Posted to commits@directory.apache.org by er...@apache.org on 2004/10/31 22:57:38 UTC
svn commit: rev 56161 - in incubator/directory/kerberos/trunk/source/main/org/apache/kerberos: kdc/jaas kdc/store util
Author: erodriguez
Date: Sun Oct 31 13:57:38 2004
New Revision: 56161
Added:
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/jaas/KdcLoginModule.java
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/util/CallbackHandlerBean.java
- copied, changed from rev 55216, incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/jaas/CallbackHandlerBean.java
Removed:
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/jaas/CallbackHandlerBean.java
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/jaas/KdcSubject.java
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/jaas/KdcSubjectLogin.java
Modified:
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/jaas/Krb5Configuration.java
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/store/LdapStore.java
Log:
Added custom LoginModule for KDC to obtain initial TGT for secure SASL-GSSAPI connection to LDAP servers.
Added: incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/jaas/KdcLoginModule.java
==============================================================================
--- (empty file)
+++ incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/jaas/KdcLoginModule.java Sun Oct 31 13:57:38 2004
@@ -0,0 +1,159 @@
+/*
+ * Copyright 2004 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package org.apache.kerberos.kdc.jaas;
+
+import sun.security.krb5.*;
+
+import java.io.*;
+import java.util.*;
+
+import javax.security.auth.*;
+import javax.security.auth.callback.*;
+import javax.security.auth.kerberos.*;
+import javax.security.auth.login.*;
+import javax.security.auth.spi.*;
+
+public class KdcLoginModule implements LoginModule {
+
+ private Subject _subject;
+
+ // the authentication status
+ private boolean succeeded = false;
+ private boolean commitSucceeded = false;
+
+ private Credentials credential;
+ private KerberosTicket ticketGrantingTicket;
+
+ public void initialize(Subject subject, CallbackHandler notNeeded, Map ignored, Map notUsed) {
+ _subject = subject;
+ }
+
+ public boolean login() throws LoginException {
+ try {
+ attemptAuthentication();
+ succeeded = true;
+ return true;
+ } catch (LoginException le) {
+ succeeded = false;
+ throw le;
+ }
+ }
+
+ private void attemptAuthentication() throws LoginException {
+ try {
+ // TODO - iterate looking for KDC principal from configuration
+ Iterator it = _subject.getPrincipals(KerberosPrincipal.class).iterator();
+ KerberosPrincipal kerberosPrincipal = (KerberosPrincipal)it.next();
+ PrincipalName principalName = new PrincipalName(kerberosPrincipal.getName(),
+ PrincipalName.KRB_NT_PRINCIPAL);
+
+ // TODO - iterate looking for KDC principal's key from configuration
+ it = _subject.getPrivateCredentials(KerberosKey.class).iterator();
+ KerberosKey key = (KerberosKey)it.next();
+ EncryptionKey encKey = new EncryptionKey(key.getEncoded());
+
+ credential = Credentials.acquireTGT(principalName, encKey);
+
+ if (credential == null) {
+ throw new LoginException("TGT was not retrieved from KDC");
+ }
+
+ } catch (KrbException ke) {
+ LoginException le = new LoginException(ke.getMessage());
+ le.initCause(ke);
+ throw le;
+ } catch (IOException ioe) {
+ LoginException le = new LoginException(ioe.getMessage());
+ le.initCause(ioe);
+ throw le;
+ }
+ }
+
+ public boolean commit() throws LoginException {
+
+ if (succeeded == false) {
+ return false;
+ }
+
+ Set privateCredentials = _subject.getPrivateCredentials();
+
+ if (credential == null) {
+ succeeded = false;
+ throw new LoginException("TGT was not retrieved from KDC");
+ }
+
+ EncryptionKey sessionKey = credential.getSessionKey();
+ ticketGrantingTicket = new KerberosTicket(credential.getEncoded(), new KerberosPrincipal(
+ credential.getClient().getName()), new KerberosPrincipal(credential.getServer().getName()),
+ sessionKey.getBytes(), sessionKey.getEType(), credential.getFlags(),
+ credential.getAuthTime(), credential.getStartTime(), credential.getEndTime(),
+ credential.getRenewTill(), credential.getClientAddresses());
+
+ if (!privateCredentials.contains(ticketGrantingTicket)) {
+ privateCredentials.add(ticketGrantingTicket);
+ }
+
+ commitSucceeded = true;
+ return true;
+ }
+
+ public boolean abort() throws LoginException {
+ if (succeeded == false) {
+ return false;
+ } else if (succeeded == true && commitSucceeded == false) {
+ // login succeeded but overall authentication failed
+ succeeded = false;
+ try {
+ if (ticketGrantingTicket != null) {
+ ticketGrantingTicket.destroy();
+ }
+ } catch (DestroyFailedException e) {
+ throw new LoginException("Destroy failed on Kerberos private credentials");
+ }
+ ticketGrantingTicket = null;
+ } else {
+ logout();
+ }
+ return true;
+ }
+
+ public boolean logout() throws LoginException {
+
+ // remove all Kerberos credentials stored in the Subject
+ Iterator it = _subject.getPrivateCredentials().iterator();
+ while (it.hasNext()) {
+ Object o = it.next();
+ if (o instanceof KerberosTicket || o instanceof KerberosKey) {
+ it.remove();
+ }
+ }
+
+ try {
+ if (ticketGrantingTicket != null) {
+ ticketGrantingTicket.destroy();
+ }
+ } catch (DestroyFailedException e) {
+ throw new LoginException("Destroy failed on Kerberos private credentials");
+ }
+
+ ticketGrantingTicket = null;
+ succeeded = false;
+ commitSucceeded = false;
+ return true;
+ }
+}
+
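Review bot: `attemptAuthentication` calls `it.next()` for both the principal and the key lookup without checking `hasNext()`, so a Subject that lacks a KerberosPrincipal or KerberosKey fails with an unchecked NoSuchElementException instead of the LoginException the JAAS contract expects, and that path skips the `succeeded = false` bookkeeping in `login()`. Guard each lookup, e.g. `if (!it.hasNext()) { throw new LoginException("Subject has no KerberosPrincipal"); }` before the principal cast and the equivalent message before the key cast. Separately, `logout()` removes every KerberosKey from the Subject's private credentials, not only the ticket this module added in `commit()`; if the caller placed the KDC's long-term key there, a logout followed by a second login would no longer find it, which deserves either a comment or limiting removal to the TGT. The `credential` field (which carries the session key) is also never cleared in `logout()`/`abort()`, unlike `ticketGrantingTicket`; setting `credential = null` alongside it keeps the two in step. The class relies on `sun.security.krb5.*`, an unsupported internal API, and a header comment stating that dependency would help maintainers.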
Modified: incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/jaas/Krb5Configuration.java
==============================================================================
--- incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/jaas/Krb5Configuration.java (original)
+++ incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/jaas/Krb5Configuration.java Sun Oct 31 13:57:38 2004
@@ -27,12 +27,9 @@
public Krb5Configuration() {
- String loginModule = "com.sun.security.auth.module.Krb5LoginModule";
+ String loginModule = "org.apache.kerberos.kdc.jaas.KdcLoginModule";
LoginModuleControlFlag flag = LoginModuleControlFlag.REQUIRED;
- Map options = new HashMap();
- options.put("storeKey", "true");
-
- _configList[0] = new AppConfigurationEntry(loginModule, flag, options);
+ _configList[0] = new AppConfigurationEntry(loginModule, flag, new HashMap());
}
/**
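Review bot: The login module is named by a string literal in `String loginModule = "org.apache.kerberos.kdc.jaas.KdcLoginModule";`, so a rename or package move of KdcLoginModule would only surface at runtime as a failed LoginContext; since the class is in the same package, `String loginModule = KdcLoginModule.class.getName();` gives the compiler the check. The options map passed as `new HashMap()` is a raw type that KdcLoginModule's `initialize` ignores; `Collections.EMPTY_MAP` states that intent and avoids handing the configuration a mutable map.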
Modified: incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/store/LdapStore.java
==============================================================================
--- incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/store/LdapStore.java (original)
+++ incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/store/LdapStore.java Sun Oct 31 13:57:38 2004
@@ -25,6 +25,7 @@
import javax.naming.directory.*;
import javax.security.auth.*;
import javax.security.auth.kerberos.*;
+import javax.security.auth.login.*;
public class LdapStore implements PrincipalStore {
@@ -45,14 +46,20 @@
private Subject _subject;
public LdapStore(KdcConfiguration config) {
- _config = config;
+ _config = config;
+ _subject = _config.getKdcSubject();
}
public void init() {
- if (_subject == null) {
- KdcSubject subjectLogin = new KdcSubjectLogin(_config.getKdcPrincipal(),
- _config.getKdcPassPhrase());
- _subject = subjectLogin.getSubject();
+
+ Configuration.setConfiguration(new Krb5Configuration());
+
+ LoginContext lc = null;
+ try {
+ lc = new LoginContext(LdapStore.class.getName(), _subject);
+ lc.login();
+ } catch (LoginException le) {
+ System.err.println("Authentication attempt failed" + le);
}
}
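Review bot: The `catch (LoginException le)` in `init()` only prints to stderr, so the store is reported as initialised even though no TGT was obtained and the failure surfaces later as an unexplained SASL/GSSAPI bind error far from its cause; rethrowing, e.g. `throw new RuntimeException("KDC login failed for " + LdapStore.class.getName(), le);`, keeps the cause attached and stops the store being used unauthenticated (the message string is also missing a space before `le`). `lc` is discarded after `login()`, so nothing can ever call `lc.logout()` to remove and destroy the ticket that KdcLoginModule placed in `_subject`; keeping the LoginContext in a field would allow a matching shutdown. Note also that `Configuration.setConfiguration(new Krb5Configuration())` replaces the JAAS configuration for the whole JVM, not just this store, which is worth a comment since any other LoginContext in the process is affected.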
Copied: incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/util/CallbackHandlerBean.java (from rev 55216, incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/jaas/CallbackHandlerBean.java)
==============================================================================
--- incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/jaas/CallbackHandlerBean.java (original)
+++ incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/util/CallbackHandlerBean.java Sun Oct 31 13:57:38 2004
@@ -14,7 +14,7 @@
* limitations under the License.
*
*/
-package org.apache.kerberos.kdc.jaas;
+package org.apache.kerberos.util;
import java.io.*;