Author: erodriguez
Date: Sun Oct 31 13:57:38 2004
New Revision: 56161

Added:
   
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/jaas/KdcLoginModule.java
   
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/util/CallbackHandlerBean.java
      - copied, changed from rev 55216, 
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/jaas/CallbackHandlerBean.java
Removed:
   
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/jaas/CallbackHandlerBean.java
   
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/jaas/KdcSubject.java
   
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/jaas/KdcSubjectLogin.java
Modified:
   
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/jaas/Krb5Configuration.java
   
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/store/LdapStore.java
Log:
Added custom LoginModule for KDC to obtain initial TGT for secure SASL-GSSAPI 
connection to LDAP servers.

Added: 
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/jaas/KdcLoginModule.java
==============================================================================
--- (empty file)
+++ 
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/jaas/KdcLoginModule.java
     Sun Oct 31 13:57:38 2004
@@ -0,0 +1,159 @@
+/*
+ *   Copyright 2004 The Apache Software Foundation
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License");
+ *   you may not use this file except in compliance with the License.
+ *   You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing, software
+ *   distributed under the License is distributed on an "AS IS" BASIS,
+ *   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *   See the License for the specific language governing permissions and
+ *   limitations under the License.
+ *
+ */
+package org.apache.kerberos.kdc.jaas;
+
+import sun.security.krb5.*;
+
+import java.io.*;
+import java.util.*;
+
+import javax.security.auth.*;
+import javax.security.auth.callback.*;
+import javax.security.auth.kerberos.*;
+import javax.security.auth.login.*;
+import javax.security.auth.spi.*;
+
+public class KdcLoginModule implements LoginModule {
+
+       private Subject _subject;
+       
+       // the authentication status
+       private boolean succeeded       = false;
+       private boolean commitSucceeded = false;
+       
+       private Credentials credential;
+       private KerberosTicket ticketGrantingTicket;
+
+       public void initialize(Subject subject, CallbackHandler notNeeded, Map 
ignored, Map notUsed) {
+               _subject = subject;
+       }
+
+       public boolean login() throws LoginException {
+               try {
+                       attemptAuthentication();
+                       succeeded = true;
+                       return true;
+               } catch (LoginException le) {
+                       succeeded = false;
+                       throw le;
+               }
+       }
+
+       private void attemptAuthentication() throws LoginException {
+               try {
+                       // TODO - iterate looking for KDC principal from 
configuration
+                       Iterator it = 
_subject.getPrincipals(KerberosPrincipal.class).iterator();
+                       KerberosPrincipal kerberosPrincipal = 
(KerberosPrincipal)it.next();
+                       PrincipalName principalName = new 
PrincipalName(kerberosPrincipal.getName(),
+                               PrincipalName.KRB_NT_PRINCIPAL);
+                       
+                       // TODO - iterate looking for KDC principal's key from 
configuration
+                       it = 
_subject.getPrivateCredentials(KerberosKey.class).iterator();
+                       KerberosKey key = (KerberosKey)it.next();
+                       EncryptionKey encKey = new 
EncryptionKey(key.getEncoded());
+                       
+                       credential = Credentials.acquireTGT(principalName, 
encKey);
+
+                       if (credential == null) {
+                               throw new LoginException("TGT was not retrieved 
from KDC");
+                       }
+                       
+               } catch (KrbException ke) {
+                       LoginException le = new LoginException(ke.getMessage());
+                       le.initCause(ke);
+                       throw le;
+               } catch (IOException ioe) {
+                       LoginException le = new 
LoginException(ioe.getMessage());
+                       le.initCause(ioe);
+                       throw le;
+               }
+       }
+
+       public boolean commit() throws LoginException {
+
+               if (succeeded == false) {
+                       return false;
+               }
+
+               Set privateCredentials = _subject.getPrivateCredentials();
+
+               if (credential == null) {
+                       succeeded = false;
+                       throw new LoginException("TGT was not retrieved from 
KDC");
+               }
+               
+               EncryptionKey sessionKey = credential.getSessionKey();
+               ticketGrantingTicket = new 
KerberosTicket(credential.getEncoded(), new KerberosPrincipal(
+                       credential.getClient().getName()), new 
KerberosPrincipal(credential.getServer().getName()),
+                       sessionKey.getBytes(), sessionKey.getEType(), 
credential.getFlags(),
+                       credential.getAuthTime(), credential.getStartTime(), 
credential.getEndTime(),
+                       credential.getRenewTill(), 
credential.getClientAddresses());
+
+               if (!privateCredentials.contains(ticketGrantingTicket)) {
+                       privateCredentials.add(ticketGrantingTicket);
+               }
+               
+               commitSucceeded = true;
+               return true;
+       }
+
+       public boolean abort() throws LoginException {
+               if (succeeded == false) {
+                       return false;
+               } else if (succeeded == true && commitSucceeded == false) {
+                       // login succeeded but overall authentication failed
+                       succeeded = false;
+                       try {
+                               if (ticketGrantingTicket != null) {
+                                       ticketGrantingTicket.destroy();
+                               }
+                       } catch (DestroyFailedException e) {
+                               throw new LoginException("Destroy failed on 
Kerberos private credentials");
+                       }
+                       ticketGrantingTicket = null;
+               } else {
+                       logout();
+               }
+               return true;
+       }
+
+       public boolean logout() throws LoginException {
+
+               // remove all Kerberos credentials stored in the Subject
+               Iterator it = _subject.getPrivateCredentials().iterator();
+               while (it.hasNext()) {
+                       Object o = it.next();
+                       if (o instanceof KerberosTicket || o instanceof 
KerberosKey) {
+                               it.remove();
+                       }
+               }
+               
+               try {
+                       if (ticketGrantingTicket != null) {
+                               ticketGrantingTicket.destroy();
+                       }
+               } catch (DestroyFailedException e) {
+                       throw new LoginException("Destroy failed on Kerberos 
private credentials");
+               }
+               
+               ticketGrantingTicket = null;
+               succeeded            = false;
+               commitSucceeded      = false;
+               return true;
+       }
+}
+
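Review bot: attemptAuthentication() calls `it.next()` on the KerberosPrincipal iterator and again on the KerberosKey iterator without checking `hasNext()`, so a Subject that carries no principal or no key makes login() fail with a NoSuchElementException instead of the LoginException that JAAS callers and the `succeeded = false` path in login() expect. Guard each lookup before the cast: `if (!it.hasNext()) { throw new LoginException("No KerberosPrincipal in Subject"); }` and `if (!it.hasNext()) { throw new LoginException("No KerberosKey in Subject"); }`. The module is built on `sun.security.krb5.*` (Credentials, PrincipalName, EncryptionKey), an internal JDK API with no compatibility guarantee, and initialize() discards its CallbackHandler and both option maps, so a class Javadoc should state that dependency and that the caller must pre-load the principal and its long-term KerberosKey into the Subject's private credentials. In commit(), `privateCredentials` is fetched before the `credential == null` check; fetching it after the check, next to the `add`, keeps the failure ordering readable, and the `succeeded == false` / `succeeded == true &&` comparisons in commit() and abort() read better as `!succeeded` / `succeeded &&`.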

Modified: 
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/jaas/Krb5Configuration.java
==============================================================================
--- 
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/jaas/Krb5Configuration.java
  (original)
+++ 
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/jaas/Krb5Configuration.java
  Sun Oct 31 13:57:38 2004
@@ -27,12 +27,9 @@
        
        public Krb5Configuration() {
                
-               String loginModule = 
"com.sun.security.auth.module.Krb5LoginModule";
+               String loginModule = 
"org.apache.kerberos.kdc.jaas.KdcLoginModule";
                LoginModuleControlFlag flag = LoginModuleControlFlag.REQUIRED;
-               Map options = new HashMap();
-               options.put("storeKey", "true");
-               
-               _configList[0] = new AppConfigurationEntry(loginModule, flag, 
options);
+               _configList[0] = new AppConfigurationEntry(loginModule, flag, 
new HashMap());
        }
 
        /**
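Review bot: the options argument on the new `_configList[0]` line is a fresh mutable `new HashMap()` that nothing reads, since KdcLoginModule.initialize() in this commit ignores its options map; `Collections.EMPTY_MAP` expresses that intent, satisfies AppConfigurationEntry's non-null requirement, and matches the file's pre-generics style. A one-line comment such as `// KdcLoginModule reads principal and key from the Subject; no options are consulted` would also record why the `storeKey` option was dropped together with the Sun Krb5LoginModule. The `_configList` field and the rest of Krb5Configuration lie outside the hunk.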

Modified: 
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/store/LdapStore.java
==============================================================================
--- 
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/store/LdapStore.java
 (original)
+++ 
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/store/LdapStore.java
 Sun Oct 31 13:57:38 2004
@@ -25,6 +25,7 @@
 import javax.naming.directory.*;
 import javax.security.auth.*;
 import javax.security.auth.kerberos.*;
+import javax.security.auth.login.*;
 
 public class LdapStore implements PrincipalStore {
        
@@ -45,14 +46,20 @@
        private Subject          _subject;
        
        public LdapStore(KdcConfiguration config) {
-               _config = config;
+               _config  = config;
+               _subject = _config.getKdcSubject();
        }
        
        public void init() {
-               if (_subject == null) {
-                       KdcSubject subjectLogin = new 
KdcSubjectLogin(_config.getKdcPrincipal(),
-                                       _config.getKdcPassPhrase());
-                       _subject = subjectLogin.getSubject();
+               
+               Configuration.setConfiguration(new Krb5Configuration());
+               
+               LoginContext lc = null;
+               try {
+                       lc = new LoginContext(LdapStore.class.getName(), 
_subject);
+                       lc.login();
+               } catch (LoginException le) {
+                       System.err.println("Authentication attempt failed" + 
le);
                }
        }
        
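Review bot: the catch block in init() only prints `"Authentication attempt failed" + le` (the message also lacks a separator before the exception text) and then returns normally, so a failed Kerberos login leaves LdapStore initialised with a Subject that holds no TGT, and every later use of the store proceeds without the credential this commit exists to obtain. Unless a silent fallback is intended, fail init() in the file's existing initCause style: `IllegalStateException ise = new IllegalStateException("Authentication attempt failed: " + le.getMessage());` `ise.initCause(le);` `throw ise;`. `Configuration.setConfiguration(new Krb5Configuration())` replaces the process-wide JAAS configuration on every init() call, which affects any other JAAS login in the same JVM; a comment stating that this is deliberate, or installing it once, would help. `_subject` is now taken from `_config.getKdcSubject()` in the constructor; if that can return null, `new LoginContext(name, null)` throws LoginException and is reported the same way, so a null check in the constructor would surface the misconfiguration earlier. The enclosing class continues outside the hunk.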

Copied: 
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/util/CallbackHandlerBean.java
 (from rev 55216, 
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/jaas/CallbackHandlerBean.java)
==============================================================================
--- 
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/jaas/CallbackHandlerBean.java
        (original)
+++ 
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/util/CallbackHandlerBean.java
    Sun Oct 31 13:57:38 2004
@@ -14,7 +14,7 @@
  *   limitations under the License.
  *
  */
-package org.apache.kerberos.kdc.jaas;
+package org.apache.kerberos.util;
 
 import java.io.*;
 
