307 |
307 |
308 private static KerberosTicket getTgt(GSSCaller caller, Krb5NameElement name, |
308 private static KerberosTicket getTgt(GSSCaller caller, Krb5NameElement name, |
309 int initLifetime) |
309 int initLifetime) |
310 throws GSSException { |
310 throws GSSException { |
311 |
311 |
312 String realm = null; |
312 final String clientPrincipal; |
313 final String clientPrincipal, tgsPrincipal = null; |
|
314 |
313 |
315 /* |
314 /* |
316 * Find the TGT for the realm that the client is in. If the client |
315 * Find the TGT for the realm that the client is in. If the client |
317 * name is not available, then use the default realm. |
316 * name is not available, then use the default realm. |
318 */ |
317 */ |
319 if (name != null) { |
318 if (name != null) { |
320 clientPrincipal = (name.getKrb5PrincipalName()).getName(); |
319 clientPrincipal = (name.getKrb5PrincipalName()).getName(); |
321 realm = (name.getKrb5PrincipalName()).getRealmAsString(); |
|
322 } else { |
320 } else { |
323 clientPrincipal = null; |
321 clientPrincipal = null; |
324 try { |
|
325 Config config = Config.getInstance(); |
|
326 realm = config.getDefaultRealm(); |
|
327 } catch (KrbException e) { |
|
328 GSSException ge = |
|
329 new GSSException(GSSException.NO_CRED, -1, |
|
330 "Attempt to obtain INITIATE credentials failed!" + |
|
331 " (" + e.getMessage() + ")"); |
|
332 ge.initCause(e); |
|
333 throw ge; |
|
334 } |
|
335 } |
322 } |
336 |
323 |
337 final AccessControlContext acc = AccessController.getContext(); |
324 final AccessControlContext acc = AccessController.getContext(); |
338 |
325 |
339 try { |
326 try { |
341 ? GSSCaller.CALLER_INITIATE |
328 ? GSSCaller.CALLER_INITIATE |
342 : caller; |
329 : caller; |
343 return AccessController.doPrivileged( |
330 return AccessController.doPrivileged( |
344 new PrivilegedExceptionAction<KerberosTicket>() { |
331 new PrivilegedExceptionAction<KerberosTicket>() { |
345 public KerberosTicket run() throws Exception { |
332 public KerberosTicket run() throws Exception { |
|
333 // It's OK to use null as serverPrincipal. TGT is almost |
|
334 // the first ticket for a principal and we use list. |
346 return Krb5Util.getTicket( |
335 return Krb5Util.getTicket( |
347 realCaller, |
336 realCaller, |
348 clientPrincipal, tgsPrincipal, acc); |
337 clientPrincipal, null, acc); |
349 }}); |
338 }}); |
350 } catch (PrivilegedActionException e) { |
339 } catch (PrivilegedActionException e) { |
351 GSSException ge = |
340 GSSException ge = |
352 new GSSException(GSSException.NO_CRED, -1, |
341 new GSSException(GSSException.NO_CRED, -1, |
353 "Attempt to obtain new INITIATE credentials failed!" + |
342 "Attempt to obtain new INITIATE credentials failed!" + |
354 " (" + e.getMessage() + ")"); |
343 " (" + e.getMessage() + ")"); |
355 ge.initCause(e.getException()); |
344 ge.initCause(e.getException()); |
356 throw ge; |
345 throw ge; |
357 } |
346 } |
358 } |
347 } |
|
348 |
|
349 @Override |
|
350 public GSSCredentialSpi impersonate(GSSNameSpi name) throws GSSException { |
|
351 try { |
|
352 Krb5NameElement kname = (Krb5NameElement)name; |
|
353 Credentials newCred = Credentials.acquireS4U2selfCreds( |
|
354 kname.getKrb5PrincipalName(), krb5Credentials); |
|
355 return new Krb5ProxyCredential(this, kname, newCred.getTicket()); |
|
356 } catch (IOException | KrbException ke) { |
|
357 GSSException ge = |
|
358 new GSSException(GSSException.FAILURE, -1, |
|
359 "Attempt to obtain S4U2self credentials failed!"); |
|
360 ge.initCause(ke); |
|
361 throw ge; |
|
362 } |
|
363 } |
359 } |
364 } |