[ https://issues.apache.org/jira/browse/QPIDJMS-303?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16096225#comment-16096225 ]
ASF GitHub Bot commented on QPIDJMS-303: ---------------------------------------- Github user gemmellr commented on a diff in the pull request: https://github.com/apache/qpid-jms/pull/10#discussion_r128747005 --- Diff: qpid-jms-client/src/main/java/org/apache/qpid/jms/sasl/GssapiMechanism.java --- 
@@ -0,0 +1,163 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.qpid.jms.sasl;
+
+import javax.security.auth.Subject;
+import javax.security.auth.login.AppConfigurationEntry;
+import javax.security.auth.login.Configuration;
+import javax.security.auth.login.LoginContext;
+import javax.security.sasl.Sasl;
+import javax.security.sasl.SaslClient;
+import javax.security.sasl.SaslException;
+import java.security.Principal;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
+import java.util.HashMap;
+import java.util.Map;
+
+/**
+ * Implements the GSSAPI sasl authentication Mechanism.
+ */
+public class GssapiMechanism extends AbstractMechanism {
+
+ public static final String NAME = "GSSAPI";
+ private Subject subject;
+ private SaslClient saslClient;
+ private String protocol = "amqp";
+ private String server = null;
+ private String configScope = null;
+
+ // a gss/sasl service name, x@y, morphs to a krbPrincipal a/y@REALM
+
+ @Override
+ public int getPriority() {
+ return PRIORITY.LOW.getValue();
+ }
+
+ @Override
+ public String getName() {
+ return NAME;
+ }
+
+ @Override
+ public byte[] getInitialResponse() throws SaslException {
+ try {
+ LoginContext loginContext = null;
+ if (configScope != null) {
+ loginContext = new LoginContext(configScope);
+ } else {
+ // inline keytab config using user as principal
+ loginContext = new LoginContext("", null, null,
+ kerb5InlineConfig(getUsername(), true));
+ }
+ loginContext.login();
+ subject = loginContext.getSubject();
+
+ return Subject.doAs(subject, new PrivilegedExceptionAction<byte[]>() {
+
+ @Override
+ public byte[] run() throws Exception {
+ saslClient = Sasl.createSaslClient(new String[]{getName()}, null, protocol, server, null, null);
--- End diff -- Referencing the constant rather than using getName() might be clearer. > Add support for SASL GSSAPI Kerberos mechanism > ---------------------------------------------- > > Key: QPIDJMS-303 > URL: https://issues.apache.org/jira/browse/QPIDJMS-303 > Project: Qpid JMS > Issue Type: Bug > Components: qpid-jms-client > Reporter: Gary Tully > > It would be great to be able to authenticate using kerberos credentials using > the SASL GSSAPI mechanism. > Authentication would be sufficient leaving TLS to do encryption of the > channel if that is necessary. -- This message was sent by Atlassian JIRA (v6.4.14#64029) --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org For additional commands, e-mail: dev-h...@qpid.apache.org
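Review bot: The `Sasl.createSaslClient(...)` call in `run()` passes `null` as its fifth argument (the properties map), so the client never requests mutual authentication and the broker is not required to prove its Kerberos identity back to the client. Consider building a map with `props.put(Sasl.SERVER_AUTH, "true");` and passing `props` in place of that `null`. Separately, `server` is only initialised to `null` in the visible lines; unless a setter outside this hunk fills in the broker host name before `getInitialResponse()` runs, the call is handed a null server name, so an explicit check that throws a descriptive `SaslException` would make the misconfiguration obvious. No `loginContext.logout()` is visible either, but `run()` and `getInitialResponse()` both continue past the end of the quoted hunk, so that and the checks above may already be handled there.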