All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.apache.wss4j.common.spnego.SpnegoTokenContext Maven / Gradle / Ivy

/**
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements. See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership. The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License. You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied. See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */

package org.apache.wss4j.common.spnego;

import java.security.Principal;
import java.security.PrivilegedActionException;
import java.util.Set;

import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.ext.WSSecurityException.ErrorCode;
import org.apache.wss4j.common.kerberos.KerberosClientExceptionAction;
import org.apache.wss4j.common.kerberos.KerberosContext;
import org.apache.wss4j.common.kerberos.KerberosServiceContext;
import org.apache.wss4j.common.kerberos.KerberosServiceExceptionAction;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.MessageProp;

/**
 * This class wraps a GSSContext and provides some functionality to obtain and validate spnego tokens.
 */
public class SpnegoTokenContext {

    private static final org.slf4j.Logger LOG =
        org.slf4j.LoggerFactory.getLogger(SpnegoTokenContext.class);

    private GSSContext secContext;
    private byte[] token;
    private boolean mutualAuth;
    private SpnegoClientAction clientAction;
    private SpnegoServiceAction serviceAction;
    private GSSCredential delegationCredential;
    private Principal spnegoPrincipal;

    /**
     * Retrieve a service ticket from a KDC using the Kerberos JAAS module, and set it in this
     * BinarySecurityToken.
     * @param jaasLoginModuleName the JAAS Login Module name to use
     * @param callbackHandler a CallbackHandler instance to retrieve a password (optional)
     * @param serviceName the desired Kerberized service
     * @throws WSSecurityException
     */
    public void retrieveServiceTicket(
        String jaasLoginModuleName,
        CallbackHandler callbackHandler,
        String serviceName
    ) throws WSSecurityException {
        retrieveServiceTicket(jaasLoginModuleName, callbackHandler, serviceName, false);
    }


    /**
     * Retrieve a service ticket from a KDC using the Kerberos JAAS module, and set it in this
     * BinarySecurityToken.
     * @param jaasLoginModuleName the JAAS Login Module name to use
     * @param callbackHandler a CallbackHandler instance to retrieve a password (optional)
     * @param serviceName the desired Kerberized service
     * @param isUsernameServiceNameForm
     * @throws WSSecurityException
     */
    public void retrieveServiceTicket(
        String jaasLoginModuleName,
        CallbackHandler callbackHandler,
        String serviceName,
        boolean isUsernameServiceNameForm
    ) throws WSSecurityException {
        retrieveServiceTicket(jaasLoginModuleName, callbackHandler, serviceName,
                              isUsernameServiceNameForm, false, null);
    }

    /**
     * Retrieve a service ticket from a KDC using the Kerberos JAAS module, and set it in this
     * BinarySecurityToken.
     * @param jaasLoginModuleName the JAAS Login Module name to use
     * @param callbackHandler a CallbackHandler instance to retrieve a password (optional)
     * @param serviceName the desired Kerberized service
     * @param isUsernameServiceNameForm
     * @param requestCredDeleg Whether to request credential delegation or not
     * @param delegationCredential The delegation credential to use
     * @throws WSSecurityException
     */
    public void retrieveServiceTicket(
        String jaasLoginModuleName,
        CallbackHandler callbackHandler,
        String serviceName,
        boolean isUsernameServiceNameForm,
        boolean requestCredDeleg,
        GSSCredential delegationCredential
    ) throws WSSecurityException {

        // Get a TGT from the KDC using JAAS
        LoginContext loginContext = null;
        try {
            if (callbackHandler == null) {
                loginContext = new LoginContext(jaasLoginModuleName);
            } else {
                loginContext = new LoginContext(jaasLoginModuleName, callbackHandler);
            }
            loginContext.login();
        } catch (LoginException ex) {
            LOG.debug(ex.getMessage(), ex);
            throw new WSSecurityException(
                WSSecurityException.ErrorCode.FAILURE, ex, "kerberosLoginError",
                new Object[] {ex.getMessage()});
        }
        LOG.debug("Successfully authenticated to the TGT");

        Subject clientSubject = loginContext.getSubject();
        Set clientPrincipals = clientSubject.getPrincipals();
        if (clientPrincipals.isEmpty()) {
            throw new WSSecurityException(
                WSSecurityException.ErrorCode.FAILURE,
                "kerberosLoginError",
                new Object[] {"No Client principals found after login"});
        }

        // Get the service ticket
        if (clientAction != null) {
            clientAction.setServiceName(serviceName);
            clientAction.setMutualAuth(mutualAuth);
            clientAction.setUserNameServiceForm(isUsernameServiceNameForm);
            token = Subject.doAs(clientSubject, clientAction);
            if (token == null) {
                throw new WSSecurityException(
                    WSSecurityException.ErrorCode.FAILURE, "kerberosServiceTicketError"
                );
            }

            secContext = clientAction.getContext();
        } else {
            KerberosClientExceptionAction action =
                new KerberosClientExceptionAction(null, serviceName,
                                                  isUsernameServiceNameForm,
                                                  requestCredDeleg,
                                                  delegationCredential,
                                                  true,
                                                  mutualAuth);
            KerberosContext krbCtx = null;
            try {
                krbCtx = (KerberosContext) Subject.doAs(clientSubject, action);

                token = krbCtx.getKerberosToken();
                if (token == null) {
                    throw new WSSecurityException(
                        WSSecurityException.ErrorCode.FAILURE, "kerberosServiceTicketError"
                    );
                }

                secContext = krbCtx.getGssContext();
            } catch (PrivilegedActionException e) {
                Throwable cause = e.getCause();
                if (cause instanceof WSSecurityException) {
                    throw (WSSecurityException) cause;
                } else {
                    throw new WSSecurityException(
                         ErrorCode.FAILURE, new Exception(cause), "kerberosServiceTicketError"
                    );
                }
            }
        }

        LOG.debug("Successfully retrieved a service ticket");
    }

    /**
     * Validate a service ticket.
     * @param jaasLoginModuleName
     * @param callbackHandler
     * @param serviceName
     * @param ticket
     * @throws WSSecurityException
     */
    public void validateServiceTicket(
        String jaasLoginModuleName,
        CallbackHandler callbackHandler,
        String serviceName,
        byte[] ticket
    ) throws WSSecurityException {
        validateServiceTicket(jaasLoginModuleName, callbackHandler, serviceName, false, ticket);
     }

    /**
     * Validate a service ticket.
     * @param jaasLoginModuleName
     * @param callbackHandler
     * @param serviceName
     * @param ticket
     * @throws WSSecurityException
     */
    public void validateServiceTicket(
        String jaasLoginModuleName,
        CallbackHandler callbackHandler,
        String serviceName,
        boolean isUsernameServiceNameForm,
        byte[] ticket
    ) throws WSSecurityException {
        // Get a TGT from the KDC using JAAS
        LoginContext loginContext = null;
        try {
            if (callbackHandler == null) {
                loginContext = new LoginContext(jaasLoginModuleName);
            } else {
                loginContext = new LoginContext(jaasLoginModuleName, callbackHandler);
            }
            loginContext.login();
        } catch (LoginException ex) {
            LOG.debug(ex.getMessage(), ex);
            throw new WSSecurityException(
                WSSecurityException.ErrorCode.FAILURE, ex, "kerberosLoginError",
                new Object[] {ex.getMessage()});
        }
        LOG.debug("Successfully authenticated to the TGT");

        // Get the service name to use - fall back on the principal
        Subject subject = loginContext.getSubject();
        String service = serviceName;
        if (service == null) {
            Set principals = subject.getPrincipals();
            if (principals.isEmpty()) {
                throw new WSSecurityException(
                    WSSecurityException.ErrorCode.FAILURE,
                    "kerberosLoginError",
                    new Object[] {"No Client principals found after login"});
            }
            service = principals.iterator().next().getName();
        }

        // Validate the ticket
        if (serviceAction != null) {
            serviceAction.setTicket(ticket);
            serviceAction.setServiceName(service);
            serviceAction.setUsernameServiceNameForm(isUsernameServiceNameForm);
            token = Subject.doAs(subject, serviceAction);
            secContext = serviceAction.getContext();
        } else {
            KerberosServiceExceptionAction action =
                new KerberosServiceExceptionAction(ticket, service,
                                                   isUsernameServiceNameForm, true);
            KerberosServiceContext krbCtx = null;
            try {
                krbCtx = (KerberosServiceContext) Subject.doAs(subject, action);

                token = krbCtx.getKerberosToken();
                if (token == null) {
                    throw new WSSecurityException(
                        WSSecurityException.ErrorCode.FAILURE, "kerberosServiceTicketError"
                    );
                }

                secContext = krbCtx.getGssContext();
                delegationCredential = krbCtx.getDelegationCredential();
                spnegoPrincipal = krbCtx.getPrincipal();
            } catch (PrivilegedActionException e) {
                Throwable cause = e.getCause();
                if (cause instanceof WSSecurityException) {
                    throw (WSSecurityException) cause;
                } else {
                    throw new WSSecurityException(
                         ErrorCode.FAILURE, new Exception(cause), "kerberosServiceTicketError"
                    );
                }
            }
        }

        LOG.debug("Successfully validated a service ticket");
    }

    /**
     * Whether to enable mutual authentication or not. This only applies to retrieve service ticket.
     */
    public void setMutualAuth(boolean mutualAuthentication) {
        mutualAuth = mutualAuthentication;
    }

    /**
     * Get the SPNEGO token that was created.
     */
    public byte[] getToken() {
        return token;
    }

    /**
     * Whether a connection has been established (at the service side)
     */
    public boolean isEstablished() {
        if (secContext == null) {
            return false;
        }
        return secContext.isEstablished();
    }

    /**
     * Unwrap a key
     */
    public byte[] unwrapKey(byte[] secret) throws WSSecurityException {
        MessageProp mProp = new MessageProp(0, true);
        try {
            return secContext.unwrap(secret, 0, secret.length, mProp);
        } catch (GSSException e) {
            LOG.debug("Error in cleaning up a GSS context", e);
            throw new WSSecurityException(
                WSSecurityException.ErrorCode.FAILURE, e, "spnegoKeyError"
            );
        }
    }

    /**
     * Wrap a key
     */
    public byte[] wrapKey(byte[] secret) throws WSSecurityException {
        MessageProp mProp = new MessageProp(0, true);
        try {
            return secContext.wrap(secret, 0, secret.length, mProp);
        } catch (GSSException e) {
            LOG.debug("Error in cleaning up a GSS context", e);
            throw new WSSecurityException(
                WSSecurityException.ErrorCode.FAILURE, e, "spnegoKeyError"
            );
        }
    }

    /**
     * Set a custom SpnegoClientAction implementation to use
     */
    public void setSpnegoClientAction(SpnegoClientAction spnegoClientAction) {
        this.clientAction = spnegoClientAction;
    }

    /**
     * Set a custom SpnegoServiceAction implementation to use
     */
    public void setSpnegoServiceAction(SpnegoServiceAction spnegoServiceAction) {
        this.serviceAction = spnegoServiceAction;
    }

    public void clear() {
        token = null;
        mutualAuth = false;
        delegationCredential = null;
        spnegoPrincipal = null;
        try {
            secContext.dispose();
        } catch (GSSException e) {
            LOG.debug("Error in cleaning up a GSS context", e);
        }
    }

    public GSSCredential getDelegationCredential() {
        return delegationCredential;
    }

    public Principal getSpnegoPrincipal() {
        return spnegoPrincipal;
    }

}




© 2015 - 2024 Weber Informatics LLC | Privacy Policy