals().remove(kerbClientPrinc); |
|
1198 |
// Let us remove all Kerberos credentials stored in the Subject |
|
1199 |
Iterator<Object> it = subject.getPrivateCredentials().iterator(); |
|
1200 |
while (it.hasNext()) { |
|
1201 |
Object o = it.next(); |
|
1202 |
if (o instanceof KerberosTicket || |
|
9499 | 1203 |
o instanceof KerberosKey || |
1204 |
o instanceof KeyTab) { |
|
2 | 1205 |
it.remove(); |
1206 |
} |
|
1207 |
} |
|
1208 |
// clean the kerberos ticket and keys |
|
1209 |
cleanKerberosCred(); |
|
1210 |
||
1211 |
succeeded = false; |
|
1212 |
commitSucceeded = false; |
|
1213 |
if (debug) { |
|
1214 |
System.out.println("\t\t[Krb5LoginModule]: " + |
|
1215 |
"logged out Subject"); |
|
1216 |
} |
|
1217 |
return true; |
|
1218 |
} |
|
1219 |
||
1220 |
/** |
|
1221 |
* Clean Kerberos credentials |
|
1222 |
*/ |
|
1223 |
private void cleanKerberosCred() throws LoginException { |
|
1224 |
// Clean the ticket and server key |
|
1225 |
try { |
|
1226 |
if (kerbTicket != null) |
|
1227 |
kerbTicket.destroy(); |
|
1228 |
if (kerbKeys != null) { |
|
1229 |
for (int i = 0; i < kerbKeys.length; i++) { |
|
1230 |
kerbKeys[i].destroy(); |
|
1231 |
} |
|
1232 |
} |
|
1233 |
} catch (DestroyFailedException e) { |
|
1234 |
throw new LoginException |
|
1235 |
("Destroy Failed on Kerberos Private Credentials"); |
|
1236 |
} |
|
1237 |
kerbTicket = null; |
|
1238 |
kerbKeys = null; |
|
1239 |
kerbClientPrinc = null; |
|
1240 |
} |
|
1241 |
||
1242 |
/** |
|
1243 |
* Clean out the state |
|
1244 |
*/ |
|
1245 |
private void cleanState() { |
|
1246 |
||
1247 |
// save input as shared state only if |
|
1248 |
// authentication succeeded |
|
1249 |
if (succeeded) { |
|
1250 |
if (storePass && |
|
1251 |
!sharedState.containsKey(NAME) && |
|
1252 |
!sharedState.containsKey(PWD)) { |
|
1253 |
sharedState.put(NAME, username); |
|
1254 |
sharedState.put(PWD, password); |
|
1255 |
} |
|
793
8183c2b0985f
6716534: Krb5LoginModule has not cleaned temp info between authentication attempts
weijun
parents:
2
diff
changeset
|
1256 |
} else { |
8183c2b0985f
6716534: Krb5LoginModule has not cleaned temp info between authentication attempts
weijun
parents:
2
diff
changeset
|
1257 |
// remove temp results for the next try |
8183c2b0985f
6716534: Krb5LoginModule has not cleaned temp info between authentication attempts
weijun
parents:
2
diff
changeset
|
1258 |
encKeys = null; |
9499 | 1259 |
ktab = null; |
793
8183c2b0985f
6716534: Krb5LoginModule has not cleaned temp info between authentication attempts
weijun
parents:
2
diff
changeset
|
1260 |
principal = null; |
2 | 1261 |
} |
1262 |
username = null; |
|
1263 |
password = null; |
|
1264 |
if (krb5PrincName != null && krb5PrincName.length() != 0) |
|
1265 |
krb5PrincName.delete(0, krb5PrincName.length()); |
|
1266 |
krb5PrincName = null; |
|
1267 |
if (clearPass) { |
|
1268 |
sharedState.remove(NAME); |
|
1269 |
sharedState.remove(PWD); |
|
1270 |
} |
|
1271 |
} |
|
1272 |
} |