Posted to commits@directory.apache.org by pl...@apache.org on 2017/09/14 12:54:53 UTC
[1/6] directory-kerby git commit: DIRKRB-651 - Add support to send a
JWT AccessToken via the GSS API
Repository: directory-kerby
Updated Branches:
refs/heads/cross-realm c4c43ced6 -> 2b0e56920
DIRKRB-651 - Add support to send a JWT AccessToken via the GSS API
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/515b3f2f
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/515b3f2f
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/515b3f2f
Branch: refs/heads/cross-realm
Commit: 515b3f2f86f6d5a20714a04bedca5757fa832280
Parents: c4c43ce
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Tue Sep 5 12:09:03 2017 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Tue Sep 5 12:09:03 2017 +0100
----------------------------------------------------------------------
.../integration/test/KerbyTokenAppTest.java | 126 +++++++++++++++++++
.../kerb/integration/test/TokenAppTest.java | 88 +++++++++++++
.../kerberos/kerb/gss/impl/GssContext.java | 4 +-
.../kerberos/kerb/gss/impl/GssInitCred.java | 19 ++-
.../kerby/kerberos/kerb/gss/impl/GssUtil.java | 54 ++++++--
5 files changed, 275 insertions(+), 16 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/515b3f2f/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/KerbyTokenAppTest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/KerbyTokenAppTest.java b/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/KerbyTokenAppTest.java
new file mode 100644
index 0000000..b0033f4
--- /dev/null
+++ b/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/KerbyTokenAppTest.java
@@ -0,0 +1,126 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.integration.test;
+
+import java.io.InputStream;
+import java.security.PrivateKey;
+import java.security.PrivilegedAction;
+import java.security.Provider;
+import java.security.interfaces.RSAPrivateKey;
+import java.util.Collections;
+
+import javax.security.auth.Subject;
+
+import org.apache.kerby.kerberos.kerb.KrbRuntime;
+import org.apache.kerby.kerberos.kerb.common.PrivateKeyReader;
+import org.apache.kerby.kerberos.kerb.gss.KerbyGssProvider;
+import org.apache.kerby.kerberos.kerb.integration.test.gss.GssAppClient;
+import org.apache.kerby.kerberos.kerb.integration.test.gss.GssAppServer;
+import org.apache.kerby.kerberos.kerb.provider.TokenEncoder;
+import org.apache.kerby.kerberos.kerb.type.base.AuthToken;
+import org.apache.kerby.kerberos.kerb.type.base.KrbToken;
+import org.apache.kerby.kerberos.kerb.type.base.TokenFormat;
+import org.apache.kerby.kerberos.provider.token.JwtTokenEncoder;
+import org.junit.Before;
+import org.junit.Test;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import static org.junit.Assert.assertTrue;
+
+public class KerbyTokenAppTest extends TokenAppTest {
+
+ private static final Logger LOG = LoggerFactory.getLogger(KerbyGssAppTest.class);
+
+ @Before
+ @Override
+ public void setUp() throws Exception {
+ Provider provider = new KerbyGssProvider();
+ java.security.Security.insertProviderAt(provider, 1);
+ super.setUp();
+ }
+
+ // Here the client is sending a JWT token to the service as an "access token", to be
+ // inserted into the AuthorizationData part of the service ticket.
+ @Test
+ public void testJwtAccessToken() throws Exception {
+ runAppClientWithToken(createAppClient());
+ }
+
+ private void runAppClientWithToken(final AppClient appClient) throws Exception {
+ Subject subject = loginClientUsingPassword();
+
+ // Get an AuthToken
+ AuthToken authToken = issueToken(getClientPrincipal());
+ authToken.isAcToken(true);
+ authToken.isIdToken(false);
+ authToken.setAudiences(Collections.singletonList(getServerPrincipal()));
+ KrbToken krbToken = new KrbToken(authToken, TokenFormat.JWT);
+
+ // Sign it
+ try (InputStream is = this.getClass().getResource("/private_key.pem").openStream()) {
+ PrivateKey signKey = PrivateKeyReader.loadPrivateKey(is);
+ krbToken.setTokenValue(signToken(authToken, signKey));
+ }
+
+ // Add KrbToken to the private creds
+ subject.getPrivateCredentials().add(krbToken);
+
+ Subject.doAs(subject, new PrivilegedAction<Object>() {
+ @Override
+ public Object run() {
+ try {
+ appClient.run();
+ } catch (Exception ex) {
+ LOG.error(ex.toString());
+ }
+ return null;
+ }
+ });
+
+ assertTrue("Client successfully connected and authenticated to server",
+ appClient.isTestOK());
+ }
+
+ private byte[] signToken(AuthToken authToken, PrivateKey signKey) throws Exception {
+ TokenEncoder tokenEncoder = KrbRuntime.getTokenProvider().createTokenEncoder();
+ assertTrue(tokenEncoder instanceof JwtTokenEncoder);
+
+ ((JwtTokenEncoder) tokenEncoder).setSignKey((RSAPrivateKey) signKey);
+ return tokenEncoder.encodeAsBytes(authToken);
+ }
+
+ @Override
+ protected AppServer createAppServer() throws Exception {
+ return new GssAppServer(new String[] {
+ String.valueOf(getServerPort()),
+ getServerPrincipal()
+ });
+ }
+
+ private AppClient createAppClient() throws Exception {
+ return new GssAppClient(new String[] {
+ getHostname(),
+ String.valueOf(getServerPort()),
+ getClientPrincipal(),
+ getServerPrincipal()
+ });
+ }
+}
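Review bot: The logger at line 85 is created with `KerbyGssAppTest.class`, so anything this test logs is attributed to a different test class; it should read `private static final Logger LOG = LoggerFactory.getLogger(KerbyTokenAppTest.class);`. The `catch (Exception ex) { LOG.error(ex.toString()); }` inside the `doAs` action (lines 126–128) discards the stack trace and lets the run continue to an `assertTrue` whose message, "Client successfully connected and authenticated to server", is what JUnit prints on failure, so a failed run reads like a success. Logging with `LOG.error("App client failed", ex)` and failing fast there keeps the real cause visible. The same pattern appears in `TokenAppTest` in the next hunk.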
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/515b3f2f/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/TokenAppTest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/TokenAppTest.java b/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/TokenAppTest.java
new file mode 100644
index 0000000..55298f9
--- /dev/null
+++ b/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/TokenAppTest.java
@@ -0,0 +1,88 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.integration.test;
+
+import org.apache.kerby.util.NetworkUtil;
+import org.junit.Assert;
+import org.junit.Before;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.security.auth.Subject;
+import java.security.PrivilegedAction;
+
+public abstract class TokenAppTest extends TokenLoginTestBase {
+ private static final Logger LOG = LoggerFactory.getLogger(TokenAppTest.class);
+ private int serverPort;
+ protected AppServer appServer;
+
+ @Before
+ @Override
+ public void setUp() throws Exception {
+ super.setUp();
+
+ serverPort = NetworkUtil.getServerPort();
+
+ setupAppServer();
+ }
+
+ protected int getServerPort() {
+ return serverPort;
+ }
+
+ protected void setupAppServer() throws Exception {
+ Subject subject = loginServiceUsingKeytab();
+ Subject.doAs(subject, new PrivilegedAction<Object>() {
+ @Override
+ public Object run() {
+ try {
+ appServer = createAppServer();
+ appServer.start();
+ } catch (Exception ex) {
+ LOG.error(ex.toString());
+ }
+
+ return null;
+ }
+ });
+ }
+
+ protected abstract AppServer createAppServer() throws Exception;
+
+ protected void runAppClient(final AppClient appClient) throws Exception {
+ Subject subject = loginClientUsingTicketCache();
+ Subject.doAs(subject, new PrivilegedAction<Object>() {
+ @Override
+ public Object run() {
+ try {
+ appClient.run();
+ } catch (Exception ex) {
+ LOG.error(ex.toString());
+ }
+ return null;
+ }
+ });
+
+ Assert.assertTrue("Client successfully connected and authenticated to server",
+ appClient.isTestOK());
+ }
+
+}
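Review bot: `setupAppServer` swallows any exception from `createAppServer()` or `start()` by logging only `ex.toString()` (lines 228–230), so `appServer` stays null or unstarted and the failure surfaces later as a client-side assertion or as a `NullPointerException` where subclasses dereference `appServer`. Rethrowing from the action, e.g. `throw new IllegalStateException("Failed to start app server", ex);`, fails the test at the point of the real cause and preserves the stack trace. I cannot see whether `TokenLoginTestBase` stops `appServer` after each test; if it does not, an `@After` that shuts it down would avoid leaking a listening socket across tests in the same JVM.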
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/515b3f2f/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssContext.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssContext.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssContext.java
index 138bdd2..3da77d2 100644
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssContext.java
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssContext.java
@@ -278,7 +278,9 @@ public class GssContext implements GSSContextSpi {
sgtTicket = GssUtil.getSgtCredentialFromContext(caller, clientPrincipal.getName(), serviceName);
if (sgtTicket == null) {
- sgtTicket = GssUtil.applySgtCredential(((GssInitCred) myCred).getKerberosTicket(), serviceName);
+ sgtTicket = GssUtil.applySgtCredential(((GssInitCred) myCred).getKerberosTicket(),
+ ((GssInitCred) myCred).getKrbToken(),
+ serviceName);
// add this service credential to context
final KerberosTicket ticket =
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/515b3f2f/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssInitCred.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssInitCred.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssInitCred.java
index 225e581..aa41718 100644
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssInitCred.java
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssInitCred.java
@@ -19,32 +19,41 @@
*/
package org.apache.kerby.kerberos.kerb.gss.impl;
+import org.apache.kerby.kerberos.kerb.type.base.KrbToken;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSName;
import sun.security.jgss.GSSCaller;
+import java.util.Set;
+
import javax.security.auth.kerberos.KerberosTicket;
public final class GssInitCred extends GssCredElement {
private KerberosTicket ticket;
+ private KrbToken krbToken;
- private GssInitCred(GSSCaller caller, GssNameElement name, KerberosTicket ticket, int lifeTime) {
+ private GssInitCred(GSSCaller caller, GssNameElement name,
+ KerberosTicket ticket, KrbToken krbToken, int lifeTime) {
super(caller, name);
this.ticket = ticket;
this.initLifeTime = lifeTime;
+ this.krbToken = krbToken;
}
public static GssInitCred getInstance(GSSCaller caller, GssNameElement name, int lifeTime) throws GSSException {
+ Set<KrbToken> krbTokens = CredUtils.getContextCredentials(KrbToken.class);
+ KrbToken krbToken = krbTokens != null && !krbTokens.isEmpty() ? krbTokens.iterator().next() : null;
+
if (name == null) {
KerberosTicket ticket = CredUtils.getKerberosTicketFromContext(caller, null, null);
GssNameElement clientName = GssNameElement.getInstance(ticket.getClient().getName(), GSSName.NT_USER_NAME);
- return new GssInitCred(caller, clientName, ticket, lifeTime);
+ return new GssInitCred(caller, clientName, ticket, krbToken, lifeTime);
}
KerberosTicket ticket = CredUtils.getKerberosTicketFromContext(caller, name.getPrincipalName().getName(), null);
- return new GssInitCred(caller, name, ticket, lifeTime);
+ return new GssInitCred(caller, name, ticket, krbToken, lifeTime);
}
public boolean isInitiatorCredential() throws GSSException {
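Review bot: `getInstance` uses whichever `KrbToken` `iterator().next()` happens to return from the Subject's credentials (lines 301–302), so if a Subject carries more than one token — an identity token alongside an access token, say — the token later sent to the KDC is unspecified and may differ between runs. Either filter for the token intended as the access token (the `AuthToken` flags the client sets in `KerbyTokenAppTest`, if `KrbToken` exposes them) or document the assumption with `// NOTE: only the first KrbToken found in the Subject is used; callers must add exactly one`. The lookup also ignores `caller`, unlike the adjacent `getKerberosTicketFromContext` calls, and the new `getKrbToken()` in the next hunk should carry a one-line Javadoc stating that it returns null when the Subject held no token.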
@@ -58,4 +67,8 @@ public final class GssInitCred extends GssCredElement {
public KerberosTicket getKerberosTicket() {
return ticket;
}
+
+ public KrbToken getKrbToken() {
+ return krbToken;
+ }
}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/515b3f2f/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssUtil.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssUtil.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssUtil.java
index 099c79b..ca3c509 100644
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssUtil.java
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssUtil.java
@@ -21,12 +21,14 @@ package org.apache.kerby.kerberos.kerb.gss.impl;
import org.apache.kerby.kerberos.kerb.KrbException;
import org.apache.kerby.kerberos.kerb.client.KrbClientBase;
+import org.apache.kerby.kerberos.kerb.client.KrbTokenClient;
import org.apache.kerby.kerberos.kerb.type.KerberosTime;
import org.apache.kerby.kerberos.kerb.type.ad.AuthorizationData;
import org.apache.kerby.kerberos.kerb.type.ad.AuthorizationDataEntry;
import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey;
import org.apache.kerby.kerberos.kerb.type.base.HostAddress;
import org.apache.kerby.kerberos.kerb.type.base.HostAddresses;
+import org.apache.kerby.kerberos.kerb.type.base.KrbToken;
import org.apache.kerby.kerberos.kerb.type.base.PrincipalName;
import org.apache.kerby.kerberos.kerb.type.kdc.EncAsRepPart;
import org.apache.kerby.kerberos.kerb.type.kdc.EncKdcRepPart;
@@ -217,22 +219,37 @@ public class GssUtil {
/**
* Apply SgtTicket by sending TGS_REQ to KDC
* @param ticket
+ * @param krbToken
* @param service
* @return
*/
- public static SgtTicket applySgtCredential(KerberosTicket ticket, String service) throws GSSException {
+ public static SgtTicket applySgtCredential(KerberosTicket ticket, KrbToken krbToken,
+ String service) throws GSSException {
TgtTicket tgt = getTgtTicketFromKerberosTicket(ticket);
- return applySgtCredential(tgt, service);
+ if (krbToken == null) {
+ return applySgtCredential(tgt, service);
+ }
+
+ return applySgtCredential(tgt, krbToken, service);
}
public static SgtTicket applySgtCredential(TgtTicket tgt, String server) throws GSSException {
KrbClientBase client = getKrbClient();
- SgtTicket sgt = null;
try {
client.init();
- sgt = client.requestSgt(tgt, server);
- return sgt;
+ return client.requestSgt(tgt, server);
+ } catch (KrbException e) {
+ throw new GSSException(GSSException.FAILURE, -1, e.getMessage());
+ }
+ }
+
+ public static SgtTicket applySgtCredential(TgtTicket tgt, KrbToken krbToken, String server) throws GSSException {
+ KrbTokenClient client = getKrbTokenClient();
+
+ try {
+ client.init();
+ return client.requestSgt(krbToken, server, tgt);
} catch (KrbException e) {
throw new GSSException(GSSException.FAILURE, -1, e.getMessage());
}
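Review bot: `getKrbTokenClient()` and `getKrbClient()` return null when the client cannot be constructed — see `catch (KrbException e) { return null; }` in the following hunk — so `client.init()` at line 380 (and line 367) fails with a `NullPointerException` instead of the `GSSException` callers expect. Add a guard before use: `if (client == null) { throw new GSSException(GSSException.FAILURE, -1, "Unable to create Kerberos client"); }`. The two `catch` blocks also keep only `e.getMessage()`; building the exception first and calling `initCause(e)` on it before throwing preserves the `KrbException` for diagnosis. The Javadoc `@return` on `applySgtCredential(KerberosTicket, KrbToken, String)` is still empty and should say that the service ticket is obtained through the token client when `krbToken` is non-null and through the plain client otherwise.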
@@ -302,21 +319,34 @@ public class GssUtil {
}
public static KrbClientBase getKrbClient() {
- KrbClientBase client;
try {
String systemProperty = getSystemProperty("java.security.krb5.conf");
if (systemProperty != null) {
File confSpecified = new File(systemProperty);
if (confSpecified.exists()) {
- client = new KrbClientBase(confSpecified);
- } else {
- client = new KrbClientBase(); // get configure file from environment variable or default path
+ return new KrbClientBase(confSpecified);
+ }
+ }
+
+ // get configuration file from environment variable or default path
+ return new KrbClientBase();
+ } catch (KrbException e) {
+ return null;
+ }
+ }
+
+ public static KrbTokenClient getKrbTokenClient() {
+ try {
+ String systemProperty = getSystemProperty("java.security.krb5.conf");
+ if (systemProperty != null) {
+ File confSpecified = new File(systemProperty);
+ if (confSpecified.exists()) {
+ return new KrbTokenClient(confSpecified);
}
- } else {
- client = new KrbClientBase();
}
- return client;
+ // get configuration file from environment variable or default path
+ return new KrbTokenClient();
} catch (KrbException e) {
return null;
}
[3/6] directory-kerby git commit: DIRKRB-653 Implement kinit -c -S to
get service ticket. Contributed by Frank Zeng.
Posted by pl...@apache.org.
DIRKRB-653 Implement kinit -c -S to get service ticket. Contributed by Frank Zeng.
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/d37de32e
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/d37de32e
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/d37de32e
Branch: refs/heads/cross-realm
Commit: d37de32e442090709c9d78c85a53b30ac6b08117
Parents: c90672d
Author: plusplusjiajia <ji...@intel.com>
Authored: Thu Sep 7 10:13:25 2017 +0800
Committer: plusplusjiajia <ji...@intel.com>
Committed: Thu Sep 7 10:13:25 2017 +0800
----------------------------------------------------------------------
.../kerberos/kerb/client/KrbClientBase.java | 84 ++++++++++++--------
.../kerberos/kerb/ccache/CredentialCache.java | 5 ++
.../kerby/kerberos/tool/kinit/KinitTool.java | 53 ++++++++++--
3 files changed, 105 insertions(+), 37 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/d37de32e/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbClientBase.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbClientBase.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbClientBase.java
index d05fee2..cc05a25 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbClientBase.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbClientBase.java
@@ -215,13 +215,16 @@ public class KrbClientBase {
/**
* Request a service ticket
* @param ccFile The credential cache file
+ * @param servicePrincipal The service principal
* @return service ticket
* @throws KrbException e
*/
- public SgtTicket requestSgt(File ccFile) throws KrbException {
+ public SgtTicket requestSgt(File ccFile, String servicePrincipal) throws KrbException {
Credential credential = getCredentialFromFile(ccFile);
- String servicePrincipal = credential.getServicePrincipal().getName();
TgtTicket tgt = getTgtTicketFromCredential(credential);
+ if (servicePrincipal == null) {
+ servicePrincipal = credential.getServicePrincipal().getName();
+ }
KOptions requestOptions = new KOptions();
requestOptions.add(KrbKdcOption.RENEW);
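Review bot: The new `servicePrincipal` parameter changes meaning depending on whether it is null (lines 465–467), but the Javadoc `@param servicePrincipal The service principal` does not say so; write `@param servicePrincipal The service principal, or null to use the service principal recorded in the cached credential`. With an explicit, different service principal the request still adds `KrbKdcOption.RENEW` (line 469), which asks the KDC to renew the presented ticket rather than issue one for a new service — worth confirming that the request path tolerates that flag in this case. The method body continues past the end of the hunk.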
@@ -243,21 +246,7 @@ public class KrbClientBase {
File ccacheFile) throws KrbException {
LOG.info("Storing the tgt to the credential cache file.");
if (!ccacheFile.exists()) {
- try {
- if (!ccacheFile.createNewFile()) {
- throw new KrbException("Failed to create ccache file "
- + ccacheFile.getAbsolutePath());
- }
- // sets read-write permissions to owner only
- ccacheFile.setReadable(false, false);
- ccacheFile.setReadable(true, true);
- if (!ccacheFile.setWritable(true, true)) {
- throw new KrbException("Cache file is not readable.");
- }
- } catch (IOException e) {
- throw new KrbException("Failed to create ccache file "
- + ccacheFile.getAbsolutePath(), e);
- }
+ createCacheFile(ccacheFile);
}
if (ccacheFile.exists() && ccacheFile.canWrite()) {
CredentialCache cCache = new CredentialCache(tgtTicket);
@@ -281,32 +270,65 @@ public class KrbClientBase {
public void storeTicket(SgtTicket sgtTicket, File ccacheFile) throws KrbException {
LOG.info("Storing the sgt to the credential cache file.");
if (!ccacheFile.exists()) {
+ createCacheFile(ccacheFile);
+ }
+ if (ccacheFile.exists() && ccacheFile.canWrite()) {
+ CredentialCache cCache = new CredentialCache();
try {
- if (!ccacheFile.createNewFile()) {
- throw new KrbException("Failed to create ccache file "
- + ccacheFile.getAbsolutePath());
- }
- // sets read-write permissions to owner only
- ccacheFile.setReadable(false, false);
- ccacheFile.setReadable(true, true);
- if (!ccacheFile.setWritable(true, true)) {
- throw new KrbException("Cache file is not readable.");
- }
+ cCache.load(ccacheFile);
+ cCache.addCredential(new Credential(sgtTicket, sgtTicket.getClientPrincipal()));
+ cCache.setPrimaryPrincipal(sgtTicket.getClientPrincipal());
+ cCache.store(ccacheFile);
} catch (IOException e) {
- throw new KrbException("Failed to create ccache file "
- + ccacheFile.getAbsolutePath(), e);
+ throw new KrbException("Failed to store sgt", e);
}
+ } else {
+ throw new IllegalArgumentException("Invalid ccache file, "
+ + "not exist or writable: " + ccacheFile.getAbsolutePath());
+ }
+ }
+
+ /**
+ * Store sgt into the specified credential cache file.
+ * @param sgtTicket The sgt ticket
+ * @param ccacheFile The credential cache file
+ * @throws KrbException e
+ */
+ public void renewTicket(SgtTicket sgtTicket, File ccacheFile) throws KrbException {
+ LOG.info("Renewing the ticket to the credential cache file.");
+ if (!ccacheFile.exists()) {
+ createCacheFile(ccacheFile);
}
if (ccacheFile.exists() && ccacheFile.canWrite()) {
CredentialCache cCache = new CredentialCache(sgtTicket);
try {
cCache.store(ccacheFile);
} catch (IOException e) {
- throw new KrbException("Failed to store tgt", e);
+ throw new KrbException("Failed to renew ticket", e);
}
} else {
throw new IllegalArgumentException("Invalid ccache file, "
- + "not exist or writable: " + ccacheFile.getAbsolutePath());
+ + "not exist or writable: " + ccacheFile.getAbsolutePath());
+ }
+ }
+
+ /**
+ * Create the specified credential cache file.
+ */
+ private void createCacheFile(File ccacheFile) throws KrbException {
+ try {
+ if (!ccacheFile.createNewFile()) {
+ throw new KrbException("Failed to create ccache file "
+ + ccacheFile.getAbsolutePath());
+ }
+ // sets read-write permissions to owner only
+ ccacheFile.setReadable(true, true);
+ if (!ccacheFile.setWritable(true, true)) {
+ throw new KrbException("Cache file is not readable.");
+ }
+ } catch (IOException e) {
+ throw new KrbException("Failed to create ccache file "
+ + ccacheFile.getAbsolutePath(), e);
}
}
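Review bot: The extracted `createCacheFile` (lines 556–571) drops the `ccacheFile.setReadable(false, false);` that both original copies had, so the group/other read bits left by the process umask are never cleared and `setReadable(true, true)` only adds the owner bit; a credential cache holding session keys can end up readable by other local users. Restore the clearing step before re-granting to the owner — `ccacheFile.setReadable(false, false);` `ccacheFile.setWritable(false, false);` `ccacheFile.setReadable(true, true);` — and check the return values instead of ignoring them. There is still a window between `createNewFile()` and the permission calls during which the file exists with default permissions; on POSIX platforms `Files.createFile` with `PosixFilePermissions.asFileAttribute` closes it. The `"Cache file is not readable."` message on the `setWritable` failure path names the wrong permission, and the Javadoc on `renewTicket` (lines 527–532) was copied from `storeTicket` and still says "Store sgt into the specified credential cache file" although the method overwrites the cache file with a new cache built from the single ticket.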
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/d37de32e/kerby-kerb/kerb-util/src/main/java/org/apache/kerby/kerberos/kerb/ccache/CredentialCache.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-util/src/main/java/org/apache/kerby/kerberos/kerb/ccache/CredentialCache.java b/kerby-kerb/kerb-util/src/main/java/org/apache/kerby/kerberos/kerb/ccache/CredentialCache.java
index f742649..828a0c5 100644
--- a/kerby-kerb/kerb-util/src/main/java/org/apache/kerby/kerberos/kerb/ccache/CredentialCache.java
+++ b/kerby-kerb/kerb-util/src/main/java/org/apache/kerby/kerberos/kerb/ccache/CredentialCache.java
@@ -157,6 +157,11 @@ public class CredentialCache implements KrbCredentialCache {
@Override
public void addCredential(Credential credential) {
if (credential != null) {
+ for (Credential cred : this.credentials) {
+ if (cred.getServerName().getName().equals(credential.getServerName().getName())) {
+ return;
+ }
+ }
this.credentials.add(credential);
}
}
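Review bot: The new loop in `addCredential` returns silently when a credential for the same server name is already cached, so a freshly obtained ticket for that service — the `kinit -c -S` path in this commit loads the cache, calls `addCredential`, then stores — is discarded and the older, possibly expired, ticket is kept. Replacing the existing entry instead of dropping the new one keeps the cache current; the rewrite below does that with an explicit iterator (it needs `java.util.Iterator` in the imports if not already present, and assumes `credentials` is a `java.util.Collection`). `getServerName()` is also dereferenced on both sides without a null check; whether a `Credential` can carry a null server name is not visible here.
```java
    @Override
    public void addCredential(Credential credential) {
        if (credential != null) {
            // Replace any existing entry for the same server so a renewed ticket wins
            Iterator<Credential> it = this.credentials.iterator();
            while (it.hasNext()) {
                if (it.next().getServerName().getName().equals(credential.getServerName().getName())) {
                    it.remove();
                    break;
                }
            }
            this.credentials.add(credential);
        }
    }
```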
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/d37de32e/kerby-tool/client-tool/src/main/java/org/apache/kerby/kerberos/tool/kinit/KinitTool.java
----------------------------------------------------------------------
diff --git a/kerby-tool/client-tool/src/main/java/org/apache/kerby/kerberos/tool/kinit/KinitTool.java b/kerby-tool/client-tool/src/main/java/org/apache/kerby/kerberos/tool/kinit/KinitTool.java
index 8ad13a9..d359f0c 100644
--- a/kerby-tool/client-tool/src/main/java/org/apache/kerby/kerberos/tool/kinit/KinitTool.java
+++ b/kerby-tool/client-tool/src/main/java/org/apache/kerby/kerberos/tool/kinit/KinitTool.java
@@ -83,13 +83,25 @@ public class KinitTool {
+ "\t\t-X <attribute>[=<value>]\n"
+ "\n";
-
private static void printUsage(String error) {
System.err.println(error + "\n");
System.err.println(USAGE);
System.exit(-1);
}
+ private static final String KVNO_USAGE = (OSUtil.isWindows()
+ ? "Usage: bin\\kinit.cmd" : "Usage: sh bin/kinit.sh")
+ + " <-conf conf_dir> <-c cachename> <-S service_name>\n\n"
+ + "\tDESCRIPTION:\n"
+ + "\t\tkinit obtains a service ticket for the specified principal and prints out the key version number.\n"
+ + "\n";
+
+ private static void printKvnoUsage(String error) {
+ System.err.println(error + "\n");
+ System.err.println(KVNO_USAGE);
+ System.exit(-1);
+ }
+
/**
* Get password for the input principal from console
*/
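Review bot: `KVNO_USAGE` is a `static final` constant declared between two methods (lines 605–610) rather than alongside `USAGE` at the top of the class, and `printKvnoUsage` repeats `printUsage` line for line except for the text it prints. A single `private static void printUsage(String error, String usage)` with the two constants grouped together removes the duplication; the existing `printUsage(String)` can delegate to it so the call sites stay unchanged.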
@@ -135,13 +147,13 @@ public class KinitTool {
SgtTicket sgtTicket = null;
try {
- sgtTicket = krbClient.requestSgt(ccFile);
+ sgtTicket = krbClient.requestSgt(ccFile, null);
} catch (KrbException e) {
System.err.println("kinit: " + e.getKrbErrorCode().getMessage());
}
try {
- krbClient.storeTicket(sgtTicket, ccFile);
+ krbClient.renewTicket(sgtTicket, ccFile);
} catch (KrbException e) {
System.err.println("kinit: " + e.getKrbErrorCode().getMessage());
}
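Review bot: When `requestSgt` throws, the `catch` at lines 626–628 prints the error but execution continues with `sgtTicket == null`, so `krbClient.renewTicket(sgtTicket, ccFile)` dereferences null inside `new CredentialCache(sgtTicket)` and the user gets a stack trace instead of the kinit message. Add `return;` after the `System.err.println(...)` in that catch; the same gap exists in the new `-c -S` block in the next hunk (lines 647–649), where `sgtTicket.getEncKdcRepPart()` is called afterwards. `e.getKrbErrorCode()` is also dereferenced without a null check in these messages; I cannot tell from here whether every `KrbException` carries an error code.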
@@ -151,6 +163,30 @@ public class KinitTool {
return;
}
+ if (ktOptions.contains(KinitOption.SERVICE) && ktOptions.contains(KinitOption.KRB5_CACHE)) {
+ String ccName = ktOptions.getStringOption(KinitOption.KRB5_CACHE);
+ File ccFile = new File(ccName);
+ if (ccFile.exists()) {
+ System.out.println("Use credential cache to request a service ticket.");
+ String servicePrincipal = ktOptions.getStringOption(KinitOption.SERVICE);
+ SgtTicket sgtTicket = null;
+ try {
+ sgtTicket = krbClient.requestSgt(ccFile, servicePrincipal);
+ } catch (KrbException e) {
+ System.err.println("kinit: " + e.getKrbErrorCode().getMessage());
+ }
+
+ try {
+ krbClient.storeTicket(sgtTicket, ccFile);
+ } catch (KrbException e) {
+ System.err.println("kinit: " + e.getKrbErrorCode().getMessage());
+ }
+
+ System.out.println(sgtTicket.getEncKdcRepPart().getSname().getName() + ": knvo = "
+ + sgtTicket.getTicket().getEncryptedEncPart().getKvno());
+ return;
+ }
+ }
if (ktOptions.contains(KinitOption.ANONYMOUS)) {
ktOptions.add(PkinitOption.USE_ANONYMOUS);
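Review bot: The output at line 657 spells the key-version label `knvo`; it should be `kvno`, e.g. `+ ": kvno = "`, and the same typo is repeated in the later hunk at line 680. When `-c` names a file that does not exist (line 641) the block falls through silently into the ordinary kinit path; if that is intended it deserves a comment, otherwise `printKvnoUsage("Credential cache file not found: " + ccName);` tells the user what went wrong.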
@@ -189,7 +225,9 @@ public class KinitTool {
System.out.println("Successfully requested and stored ticket in "
+ ccacheFile.getAbsolutePath());
+
if (ktOptions.contains(KinitOption.SERVICE)) {
+ System.out.println("Use tgt to request a service ticket.");
String servicePrincipal = ktOptions.getStringOption(KinitOption.SERVICE);
SgtTicket sgtTicket;
try {
@@ -198,8 +236,9 @@ public class KinitTool {
System.err.println("kinit: " + e.getKrbErrorCode().getMessage());
return;
}
- System.out.println("Successfully requested the service ticket for " + servicePrincipal
- + "\nKey version: " + sgtTicket.getTicket().getTktvno());
+
+ System.out.println(sgtTicket.getEncKdcRepPart().getSname().getName() + ": knvo = "
+ + sgtTicket.getTicket().getEncryptedEncPart().getKvno());
}
}
@@ -270,8 +309,10 @@ public class KinitTool {
if (principal == null) {
if (ktOptions.contains(KinitOption.ANONYMOUS)) {
principal = KrbConstant.ANONYMOUS_PRINCIPAL;
- } else if (!ktOptions.contains(KinitOption.KRB5_CACHE)) {
+ } else if (!ktOptions.contains(KinitOption.SERVICE) && !ktOptions.contains(KinitOption.KRB5_CACHE)) {
printUsage("No principal is specified");
+ } else if (ktOptions.contains(KinitOption.SERVICE) && !ktOptions.contains(KinitOption.KRB5_CACHE)) {
+ printKvnoUsage("No credential cache file given.");
}
}
[4/6] directory-kerby git commit: DIRKRB-654 - Adding tests for the
JWT Access Token case using GSS
Posted by pl...@apache.org.
DIRKRB-654 - Adding tests for the JWT Access Token case using GSS
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/f56fc968
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/f56fc968
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/f56fc968
Branch: refs/heads/cross-realm
Commit: f56fc9681c5068db2de0b25d199ca47d63457369
Parents: d37de32
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Sep 8 11:36:06 2017 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Sep 8 11:36:06 2017 +0100
----------------------------------------------------------------------
.../kerb/integration/test/gss/GssAppServer.java | 22 ++++++++++++++++++++
.../integration/test/KerbyTokenAppTest.java | 7 +++++++
2 files changed, 29 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f56fc968/kerby-kerb/integration-test/src/main/java/org/apache/kerby/kerberos/kerb/integration/test/gss/GssAppServer.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/integration-test/src/main/java/org/apache/kerby/kerberos/kerb/integration/test/gss/GssAppServer.java b/kerby-kerb/integration-test/src/main/java/org/apache/kerby/kerberos/kerb/integration/test/gss/GssAppServer.java
index c7b5ae4..0eb2aae 100644
--- a/kerby-kerb/integration-test/src/main/java/org/apache/kerby/kerberos/kerb/integration/test/gss/GssAppServer.java
+++ b/kerby-kerb/integration-test/src/main/java/org/apache/kerby/kerberos/kerb/integration/test/gss/GssAppServer.java
@@ -22,6 +22,8 @@ package org.apache.kerby.kerberos.kerb.integration.test.gss;
import org.apache.kerby.kerberos.kerb.integration.test.AppServer;
import org.apache.kerby.kerberos.kerb.integration.test.AppUtil;
import org.apache.kerby.kerberos.kerb.integration.test.Transport;
+import org.apache.kerby.kerberos.kerb.type.ad.AdToken;
+import org.apache.kerby.kerberos.kerb.type.base.KrbToken;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
@@ -29,11 +31,16 @@ import org.ietf.jgss.GSSName;
import org.ietf.jgss.MessageProp;
import org.ietf.jgss.Oid;
+import com.sun.security.jgss.AuthorizationDataEntry;
+import com.sun.security.jgss.ExtendedGSSContext;
+import com.sun.security.jgss.InquireType;
+
public class GssAppServer extends AppServer {
private String serverPrincipal;
private GSSManager manager;
private GSSContext context;
private boolean createContextWithCred = true;
+ private KrbToken receivedAccessToken;
public GssAppServer(String[] args) throws Exception {
super(args);
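Review bot: `receivedAccessToken` (line 742) is written while a client connection is being handled and read afterwards by the test through `getReceivedAccessToken()`; if the connection is handled on a thread other than the one that later reads the field, there is no visibility guarantee without synchronization. Declaring it `private volatile KrbToken receivedAccessToken;` is the minimal fix, unless the surrounding `AppServer` code already establishes the happens-before, which is not visible in this hunk.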
@@ -87,6 +94,17 @@ public class GssAppServer extends AppServer {
doWith(context, conn);
+ // Store any received access token for later retrieval
+ ExtendedGSSContext extendedContext = (ExtendedGSSContext) context;
+ AuthorizationDataEntry[] authzDataEntries =
+ (AuthorizationDataEntry[]) extendedContext.inquireSecContext(InquireType.KRB5_GET_AUTHZ_DATA);
+ if (authzDataEntries != null && authzDataEntries.length > 0) {
+ byte[] data = authzDataEntries[0].getData();
+ AdToken adToken = new AdToken();
+ adToken.decode(data);
+ receivedAccessToken = adToken.getToken();
+ }
+
context.dispose();
}
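Review bot: The new block takes `authzDataEntries[0]` and decodes it as an `AdToken` without checking the entry's type (lines 751–755), so if the service ticket carries any other authorization-data entry first, `decode` runs on unrelated bytes and either fails or yields a wrong token. Iterating the entries and matching `getType()` against the project's AD-TOKEN type value makes the extraction robust; the rewrite below does that with a labelled placeholder for the constant. The `(ExtendedGSSContext) context` cast is unconditional and would throw `ClassCastException` with a context implementation that does not support the extension; an `instanceof` guard documents the assumption.
```java
        // Store any received access token for later retrieval
        if (context instanceof ExtendedGSSContext) {
            AuthorizationDataEntry[] authzDataEntries = (AuthorizationDataEntry[])
                ((ExtendedGSSContext) context).inquireSecContext(InquireType.KRB5_GET_AUTHZ_DATA);
            if (authzDataEntries != null) {
                for (AuthorizationDataEntry entry : authzDataEntries) {
                    if (entry.getType() == AD_TOKEN_TYPE /* placeholder: the project's AD-TOKEN type value */) {
                        AdToken adToken = new AdToken();
                        adToken.decode(entry.getData());
                        receivedAccessToken = adToken.getToken();
                        break;
                    }
                }
            }
        }
        // … unchanged: context.dispose() …
```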
@@ -116,4 +134,8 @@ public class GssAppServer extends AppServer {
public void setCreateContextWithCred(boolean createContextWithCred) {
this.createContextWithCred = createContextWithCred;
}
+
+ public KrbToken getReceivedAccessToken() {
+ return receivedAccessToken;
+ }
}
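Review bot: `getReceivedAccessToken()` has no Javadoc and its contract is not obvious: it returns `null` until a context carrying an AdToken entry has been accepted, and since the field is overwritten on each accepted context it reflects only the most recent one. A one-line doc such as `/** The access token found in the most recently accepted context's authorization data, or null if none has been received yet. */` would cover this. If the accept loop runs on a different thread than the test that calls this getter, the field should also be declared `volatile` for visibility; whether that is the case is not visible in this hunk.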
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f56fc968/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/KerbyTokenAppTest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/KerbyTokenAppTest.java b/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/KerbyTokenAppTest.java
index 897e084..5696b89 100644
--- a/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/KerbyTokenAppTest.java
+++ b/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/KerbyTokenAppTest.java
@@ -43,6 +43,8 @@ import org.junit.Test;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertTrue;
public class KerbyTokenAppTest extends TokenAppTest {
@@ -62,6 +64,11 @@ public class KerbyTokenAppTest extends TokenAppTest {
@Test
public void testJwtAccessToken() throws Exception {
runAppClientWithToken(createAppClient());
+
+ KrbToken receivedToken = ((GssAppServer) appServer).getReceivedAccessToken();
+ assertNotNull(receivedToken);
+ assertEquals(getClientPrincipal(), receivedToken.getSubject());
+ assertEquals(getServerPrincipal(), receivedToken.getAudiences().get(0));
}
private void runAppClientWithToken(final AppClient appClient) throws Exception {
[5/6] directory-kerby git commit: Trivial whitespace change
Posted by pl...@apache.org.
Trivial whitespace change
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/276905dd
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/276905dd
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/276905dd
Branch: refs/heads/cross-realm
Commit: 276905dde9ac19e9a5975d9fbfe1365f236d710a
Parents: f56fc96
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Sep 8 12:25:31 2017 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Sep 8 12:25:31 2017 +0100
----------------------------------------------------------------------
.../java/org/apache/kerby/kerberos/kerb/server/KdcHandler.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/276905dd/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcHandler.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcHandler.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcHandler.java
index 5f625ff..3a06b20 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcHandler.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcHandler.java
@@ -174,7 +174,7 @@ public class KdcHandler {
private KrbMessage handleRecoverableException(KdcRecoverableException e,
KdcRequest kdcRequest)
throws KrbException {
- LOG.info("KRB error occurred while processing request:"
+ LOG.info("KRB error occurred while processing request: "
+ e.getMessage());
KrbError error = e.getKrbError();
[2/6] directory-kerby git commit: DIRKRB-652 Support dynamic load
token provider.
Posted by pl...@apache.org.
DIRKRB-652 Support dynamic loading of token providers.
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/c90672d6
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/c90672d6
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/c90672d6
Branch: refs/heads/cross-realm
Commit: c90672d6d3ae1893edd0b27dc26488d53aff98f5
Parents: 515b3f2
Author: plusplusjiajia <ji...@intel.com>
Authored: Wed Sep 6 14:10:55 2017 +0800
Committer: plusplusjiajia <ji...@intel.com>
Committed: Wed Sep 6 14:10:55 2017 +0800
----------------------------------------------------------------------
.../kerby/kerberos/kdc/TokenKdcTestBase.java | 12 +---
.../kerb/integration/test/JWTTokenTest.java | 2 +-
.../integration/test/KerbyTokenAppTest.java | 2 +-
.../integration/test/TokenLoginTestBase.java | 15 ++---
.../kerb/client/jaas/TokenAuthLoginModule.java | 4 +-
.../apache/kerby/kerberos/kerb/KrbRuntime.java | 5 +-
.../kerberos/kerb/TokenProviderRegistry.java | 63 ++++++++++++++++++++
.../kerberos/kerb/provider/TokenProvider.java | 7 +++
.../kerby/kerberos/kerb/type/base/KrbToken.java | 12 ++--
.../kerb/server/preauth/token/TokenPreauth.java | 2 +-
.../provider/token/JwtTokenProvider.java | 8 +++
...e.kerby.kerberos.kerb.provider.TokenProvider | 16 +++++
.../kerberos/provider/token/TokenTest.java | 58 ++++++++----------
.../kerby/kerberos/tool/token/TokenInit.java | 11 +---
14 files changed, 145 insertions(+), 72 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/c90672d6/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/TokenKdcTestBase.java
----------------------------------------------------------------------
diff --git a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/TokenKdcTestBase.java b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/TokenKdcTestBase.java
index b53495a..d330abf 100644
--- a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/TokenKdcTestBase.java
+++ b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/TokenKdcTestBase.java
@@ -33,8 +33,6 @@ import org.apache.kerby.kerberos.kerb.type.base.TokenFormat;
import org.apache.kerby.kerberos.kerb.type.ticket.KrbTicket;
import org.apache.kerby.kerberos.kerb.type.ticket.TgtTicket;
import org.apache.kerby.kerberos.provider.token.JwtTokenEncoder;
-import org.apache.kerby.kerberos.provider.token.JwtTokenProvider;
-import org.junit.Before;
import java.io.File;
import java.io.IOException;
@@ -56,12 +54,6 @@ public class TokenKdcTestBase extends KdcTestBase {
private File cCacheFile;
private KrbToken krbToken;
- @Before
- public void setUp() throws Exception {
- KrbRuntime.setTokenProvider(new JwtTokenProvider());
- super.setUp();
- }
-
@Override
protected void configKdcSeverAndClient() {
super.configKdcSeverAndClient();
@@ -90,7 +82,7 @@ public class TokenKdcTestBase extends KdcTestBase {
protected AuthToken prepareToken(String audience, String issuer,
PrivateKey signingKey, PublicKey encryptionKey) {
- AuthToken authToken = KrbRuntime.getTokenProvider().createTokenFactory().createToken();
+ AuthToken authToken = KrbRuntime.getTokenProvider("JWT").createTokenFactory().createToken();
authToken.setIssuer(issuer);
authToken.setSubject(SUBJECT);
@@ -112,7 +104,7 @@ public class TokenKdcTestBase extends KdcTestBase {
Date iat = now;
authToken.setIssueTime(iat);
- TokenEncoder tokenEncoder = KrbRuntime.getTokenProvider().createTokenEncoder();
+ TokenEncoder tokenEncoder = KrbRuntime.getTokenProvider("JWT").createTokenEncoder();
if (tokenEncoder instanceof JwtTokenEncoder && signingKey != null) {
tokenEncoder.setSignKey(signingKey);
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/c90672d6/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/JWTTokenTest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/JWTTokenTest.java b/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/JWTTokenTest.java
index 792e23a..116185a 100644
--- a/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/JWTTokenTest.java
+++ b/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/JWTTokenTest.java
@@ -512,7 +512,7 @@ public class JWTTokenTest extends TokenLoginTestBase {
}
private byte[] signToken(AuthToken authToken, PrivateKey signKey) throws Exception {
- TokenEncoder tokenEncoder = KrbRuntime.getTokenProvider().createTokenEncoder();
+ TokenEncoder tokenEncoder = KrbRuntime.getTokenProvider("JWT").createTokenEncoder();
assertTrue(tokenEncoder instanceof JwtTokenEncoder);
((JwtTokenEncoder) tokenEncoder).setSignKey((RSAPrivateKey) signKey);
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/c90672d6/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/KerbyTokenAppTest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/KerbyTokenAppTest.java b/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/KerbyTokenAppTest.java
index b0033f4..897e084 100644
--- a/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/KerbyTokenAppTest.java
+++ b/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/KerbyTokenAppTest.java
@@ -100,7 +100,7 @@ public class KerbyTokenAppTest extends TokenAppTest {
}
private byte[] signToken(AuthToken authToken, PrivateKey signKey) throws Exception {
- TokenEncoder tokenEncoder = KrbRuntime.getTokenProvider().createTokenEncoder();
+ TokenEncoder tokenEncoder = KrbRuntime.getTokenProvider("JWT").createTokenEncoder();
assertTrue(tokenEncoder instanceof JwtTokenEncoder);
((JwtTokenEncoder) tokenEncoder).setSignKey((RSAPrivateKey) signKey);
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/c90672d6/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/TokenLoginTestBase.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/TokenLoginTestBase.java b/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/TokenLoginTestBase.java
index 044870b..e064b20 100644
--- a/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/TokenLoginTestBase.java
+++ b/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/TokenLoginTestBase.java
@@ -20,20 +20,19 @@
package org.apache.kerby.kerberos.kerb.integration.test;
import org.apache.kerby.kerberos.kerb.KrbRuntime;
-import org.apache.kerby.kerberos.kerb.common.KrbUtil;
import org.apache.kerby.kerberos.kerb.client.jaas.TokenCache;
import org.apache.kerby.kerberos.kerb.client.jaas.TokenJaasKrbUtil;
+import org.apache.kerby.kerberos.kerb.common.KrbUtil;
import org.apache.kerby.kerberos.kerb.provider.TokenEncoder;
import org.apache.kerby.kerberos.kerb.server.KdcConfigKey;
import org.apache.kerby.kerberos.kerb.server.LoginTestBase;
import org.apache.kerby.kerberos.kerb.server.TestKdcServer;
import org.apache.kerby.kerberos.kerb.type.base.AuthToken;
import org.apache.kerby.kerberos.kerb.type.ticket.TgtTicket;
-import org.apache.kerby.kerberos.provider.token.JwtTokenProvider;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
import org.junit.After;
import org.junit.Before;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
import javax.security.auth.Subject;
import java.io.File;
@@ -52,10 +51,6 @@ public class TokenLoginTestBase extends LoginTestBase {
static final String GROUP = "sales-group";
static final String ROLE = "ADMIN";
- static {
- KrbRuntime.setTokenProvider(new JwtTokenProvider());
- }
-
@Before
@Override
public void setUp() throws Exception {
@@ -89,7 +84,7 @@ public class TokenLoginTestBase extends LoginTestBase {
TokenEncoder tokenEncoder = null;
try {
- tokenEncoder = KrbRuntime.getTokenProvider().createTokenEncoder();
+ tokenEncoder = KrbRuntime.getTokenProvider("JWT").createTokenEncoder();
} catch (Exception e) {
LOG.error("Failed to create token. " + e.toString());
}
@@ -107,7 +102,7 @@ public class TokenLoginTestBase extends LoginTestBase {
}
protected AuthToken issueToken(String principal) {
- AuthToken authToken = KrbRuntime.getTokenProvider().createTokenFactory().createToken();
+ AuthToken authToken = KrbRuntime.getTokenProvider("JWT").createTokenFactory().createToken();
String iss = "token-service";
authToken.setIssuer(iss);
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/c90672d6/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/jaas/TokenAuthLoginModule.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/jaas/TokenAuthLoginModule.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/jaas/TokenAuthLoginModule.java
index bb98a46..472fecd 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/jaas/TokenAuthLoginModule.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/jaas/TokenAuthLoginModule.java
@@ -263,13 +263,13 @@ public class TokenAuthLoginModule implements LoginModule {
// Sign the token.
if (signKeyFile != null) {
try {
- TokenDecoder tokenDecoder = KrbRuntime.getTokenProvider().createTokenDecoder();
+ TokenDecoder tokenDecoder = KrbRuntime.getTokenProvider("JWT").createTokenDecoder();
try {
authToken = tokenDecoder.decodeFromString(tokenStr);
} catch (IOException e) {
LOG.error("Token decode failed. " + e.toString());
}
- TokenEncoder tokenEncoder = KrbRuntime.getTokenProvider().createTokenEncoder();
+ TokenEncoder tokenEncoder = KrbRuntime.getTokenProvider("JWT").createTokenEncoder();
if (tokenEncoder instanceof JwtTokenEncoder) {
PrivateKey signKey = null;
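Review bot: The token type `"JWT"` is repeated as a bare literal twice in this hunk, again in TokenPreauth (`KrbRuntime.getTokenProvider("JWT").createTokenDecoder()`), and as the return value of `JwtTokenProvider.getTokenType()`; the registry lookup is a plain string match, so a mismatch in any one of them surfaces only at runtime as the RuntimeException thrown by TokenProviderRegistry. Define the identifier once and reference it from the login module, the preauth plugin and the provider — KrbToken in this same commit already derives it from `TokenFormat.getName()`, which is the natural home. A short comment here, `// This login module only handles JWT tokens, whatever format the caller supplies`, would also document why the type is fixed rather than taken from the token. The enclosing method continues past this hunk.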
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/c90672d6/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/KrbRuntime.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/KrbRuntime.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/KrbRuntime.java
index ff36235..c1a668d 100644
--- a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/KrbRuntime.java
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/KrbRuntime.java
@@ -35,7 +35,10 @@ public class KrbRuntime {
* Set up token provider, should be done at very initial time
* @return token provider
*/
- public static synchronized TokenProvider getTokenProvider() {
+ public static synchronized TokenProvider getTokenProvider(String tokenType) {
+ if (tokenProvider == null || !tokenType.equals(tokenProvider.getTokenType())) {
+ tokenProvider = TokenProviderRegistry.createProvider(tokenType);
+ }
if (tokenProvider == null) {
throw new RuntimeException("No token provider is available");
}
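Review bot: `getTokenProvider(String tokenType)` dereferences its argument in `tokenType.equals(tokenProvider.getTokenType())`, so a null type now yields a NullPointerException instead of the intended "No token provider is available" error; add `Objects.requireNonNull(tokenType, "tokenType");` as the first statement. The following `if (tokenProvider == null)` check is unreachable after this change, because `TokenProviderRegistry.createProvider` throws rather than returning null. The retained Javadoc ("Set up token provider, should be done at very initial time") no longer describes what the method does; it should become a lookup description with a `@param tokenType the registered token type identifier, e.g. the value returned by TokenProvider.getTokenType()` and a `@throws RuntimeException if no provider is registered for that type`. Replacing the single cached field with a per-type map would also avoid re-instantiating a provider every time callers alternate between types. The method's return statement lies outside this hunk.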
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/c90672d6/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/TokenProviderRegistry.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/TokenProviderRegistry.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/TokenProviderRegistry.java
new file mode 100644
index 0000000..55bc076
--- /dev/null
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/TokenProviderRegistry.java
@@ -0,0 +1,63 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.kerby.kerberos.kerb;
+
+import org.apache.kerby.kerberos.kerb.provider.TokenProvider;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.util.Collections;
+import java.util.Map;
+import java.util.ServiceLoader;
+import java.util.Set;
+import java.util.concurrent.ConcurrentHashMap;
+
+public class TokenProviderRegistry {
+ static final Logger LOG = LoggerFactory.getLogger(TokenProviderRegistry.class);
+
+ private static Map<String, Class> allProvider = new ConcurrentHashMap<>();
+
+ static {
+ ServiceLoader<TokenProvider> providers = ServiceLoader.load(TokenProvider.class);
+
+ for (TokenProvider provider : providers) {
+ allProvider.put(provider.getTokenType(), provider.getClass());
+ }
+ }
+
+ public static Set<String> registeredProviders() {
+ return Collections.unmodifiableSet(allProvider.keySet());
+ }
+
+ public static boolean registeredProvider(String name) {
+ return allProvider.containsKey(name);
+ }
+
+ public static TokenProvider createProvider(String name) {
+ if (!registeredProvider(name)) {
+ LOG.error("Unregistered token provider " + name);
+ throw new RuntimeException("Unregistered token provider " + name);
+ }
+ try {
+ return (TokenProvider) allProvider.get(name).newInstance();
+ } catch (Exception e) {
+ LOG.error("Create {} token provider failed", name, e);
+ throw new RuntimeException("Create " + name + "token provider failed" + e);
+ }
+ }
+}
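Review bot: `createProvider` discards the original exception — `"... failed" + e` appends `e.toString()` to the message rather than passing it as the cause — and the message is missing a space before "token provider"; use `throw new RuntimeException("Create " + name + " token provider failed", e);`. `allProvider` is a non-final map declared with the raw `Class` type and instantiated via the deprecated `Class.newInstance()`, which also lets checked exceptions from the constructor escape unchecked; declare it `private static final Map<String, Class<? extends TokenProvider>> allProvider = new ConcurrentHashMap<>();` and instantiate with `allProvider.get(name).getDeclaredConstructor().newInstance();`, which removes the cast. The ServiceLoader scan runs in a static initializer, so a malformed provider descriptor on the classpath surfaces as a ServiceConfigurationError wrapped in ExceptionInInitializerError on first use of the class, which the catch in `createProvider` never sees — a class Javadoc stating that providers are discovered from `META-INF/services` descriptors on the classpath and keyed by `TokenProvider.getTokenType()` would tell operators where a provider comes from and why a classpath change can alter which one is used.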
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/c90672d6/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/provider/TokenProvider.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/provider/TokenProvider.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/provider/TokenProvider.java
index 0ff548f..6a64c37 100644
--- a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/provider/TokenProvider.java
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/provider/TokenProvider.java
@@ -27,6 +27,13 @@ package org.apache.kerby.kerberos.kerb.provider;
public interface TokenProvider extends KrbProvider {
/**
+ * Get the token type
+ *
+ * @return login type
+ */
+ String getTokenType();
+
+ /**
* Create a token encoder.
* @return token encoder
*/
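Review bot: The Javadoc for the new `getTokenType()` says `@return login type`, which reads as copied from another interface; the method returns the identifier the registry keys on. Suggested: `* @return the token type identifier (for example "JWT") under which this provider is registered in TokenProviderRegistry; must not be null`. The non-null requirement matters because TokenProviderRegistry stores the value as a ConcurrentHashMap key, which rejects null.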
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/c90672d6/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/base/KrbToken.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/base/KrbToken.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/base/KrbToken.java
index d1637b5..dbc99d7 100644
--- a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/base/KrbToken.java
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/base/KrbToken.java
@@ -63,7 +63,7 @@ public class KrbToken extends KrbTokenBase implements AuthToken {
setTokenType();
setTokenFormat(format);
try {
- setTokenValue(getTokenEncoder().encodeAsBytes(innerToken));
+ setTokenValue(getTokenEncoder(format).encodeAsBytes(innerToken));
} catch (KrbException e) {
throw new RuntimeException("Failed to encode AuthToken", e);
}
@@ -93,7 +93,7 @@ public class KrbToken extends KrbTokenBase implements AuthToken {
public void decode(Asn1ParseResult parseResult) throws IOException {
super.decode(parseResult);
if (getTokenValue() != null) {
- this.innerToken = getTokenDecoder().decodeFromBytes(getTokenValue());
+ this.innerToken = getTokenDecoder(getTokenFormat()).decodeFromBytes(getTokenValue());
setTokenType();
}
}
@@ -114,9 +114,9 @@ public class KrbToken extends KrbTokenBase implements AuthToken {
* Get token encoder.
* @return The token encoder
*/
- protected static TokenEncoder getTokenEncoder() {
+ protected static TokenEncoder getTokenEncoder(TokenFormat format) {
if (tokenEncoder == null) {
- tokenEncoder = KrbRuntime.getTokenProvider().createTokenEncoder();
+ tokenEncoder = KrbRuntime.getTokenProvider(format.getName()).createTokenEncoder();
}
return tokenEncoder;
}
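Review bot: `getTokenEncoder(TokenFormat format)` only consults `format` while the static `tokenEncoder` is still null; after the first call the cached encoder is returned for every format, so a token of a second format silently gets the first format's encoder, and the same applies to `getTokenDecoder` in the next hunk. Either drop the static cache and call `KrbRuntime.getTokenProvider(format.getName()).createTokenEncoder()` on each call (KrbRuntime already caches the provider), or key the cache by format. The retained Javadoc should gain `@param format the token format whose registered provider supplies the encoder`. The decode path in the earlier hunk, `getTokenDecoder(getTokenFormat())`, will also throw NullPointerException from `format.getName()` if the parsed token carries no format field; whether KrbTokenBase guarantees one is not visible here.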
@@ -125,9 +125,9 @@ public class KrbToken extends KrbTokenBase implements AuthToken {
* Get token decoder.
* @return The token decoder
*/
- protected static TokenDecoder getTokenDecoder() {
+ protected static TokenDecoder getTokenDecoder(TokenFormat format) {
if (tokenDecoder == null) {
- tokenDecoder = KrbRuntime.getTokenProvider().createTokenDecoder();
+ tokenDecoder = KrbRuntime.getTokenProvider(format.getName()).createTokenDecoder();
}
return tokenDecoder;
}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/c90672d6/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
index e508023..2b703bb 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
@@ -91,7 +91,7 @@ public class TokenPreauth extends AbstractPreauthPlugin {
}
// Configure keys
- TokenDecoder tokenDecoder = KrbRuntime.getTokenProvider().createTokenDecoder();
+ TokenDecoder tokenDecoder = KrbRuntime.getTokenProvider("JWT").createTokenDecoder();
configureKeys(tokenDecoder, kdcRequest, issuer);
AuthToken authToken = null;
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/c90672d6/kerby-provider/token-provider/src/main/java/org/apache/kerby/kerberos/provider/token/JwtTokenProvider.java
----------------------------------------------------------------------
diff --git a/kerby-provider/token-provider/src/main/java/org/apache/kerby/kerberos/provider/token/JwtTokenProvider.java b/kerby-provider/token-provider/src/main/java/org/apache/kerby/kerberos/provider/token/JwtTokenProvider.java
index 036443e..91f795b 100644
--- a/kerby-provider/token-provider/src/main/java/org/apache/kerby/kerberos/provider/token/JwtTokenProvider.java
+++ b/kerby-provider/token-provider/src/main/java/org/apache/kerby/kerberos/provider/token/JwtTokenProvider.java
@@ -34,6 +34,14 @@ public class JwtTokenProvider implements TokenProvider {
* {@inheritDoc}
*/
@Override
+ public String getTokenType() {
+ return "JWT";
+ }
+
+ /**
+ * {@inheritDoc}
+ */
+ @Override
public TokenEncoder createTokenEncoder() {
return new JwtTokenEncoder();
}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/c90672d6/kerby-provider/token-provider/src/main/resources/META-INF/services/org.apache.kerby.kerberos.kerb.provider.TokenProvider
----------------------------------------------------------------------
diff --git a/kerby-provider/token-provider/src/main/resources/META-INF/services/org.apache.kerby.kerberos.kerb.provider.TokenProvider b/kerby-provider/token-provider/src/main/resources/META-INF/services/org.apache.kerby.kerberos.kerb.provider.TokenProvider
new file mode 100644
index 0000000..18dbdd5
--- /dev/null
+++ b/kerby-provider/token-provider/src/main/resources/META-INF/services/org.apache.kerby.kerberos.kerb.provider.TokenProvider
@@ -0,0 +1,16 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+org.apache.kerby.kerberos.provider.token.JwtTokenProvider
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/c90672d6/kerby-provider/token-provider/src/test/java/org/apache/kerby/kerberos/provider/token/TokenTest.java
----------------------------------------------------------------------
diff --git a/kerby-provider/token-provider/src/test/java/org/apache/kerby/kerberos/provider/token/TokenTest.java b/kerby-provider/token-provider/src/test/java/org/apache/kerby/kerberos/provider/token/TokenTest.java
index d6b07bf..ba544f7 100644
--- a/kerby-provider/token-provider/src/test/java/org/apache/kerby/kerberos/provider/token/TokenTest.java
+++ b/kerby-provider/token-provider/src/test/java/org/apache/kerby/kerberos/provider/token/TokenTest.java
@@ -19,6 +19,8 @@
*/
package org.apache.kerby.kerberos.provider.token;
+import com.nimbusds.jose.JWEAlgorithm;
+import com.nimbusds.jose.JWSAlgorithm;
import org.apache.kerby.kerberos.kerb.KrbRuntime;
import org.apache.kerby.kerberos.kerb.provider.TokenDecoder;
import org.apache.kerby.kerberos.kerb.provider.TokenEncoder;
@@ -27,9 +29,7 @@ import org.assertj.core.api.Assertions;
import org.junit.Before;
import org.junit.Test;
-import com.nimbusds.jose.JWEAlgorithm;
-import com.nimbusds.jose.JWSAlgorithm;
-
+import javax.crypto.KeyGenerator;
import java.io.IOException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
@@ -40,14 +40,8 @@ import java.util.ArrayList;
import java.util.Date;
import java.util.List;
-import javax.crypto.KeyGenerator;
-
public class TokenTest {
- static {
- KrbRuntime.setTokenProvider(new JwtTokenProvider());
- }
-
static final String SUBJECT = "test-sub";
static final String AUDIENCE = "krbtgt@EXAMPLE.COM";
static final String ISSUER = "oauth2.com";
@@ -59,7 +53,7 @@ public class TokenTest {
@Before
public void setUp() {
- authToken = KrbRuntime.getTokenProvider().createTokenFactory().createToken();
+ authToken = KrbRuntime.getTokenProvider("JWT").createTokenFactory().createToken();
authToken.setIssuer(ISSUER);
authToken.setSubject(SUBJECT);
@@ -84,11 +78,11 @@ public class TokenTest {
@Test
public void testToken() throws Exception {
- TokenEncoder tokenEncoder = KrbRuntime.getTokenProvider().createTokenEncoder();
+ TokenEncoder tokenEncoder = KrbRuntime.getTokenProvider("JWT").createTokenEncoder();
String tokenStr = tokenEncoder.encodeAsString(authToken);
Assertions.assertThat(tokenStr).isNotNull();
- TokenDecoder tokenDecoder = KrbRuntime.getTokenProvider().createTokenDecoder();
+ TokenDecoder tokenDecoder = KrbRuntime.getTokenProvider("JWT").createTokenDecoder();
setAudience((JwtTokenDecoder) tokenDecoder, auds);
@@ -99,11 +93,11 @@ public class TokenTest {
@Test
public void testDecodeFromBytes() throws Exception {
- TokenEncoder tokenEncoder = KrbRuntime.getTokenProvider().createTokenEncoder();
+ TokenEncoder tokenEncoder = KrbRuntime.getTokenProvider("JWT").createTokenEncoder();
byte[] tokenStr = tokenEncoder.encodeAsBytes(authToken);
Assertions.assertThat(tokenStr).isNotNull();
- TokenDecoder tokenDecoder = KrbRuntime.getTokenProvider().createTokenDecoder();
+ TokenDecoder tokenDecoder = KrbRuntime.getTokenProvider("JWT").createTokenDecoder();
setAudience((JwtTokenDecoder) tokenDecoder, auds);
@@ -114,8 +108,8 @@ public class TokenTest {
@Test
public void testTokenWithEncryptedJWT() throws Exception {
- TokenEncoder tokenEncoder = KrbRuntime.getTokenProvider().createTokenEncoder();
- TokenDecoder tokenDecoder = KrbRuntime.getTokenProvider().createTokenDecoder();
+ TokenEncoder tokenEncoder = KrbRuntime.getTokenProvider("JWT").createTokenEncoder();
+ TokenDecoder tokenDecoder = KrbRuntime.getTokenProvider("JWT").createTokenDecoder();
setEncryptKey((JwtTokenEncoder) tokenEncoder, (JwtTokenDecoder) tokenDecoder);
setAudience((JwtTokenDecoder) tokenDecoder, auds);
@@ -130,8 +124,8 @@ public class TokenTest {
@Test
public void testTokenWithDirectEncryptedJWT() throws Exception {
- TokenEncoder tokenEncoder = KrbRuntime.getTokenProvider().createTokenEncoder();
- TokenDecoder tokenDecoder = KrbRuntime.getTokenProvider().createTokenDecoder();
+ TokenEncoder tokenEncoder = KrbRuntime.getTokenProvider("JWT").createTokenEncoder();
+ TokenDecoder tokenDecoder = KrbRuntime.getTokenProvider("JWT").createTokenDecoder();
KeyGenerator keyGenerator = KeyGenerator.getInstance("AES");
keyGenerator.init(128);
@@ -165,8 +159,8 @@ public class TokenTest {
@Test
public void testTokenWithSignedJWT() throws Exception {
- TokenEncoder tokenEncoder = KrbRuntime.getTokenProvider().createTokenEncoder();
- TokenDecoder tokenDecoder = KrbRuntime.getTokenProvider().createTokenDecoder();
+ TokenEncoder tokenEncoder = KrbRuntime.getTokenProvider("JWT").createTokenEncoder();
+ TokenDecoder tokenDecoder = KrbRuntime.getTokenProvider("JWT").createTokenDecoder();
setSignKey((JwtTokenEncoder) tokenEncoder, (JwtTokenDecoder) tokenDecoder);
setAudience((JwtTokenDecoder) tokenDecoder, auds);
@@ -181,8 +175,8 @@ public class TokenTest {
@Test
public void testTokenWithHMACSignedJWT() throws Exception {
- TokenEncoder tokenEncoder = KrbRuntime.getTokenProvider().createTokenEncoder();
- TokenDecoder tokenDecoder = KrbRuntime.getTokenProvider().createTokenDecoder();
+ TokenEncoder tokenEncoder = KrbRuntime.getTokenProvider("JWT").createTokenEncoder();
+ TokenDecoder tokenDecoder = KrbRuntime.getTokenProvider("JWT").createTokenDecoder();
KeyGenerator keyGenerator = KeyGenerator.getInstance("AES");
keyGenerator.init(256);
@@ -212,8 +206,8 @@ public class TokenTest {
@org.junit.Ignore
// TODO: building error with openjdk8: NoSuchAlgorithm EC KeyPairGenerato..
public void testTokenWithECDSASignedJWT() throws Exception {
- TokenEncoder tokenEncoder = KrbRuntime.getTokenProvider().createTokenEncoder();
- TokenDecoder tokenDecoder = KrbRuntime.getTokenProvider().createTokenDecoder();
+ TokenEncoder tokenEncoder = KrbRuntime.getTokenProvider("JWT").createTokenEncoder();
+ TokenDecoder tokenDecoder = KrbRuntime.getTokenProvider("JWT").createTokenDecoder();
KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
KeyPair keyPair = kpg.generateKeyPair();
@@ -233,8 +227,8 @@ public class TokenTest {
@Test
public void testTokenWithSignedAndEncryptedJWT() throws Exception {
- TokenEncoder tokenEncoder = KrbRuntime.getTokenProvider().createTokenEncoder();
- TokenDecoder tokenDecoder = KrbRuntime.getTokenProvider().createTokenDecoder();
+ TokenEncoder tokenEncoder = KrbRuntime.getTokenProvider("JWT").createTokenEncoder();
+ TokenDecoder tokenDecoder = KrbRuntime.getTokenProvider("JWT").createTokenDecoder();
setSignKey((JwtTokenEncoder) tokenEncoder, (JwtTokenDecoder) tokenDecoder);
setEncryptKey((JwtTokenEncoder) tokenEncoder, (JwtTokenDecoder) tokenDecoder);
@@ -253,8 +247,8 @@ public class TokenTest {
List<String> audiences = new ArrayList<String>();
audiences.add("invalid@EXAMPLE.COM");
- TokenEncoder tokenEncoder = KrbRuntime.getTokenProvider().createTokenEncoder();
- TokenDecoder tokenDecoder = KrbRuntime.getTokenProvider().createTokenDecoder();
+ TokenEncoder tokenEncoder = KrbRuntime.getTokenProvider("JWT").createTokenEncoder();
+ TokenDecoder tokenDecoder = KrbRuntime.getTokenProvider("JWT").createTokenDecoder();
setSignKey((JwtTokenEncoder) tokenEncoder, (JwtTokenDecoder) tokenDecoder);
setEncryptKey((JwtTokenEncoder) tokenEncoder, (JwtTokenDecoder) tokenDecoder);
@@ -271,8 +265,8 @@ public class TokenTest {
public void testExpiredJWT() throws Exception {
authToken.setExpirationTime(new Date(new Date().getTime() - 100));
- TokenEncoder tokenEncoder = KrbRuntime.getTokenProvider().createTokenEncoder();
- TokenDecoder tokenDecoder = KrbRuntime.getTokenProvider().createTokenDecoder();
+ TokenEncoder tokenEncoder = KrbRuntime.getTokenProvider("JWT").createTokenEncoder();
+ TokenDecoder tokenDecoder = KrbRuntime.getTokenProvider("JWT").createTokenDecoder();
setSignKey((JwtTokenEncoder) tokenEncoder, (JwtTokenDecoder) tokenDecoder);
setEncryptKey((JwtTokenEncoder) tokenEncoder, (JwtTokenDecoder) tokenDecoder);
@@ -289,8 +283,8 @@ public class TokenTest {
public void testNotBeforeTime() throws Exception {
authToken.setNotBeforeTime(new Date(new Date().getTime() + 1000 * 60));
- TokenEncoder tokenEncoder = KrbRuntime.getTokenProvider().createTokenEncoder();
- TokenDecoder tokenDecoder = KrbRuntime.getTokenProvider().createTokenDecoder();
+ TokenEncoder tokenEncoder = KrbRuntime.getTokenProvider("JWT").createTokenEncoder();
+ TokenDecoder tokenDecoder = KrbRuntime.getTokenProvider("JWT").createTokenDecoder();
setSignKey((JwtTokenEncoder) tokenEncoder, (JwtTokenDecoder) tokenDecoder);
setEncryptKey((JwtTokenEncoder) tokenEncoder, (JwtTokenDecoder) tokenDecoder);
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/c90672d6/kerby-tool/client-tool/src/main/java/org/apache/kerby/kerberos/tool/token/TokenInit.java
----------------------------------------------------------------------
diff --git a/kerby-tool/client-tool/src/main/java/org/apache/kerby/kerberos/tool/token/TokenInit.java b/kerby-tool/client-tool/src/main/java/org/apache/kerby/kerberos/tool/token/TokenInit.java
index d5ff8e1..a1cd5da 100644
--- a/kerby-tool/client-tool/src/main/java/org/apache/kerby/kerberos/tool/token/TokenInit.java
+++ b/kerby-tool/client-tool/src/main/java/org/apache/kerby/kerberos/tool/token/TokenInit.java
@@ -23,7 +23,6 @@ import org.apache.kerby.kerberos.kerb.KrbRuntime;
import org.apache.kerby.kerberos.kerb.provider.TokenDecoder;
import org.apache.kerby.kerberos.kerb.provider.TokenEncoder;
import org.apache.kerby.kerberos.kerb.type.base.AuthToken;
-import org.apache.kerby.kerberos.provider.token.JwtTokenProvider;
import java.util.ArrayList;
import java.util.Date;
@@ -35,12 +34,8 @@ import java.util.List;
*/
public class TokenInit {
- static {
- KrbRuntime.setTokenProvider(new JwtTokenProvider());
- }
-
public static AuthToken issueToken(String principal, String group, String role) {
- AuthToken authToken = KrbRuntime.getTokenProvider().createTokenFactory().createToken();
+ AuthToken authToken = KrbRuntime.getTokenProvider("JWT").createTokenFactory().createToken();
String iss = "token-service";
authToken.setIssuer(iss);
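Review bot: With the static block that called `KrbRuntime.setTokenProvider(new JwtTokenProvider())` removed, issueToken now relies on a provider named "JWT" already being registered with KrbRuntime, and the chained call `KrbRuntime.getTokenProvider("JWT").createTokenFactory().createToken()` will fail with a NullPointerException rather than a readable error if the lookup returns null. I cannot see from here whether getTokenProvider auto-loads the JWT provider; if it does not, assign the lookup to a local and fail fast with `throw new IllegalStateException("No token provider registered for JWT")` when it is null. A short Javadoc on issueToken stating that it builds a JWT AuthToken for `principal` with the given group and role, issued by "token-service", would also help, since the class no longer registers the provider itself. The body of issueToken continues outside the hunk.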
@@ -86,13 +81,13 @@ public class TokenInit {
role = args[2];
}
- TokenEncoder tokenEncoder = KrbRuntime.getTokenProvider().createTokenEncoder();
+ TokenEncoder tokenEncoder = KrbRuntime.getTokenProvider("JWT").createTokenEncoder();
AuthToken token = issueToken(principal, group, role);
String tokenStr = tokenEncoder.encodeAsString(token);
TokenCache.writeToken(tokenStr);
System.out.println("Issued token: " + tokenStr);
- TokenDecoder tokenDecoder = KrbRuntime.getTokenProvider().createTokenDecoder();
+ TokenDecoder tokenDecoder = KrbRuntime.getTokenProvider("JWT").createTokenDecoder();
AuthToken token2 = tokenDecoder.decodeFromString(tokenStr);
System.out.println("Decoded token's subject: " + token2.getSubject());
}
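Review bot: `System.out.println("Issued token: " + tokenStr);` on the context line between the two changed lookups writes the complete encoded authentication token — the same value `TokenCache.writeToken(tokenStr)` has just persisted — to stdout, where it ends up in terminal scrollback, CI logs and anything capturing the tool's output; the commit touches the lines on either side of it but leaves the print in place. Consider printing only a confirmation such as `System.out.println("Issued token for " + principal);` and leaving the token in the cache. The decode that follows only prints the subject, so if it is meant as a round-trip check of the issued token it should compare `token2.getSubject()` against `principal` and fail on mismatch rather than echo it. The signature of main is outside the hunk.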
[6/6] directory-kerby git commit: DIRKRB-656 Compatibility problem
with Kerberos when getting service ticket. Contributed by Frank Zeng.
Posted by pl...@apache.org.
DIRKRB-656 Compatibility problem with Kerberos when getting service ticket. Contributed by Frank Zeng.
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/2b0e5692
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/2b0e5692
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/2b0e5692
Branch: refs/heads/cross-realm
Commit: 2b0e56920d935c00b4a7bd6a90e93dafd11254cc
Parents: 276905d
Author: plusplusjiajia <ji...@intel.com>
Authored: Tue Sep 12 11:29:54 2017 +0800
Committer: plusplusjiajia <ji...@intel.com>
Committed: Tue Sep 12 11:29:54 2017 +0800
----------------------------------------------------------------------
.../org/apache/kerby/kerberos/kerb/client/KrbClientBase.java | 6 ++++--
.../java/org/apache/kerby/kerberos/kerb/client/KrbHandler.java | 2 +-
2 files changed, 5 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/2b0e5692/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbClientBase.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbClientBase.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbClientBase.java
index cc05a25..602024a 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbClientBase.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbClientBase.java
@@ -222,12 +222,14 @@ public class KrbClientBase {
public SgtTicket requestSgt(File ccFile, String servicePrincipal) throws KrbException {
Credential credential = getCredentialFromFile(ccFile);
TgtTicket tgt = getTgtTicketFromCredential(credential);
+ KOptions requestOptions = new KOptions();
+
+ // Renew ticket if argument named servicePrincipal is null
if (servicePrincipal == null) {
+ requestOptions.add(KrbKdcOption.RENEW);
servicePrincipal = credential.getServicePrincipal().getName();
}
- KOptions requestOptions = new KOptions();
- requestOptions.add(KrbKdcOption.RENEW);
requestOptions.add(KrbOption.USE_TGT, tgt);
requestOptions.add(KrbOption.SERVER_PRINCIPAL, servicePrincipal);
SgtTicket sgtTicket = innerClient.requestSgt(requestOptions);
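Review bot: requestSgt now has two distinct behaviours selected by a null `servicePrincipal` — a plain service-ticket request using the TGT, or a RENEW of the ticket named by the cached credential — and nothing in the hunk documents that; a Javadoc on the method (its declaration is the first line of the hunk) should state that `servicePrincipal == null` means "renew the cached credential's ticket" and that otherwise an SGT for that principal is requested with the TGT read from `ccFile`. In the renew branch `credential.getServicePrincipal().getName()` is dereferenced without a check; if getCredentialFromFile can return a credential without a service principal (I cannot tell from here), a `KrbException` with a clear message would be preferable to a NullPointerException. The inline comment would read better as `// No explicit service principal: renew the ticket held in the credential cache instead of requesting a new SGT`. The method continues past the hunk.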
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/2b0e5692/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbHandler.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbHandler.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbHandler.java
index 32fad41..81dc163 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbHandler.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbHandler.java
@@ -93,7 +93,7 @@ public abstract class KrbHandler {
}
/**
- * Process the response messabe from kdc.
+ * Process the response message from kdc.
*
* @param kdcRequest The kdc request
* @param responseMessage The message from kdc