|
2
|
1 |
/*
|
|
|
2 |
* Copyright 2005 Sun Microsystems, Inc. All Rights Reserved.
|
|
|
3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
|
|
4 |
*
|
|
|
5 |
* This code is free software; you can redistribute it and/or modify it
|
|
|
6 |
* under the terms of the GNU General Public License version 2 only, as
|
|
|
7 |
* published by the Free Software Foundation. Sun designates this
|
|
|
8 |
* particular file as subject to the "Classpath" exception as provided
|
|
|
9 |
* by Sun in the LICENSE file that accompanied this code.
|
|
|
10 |
*
|
|
|
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT
|
|
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
|
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
|
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that
|
|
|
15 |
* accompanied this code).
|
|
|
16 |
*
|
|
|
17 |
* You should have received a copy of the GNU General Public License version
|
|
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation,
|
|
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
|
20 |
*
|
|
|
21 |
* Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
|
|
|
22 |
* CA 95054 USA or visit www.sun.com if you need additional information or
|
|
|
23 |
* have any questions.
|
|
|
24 |
*/
|
|
|
25 |
|
|
|
26 |
package sun.net.www.protocol.http;
|
|
|
27 |
|
|
|
28 |
import java.io.IOException;
|
|
|
29 |
|
|
|
30 |
import org.ietf.jgss.GSSContext;
|
|
|
31 |
import org.ietf.jgss.GSSException;
|
|
|
32 |
import org.ietf.jgss.GSSName;
|
|
|
33 |
import org.ietf.jgss.Oid;
|
|
|
34 |
|
|
|
35 |
import sun.security.jgss.GSSManagerImpl;
|
|
|
36 |
import sun.security.jgss.GSSUtil;
|
|
|
37 |
|
|
|
38 |
/**
|
|
|
39 |
* This class encapsulates all JAAS and JGSS API calls in a seperate class
|
|
|
40 |
* outside NegotiateAuthentication.java so that J2SE build can go smoothly
|
|
|
41 |
* without the presence of it.
|
|
|
42 |
*
|
|
|
43 |
* @author weijun.wang@sun.com
|
|
|
44 |
* @since 1.6
|
|
|
45 |
*/
|
|
|
46 |
public class NegotiatorImpl extends Negotiator {
|
|
|
47 |
|
|
|
48 |
private static final boolean DEBUG =
|
|
|
49 |
java.security.AccessController.doPrivileged(
|
|
|
50 |
new sun.security.action.GetBooleanAction("sun.security.krb5.debug"));
|
|
|
51 |
|
|
|
52 |
private GSSContext context;
|
|
|
53 |
private byte[] oneToken;
|
|
|
54 |
|
|
|
55 |
/**
|
|
|
56 |
* Initialize the object, which includes:<ul>
|
|
|
57 |
* <li>Find out what GSS mechanism to use from <code>http.negotiate.mechanism.oid</code>,
|
|
|
58 |
* defaults SPNEGO
|
|
|
59 |
* <li>Creating the GSSName for the target host, "HTTP/"+hostname
|
|
|
60 |
* <li>Creating GSSContext
|
|
|
61 |
* <li>A first call to initSecContext</ul>
|
|
|
62 |
* @param hostname name of peer server
|
|
|
63 |
* @param scheme auth scheme requested, Negotiate ot Kerberos
|
|
|
64 |
* @throws GSSException if any JGSS-API call fails
|
|
|
65 |
*/
|
|
|
66 |
private void init(final String hostname, String scheme) throws GSSException {
|
|
|
67 |
// "1.2.840.113554.1.2.2" Kerberos
|
|
|
68 |
// "1.3.6.1.5.5.2" SPNEGO
|
|
|
69 |
final Oid oid;
|
|
|
70 |
|
|
|
71 |
if (scheme.equalsIgnoreCase("Kerberos")) {
|
|
|
72 |
// we can only use Kerberos mech when the scheme is kerberos
|
|
|
73 |
oid = GSSUtil.GSS_KRB5_MECH_OID;
|
|
|
74 |
} else {
|
|
|
75 |
String pref = java.security.AccessController.doPrivileged(
|
|
|
76 |
new java.security.PrivilegedAction<String>() {
|
|
|
77 |
public String run() {
|
|
|
78 |
return System.getProperty(
|
|
|
79 |
"http.auth.preference",
|
|
|
80 |
"spnego");
|
|
|
81 |
}
|
|
|
82 |
});
|
|
|
83 |
if (pref.equalsIgnoreCase("kerberos")) {
|
|
|
84 |
oid = GSSUtil.GSS_KRB5_MECH_OID;
|
|
|
85 |
} else {
|
|
|
86 |
// currently there is no 3rd mech we can use
|
|
|
87 |
oid = GSSUtil.GSS_SPNEGO_MECH_OID;
|
|
|
88 |
}
|
|
|
89 |
}
|
|
|
90 |
|
|
|
91 |
GSSManagerImpl manager = new GSSManagerImpl(
|
|
|
92 |
GSSUtil.CALLER_HTTP_NEGOTIATE);
|
|
|
93 |
|
|
288
|
94 |
String peerName = "HTTP@" + hostname;
|
|
2
|
95 |
|
|
288
|
96 |
GSSName serverName = manager.createName(peerName,
|
|
|
97 |
GSSName.NT_HOSTBASED_SERVICE);
|
|
2
|
98 |
context = manager.createContext(serverName,
|
|
|
99 |
oid,
|
|
|
100 |
null,
|
|
|
101 |
GSSContext.DEFAULT_LIFETIME);
|
|
|
102 |
|
|
|
103 |
// In order to support credential delegation in HTTP/SPNEGO,
|
|
|
104 |
// we always request it before initSecContext. The current
|
|
|
105 |
// implementation will check the OK-AS-DELEGATE flag inside
|
|
|
106 |
// the service ticket of the web server, and only enable
|
|
|
107 |
// delegation when this flag is set. This check is only
|
|
|
108 |
// performed when the GSS caller is CALLER_HTTP_NEGOTIATE,
|
|
|
109 |
// so all other normal GSS-API calls are not affected.
|
|
|
110 |
|
|
|
111 |
context.requestCredDeleg(true);
|
|
|
112 |
oneToken = context.initSecContext(new byte[0], 0, 0);
|
|
|
113 |
}
|
|
|
114 |
|
|
|
115 |
/**
|
|
|
116 |
* Constructor
|
|
|
117 |
* @param hostname name of peer server
|
|
|
118 |
* @param scheme auth scheme requested, Negotiate ot Kerberos
|
|
|
119 |
* @throws java.io.IOException If negotiator cannot be constructed
|
|
|
120 |
*/
|
|
|
121 |
public NegotiatorImpl(String hostname, String scheme) throws IOException {
|
|
|
122 |
try {
|
|
|
123 |
init(hostname, scheme);
|
|
|
124 |
} catch (GSSException e) {
|
|
|
125 |
if (DEBUG) {
|
|
|
126 |
System.out.println("Negotiate support not initiated, will fallback to other scheme if allowed. Reason:");
|
|
|
127 |
e.printStackTrace();
|
|
|
128 |
}
|
|
|
129 |
IOException ioe = new IOException("Negotiate support not initiated");
|
|
|
130 |
ioe.initCause(e);
|
|
|
131 |
throw ioe;
|
|
|
132 |
}
|
|
|
133 |
}
|
|
|
134 |
|
|
|
135 |
/**
|
|
|
136 |
* Return the first token of GSS, in SPNEGO, it's called NegTokenInit
|
|
|
137 |
* @return the first token
|
|
|
138 |
*/
|
|
|
139 |
public byte[] firstToken() {
|
|
|
140 |
return oneToken;
|
|
|
141 |
}
|
|
|
142 |
|
|
|
143 |
/**
|
|
|
144 |
* Return the rest tokens of GSS, in SPNEGO, it's called NegTokenTarg
|
|
|
145 |
* @param token the token received from server
|
|
|
146 |
* @return the next token
|
|
|
147 |
* @throws java.io.IOException if the token cannot be created successfully
|
|
|
148 |
*/
|
|
|
149 |
public byte[] nextToken(byte[] token) throws IOException {
|
|
|
150 |
try {
|
|
|
151 |
return context.initSecContext(token, 0, token.length);
|
|
|
152 |
} catch (GSSException e) {
|
|
|
153 |
if (DEBUG) {
|
|
|
154 |
System.out.println("Negotiate support cannot continue. Reason:");
|
|
|
155 |
e.printStackTrace();
|
|
|
156 |
}
|
|
|
157 |
IOException ioe = new IOException("Negotiate support cannot continue");
|
|
|
158 |
ioe.initCause(e);
|
|
|
159 |
throw ioe;
|
|
|
160 |
}
|
|
|
161 |
}
|
|
|
162 |
}
|