Produced by Araxis Merge on 9/25/2018 2:13:05 PM Central Daylight Time.
# | Location | File | Last Modified |
---|---|---|---|
1 | build 3.zip\build 3\MHLTH_YS_137_Source\JavaScript\resources\javaJDF-1.8.0\src\com\sun\security\auth\module | Krb5LoginModule.java | Mon Jan 22 14:46:52 2018 UTC |
2 | build 3.zip\build 3\MHLTH_YS_137_Source\JavaScript\resources\javaJDF-1.8.0\src\com\sun\security\auth\module | Krb5LoginModule.java | Wed Sep 12 16:41:30 2018 UTC |
Description | Between Files 1 and 2 |
|
---|---|---|
Text Blocks | Lines | |
Unchanged | 4 | 2554 |
Changed | 3 | 6 |
Inserted | 0 | 0 |
Removed | 0 | 0 |
Whitespace | |
---|---|
Character case | Differences in character case are significant |
Line endings | Differences in line endings (CR and LF characters) are ignored |
CR/LF characters | Not shown in the comparison detail |
No regular expressions were active.
1 | /* | |
2 | * Copyrig ht (c) 200 0, 2013, O racle and/ or its aff iliates. A ll rights reserved. | |
3 | * DO NOT ALTER OR R EMOVE COPY RIGHT NOTI CES OR THI S FILE HEA DER. | |
4 | * | |
5 | * This co de is free software; you can r edistribut e it and/o r modify i t | |
6 | * under t he terms o f the GNU General Pu blic Licen se version 2 only, a s | |
7 | * publish ed by the Free Softw are Founda tion. Ora cle design ates this | |
8 | * particu lar file a s subject to the "Cl asspath" e xception a s provided | |
9 | * by Orac le in the LICENSE fi le that ac companied this code. | |
10 | * | |
11 | * This co de is dist ributed in the hope that it wi ll be usef ul, but WI THOUT | |
12 | * ANY WAR RANTY; wit hout even the implie d warranty of MERCHA NTABILITY or | |
13 | * FITNESS FOR A PAR TICULAR PU RPOSE. Se e the GNU General Pu blic Licen se | |
14 | * version 2 for mor e details (a copy is included in the LIC ENSE file that | |
15 | * accompa nied this code). | |
16 | * | |
17 | * You sho uld have r eceived a copy of th e GNU Gene ral Public License v ersion | |
18 | * 2 along with this work; if not, write to the Fr ee Softwar e Foundati on, | |
19 | * Inc., 5 1 Franklin St, Fifth Floor, Bo ston, MA 0 2110-1301 USA. | |
20 | * | |
21 | * Please contact Or acle, 500 Oracle Par kway, Redw ood Shores , CA 94065 USA | |
22 | * or visi t www.orac le.com if you need a dditional informatio n or have any | |
23 | * questio ns. | |
24 | */ | |
25 | ||
26 | ||
27 | package co m.sun.secu rity.auth. module; | |
28 | ||
29 | import jav a.io.*; | |
30 | import jav a.security .AccessCon troller; | |
31 | import jav a.security .Privilege dAction; | |
32 | import jav a.text.Mes sageFormat ; | |
33 | import jav a.util.*; | |
34 | ||
35 | import jav ax.securit y.auth.*; | |
36 | import jav ax.securit y.auth.ker beros.*; | |
37 | import jav ax.securit y.auth.cal lback.*; | |
38 | import jav ax.securit y.auth.log in.*; | |
39 | import jav ax.securit y.auth.spi .*; | |
40 | ||
41 | import sun .security. krb5.*; | |
42 | import sun .security. jgss.krb5. Krb5Util; | |
43 | import sun .security. krb5.Crede ntials; | |
44 | import sun .misc.HexD umpEncoder ; | |
45 | ||
46 | /** | |
47 | * <p> Thi s <code>Lo ginModule< /code> aut henticates users usi ng | |
48 | * Kerbero s protocol s. | |
49 | * | |
50 | * <p> The configura tion entry for <code >Krb5Login Module</co de> has | |
51 | * several options t hat contro l the auth entication process a nd | |
52 | * additio ns to the <code>Subj ect</code> 's private credentia l | |
53 | * set. Ir respective of these options, t he <code>S ubject</co de>'s | |
54 | * princip al set and private c redentials set are u pdated onl y when | |
55 | * <code>c ommit</cod e> is call ed. | |
56 | * When <c ode>commit </code> is called, t he <code>K erberosPri ncipal</co de> | |
57 | * is adde d to the < code>Subje ct</code>' s principa l set (unl ess the | |
58 | * <code>p rincipal</ code> is s pecified a s "*"). If <code>isI nitiator</ code> | |
59 | * is true , the <cod e>Kerberos Ticket</co de> is | |
60 | * added t o the <cod e>Subject< /code>'s p rivate cre dentials. | |
61 | * | |
62 | * <p> If the config uration en try for <c ode>Kerber osLoginMod ule</code> | |
63 | * has the option <c ode>storeK ey</code> set to tru e, then | |
64 | * <code>K erberosKey </code> or <code>Key Tab</code> will also be added to the | |
65 | * subject 's private credentia ls. <code> KerberosKe y</code>, the princi pal's | |
66 | * key(s) will be de rived from user's pa ssword, an d <code>Ke yTab</code > is | |
67 | * the key tab used w hen <code> useKeyTab< /code> is set to tru e. The | |
68 | * <code>K eyTab</cod e> object is restric ted to be used by th e specifie d | |
69 | * princip al unless the princi pal value is "*". | |
70 | * | |
71 | * <p> Thi s <code>Lo ginModule< /code> rec ognizes th e <code>do NotPrompt< /code> | |
72 | * option. If set to true the user will not be pro mpted for the passwo rd. | |
73 | * | |
74 | * <p> The user can specify t he locatio n of the t icket cach e by using | |
75 | * the opt ion <code> ticketCach e</code> i n the conf iguration entry. | |
76 | * | |
77 | * <p>The user can s pecify the keytab lo cation by using | |
78 | * the opt ion <code> keyTab</co de> | |
79 | * in the configurat ion entry. | |
80 | * | |
81 | * <p> The principal name can be specifi ed in the configurat ion entry | |
82 | * by usin g the opti on <code>p rincipal</ code>. The principal name | |
83 | * can eit her be a s imple user name, a s ervice nam e such as | |
84 | * <code>h ost/missio n.eng.sun. com</code> , or "*". The princi pal can al so | |
85 | * be set using the system pro perty <cod e>sun.secu rity.krb5. principal< /code>. | |
86 | * This pr operty is checked du ring login . If this property i s not set, then | |
87 | * the pri ncipal nam e from the configura tion is us ed. In the | |
88 | * case wh ere the pr incipal pr operty is not set an d the prin cipal | |
89 | * entry a lso does n ot exist, the user i s prompted for the n ame. | |
90 | * When th is propert y of entry is set, a nd <code>u seTicketCa che</code> | |
91 | * is set to true, o nly TGT be longing to this prin cipal is u sed. | |
92 | * | |
93 | * <p> The following is a list of config uration op tions supp orted | |
94 | * for <co de>Krb5Log inModule</ code>: | |
95 | * <blockq uote><dl> | |
96 | * <dt><b> <code>refr eshKrb5Con fig</code> </b>:</dt> | |
97 | * <dd> Se t this to true, if y ou want th e configur ation | |
98 | * to be r efreshed b efore the <code>logi n</code> m ethod is c alled.</dd > | |
99 | * <dt><b> <code>useT icketCache </code></b >:</dt> | |
100 | * <dd>Set this to t rue, if yo u want the | |
101 | * TGT to be obtaine d | |
102 | * from th e ticket c ache. Set this optio n | |
103 | * to fals e if you d o not want this modu le to use the ticket cache. | |
104 | * (Defaul t is False ). | |
105 | * This mo dule will | |
106 | * search for the ti cket | |
107 | * cache i n the foll owing loca tions: | |
108 | * On Sola ris and Li nux | |
109 | * it will look for the ticket cache in /tmp/krb5c c_<code>ui d</code> | |
110 | * where t he uid is numeric us er | |
111 | * identif ier. If th e ticket c ache is | |
112 | * not ava ilable in the above location, or if we a re on a | |
113 | * Windows platform, it will l ook for th e cache as | |
114 | * {user.h ome}{file. separator} krb5cc_{us er.name}. | |
115 | * You can override the ticket cache loc ation by u sing | |
116 | * <code>t icketCache </code>. | |
117 | * For Win dows, if a ticket ca nnot be re trieved fr om the fil e ticket c ache, | |
118 | * it will use Local Security Authority (LSA) API to get the TGT. | |
119 | * <dt><b> <code>tick etCache</c ode></b>:< /dt> | |
120 | * <dd>Set this to t he name of the ticke t | |
121 | * cache t hat conta ins user's TGT. | |
122 | * If this is set, <code>useT icketCache </code> | |
123 | * must al so be set to true; O therwise a configura tion error will | |
124 | * be retu rned.</dd> | |
125 | * <dt><b> <code>rene wTGT</code ></b>:</dt > | |
126 | * <dd>Set this to t rue, if yo u want to renew | |
127 | * the TGT . If this is set, <c ode>useTic ketCache</ code> must also be | |
128 | * set to true; othe rwise a co nfiguratio n error wi ll be retu rned.</dd> | |
129 | * <dt><b> <code>doNo tPrompt</c ode></b>:< /dt> | |
130 | * <dd>Set this to t rue if you do not wa nt to be | |
131 | * prompte d for the password | |
132 | * if cred entials ca n not be o btained fr om the cac he, the ke ytab, | |
133 | * or thro ugh shared state.(De fault is f alse) | |
134 | * If set to true, c redential must be ob tained thr ough cache , keytab, | |
135 | * or shar ed state. Otherwise, authentic ation will fail.</dd > | |
136 | * <dt><b> <code>useK eyTab</cod e></b>:</d t> | |
137 | * <dd>Set this to t rue if you | |
138 | * want th e module t o get the principal' s key from the | |
139 | * the key tab.(defau lt value i s False) | |
140 | * If <cod e>keytab</ code> | |
141 | * is not set then | |
142 | * the mod ule will l ocate the keytab fro m the | |
143 | * Kerbero s configur ation file . | |
144 | * If it i s not spec ified in t he Kerbero s configur ation file | |
145 | * then it will look for the f ile | |
146 | * <code>{ user.home} {file.sepa rator}</co de>krb5.ke ytab.</dd> | |
147 | * <dt><b> <code>keyT ab</code>< /b>:</dt> | |
148 | * <dd>Set this to t he file na me of the | |
149 | * keytab to get pri ncipal's PW key.</dd> | |
150 | * <dt><b> <code>stor eKey</code ></b>:</dt > | |
151 | * <dd>Set this to t rue to if you want t he keytab or the | |
152 | * princip al's key t o be store d in the S ubject's p rivate cre dentials. | |
153 | * For <co de>isIniti ator</code > being fa lse, if <c ode>princi pal</code> | |
154 | * is "*", the {@lin k KeyTab} stored can be used b y anyone, otherwise, | |
155 | * it's re stricted t o be used by the spe cified pri ncipal onl y.</dd> | |
156 | * <dt><b> <code>prin cipal</cod e></b>:</d t> | |
157 | * <dd>The name of t he princip al that sh ould | |
158 | * be used . The prin cipal can be a simpl e username such as | |
159 | * "<code> testuser</ code>" or a service name such as | |
160 | * "<code> host/testh ost.eng.su n.com</cod e>". You c an use the | |
161 | * <code>p rincipal</ code> opt ion to set the princ ipal when there are | |
162 | * credent ials for m ultiple pr incipals i n the | |
163 | * <code>k eyTab</cod e> or when you want a specific ticket ca che only. | |
164 | * The pri ncipal can also be s et using t he system property | |
165 | * <code>s un.securit y.krb5.pri ncipal</co de>. In ad dition, if this | |
166 | * system property i s defined, then it w ill be use d. If this property | |
167 | * is not set, then the princi pal name f rom the co nfiguratio n will be | |
168 | * used. | |
169 | * The pri ncipal nam e can be s et to "*" when <code >isInitiat or</code> is false. | |
170 | * In this case, the acceptor is not bou nd to a si ngle princ ipal. It c an | |
171 | * act as any princi pal an ini tiator req uests if k eys for th at princip al | |
172 | * can be found. Whe n <code>is Initiator< /code> is true, the principal name | |
173 | * cannot be set to "*". | |
174 | * </dd> | |
175 | * <dt><b> <code>isIn itiator</c ode></b>:< /dt> | |
176 | * <dd>Set this to t rue, if in itiator. S et this to false, if acceptor only. | |
177 | * (Defaul t is true) . | |
178 | * Note: D o not set this value to false for initia tors.</dd> | |
179 | * </dl></ blockquote > | |
180 | * | |
181 | * <p> Thi s <code>Lo ginModule< /code> als o recogniz es the fol lowing add itional | |
182 | * <code>C onfigurati on</code> | |
183 | * options that enab le you to share user name and p asswords a cross diff erent | |
184 | * authent ication mo dules: | |
185 | * <blockq uote><dl> | |
186 | * | |
187 | * <dt> <b><code>u seFirstPas s</code></ b>:</dt> | |
188 | * <dd>if, t rue, this LoginModul e retrieve s the | |
189 | * username and passwo rd from th e module's shared st ate, | |
190 | * using "ja vax.securi ty.auth.lo gin.name" and | |
191 | * "javax.se curity.aut h.login.pa ssword" as the respe ctive | |
192 | * keys. The retrieved values ar e used for authentic ation. | |
193 | * If authen tication f ails, no a ttempt for a retry | |
194 | * is made, and the fa ilure is r eported ba ck to the | |
195 | * calling a pplication .</dd> | |
196 | * | |
197 | * <dt> <b><code>t ryFirstPas s</code></ b>:</dt> | |
198 | * <dd>if, t rue, this LoginModul e retrieve s the | |
199 | * the usern ame and pa ssword fro m the modu le's share d | |
200 | * state usi ng "javax. security.a uth.login. name" and | |
201 | * "javax.se curity.aut h.login.pa ssword" as the respe ctive | |
202 | * keys. Th e retrieve d values a re used fo r | |
203 | * authentic ation. | |
204 | * If authen tication f ails, the module use s the | |
205 | * CallbackH andler to retrieve a new usern ame | |
206 | * and passw ord, and a nother att empt to au thenticate | |
207 | * is made. If the aut henticatio n fails, | |
208 | * the failu re is repo rted back to the cal ling appli cation</dd > | |
209 | * | |
210 | * <dt> <b><code>s torePass</ code></b>: </dt> | |
211 | * <dd>if, t rue, this LoginModul e stores t he usernam e and | |
212 | * password obtained f rom the Ca llbackHand ler in the | |
213 | * modules s hared stat e, using | |
214 | * "javax.se curity.aut h.login.na me" and | |
215 | * "javax.se curity.aut h.login.pa ssword" as the respe ctive | |
216 | * keys. Th is is not performed if existin g values a lready | |
217 | * exist for the usern ame and pa ssword in the shared | |
218 | * state, or if authen tication f ails.</dd> | |
219 | * | |
220 | * <dt> <b><code>c learPass</ code></b>: </dt> | |
221 | * <dd>if, t rue, this LoginModul e clears t he | |
222 | * username and passwo rd stored in the mod ule's shar ed | |
223 | * state af ter both p hases of a uthenticat ion | |
224 | * (login an d commit) have compl eted.</dd> | |
225 | * </dl></ blockquote > | |
226 | * <p>If t he princip al system property o r key is a lready pro vided, the value of | |
227 | * "javax. security.a uth.login. name" in t he shared state is i gnored. | |
228 | * <p>When multiple mechanisms to retrie ve a ticke t or key i s provided , the | |
229 | * prefere nce order is: | |
230 | * <ol> | |
231 | * <li>tic ket cache | |
232 | * <li>key tab | |
233 | * <li>sha red state | |
234 | * <li>use r prompt | |
235 | * </ol> | |
236 | * <p>Note that if a ny step fa ils, it wi ll fallbac k to the n ext step. | |
237 | * There's only one exception, if the sh ared state step fail s and | |
238 | * <code>u seFirstPas s</code>=t rue, no us er prompt is made. | |
239 | * <p>Exam ples of so me configu ration val ues for Kr b5LoginMod ule in | |
240 | * JAAS co nfig file and the re sults are: | |
241 | * <ul> | |
242 | * <p> <co de>doNotPr ompt</code >=true; | |
243 | * </ul> | |
244 | * <p> Thi s is an il legal comb ination si nce none o f <code>us eTicketCac he</code>, | |
245 | * <code>u seKeyTab</ code>, <co de>useFirs tPass</cod e> and <co de>tryFirs tPass</cod e> | |
246 | * is set and the us er can not be prompt ed for the password. | |
247 | *<ul> | |
248 | * <p> <co de>ticketC ache</code > = <fi lename> ; | |
249 | *</ul> | |
250 | * <p> Thi s is an il legal comb ination si nce <code> useTicketC ache</code > | |
251 | * is not set to tru e and the ticketCach e is set. A configur ation erro r | |
252 | * will oc cur. | |
253 | * <ul> | |
254 | * <p> <co de>renewTG T</code>=t rue; | |
255 | *</ul> | |
256 | * <p> Thi s is an il legal comb ination si nce <code> useTicketC ache</code > is | |
257 | * not set to true a nd renewTG T is set. A configur ation erro r will occ ur. | |
258 | * <ul> | |
259 | * <p> <co de>storeKe y</code>=t rue | |
260 | * <code>u seTicketCa che</code> = true | |
261 | * <code>d oNotPrompt </code>=tr ue;; | |
262 | *</ul> | |
263 | * <p> Thi s is an il legal comb ination si nce <code >storeKey< /code> is set to | |
264 | * true bu t the key can not be obtained either by prompting the user o r from | |
265 | * the key tab, or fr om the sha red state. A configu ration err or will oc cur. | |
266 | * <ul> | |
267 | * <p> <c ode>keyTab </code> = <filena me> <co de>doNotPr ompt</code >=true ; | |
268 | * </ul> | |
269 | * <p>This is an ill egal combi nation sin ce useKeyT ab is not set to tru e and | |
270 | * the key Tab is set . A config uration er ror will o ccur. | |
271 | * <ul> | |
272 | * <p> <co de>debug=t rue </code > | |
273 | *</ul> | |
274 | * <p> Pro mpt the us er for the principal name and the passwo rd. | |
275 | * Use the authentic ation exch ange to ge t TGT from the KDC a nd | |
276 | * populat e the <cod e>Subject< /code> wit h the prin cipal and TGT. | |
277 | * Output debug mess ages. | |
278 | * <ul> | |
279 | * <p> <co de>useTick etCache</c ode> = tru e <code>do NotPrompt< /code>=tru e; | |
280 | *</ul> | |
281 | * <p>Chec k the defa ult cache for TGT an d populate the <code >Subject</ code> | |
282 | * with th e principa l and TGT. If the TG T is not a vailable, | |
283 | * do not prompt the user, ins tead fail the authen tication. | |
284 | * <ul> | |
285 | * <p><cod e>principa l</code>=& lt;name> ;<code>use TicketCach e</code> = true | |
286 | * <code>d oNotPrompt </code>=tr ue; | |
287 | *</ul> | |
288 | * <p> Get the TGT f rom the de fault cach e for the principal and popula te the | |
289 | * Subject 's princip al and pri vate creds set. If t icket cach e is | |
290 | * not ava ilable or does not c ontain the principal 's TGT | |
291 | * authent ication wi ll fail. | |
292 | * <ul> | |
293 | * <p> <co de>useTick etCache</c ode> = tru e | |
294 | * <code>t icketCache </code>=&l t;file nam e><code >useKeyTab </code> = true | |
295 | * <code> keyTab</co de>=<ke ytab filen ame> | |
296 | * <code>p rincipal</ code> = &l t;principa l name> | |
297 | * <code>d oNotPrompt </code>=tr ue; | |
298 | *</ul> | |
299 | * <p> Se arch the c ache for t he princip al's TGT. If it is n ot availab le | |
300 | * use the key in th e keytab t o perform authentica tion excha nge with t he | |
301 | * KDC and acquire t he TGT. | |
302 | * The Sub ject will be populat ed with th e principa l and the TGT. | |
303 | * If the key is not available or valid then authe ntication will fail. | |
304 | * <ul> | |
305 | * <p><cod e>useTicke tCache</co de> = true | |
306 | * <code>t icketCache </code>=&l t;file nam e> | |
307 | *</ul> | |
308 | * <p> The TGT will be obtaine d from the cache spe cified. | |
309 | * The Ker beros prin cipal name used will be the pr incipal na me in | |
310 | * the Tic ket cache. If the TG T is not a vailable i n the | |
311 | * ticket cache the user will be prompte d for the principal name | |
312 | * and the password. The TGT w ill be obt ained usin g the auth entication | |
313 | * exchang e with the KDC. | |
314 | * The Sub ject will be populat ed with th e TGT. | |
315 | *<ul> | |
316 | * <p> <co de>useKeyT ab</code> = true | |
317 | * <code>k eyTab</cod e>=<key tab filena me> | |
318 | * <code>p rincipal</ code>= < ;principal name> | |
319 | * <code>s toreKey</c ode>=true; | |
320 | *</ul> | |
321 | * <p> Th e key for the princi pal will b e retrieve d from the keytab. | |
322 | * If the key is not available in the ke ytab the u ser will b e prompted | |
323 | * for the principal 's passwor d. The Sub ject will be populat ed | |
324 | * with th e principa l's key ei ther from the keytab or derive d from the | |
325 | * passwor d entered. | |
326 | * <ul> | |
327 | * <p> <co de>useKeyT ab</code> = true | |
328 | * <code>k eyTab</cod e>=<key tabname> ; | |
329 | * <code>s toreKey</c ode>=true | |
330 | * <code>d oNotPrompt </code>=fa lse; | |
331 | *</ul> | |
332 | * <p>The user will be prompte d for the service pr incipal na me. | |
333 | * If the principal' s | |
334 | * longter m key is a vailable i n the keyt ab , it wi ll be adde d to the | |
335 | * Subject 's private credentia ls. An aut henticatio n exchange will be | |
336 | * attempt ed with th e principa l name and the key f rom the Ke ytab. | |
337 | * If succ essful the TGT will be added t o the | |
338 | * Subject 's private credentia ls set. Ot herwise th e authenti cation wil l | |
339 | * fail. | |
340 | * <ul> | |
341 | * <p> <co de>isIniti ator</code > = false <code>useK eyTab</cod e> = true | |
342 | * <code>k eyTab</cod e>=<key tabname> ; | |
343 | * <code>s toreKey</c ode>=true | |
344 | * <code>p rincipal</ code>=*; | |
345 | *</ul> | |
346 | * <p>The acceptor w ill be an unbound ac ceptor and it can ac t as any p rincipal | |
347 | * as long that prin cipal has keys in th e keytab. | |
348 | *<ul> | |
349 | * <p> | |
350 | * <code>u seTicketCa che</code> =true | |
351 | * <code>t icketCache </code>=&l t;file nam e>; | |
352 | * <code>u seKeyTab</ code> = tr ue | |
353 | * <code>k eyTab</cod e>=<fil e name> <code>sto reKey</cod e>=true | |
354 | * <code>p rincipal</ code>= < ;principal name> | |
355 | *</ul> | |
356 | * <p> | |
357 | * The cli ent's TGT will be re trieved fr om the tic ket cache and added to the | |
358 | * <code>S ubject</co de>'s priv ate creden tials. If the TGT is not avail able | |
359 | * in the ticket cac he, or the TGT's cli ent name d oes not ma tch the pr incipal | |
360 | * name, J ava will u se a PW key to obt ain the TG T using th e authenti cation | |
361 | * exchang e and adde d to the S ubject's p rivate cre dentials. | |
362 | * This PW key will b e first re trieved fr om the key tab. If th e key | |
363 | * is not available, the user will be pr ompted for the passw ord. In ei ther | |
364 | * case, t he key der ived from the passwo rd will be added to the | |
365 | * Subject 's private credentia ls set. | |
366 | * <ul> | |
367 | * <p><cod e>isInitia tor</code> = false | |
368 | *</ul> | |
369 | * <p>Conf igured to act as acc eptor only , credenti als are no t acquired | |
370 | * via AS exchange. For accept ors only, set this v alue to fa lse. | |
371 | * For ini tiators, d o not set this value to false. | |
372 | * <ul> | |
373 | * <p><cod e>isInitia tor</code> = true | |
374 | *</ul> | |
375 | * <p>Conf igured to act as ini tiator, cr edentials are acquir ed | |
376 | * via AS exchange. For initia tors, set this value to true, or leave t his | |
377 | * option unset, in which case default v alue (true ) will be used. | |
378 | * | |
379 | * @author Ram Marti | |
380 | */ | |
381 | ||
382 | @jdk.Expor ted | |
383 | public cla ss Krb5Log inModule i mplements LoginModul e { | |
384 | ||
385 | // ini tial state | |
386 | privat e Subject subject; | |
387 | privat e Callback Handler ca llbackHand ler; | |
388 | privat e Map<Stri ng, Object > sharedSt ate; | |
389 | privat e Map<Stri ng, ?> opt ions; | |
390 | ||
391 | // con figurable option | |
392 | privat e boolean debug = fa lse; | |
393 | privat e boolean storeKey = false; | |
394 | privat e boolean doNotPromp t = false; | |
395 | privat e boolean useTicketC ache = fal se; | |
396 | privat e boolean useKeyTab = false; | |
397 | privat e String t icketCache Name = nul l; | |
398 | privat e String k eyTabName = null; | |
399 | privat e String p rincName = null; | |
400 | ||
401 | privat e boolean useFirstPa ss = false ; | |
402 | privat e boolean tryFirstPa ss = false ; | |
403 | privat e boolean storePass = false; | |
404 | privat e boolean clearPass = false; | |
405 | privat e boolean refreshKrb 5Config = false; | |
406 | privat e boolean renewTGT = false; | |
407 | ||
408 | // spe cify if in itiator. | |
409 | // per form authe ntication exchange i f initiato r | |
410 | privat e boolean isInitiato r = true; | |
411 | ||
412 | // the authentic ation stat us | |
413 | privat e boolean succeeded = false; | |
414 | privat e boolean commitSucc eeded = fa lse; | |
415 | privat e String u sername; | |
416 | ||
417 | // Enc ryption ke ys calcula ted from p assword. A ssigned wh en storeke y == true | |
418 | // and useKeyTab == false (or true b ut not fou nd) | |
419 | privat e Encrypti onKey[] en cKeys = nu ll; | |
420 | ||
421 | KeyTab ktab = nu ll; | |
422 | ||
423 | privat e Credenti als cred = null; | |
424 | ||
425 | privat e Principa lName prin cipal = nu ll; | |
426 | privat e Kerberos Principal kerbClient Princ = nu ll; | |
427 | privat e Kerberos Ticket ker bTicket = null; | |
428 | privat e Kerberos Key[] kerb Keys = nul l; | |
429 | privat e StringBu ffer krb5P rincName = null; | |
430 | privat e boolean unboundSer ver = fals e; | |
431 | privat e char[] p assword = null; | |
432 | ||
433 | privat e static f inal Strin g NAME = " javax.secu rity.auth. login.name "; | |
434 | privat e static f inal Strin g PWD = "j avax.secur ity.auth.l ogin.passw ord"; | |
435 | privat e static f inal Resou rceBundle rb = Acces sControlle r.doPrivil eged( | |
436 | new Priv ilegedActi on<Resourc eBundle>() { | |
437 | publ ic Resourc eBundle ru n() { | |
438 | return Res ourceBundl e.getBundl e( | |
439 | "s un.securit y.util.Aut hResources "); | |
440 | } | |
441 | } | |
442 | ); | |
443 | ||
444 | /** | |
445 | * Ini tialize th is <code>L oginModule </code>. | |
446 | * | |
447 | * <p> | |
448 | * @pa ram subjec t the <cod e>Subject< /code> to be authent icated. <p > | |
449 | * | |
450 | * @pa ram callba ckHandler a <code>Ca llbackHand ler</code> for | |
451 | * commun ication wi th the end user (pro mpting for | |
452 | * userna mes and pa sswords, f or example ). <p> | |
453 | * | |
454 | * @pa ram shared State shar ed <code>L oginModule </code> st ate. <p> | |
455 | * | |
456 | * @pa ram option s options specified in the log in | |
457 | * <code> Configurat ion</code> for this particular | |
458 | * <code> LoginModul e</code>. | |
459 | */ | |
460 | // Unc hecked war ning from (Map<Strin g, Object> )sharedSta te is safe | |
461 | // sin ce javax.s ecurity.au th.login.L oginContex t passes a raw HashM ap. | |
462 | // Unc hecked war nings from options.g et(String) are safe since we a re | |
463 | // pas sing known keys. | |
464 | @Suppr essWarning s("uncheck ed") | |
465 | public void init ialize(Sub ject subje ct, | |
466 | Cal lbackHandl er callbac kHandler, | |
467 | Map <String, ? > sharedSt ate, | |
468 | Map <String, ? > options) { | |
469 | ||
470 | th is.subject = subject ; | |
471 | th is.callbac kHandler = callbackH andler; | |
472 | th is.sharedS tate = (Ma p<String, Object>)sh aredState; | |
473 | th is.options = options ; | |
474 | ||
475 | // initializ e any conf igured opt ions | |
476 | ||
477 | de bug = "tru e".equalsI gnoreCase( (String)op tions.get( "debug")); | |
478 | st oreKey = " true".equa lsIgnoreCa se((String )options.g et("storeK ey")); | |
479 | do NotPrompt = "true".e qualsIgnor eCase((Str ing)option s.get | |
480 | ("do NotPrompt" )); | |
481 | us eTicketCac he = "true ".equalsIg noreCase(( String)opt ions.get | |
482 | ( "useTicket Cache")); | |
483 | us eKeyTab = "true".equ alsIgnoreC ase((Strin g)options. get("useKe yTab")); | |
484 | ti cketCacheN ame = (Str ing)option s.get("tic ketCache") ; | |
485 | ke yTabName = (String)o ptions.get ("keyTab") ; | |
486 | if (keyTabNa me != null ) { | |
487 | keyTabNa me = sun.s ecurity.kr b5.interna l.ktab.Key Tab.normal ize( | |
488 | keyTa bName); | |
489 | } | |
490 | pr incName = (String)op tions.get( "principal "); | |
491 | re freshKrb5C onfig = | |
492 | "true".e qualsIgnor eCase((Str ing)option s.get("ref reshKrb5Co nfig")); | |
493 | re newTGT = | |
494 | "true".e qualsIgnor eCase((Str ing)option s.get("ren ewTGT")); | |
495 | ||
496 | // check isI nitiator v alue | |
497 | St ring isIni tiatorValu e = ((Stri ng)options .get("isIn itiator")) ; | |
498 | if (isInitia torValue = = null) { | |
499 | // use d efault, if value not set | |
500 | } else { | |
501 | isInitia tor = "tru e".equalsI gnoreCase( isInitiato rValue); | |
502 | } | |
503 | ||
504 | tr yFirstPass = | |
505 | "true".e qualsIgnor eCase | |
506 | ((String )options.g et("tryFir stPass")); | |
507 | us eFirstPass = | |
508 | "true".e qualsIgnor eCase | |
509 | ((String )options.g et("useFir stPass")); | |
510 | st orePass = | |
511 | "true".e qualsIgnor eCase((Str ing)option s.get("sto rePass")); | |
512 | cl earPass = | |
513 | "true".e qualsIgnor eCase((Str ing)option s.get("cle arPass")); | |
514 | if (debug) { | |
515 | System.o ut.print(" Debug is " + debug | |
516 | + " storeKe y " + stor eKey | |
517 | + " useTick etCache " + useTicke tCache | |
518 | + " useKeyT ab " + use KeyTab | |
519 | + " doNotPr ompt " + d oNotPrompt | |
520 | + " ticketC ache is " + ticketCa cheName | |
521 | + " isIniti ator " + i sInitiator | |
522 | + " KeyTab is " + key TabName | |
523 | + " refresh Krb5Config is " + re freshKrb5C onfig | |
524 | + " princip al is " + princName | |
525 | + " tryFirs tPass is " + tryFirs tPass | |
526 | + " useFirs tPass is " + useFirs tPass | |
527 | + " storePa ss is " + storePass | |
528 | + " clearPa ss is " + clearPass + "\n"); | |
529 | } | |
530 | } | |
531 | ||
532 | ||
533 | /** | |
534 | * Aut henticate the user | |
535 | * | |
536 | * <p> | |
537 | * | |
538 | * @re turn true in all cas es since t his <code> LoginModul e</code> | |
539 | * shou ld not be ignored. | |
540 | * | |
541 | * @ex ception Fa iledLoginE xception i f the auth entication fails. <p > | |
542 | * | |
543 | * @ex ception Lo ginExcepti on if this <code>Log inModule</ code> | |
544 | * is u nable to p erform the authentic ation. | |
545 | */ | |
546 | public boolean l ogin() thr ows LoginE xception { | |
547 | ||
548 | if (refreshK rb5Config) { | |
549 | try { | |
550 | if ( debug) { | |
551 | System.out .println(" Refreshing Kerberos configurat ion"); | |
552 | } | |
553 | sun. security.k rb5.Config .refresh() ; | |
554 | } catch (KrbExcept ion ke) { | |
555 | Logi nException le = new LoginExcep tion(ke.ge tMessage() ); | |
556 | le.i nitCause(k e); | |
557 | thro w le; | |
558 | } | |
559 | } | |
560 | St ring princ ipalProper ty = Syste m.getPrope rty | |
561 | ("sun.se curity.krb 5.principa l"); | |
562 | if (principa lProperty != null) { | |
563 | krb5Prin cName = ne w StringBu ffer(princ ipalProper ty); | |
564 | } else { | |
565 | if (prin cName != n ull) { | |
566 | krb5 PrincName = new Stri ngBuffer(p rincName); | |
567 | } | |
568 | } | |
569 | ||
570 | va lidateConf iguration( ); | |
571 | ||
572 | if (krb5Prin cName != n ull && krb 5PrincName .toString( ).equals(" *")) { | |
573 | unboundS erver = tr ue; | |
574 | } | |
575 | ||
576 | if (tryFirst Pass) { | |
577 | try { | |
578 | atte mptAuthent ication(tr ue); | |
579 | if ( debug) | |
580 | System.out .println(" \t\t[Krb5L oginModule ] " + | |
581 | " authentica tion succe eded"); | |
582 | succ eeded = tr ue; | |
583 | clea nState(); | |
584 | retu rn true; | |
585 | } catch (LoginExce ption le) { | |
586 | // a uthenticat ion failed -- try ag ain below by prompti ng | |
587 | clea nState(); | |
588 | if ( debug) { | |
589 | System.out .println(" \t\t[Krb5L oginModule ] " + | |
590 | " tryFirstPa ss failed with:" + | |
591 | l e.getMessa ge()); | |
592 | } | |
593 | } | |
594 | } else if (u seFirstPas s) { | |
595 | try { | |
596 | atte mptAuthent ication(tr ue); | |
597 | succ eeded = tr ue; | |
598 | clea nState(); | |
599 | retu rn true; | |
600 | } catch (LoginExce ption e) { | |
601 | // a uthenticat ion failed -- clean out state | |
602 | if ( debug) { | |
603 | System.out .println(" \t\t[Krb5L oginModule ] " + | |
604 | " authentica tion faile d \n" + | |
605 | e .getMessag e()); | |
606 | } | |
607 | succ eeded = fa lse; | |
608 | clea nState(); | |
609 | thro w e; | |
610 | } | |
611 | } | |
612 | ||
613 | // attempt t he authent ication by getting t he usernam e and pwd | |
614 | // by prompt ing or con figuration i.e. not from share d state | |
615 | ||
616 | tr y { | |
617 | attemptA uthenticat ion(false) ; | |
618 | succeede d = true; | |
619 | cleanSta te(); | |
620 | return t rue; | |
621 | } catch (Log inExceptio n e) { | |
622 | // authe ntication failed -- clean out state | |
623 | if (debu g) { | |
624 | Syst em.out.pri ntln("\t\t [Krb5Login Module] " + | |
625 | "auth entication failed \n " + | |
626 | e.get Message()) ; | |
627 | } | |
628 | succeede d = false; | |
629 | cleanSta te(); | |
630 | throw e; | |
631 | } | |
632 | } | |
633 | /** | |
634 | * pro cess the c onfigurati on options | |
635 | * Get the TGT e ither out of | |
636 | * cac he or from the KDC u sing the p assword en tered | |
637 | * Che ck the pe rmission b efore gett ing the TG T | |
638 | */ | |
639 | ||
640 | privat e void att emptAuthen tication(b oolean get PasswdFrom SharedStat e) | |
641 | th rows Login Exception { | |
642 | ||
643 | /* | |
644 | * Check the creds cac he to see whether | |
645 | * we have T GT for thi s client p rincipal | |
646 | * / | |
647 | if (krb5Prin cName != n ull) { | |
648 | try { | |
649 | prin cipal = ne w Principa lName | |
650 | (krb5Princ Name.toStr ing(), | |
651 | Principal Name.KRB_N T_PRINCIPA L); | |
652 | } catch (KrbExcept ion e) { | |
653 | Logi nException le = new LoginExcep tion(e.get Message()) ; | |
654 | le.i nitCause(e ); | |
655 | thro w le; | |
656 | } | |
657 | } | |
658 | ||
659 | tr y { | |
660 | if (useT icketCache ) { | |
661 | // t icketCache Name == nu ll implies the defau lt cache | |
662 | if ( debug) | |
663 | System.out .println(" Acquire TG T from Cac he"); | |
664 | cred = Creden tials.acqu ireTGTFrom Cache | |
665 | (principal , ticketCa cheName); | |
666 | ||
667 | if ( cred != nu ll) { | |
668 | // check t o renew cr edentials | |
669 | if (!isCur rent(cred) ) { | |
670 | if (re newTGT) { | |
671 | cr ed = renew Credential s(cred); | |
672 | } else { | |
673 | // credentia ls have ex pired | |
674 | cr ed = null; | |
675 | if (debug) | |
676 | System.o ut.println ("Credenti als are" + | |
677 | " no longer valid"); | |
678 | } | |
679 | } | |
680 | } | |
681 | ||
682 | if ( cred != nu ll) { | |
683 | / / get the principal name from the ticket cache | |
684 | i f (princip al == null ) { | |
685 | princi pal = cred .getClient (); | |
686 | } | |
687 | } | |
688 | if ( debug) { | |
689 | System.out .println(" Principal is " + pri ncipal); | |
690 | if (cred = = null) { | |
691 | System .out.print ln | |
692 | (" null crede ntials fro m Ticket C ache"); | |
693 | } | |
694 | } | |
695 | } | |
696 | ||
697 | // cred = null ind icates tha t we didn' t get the creds | |
698 | // from the cache or useTick etCache wa s false | |
699 | ||
700 | if (cred == null) { | |
701 | // W e need the principal name whet her we use keytab | |
702 | // o r AS Excha nge | |
703 | if ( principal == null) { | |
704 | promptForN ame(getPas swdFromSha redState); | |
705 | principal = new Prin cipalName | |
706 | (krb5P rincName.t oString(), | |
707 | Princ ipalName.K RB_NT_PRIN CIPAL); | |
708 | } | |
709 | ||
710 | /* | |
711 | * B efore dyna mic KeyTab support ( 6894072), here we ch eck if | |
712 | * t he keytab contains k eys for th e principa l. If no, keytab | |
713 | * w ill not be used and password i s prompted for. | |
714 | * | |
715 | * A fter 68940 72, we nor mally don' t check it , and expe ct the | |
716 | * k eys can be populated until a r eal connec tion is ma de. The | |
717 | * c heck is st ill done w hen isInit iator == t rue, where the keys | |
718 | * w ill be use d right no w. | |
719 | * | |
720 | * P robably tr icky relat ions: | |
721 | * | |
722 | * u seKeyTab i s config f lag, but w hen it's t rue but th e ktab | |
723 | * d oes not co ntains key s for prin cipal, we would use password | |
724 | * a nd keep th e flag unc hanged (fo r reuse?). In this m ethod, | |
725 | * w e use (kta b != null) to check whether ke ytab is us ed. | |
726 | * A fter this method (an d when sto reKey == t rue), we u se | |
727 | * ( encKeys == null) to check. | |
728 | */ | |
729 | if ( useKeyTab) { | |
730 | if (!unbou ndServer) { | |
731 | Kerber osPrincipa l kp = | |
732 | new Kerb erosPrinci pal(princi pal.getNam e()); | |
733 | ktab = (keyTabNa me == null ) | |
734 | ? KeyTab .getInstan ce(kp) | |
735 | : KeyTab .getInstan ce(kp, new File(keyT abName)); | |
736 | } else { | |
737 | ktab = (keyTabNa me == null ) | |
738 | ? KeyTab .getUnboun dInstance( ) | |
739 | : KeyTab .getUnboun dInstance( new File(k eyTabName) ); | |
740 | } | |
741 | if (isInit iator) { | |
742 | if (Kr b5Util.key sFromJavax KeyTab(kta b, princip al).length | |
743 | == 0) { | |
744 | kt ab = null; | |
745 | if (debug) { | |
746 | System.o ut.println | |
747 | ("Ke y for the principal " + | |
748 | pri ncipal + | |
749 | " n ot availab le in " + | |
750 | ((k eyTabName == null) ? | |
751 | "d efault key tab" : ke yTabName)) ; | |
752 | } | |
753 | } | |
754 | } | |
755 | } | |
756 | ||
757 | KrbA sReqBuilde r builder; | |
758 | ||
759 | if ( ktab == nu ll) { | |
760 | promptForP ass(getPas swdFromSha redState); | |
761 | builder = new KrbAsR eqBuilder( principal, password) ; | |
762 | if (isInit iator) { | |
763 | // XXX Even if i sInitiator =false, it might be | |
764 | // bet ter to do an AS-REQ so that ke ys can be | |
765 | // upd ated with PA info | |
766 | cred = builder.a ction().ge tCreds(); | |
767 | } | |
768 | if (storeK ey) { | |
769 | encKey s = builde r.getKeys( isInitiato r); | |
770 | // Whe n encKeys is empty, the login actually f ails. | |
771 | // For compatibi lity, exce ption is t hrown in c ommit(). | |
772 | } | |
773 | } el se { | |
774 | builder = new KrbAsR eqBuilder( principal, ktab); | |
775 | if (isInit iator) { | |
776 | cred = builder.a ction().ge tCreds(); | |
777 | } | |
778 | } | |
779 | buil der.destro y(); | |
780 | ||
781 | if ( debug) { | |
782 | System.out .println(" principal is " + pri ncipal); | |
783 | HexDumpEnc oder hd = new HexDum pEncoder() ; | |
784 | if (ktab ! = null) { | |
785 | System .out.print ln("Will u se keytab" ); | |
786 | } else if (storeKey) { | |
787 | for (i nt i = 0; i < encKey s.length; i++) { | |
788 | Sy stem.out.p rintln("En cryptionKe y: keyType =" + | |
789 | encKeys[ i].getETyp e() + | |
790 | " keyByt es (hex du mp)=" + | |
791 | hd.encod eBuffer(en cKeys[i].g etBytes()) ); | |
792 | } | |
793 | } | |
794 | } | |
795 | ||
796 | // w e should h ava a non- null cred | |
797 | if ( isInitiato r && (cred == null)) { | |
798 | throw new LoginExcep tion | |
799 | ("TGT Can not be obtained from the K DC "); | |
800 | } | |
801 | ||
802 | } | |
803 | } catch (Krb Exception e) { | |
804 | LoginExc eption le = new Logi nException (e.getMess age()); | |
805 | le.initC ause(e); | |
806 | throw le ; | |
807 | } catch (IOE xception i oe) { | |
808 | LoginExc eption ie = new Logi nException (ioe.getMe ssage()); | |
809 | ie.initC ause(ioe); | |
810 | throw ie ; | |
811 | } | |
812 | } | |
813 | ||
814 | privat e void pro mptForName (boolean g etPasswdFr omSharedSt ate) | |
815 | th rows Login Exception { | |
816 | kr b5PrincNam e = new St ringBuffer (""); | |
817 | if (getPassw dFromShare dState) { | |
818 | // use t he name sa ved by the first mod ule in the stack | |
819 | username = (String )sharedSta te.get(NAM E); | |
820 | if (debu g) { | |
821 | Syst em.out.pri ntln | |
822 | ("username from shar ed state i s " + user name + "\n "); | |
823 | } | |
824 | if (user name == nu ll) { | |
825 | Syst em.out.pri ntln | |
826 | ("username from shar ed state i s null\n") ; | |
827 | thro w new Logi nException | |
828 | ("Username can not b e obtained from shar edstate ") ; | |
829 | } | |
830 | if (debu g) { | |
831 | Syst em.out.pri ntln | |
832 | ("username from shar ed state i s " + user name + "\n "); | |
833 | } | |
834 | if (user name != nu ll && user name.lengt h() > 0) { | |
835 | krb5 PrincName. insert(0, username); | |
836 | retu rn; | |
837 | } | |
838 | } | |
839 | ||
840 | if (doNotPro mpt) { | |
841 | throw ne w LoginExc eption | |
842 | ("Un able to ob tain Princ ipal Name for authen tication " ); | |
843 | } else { | |
844 | if (call backHandle r == null) | |
845 | thro w new Logi nException ("No Callb ackHandler " | |
846 | + "availa ble " | |
847 | + "to gar ner authen tication " | |
848 | + "inform ation from the user" ); | |
849 | try { | |
850 | Stri ng defUser name = Sys tem.getPro perty("use r.name"); | |
851 | ||
852 | Call back[] cal lbacks = n ew Callbac k[1]; | |
853 | Mess ageFormat form = new MessageFo rmat( | |
854 | r b.getStrin g( | |
855 | " Kerberos.u sername.de fUsername. ")); | |
856 | Obje ct[] sourc e = {defU sername}; | |
857 | call backs[0] = new NameC allback(fo rm.format( source)); | |
858 | call backHandle r.handle(c allbacks); | |
859 | user name = ((N ameCallbac k)callback s[0]).getN ame(); | |
860 | if ( username = = null || username.l ength() == 0) | |
861 | username = defUserna me; | |
862 | krb5 PrincName. insert(0, username); | |
863 | ||
864 | } catch (java.io.I OException ioe) { | |
865 | thro w new Logi nException (ioe.getMe ssage()); | |
866 | } catch (Unsupport edCallback Exception uce) { | |
867 | thro w new Logi nException | |
868 | (uce.getMe ssage() | |
869 | +" not av ailable to garner " | |
870 | +" authen tication i nformation " | |
871 | +" from t he user"); | |
872 | } | |
873 | } | |
874 | } | |
875 | ||
876 | privat e void pro mptForPass (boolean g etPasswdFr omSharedSt ate) | |
877 | th rows Login Exception { | |
878 | ||
879 | if (getPassw dFromShare dState) { | |
880 | // use t he passwor d saved by the first module in the stack | |
881 | password = (char[] )sharedSta te.get(PWD ); | |
882 | if (pass word == nu ll) { | |
883 | if ( debug) { | |
884 | System.out .println | |
885 | ("Pass word from shared sta te is null "); | |
886 | } | |
887 | thro w new Logi nException | |
888 | ("Password can not b e obtained from shar edstate ") ; | |
889 | } | |
890 | if (debu g) { | |
891 | Syst em.out.pri ntln | |
892 | ("password is " + ne w String(p assword)); | |
893 | } | |
894 | return; | |
895 | } | |
896 | if (doNotPro mpt) { | |
897 | throw ne w LoginExc eption | |
898 | ("Un able to ob tain passw ord from u ser\n"); | |
899 | } else { | |
900 | if (call backHandle r == null) | |
901 | thro w new Logi nException ("No Callb ackHandler " | |
902 | + "availa ble " | |
903 | + "to gar ner authen tication " | |
904 | + "inform ation from the user" ); | |
905 | try { | |
906 | Call back[] cal lbacks = n ew Callbac k[1]; | |
907 | Stri ng userNam e = krb5Pr incName.to String(); | |
908 | Mess ageFormat form = new MessageFo rmat( | |
909 | rb.getStr ing( | |
910 | "Kerberos .password. for.userna me.")); | |
911 | Obje ct[] sourc e = {userN ame}; | |
912 | call backs[0] = new Passw ordCallbac k( | |
913 | form.for mat(source ), | |
914 | false); | |
915 | call backHandle r.handle(c allbacks); | |
916 | char [] tmpPass word = ((P asswordCal lback) | |
917 | ca llbacks[0] ).getPassw ord(); | |
918 | if ( tmpPasswor d == null) { | |
919 | throw new LoginExcep tion("No p assword pr ovided"); | |
920 | } | |
921 | pass word = new char[tmpP assword.le ngth]; | |
922 | Syst em.arrayco py(tmpPass word, 0, | |
923 | passwor d, 0, tmpP assword.le ngth); | |
924 | ((Pa sswordCall back)callb acks[0]).c learPasswo rd(); | |
925 | ||
926 | ||
927 | // c lear tmpPa ssword | |
928 | for (int i = 0 ; i < tmpP assword.le ngth; i++) | |
929 | tmpPasswor d[i] = ' ' ; | |
930 | tmpP assword = null; | |
931 | if ( debug) { | |
932 | System.out .println(" \t\t[Krb5L oginModule ] " + | |
933 | " user enter ed usernam e: " + | |
934 | k rb5PrincNa me); | |
935 | System.out .println() ; | |
936 | } | |
937 | } catch (java.io.I OException ioe) { | |
938 | thro w new Logi nException (ioe.getMe ssage()); | |
939 | } catch (Unsupport edCallback Exception uce) { | |
940 | thro w new Logi nException (uce.getMe ssage() | |
941 | +" not av ailable to garner " | |
942 | +" authen tication i nformation " | |
943 | + "from t he user"); | |
944 | } | |
945 | } | |
946 | } | |
947 | ||
948 | privat e void val idateConfi guration() throws Lo ginExcepti on { | |
949 | if (doNotPro mpt && !us eTicketCac he && !use KeyTab | |
950 | && ! tryFirstPa ss && !use FirstPass) | |
951 | throw ne w LoginExc eption | |
952 | ("Co nfiguratio n Error" | |
953 | + " - either doNotPromp t should b e " | |
954 | + " false or at least o ne of useT icketCache , " | |
955 | + " useKeyTab , tryFirst Pass and u seFirstPas s" | |
956 | + " should be true"); | |
957 | if (ticketCa cheName != null && ! useTicketC ache) | |
958 | throw ne w LoginExc eption | |
959 | ("Co nfiguratio n Error " | |
960 | + " - useTick etCache sh ould be se t " | |
961 | + " to true to use the t icket cach e" | |
962 | + t icketCache Name); | |
963 | if (keyTabNa me != null & !useKey Tab) | |
964 | throw ne w LoginExc eption | |
965 | ("Co nfiguratio n Error - useKeyTab should be set to tru e " | |
966 | + " to use the keytab" + keyTabNam e); | |
967 | if (storeKey && doNotP rompt && ! useKeyTab | |
968 | && ! tryFirstPa ss && !use FirstPass) | |
969 | throw ne w LoginExc eption | |
970 | ("Co nfiguratio n Error - either doN otPrompt s hould be s et to " | |
971 | + " false or at least o ne of tryF irstPass, useFirstPa ss " | |
972 | + " or useKeyT ab must be set to tr ue for sto reKey opti on"); | |
973 | if (renewTGT && !useTi cketCache) | |
974 | throw ne w LoginExc eption | |
975 | ("Co nfiguratio n Error" | |
976 | + " - either useTicketC ache shoul d be " | |
977 | + " true or r enewTGT sh ould be fa lse"); | |
978 | if (krb5Prin cName != n ull && krb 5PrincName .toString( ).equals(" *")) { | |
979 | if (isIn itiator) { | |
980 | thro w new Logi nException | |
981 | ("Configur ation Erro r" | |
982 | + " - prin cipal cann ot be * wh en isIniti ator is tr ue"); | |
983 | } | |
984 | } | |
985 | } | |
986 | ||
987 | privat e boolean isCurrent( Credential s creds) | |
988 | { | |
989 | Da te endTime = creds.g etEndTime( ); | |
990 | if (endTime != null) { | |
991 | return ( System.cur rentTimeMi llis() <= endTime.ge tTime()); | |
992 | } | |
993 | re turn true; | |
994 | } | |
995 | ||
996 | privat e Credenti als renewC redentials (Credentia ls creds) | |
997 | { | |
998 | Cr edentials lcreds; | |
999 | tr y { | |
1000 | if (!cre ds.isRenew able()) | |
1001 | thro w new Refr eshFailedE xception(" This ticke t" + | |
1002 | " is not renewable "); | |
1003 | if (Syst em.current TimeMillis () > cred. getRenewTi ll().getTi me()) | |
1004 | thro w new Refr eshFailedE xception(" This ticke t is past " | |
1005 | + "it s last ren ewal time. "); | |
1006 | lcreds = creds.ren ew(); | |
1007 | if (debu g) | |
1008 | Syst em.out.pri ntln("Rene wed Kerber os Ticket" ); | |
1009 | } catch (Exc eption e) { | |
1010 | lcreds = null; | |
1011 | if (debu g) | |
1012 | Syst em.out.pri ntln("Tick et could n ot be rene wed : " | |
1013 | + e.getM essage()); | |
1014 | } | |
1015 | re turn lcred s; | |
1016 | } | |
1017 | ||
1018 | /** | |
1019 | * <p> This meth od is call ed if the LoginConte xt's | |
1020 | * ove rall authe ntication succeeded | |
1021 | * (th e relevant REQUIRED, REQUISITE , SUFFICIE NT and OPT IONAL | |
1022 | * Log inModules succeeded) . | |
1023 | * | |
1024 | * <p> If this L oginModule 's own aut henticatio n attempt | |
1025 | * suc ceeded (ch ecked by r etrieving the privat e state sa ved by the | |
1026 | * <co de>login</ code> meth od), then this metho d associat es a | |
1027 | * <co de>Krb5Pri ncipal</co de> | |
1028 | * wit h the <cod e>Subject< /code> loc ated in th e | |
1029 | * <co de>LoginMo dule</code >. It adds Kerberos Credential s to the | |
1030 | * th e Subject' s private credential s set. If this Login Module's o wn | |
1031 | * aut henticatio n attempte d failed, then this method rem oves | |
1032 | * any state tha t was orig inally sav ed. | |
1033 | * | |
1034 | * <p> | |
1035 | * | |
1036 | * @ex ception Lo ginExcepti on if the commit fai ls. | |
1037 | * | |
1038 | * @re turn true if this Lo ginModule' s own logi n and comm it | |
1039 | * atte mpts succe eded, or f alse other wise. | |
1040 | */ | |
1041 | ||
1042 | public boolean c ommit() th rows Login Exception { | |
1043 | ||
1044 | /* | |
1045 | * Let us ad d the Krb5 Creds to the Subjec t's | |
1046 | * private c redentials . The cred entials ar e of type | |
1047 | * KerberosK ey or Kerb erosTicket | |
1048 | * / | |
1049 | if (succeede d == false ) { | |
1050 | return f alse; | |
1051 | } else { | |
1052 | ||
1053 | if (isIn itiator && (cred == null)) { | |
1054 | succ eeded = fa lse; | |
1055 | thro w new Logi nException ("Null Cli ent Creden tial"); | |
1056 | } | |
1057 | ||
1058 | if (subj ect.isRead Only()) { | |
1059 | clea nKerberosC red(); | |
1060 | thro w new Logi nException ("Subject is Readonl y"); | |
1061 | } | |
1062 | ||
1063 | /* | |
1064 | * Add t he Princip al (authen ticated id entity) | |
1065 | * to th e Subject' s principa l set and | |
1066 | * add t he credent ials (TGT or Service key) to t he | |
1067 | * Subje ct's priva te credent ials | |
1068 | */ | |
1069 | ||
1070 | Set<Obje ct> privCr edSet = s ubject.get PrivateCre dentials() ; | |
1071 | Set<java .security. Principal> princSet = subject .getPrinci pals(); | |
1072 | kerbClie ntPrinc = new Kerber osPrincipa l(principa l.getName( )); | |
1073 | ||
1074 | // creat e Kerberos Ticket | |
1075 | if (isIn itiator) { | |
1076 | kerb Ticket = K rb5Util.cr edsToTicke t(cred); | |
1077 | } | |
1078 | ||
1079 | if (stor eKey && en cKeys != n ull) { | |
1080 | if ( encKeys.le ngth == 0) { | |
1081 | succeeded = false; | |
1082 | throw new LoginExcep tion("Null Server Ke y "); | |
1083 | } | |
1084 | ||
1085 | kerb Keys = new KerberosK ey[encKeys .length]; | |
1086 | for (int i = 0 ; i < encK eys.length ; i ++) { | |
1087 | Integer te mp = encKe ys[i].getK eyVersionN umber(); | |
1088 | kerbKeys[i ] = new Ke rberosKey( kerbClient Princ, | |
1089 | encKeys[ i].getByte s(), | |
1090 | encKeys[ i].getETyp e(), | |
1091 | (temp == null? | |
1092 | 0: temp. intValue() )); | |
1093 | } | |
1094 | ||
1095 | } | |
1096 | // Let u s add the kerbClient Princ,kerb Ticket and KeyTab/Ke rbKey (if | |
1097 | // store Key is tru e) | |
1098 | ||
1099 | // We wo n't add "* " as a Ker berosPrinc ipal | |
1100 | if (!unb oundServer && | |
1101 | !princSet. contains(k erbClientP rinc)) { | |
1102 | prin cSet.add(k erbClientP rinc); | |
1103 | } | |
1104 | ||
1105 | // add t he TGT | |
1106 | if (kerb Ticket != null) { | |
1107 | if ( !privCredS et.contain s(kerbTick et)) | |
1108 | privCredSe t.add(kerb Ticket); | |
1109 | } | |
1110 | ||
1111 | if (stor eKey) { | |
1112 | if ( encKeys == null) { | |
1113 | if (ktab ! = null) { | |
1114 | if (!p rivCredSet .contains( ktab)) { | |
1115 | pr ivCredSet. add(ktab); | |
1116 | } | |
1117 | } else { | |
1118 | succee ded = fals e; | |
1119 | throw new LoginE xception(" No key to store"); | |
1120 | } | |
1121 | } el se { | |
1122 | for (int i = 0; i < kerbKeys.l ength; i + +) { | |
1123 | if (!p rivCredSet .contains( kerbKeys[i ])) { | |
1124 | pr ivCredSet. add(kerbKe ys[i]); | |
1125 | } | |
1126 | encKey s[i].destr oy(); | |
1127 | encKey s[i] = nul l; | |
1128 | if (de bug) { | |
1129 | Sy stem.out.p rintln("Ad ded server 's key" | |
1130 | + kerb Keys[i]); | |
1131 | Sy stem.out.p rintln("\t \t[Krb5Log inModule] " + | |
1132 | "added Krb5Princi pal " + | |
1133 | kerbCli entPrinc.t oString() | |
1134 | + " to Subject"); | |
1135 | } | |
1136 | } | |
1137 | } | |
1138 | } | |
1139 | } | |
1140 | co mmitSuccee ded = true ; | |
1141 | if (debug) | |
1142 | System.o ut.println ("Commit S ucceeded \ n"); | |
1143 | re turn true; | |
1144 | } | |
1145 | ||
1146 | /** | |
1147 | * <p> This meth od is call ed if the LoginConte xt's | |
1148 | * ove rall authe ntication failed. | |
1149 | * (th e relevant REQUIRED, REQUISITE , SUFFICIE NT and OPT IONAL | |
1150 | * Log inModules did not su cceed). | |
1151 | * | |
1152 | * <p> If this L oginModule 's own aut henticatio n attempt | |
1153 | * suc ceeded (ch ecked by r etrieving the privat e state sa ved by the | |
1154 | * <co de>login</ code> and <code>comm it</code> methods), | |
1155 | * the n this met hod cleans up any st ate that w as origina lly saved. | |
1156 | * | |
1157 | * <p> | |
1158 | * | |
1159 | * @ex ception Lo ginExcepti on if the abort fail s. | |
1160 | * | |
1161 | * @re turn false if this L oginModule 's own log in and/or commit att empts | |
1162 | * fail ed, and tr ue otherwi se. | |
1163 | */ | |
1164 | ||
1165 | public boolean a bort() thr ows LoginE xception { | |
1166 | if (succeede d == false ) { | |
1167 | return f alse; | |
1168 | } else if (s ucceeded = = true && commitSucc eeded == f alse) { | |
1169 | // login succeeded but overa ll authent ication fa iled | |
1170 | succeede d = false; | |
1171 | cleanKer berosCred( ); | |
1172 | } else { | |
1173 | // overa ll authent ication su cceeded an d commit s ucceeded, | |
1174 | // but s omeone els e's commit failed | |
1175 | logout() ; | |
1176 | } | |
1177 | re turn true; | |
1178 | } | |
1179 | ||
1180 | /** | |
1181 | * Log out the us er. | |
1182 | * | |
1183 | * <p> This meth od removes the <code >Krb5Princ ipal</code > | |
1184 | * tha t was adde d by the < code>commi t</code> m ethod. | |
1185 | * | |
1186 | * <p> | |
1187 | * | |
1188 | * @ex ception Lo ginExcepti on if the logout fai ls. | |
1189 | * | |
1190 | * @re turn true in all cas es since t his <code> LoginModul e</code> | |
1191 | * shou ld not be ignored. | |
1192 | */ | |
1193 | public boolean l ogout() th rows Login Exception { | |
1194 | ||
1195 | if (debug) { | |
1196 | System.o ut.println ("\t\t[Krb 5LoginModu le]: " + | |
1197 | "Ent ering logo ut"); | |
1198 | } | |
1199 | ||
1200 | if (subject. isReadOnly ()) { | |
1201 | cleanKer berosCred( ); | |
1202 | throw ne w LoginExc eption("Su bject is R eadonly"); | |
1203 | } | |
1204 | ||
1205 | su bject.getP rincipals( ).remove(k erbClientP rinc); | |
1206 | // Let us remove al l Kerberos credentia ls stored in the Sub ject | |
1207 | It erator<Obj ect> it = subject.ge tPrivateCr edentials( ).iterator (); | |
1208 | wh ile (it.ha sNext()) { | |
1209 | Object o = it.next (); | |
1210 | if (o in stanceof K erberosTic ket || | |
1211 | o instance of Kerbero sKey || | |
1212 | o instance of KeyTab) { | |
1213 | it.r emove(); | |
1214 | } | |
1215 | } | |
1216 | // clean the kerberos ticket and keys | |
1217 | cl eanKerbero sCred(); | |
1218 | ||
1219 | su cceeded = false; | |
1220 | co mmitSuccee ded = fals e; | |
1221 | if (debug) { | |
1222 | System.o ut.println ("\t\t[Krb 5LoginModu le]: " + | |
1223 | "logged o ut Subject "); | |
1224 | } | |
1225 | re turn true; | |
1226 | } | |
1227 | ||
1228 | /** | |
1229 | * Cle an Kerbero s credenti als | |
1230 | */ | |
1231 | privat e void cle anKerberos Cred() thr ows LoginE xception { | |
1232 | // Clean the ticket an d server k ey | |
1233 | tr y { | |
1234 | if (kerb Ticket != null) | |
1235 | kerb Ticket.des troy(); | |
1236 | if (kerb Keys != nu ll) { | |
1237 | for (int i = 0 ; i < kerb Keys.lengt h; i++) { | |
1238 | kerbKeys[i ].destroy( ); | |
1239 | } | |
1240 | } | |
1241 | } catch (Des troyFailed Exception e) { | |
1242 | throw ne w LoginExc eption | |
1243 | ("De stroy Fail ed on Kerb eros Priva te Credent ials"); | |
1244 | } | |
1245 | ke rbTicket = null; | |
1246 | ke rbKeys = n ull; | |
1247 | ke rbClientPr inc = null ; | |
1248 | } | |
1249 | ||
1250 | /** | |
1251 | * Cle an out the state | |
1252 | */ | |
1253 | privat e void cle anState() { | |
1254 | ||
1255 | // save inpu t as share d state on ly if | |
1256 | // authentic ation succ eeded | |
1257 | if (succeede d) { | |
1258 | if (stor ePass && | |
1259 | !sha redState.c ontainsKey (NAME) && | |
1260 | !sha redState.c ontainsKey (PWD)) { | |
1261 | shar edState.pu t(NAME, us ername); | |
1262 | shar edState.pu t(PWD, pas sword); | |
1263 | } | |
1264 | } else { | |
1265 | // remov e temp res ults for t he next tr y | |
1266 | encKeys = null; | |
1267 | ktab = n ull; | |
1268 | principa l = null; | |
1269 | } | |
1270 | us ername = n ull; | |
1271 | pa ssword = n ull; | |
1272 | if (krb5Prin cName != n ull && krb 5PrincName .length() != 0) | |
1273 | krb5Prin cName.dele te(0, krb5 PrincName. length()); | |
1274 | kr b5PrincNam e = null; | |
1275 | if (clearPas s) { | |
1276 | sharedSt ate.remove (NAME); | |
1277 | sharedSt ate.remove (PWD); | |
1278 | } | |
1279 | } | |
1280 | } |