/// <summary>
/// Produces the first Kerberos initiator token for the test server principal and
/// returns it Base64-encoded, ready to be placed in a Negotiate header.
/// </summary>
/// <returns>the initial GSS token, Base64-encoded on a single line</returns>
/// <exception cref="System.Exception"/>
            public string Call()
            {
                GSSContext context = null;
                GSSManager manager = GSSManager.GetInstance();

                try
                {
                    string  principalName = KerberosTestUtils.GetServerPrincipal();
                    Oid     nameType      = KerberosUtil.GetOidInstance("NT_GSS_KRB5_PRINCIPAL");
                    GSSName targetName    = manager.CreateName(principalName, nameType);
                    Oid     mechanism     = KerberosUtil.GetOidInstance("GSS_KRB5_MECH_OID");
                    context = manager.CreateContext(targetName, mechanism, null,
                                                    GSSContext.DefaultLifetime);
                    // Context flags are requested before the first token is produced:
                    // the client asks to forward its credentials to the service and
                    // to have the service authenticate itself in return.
                    context.RequestCredDeleg(true);
                    context.RequestMutualAuth(true);
                    byte[] empty = new byte[0];
                    byte[] token = context.InitSecContext(empty, 0, empty.Length);
                    // Line length 0: no line wrapping inside the encoded token.
                    return new Base64(0).EncodeToString(token);
                }
                finally
                {
                    if (context != null)
                    {
                        context.Dispose();
                    }
                }
            }
        /// <summary>
        /// Verifies that the Kerberos configuration of the running process yields a
        /// non-empty default realm, and logs the realm that was found.
        /// </summary>
        public virtual void TestDefaultRealmValid()
        {
            string realm = KerberosUtil.GetDefaultRealm();
            AssertNotEmpty("No default Kerberos Realm", realm);
            Log.Info("Default Realm '{}'", realm);
        }
        /// <summary>Set the static configuration to get the rules.</summary>
        /// <remarks>
        /// Set the static configuration to get the rules.
        /// <p/>
        /// IMPORTANT: This method does a NOP if the rules have been set already.
        /// If there is a need to reset the rules, the
        /// <see cref="Org.Apache.Hadoop.Security.Authentication.Util.KerberosName.SetRules(string)"/>
        /// method should be invoked directly.
        /// <p/>
        /// The default rule depends on the configured authentication method: Kerberos
        /// modes use the "DEFAULT" rule, every other mode only extracts the simple user
        /// name from the principal.
        /// </remarks>
        /// <param name="conf">the new configuration</param>
        /// <exception cref="System.IO.IOException"/>
        public static void SetConfiguration(Configuration conf)
        {
            var  method     = SecurityUtil.GetAuthenticationMethod(conf);
            bool isKerberos = method == UserGroupInformation.AuthenticationMethod.Kerberos
                              || method == UserGroupInformation.AuthenticationMethod.KerberosSsl;
            string defaultRule;

            if (isKerberos)
            {
                // Kerberos modes need a resolvable default realm; surface a failure to
                // determine it as a configuration error instead of a late, obscure one.
                try
                {
                    KerberosUtil.GetDefaultRealm();
                }
                catch (Exception ke)
                {
                    throw new ArgumentException("Can't get Kerberos realm", ke);
                }
                defaultRule = "DEFAULT";
            }
            else
            {
                // just extract the simple user name
                defaultRule = "RULE:[1:$1] RULE:[2:$1]";
            }

            string ruleString = conf.Get(CommonConfigurationKeysPublic.HadoopSecurityAuthToLocal,
                                         defaultRule);
            SetRules(ruleString);
        }
 /// <summary>
 /// Get the default kerberos realm, returning "" if there
 /// is no realm or other problem.
 /// </summary>
 /// <remarks>
 /// Failures of the underlying (reflection based) lookup are treated as
 /// "no realm": type/member lookup errors and exceptions thrown by the
 /// invoked member are all swallowed and map to the empty string.
 /// </remarks>
 /// <returns>
 /// the default realm of the system if it
 /// could be determined, otherwise <see cref="string.Empty"/>
 /// </returns>
 public static string GetDefaultRealmInJVM()
 {
     string realm;

     try
     {
         realm = KerberosUtil.GetDefaultRealm();
     }
     catch (TypeLoadException)
     {
         // ignored: the realm-lookup type is not available (JDK7 layout)
         realm = string.Empty;
     }
     catch (MissingMethodException)
     {
         // ignored: the expected lookup method does not exist
         realm = string.Empty;
     }
     catch (MemberAccessException)
     {
         // ignored: the lookup member cannot be accessed
         realm = string.Empty;
     }
     catch (TargetInvocationException)
     {
         // ignored: the lookup itself threw
         realm = string.Empty;
     }
     return realm;
 }
            /// <summary>
            /// Runs the client (initiator) side of the SPNEGO handshake against the host of
            /// the enclosing URL, exchanging tokens with the server until the GSS context
            /// reports that it is established.
            /// </summary>
            /// <returns>always null; the context is disposed before returning</returns>
            /// <exception cref="System.Exception"/>
            public Void Run()
            {
                GSSContext context = null;

                try
                {
                    GSSManager manager          = GSSManager.GetInstance();
                    string     host             = this._enclosing.url.GetHost();
                    string     servicePrincipal = KerberosUtil.GetServicePrincipal("HTTP", host);
                    GSSName    targetName       = manager.CreateName(servicePrincipal,
                                                                     KerberosUtil.GetOidInstance("NT_GSS_KRB5_PRINCIPAL"));
                    Oid        mechanism        = KerberosUtil.GetOidInstance("GSS_KRB5_MECH_OID");
                    context = manager.CreateContext(targetName, mechanism, null,
                                                    GSSContext.DefaultLifetime);
                    // Flags are requested before the first token is produced: delegate
                    // the client's credentials and require the server to prove itself.
                    context.RequestCredDeleg(true);
                    context.RequestMutualAuth(true);

                    byte[] inToken = new byte[0];
                    while (true)
                    {
                        byte[] outToken = context.InitSecContext(inToken, 0, inToken.Length);
                        if (outToken != null)
                        {
                            this._enclosing.SendToken(outToken);
                        }
                        if (context.IsEstablished())
                        {
                            break;
                        }
                        // Not done yet: the server's reply becomes the next input token.
                        inToken = this._enclosing.ReadToken();
                    }
                }
                finally
                {
                    if (context != null)
                    {
                        context.Dispose();
                        context = null;
                    }
                }
                return null;
            }
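            /// <summary>
            /// Builds the JAAS configuration entry that logs the handler in from its keytab as
            /// a Kerberos acceptor. The option names differ between the IBM login module and
            /// the others; on non-IBM JVMs the entry is explicitly non-initiator.
            /// </summary>
            /// <param name="name">JAAS application name; not consulted, every name gets the same entry.</param>
            /// <returns>one required entry for the platform's Krb5 login module.</returns>
            public override AppConfigurationEntry[] GetAppConfigurationEntry(string name)
            {
                IDictionary<string, string> options = new Dictionary<string, string>();

                if (PlatformName.IbmJava)
                {
                    // The IBM module takes the keytab as a file:// URI. The prefix check is
                    // ordinal so its outcome cannot depend on the current culture.
                    options["useKeytab"] = keytab.StartsWith("file://", StringComparison.Ordinal)
                                           ? keytab
                                           : "file://" + keytab;
                    options["principal"] = principal;
                    options["credsType"] = "acceptor";
                }
                else
                {
                    options["keyTab"]         = keytab;
                    options["principal"]      = principal;
                    options["useKeyTab"]      = "true";
                    options["storeKey"]       = "true";
                    options["doNotPrompt"]    = "true";
                    options["useTicketCache"] = "true";
                    options["renewTGT"]       = "true";
                    options["isInitiator"]    = "false";
                }
                options["refreshKrb5Config"] = "true";
                string ticketCache = Runtime.Getenv("KRB5CCNAME");

                if (ticketCache != null)
                {
                    if (PlatformName.IbmJava)
                    {
                        options["useDefaultCcache"] = "true";
                        // The first value searched when "useDefaultCcache" is used.
                        // This is a process-wide property, not a per-entry option.
                        Runtime.SetProperty("KRB5CCNAME", ticketCache);
                        // With a cache available the entry is no longer acceptor-only.
                        options["renewTGT"]  = "true";
                        options["credsType"] = "both";
                    }
                    else
                    {
                        options["ticketCache"] = ticketCache;
                    }
                }
                // Login-module debug output is verbose; only enable it with debug logging.
                if (Log.IsDebugEnabled())
                {
                    options["debug"] = "true";
                }
                return new AppConfigurationEntry[]
                {
                    new AppConfigurationEntry(KerberosUtil.GetKrb5LoginModuleName(),
                                              AppConfigurationEntry.LoginModuleControlFlag.Required,
                                              options)
                };
            }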
            /// <summary>
            /// Builds the JAAS entry used by the tests: a keytab login for <c>principal</c>
            /// acting as initiator, with the module's debug output always enabled.
            /// </summary>
            /// <param name="name">JAAS application name; not consulted.</param>
            /// <returns>one required entry for the platform's Krb5 login module.</returns>
            public override AppConfigurationEntry[] GetAppConfigurationEntry(string name)
            {
                IDictionary<string, string> options = new Dictionary<string, string>
                {
                    { "keyTab",            KerberosTestUtils.GetKeytabFile() },
                    { "principal",         principal },
                    { "useKeyTab",         "true" },
                    { "storeKey",          "true" },
                    { "doNotPrompt",       "true" },
                    { "useTicketCache",    "true" },
                    { "renewTGT",          "true" },
                    { "refreshKrb5Config", "true" },
                    { "isInitiator",       "true" },
                };

                // Reuse the caller's credential cache when the environment names one.
                string ticketCache = Runtime.Getenv("KRB5CCNAME");
                if (ticketCache != null)
                {
                    options["ticketCache"] = ticketCache;
                }
                options["debug"] = "true";

                AppConfigurationEntry entry = new AppConfigurationEntry(
                    KerberosUtil.GetKrb5LoginModuleName(),
                    AppConfigurationEntry.LoginModuleControlFlag.Required,
                    options);
                return new AppConfigurationEntry[] { entry };
            }
            /// <summary>
            /// Runs the server (acceptor) side of one SPNEGO round trip: feeds the client's
            /// token to a fresh GSS context, echoes the resulting server token back in the
            /// WWW-Authenticate header and, once the context is established, derives the
            /// user identity from the peer name reported by the context.
            /// </summary>
            /// <returns>
            /// the authentication token when the context is established after this
            /// round trip, otherwise null (the response is then left as 401)
            /// </returns>
            /// <exception cref="System.Exception"/>
            public AuthenticationToken Run()
            {
                GSSManager          manager       = this._enclosing.gssManager;
                AuthenticationToken result        = null;
                GSSContext          context       = null;
                GSSCredential       acceptorCreds = null;

                try
                {
                    GSSName acceptorName = manager.CreateName(
                        KerberosUtil.GetServicePrincipal("HTTP", serverName),
                        KerberosUtil.GetOidInstance("NT_GSS_KRB5_PRINCIPAL"));
                    Oid[] mechanisms = new Oid[]
                    {
                        KerberosUtil.GetOidInstance("GSS_SPNEGO_MECH_OID"),
                        KerberosUtil.GetOidInstance("GSS_KRB5_MECH_OID")
                    };
                    // Accept-only credentials: this side never initiates a context.
                    acceptorCreds = manager.CreateCredential(acceptorName,
                                                             GSSCredential.IndefiniteLifetime,
                                                             mechanisms,
                                                             GSSCredential.AcceptOnly);
                    context = manager.CreateContext(acceptorCreds);

                    byte[] serverToken = context.AcceptSecContext(clientToken, 0, clientToken.Length);
                    if (serverToken != null && serverToken.Length > 0)
                    {
                        string encoded = base64.EncodeToString(serverToken);
                        response.SetHeader(KerberosAuthenticator.WwwAuthenticate,
                                           KerberosAuthenticator.Negotiate + " " + encoded);
                    }

                    if (context.IsEstablished())
                    {
                        // The identity comes from the established context, not from
                        // anything the client put into the request itself.
                        string       clientPrincipal = context.GetSrcName().ToString();
                        KerberosName kerberosName    = new KerberosName(clientPrincipal);
                        string       userName        = kerberosName.GetShortName();
                        result = new AuthenticationToken(userName, clientPrincipal,
                                                         this._enclosing.GetType());
                        response.SetStatus(HttpServletResponse.ScOk);
                        KerberosAuthenticationHandler.Log.Trace("SPNEGO completed for principal [{}]",
                                                                clientPrincipal);
                    }
                    else
                    {
                        response.SetStatus(HttpServletResponse.ScUnauthorized);
                        KerberosAuthenticationHandler.Log.Trace("SPNEGO in progress");
                    }
                }
                finally
                {
                    if (context != null)
                    {
                        context.Dispose();
                    }
                    if (acceptorCreds != null)
                    {
                        acceptorCreds.Dispose();
                    }
                }
                return result;
            }
 /// <summary>Initializes the authentication handler instance.</summary>
 /// <remarks>
 /// Initializes the authentication handler instance.
 /// <p>
 /// It creates a Kerberos context using the principal and keytab specified in the configuration.
 /// <p>
 /// This method is invoked by the
 /// <see cref="AuthenticationFilter.Init(Javax.Servlet.FilterConfig)"/>
 /// method.
 /// <p>
 /// The principal and keytab properties are mandatory and the keytab file must exist.
 /// A principal of "*" logs in every HTTP/ principal found in the keytab; each login
 /// populates the shared <c>serverSubject</c>, and the GSS manager is then created while
 /// running as that subject.
 /// </remarks>
 /// <param name="config">configuration properties to initialize the handler.</param>
 /// <exception cref="Javax.Servlet.ServletException">thrown if the handler could not be initialized.
 ///     </exception>
 public override void Init(Properties config)
 {
     try
     {
         string principal = config.GetProperty(Principal);
         if (principal == null || principal.Trim().Length == 0)
         {
             throw new ServletException("Principal not defined in configuration");
         }
         // The current field value is the fallback when the property is absent.
         keytab = config.GetProperty(Keytab, keytab);
         if (keytab == null || keytab.Trim().Length == 0)
         {
             throw new ServletException("Keytab not defined in configuration");
         }
         // Check up front so a missing keytab is reported by path rather than as a login failure.
         if (!new FilePath(keytab).Exists())
         {
             throw new ServletException("Keytab does not exist: " + keytab);
         }
         // use all SPNEGO principals in the keytab if a principal isn't
         // specifically configured
         string[] spnegoPrincipals;
         if (principal.Equals("*"))
         {
             // Only HTTP/ service principals qualify for the wildcard.
             spnegoPrincipals = KerberosUtil.GetPrincipalNames(keytab, Pattern.Compile
                                                                   ("HTTP/.*"));
             if (spnegoPrincipals.Length == 0)
             {
                 throw new ServletException("Principals do not exist in the keytab");
             }
         }
         else
         {
             spnegoPrincipals = new string[] { principal };
         }
         // Optional auth-to-local rules; KerberosName.SetRules is static, so this
         // affects every KerberosName in the process.
         string nameRules = config.GetProperty(NameRules, null);
         if (nameRules != null)
         {
             KerberosName.SetRules(nameRules);
         }
         // One keytab login per SPNEGO principal, all against the same serverSubject.
         // The LoginContexts are retained in loginContexts (presumably for logout on
         // shutdown; not visible here).
         foreach (string spnegoPrincipal in spnegoPrincipals)
         {
             Log.Info("Login using keytab {}, for principal {}", keytab, spnegoPrincipal);
             KerberosAuthenticationHandler.KerberosConfiguration kerberosConfiguration = new KerberosAuthenticationHandler.KerberosConfiguration
                                                                                             (keytab, spnegoPrincipal);
             LoginContext loginContext = new LoginContext(string.Empty, serverSubject, null, kerberosConfiguration
                                                          );
             try
             {
                 loginContext.Login();
             }
             catch (LoginException le)
             {
                 Log.Warn("Failed to login as [{}]", spnegoPrincipal, le);
                 throw new AuthenticationException(le);
             }
             loginContexts.AddItem(loginContext);
         }
         // The GSS manager is obtained while running as the logged-in server subject.
         try
         {
             gssManager = Subject.DoAs(serverSubject, new _PrivilegedExceptionAction_229());
         }
         catch (PrivilegedActionException ex)
         {
             // Unwrap the privileged-action wrapper and rethrow the underlying exception.
             throw ex.GetException();
         }
     }
     catch (Exception ex)
     {
         // Everything, including the ServletExceptions thrown above and the
         // AuthenticationException from a failed login, is re-wrapped here; the
         // original exception survives as the cause.
         throw new ServletException(ex);
     }
 }