All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.apache.wss4j.dom.validate.KerberosTokenValidator Maven / Gradle / Ivy

There is a newer version: 3.0.4
Show newest version
/**
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements. See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership. The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License. You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied. See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */

package org.apache.wss4j.dom.validate;

import java.security.Key;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.util.Set;

import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.ext.WSSecurityException.ErrorCode;
import org.apache.wss4j.common.kerberos.KerberosServiceContext;
import org.apache.wss4j.common.kerberos.KerberosServiceExceptionAction;
import org.apache.wss4j.common.kerberos.KerberosTokenDecoder;
import org.apache.wss4j.common.kerberos.KerberosTokenDecoderException;
import org.apache.wss4j.common.token.BinarySecurity;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.message.token.KerberosSecurity;

/**
 */
public class KerberosTokenValidator implements Validator {

    private static final org.slf4j.Logger LOG =
        org.slf4j.LoggerFactory.getLogger(KerberosTokenValidator.class);

    private String serviceName;
    private CallbackHandler callbackHandler;
    private String contextName;
    private KerberosTokenDecoder kerberosTokenDecoder;
    private boolean isUsernameServiceNameForm;
    private boolean spnego;

    /**
     * Get the JAAS Login context name to use.
     * @return the JAAS Login context name to use
     */
    public String getContextName() {
        return contextName;
    }

    /**
     * Set the JAAS Login context name to use.
     * @param contextName the JAAS Login context name to use
     */
    public void setContextName(String contextName) {
        this.contextName = contextName;
    }

    /**
     * Get the CallbackHandler to use with the LoginContext
     * @return the CallbackHandler to use with the LoginContext
     */
    public CallbackHandler getCallbackHandler() {
        return callbackHandler;
    }

    /**
     * Set the CallbackHandler to use with the LoginContext. It can be null.
     * @param callbackHandler the CallbackHandler to use with the LoginContext
     */
    public void setCallbackHandler(CallbackHandler callbackHandler) {
        this.callbackHandler = callbackHandler;
    }

    /**
     * The name of the service to use when contacting the KDC. This value can be null, in which
     * case it defaults to the current principal name.
     * @param serviceName the name of the service to use when contacting the KDC
     */
    public void setServiceName(String serviceName) {
        this.serviceName = serviceName;
    }

    /**
     * Get the name of the service to use when contacting the KDC. This value can be null, in which
     * case it defaults to the current principal name.
     * @return the name of the service to use when contacting the KDC
     */
    public String getServiceName() {
        return serviceName;
    }

    /**
     * Get the KerberosTokenDecoder instance used to extract a session key from the received Kerberos
     * token.
     * @return the KerberosTokenDecoder instance used to extract a session key
     */
    public KerberosTokenDecoder getKerberosTokenDecoder() {
        return kerberosTokenDecoder;
    }

    /**
     * Set the KerberosTokenDecoder instance used to extract a session key from the received Kerberos
     * token.
     * @param kerberosTokenDecoder the KerberosTokenDecoder instance used to extract a session key
     */
    public void setKerberosTokenDecoder(KerberosTokenDecoder kerberosTokenDecoder) {
        this.kerberosTokenDecoder = kerberosTokenDecoder;
    }

    /**
     * Validate the credential argument. It must contain a non-null BinarySecurityToken.
     *
     * @param credential the Credential to be validated
     * @param data the RequestData associated with the request
     * @throws WSSecurityException on a failed validation
     */
    public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
        if (credential == null || credential.getBinarySecurityToken() == null) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "noCredential");
        }

        BinarySecurity binarySecurity = credential.getBinarySecurityToken();
        if (!(binarySecurity instanceof KerberosSecurity)) {
            return credential;
        }

        if (LOG.isDebugEnabled()) {
            try {
                String jaasAuth = System.getProperty("java.security.auth.login.config");
                String krbConf = System.getProperty("java.security.krb5.conf");
                LOG.debug("KerberosTokenValidator - Using JAAS auth login file: " + jaasAuth);
                LOG.debug("KerberosTokenValidator - Using KRB conf file: " + krbConf);
            } catch (SecurityException ex) {
                LOG.debug(ex.getMessage(), ex);
            }
        }

        // Get a TGT from the KDC using JAAS
        LoginContext loginContext = null;
        try {
            if (callbackHandler != null) {
                loginContext = new LoginContext(getContextName(), callbackHandler);
            } else if (data.getCallbackHandler() != null) {
                loginContext = new LoginContext(getContextName(), data.getCallbackHandler());
            } else {
                loginContext = new LoginContext(getContextName());
            }
            loginContext.login();
        } catch (LoginException ex) {
            LOG.debug(ex.getMessage(), ex);
            throw new WSSecurityException(
                WSSecurityException.ErrorCode.FAILURE, ex,
                "kerberosLoginError",
                new Object[] {ex.getMessage()}
            );
        }
        LOG.debug("Successfully authenticated to the TGT");

        byte[] token = binarySecurity.getToken();

        // Get the service name to use - fall back on the principal
        Subject subject = loginContext.getSubject();
        String service = serviceName;
        if (service == null) {
            Set principals = subject.getPrincipals();
            if (principals.isEmpty()) {
                throw new WSSecurityException(
                    WSSecurityException.ErrorCode.FAILURE,
                    "kerberosLoginError",
                    new Object[] {"No Client principals found after login"});
            }
            service = principals.iterator().next().getName();
        }

        // Validate the ticket
        KerberosServiceExceptionAction action =
            new KerberosServiceExceptionAction(token, service,
                                               isUsernameServiceNameForm(), spnego);
        KerberosServiceContext krbServiceCtx = null;
        try {
            krbServiceCtx = Subject.doAs(subject, action);
        } catch (PrivilegedActionException e) {
            Throwable cause = e.getCause();
            if (cause instanceof WSSecurityException) {
                throw (WSSecurityException) cause;
            } else {
                throw new WSSecurityException(
                    ErrorCode.FAILURE, new Exception(cause), "kerberosTicketValidationError"
                );
            }
        }

        credential.setPrincipal(krbServiceCtx.getPrincipal());
        credential.setDelegationCredential(krbServiceCtx.getDelegationCredential());

        // Check to see if the session key is available in KerberosServiceContext
        LOG.debug("Trying to obtain the Session Key from the KerberosServiceContext.");
        Key sessionKey = krbServiceCtx.getSessionKey();
        if (null != sessionKey) {
            LOG.debug("Found session key in the KerberosServiceContext.");
            credential.setSecretKey(sessionKey.getEncoded());
        } else {
            LOG.debug("Session key is not found in the KerberosServiceContext.");
        }

        // Otherwise, try to extract the session key from the token if a KerberosTokenDecoder implementation is
        // available
        if (null == credential.getSecretKey() && kerberosTokenDecoder != null) {
            LOG.debug("KerberosTokenDecoder is set.Trying to obtain the session key from it.");
            kerberosTokenDecoder.clear();
            kerberosTokenDecoder.setToken(token);
            kerberosTokenDecoder.setSubject(subject);
            try {
                byte[] key = kerberosTokenDecoder.getSessionKey();
                if (null != key) {
                    LOG.debug("Session key obtained from the KerberosTokenDecoder.");
                    credential.setSecretKey(key);
                } else {
                    LOG.debug("Session key could not be obtained from the KerberosTokenDecoder.");
                }
            } catch (KerberosTokenDecoderException e) {
                // TODO
                throw new WSSecurityException(ErrorCode.FAILURE, e, "Error retrieving session key.");
            }
        } else {
            LOG.debug("KerberosTokenDecoder is not set.");
        }

        LOG.debug("Successfully validated a ticket");

        return credential;
    }

    /**
     * SPN can be configured to be in either "hostbased" or "username" form.
* - "hostbased" - specifies that the service principal name should be interpreted as a "host-based" name as specified in GSS API Rfc, section "4.1: Host-Based Service Name Form" - The service name, as it is specified in LDAP/AD, as it is listed in the KDC.
* - "username" - specifies that the service principal name should be interpreted as a "username" name as specified in GSS API Rfc, section "4.2: User Name Form" � This is usually the client username in LDAP/AD used for authentication to the KDC. * *

Default is "hostbased". * * @return the isUsernameServiceNameForm */ public boolean isUsernameServiceNameForm() { return isUsernameServiceNameForm; } /** * If true - sets the SPN form to "username" *
If false(default) - the SPN form is "hostbased" * * @see KerberosSecurity#retrieveServiceTicket(String, CallbackHandler, String, boolean) * * @param isUsernameServiceNameForm the isUsernameServiceNameForm to set */ public void setUsernameServiceNameForm(boolean isUsernameServiceNameForm) { this.isUsernameServiceNameForm = isUsernameServiceNameForm; } public boolean isSpnego() { return spnego; } public void setSpnego(boolean spnego) { this.spnego = spnego; } }




© 2015 - 2024 Weber Informatics LLC | Privacy Policy