On Thu, Jun 23, 2016 at 3:28 PM, Zheng, Kai <[email protected]> wrote:
> I see. Why do you want to validate it using GSS on the client side? Because
> the client gets it and then should just trust it, right? Validating a
> service ticket needs the service key or keytab, which is why I thought it
> could be on the server side.
>

Just to test that it works! See the unit test called "unitGSSTest" here:

https://github.com/coheigea/testcases/blob/master/apache/cxf/cxf-kerberos-kerby/src/test/java/org/apache/coheigea/cxf/kerberos/authentication/AuthenticationTest.java

Using the GSS API I do:

    byte[] ticket = (byte[]) Subject.doAs(clientSubject, action);
    ...
    validateServiceTicket(ticket);

> I got your scenario. Are you able to obtain the service ticket or not? You
> seem to, because you said you can use a JWT token for that. But then you
> asked how to access the service ticket on the client side using the Kerby
> API. Did you have the SgtTicket in hand? If yes, I thought then you can
> extract something from it to put into the SOAP header. Could you point to
> the relevant spec about that? I may then have a concrete idea to help.
>

Yes, I have the SgtTicket in hand. Now I want to extract the service ticket
from this class as an array of bytes, similar to what I get above from
Subject.doAs using the GSS API. I know how to put the Kerberos token in the
SOAP header; my question is how to get it from SgtTicket in the first
place :-)

Thanks again for your help,

Colm.

> Regards,
> Kai
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:[email protected]]
> Sent: Thursday, June 23, 2016 9:40 PM
> To: [email protected]
> Subject: Re: JWT pre-authentication - get JWT token on service side
>
> On Thu, Jun 23, 2016 at 2:31 PM, Zheng, Kai <[email protected]> wrote:
>
> > > How do I extract the token from SgtTicket that I can validate using GSS?
> >
> > Sorry, but where do you want to do this? App client side or server side?
> > If on the server side, I thought you have already made it, as your
> > previous email notified, being able to query/extract the authorization
> > data and get the token from it. Would you clarify a bit?
> >
>
> On the client side. So what I want to do is use the Kerby API to get a
> service ticket (using a JWT token) and then extract the ticket from the KDC
> response + validate it using GSS. For example, for SOAP web services, the
> service ticket is inserted into the SOAP header of the web services call in
> BASE-64 format. So the question is, how can I get access to the service
> ticket on the client side using the Kerby API?
>
> Thanks,
>
> Colm.
>
> > Regards,
> > Kai
> >
> > From: Colm O hEigeartaigh [mailto:[email protected]]
> > Sent: Thursday, June 23, 2016 7:59 PM
> > To: Zheng, Kai <[email protected]>
> > Cc: [email protected]
> > Subject: Re: JWT pre-authentication - get JWT token on service side
> >
> > Hi Kai,
> >
> > On Wed, Jun 22, 2016 at 3:11 PM, Zheng, Kai <[email protected]> wrote:
> >
> > Great question. Here what you need would be a login module using a
> > token, and the module will send the token to the KDC for a TGT to get an
> > SGT that's to be used in a GSS session. We already have the module;
> > please look at TokenAuthLoginModule.
> >
> > From what I can see, the TokenAuthLoginModule just gets the TGT and
> > not the SGT. However, I can get the service ticket easily enough via
> > the Kerby API from this. How do I extract the token from SgtTicket
> > that I can validate using GSS?
> >
> > Regards,
> > Kai
> >
> > -----Original Message-----
> > From: Colm O hEigeartaigh [mailto:[email protected]]
> > Sent: Wednesday, June 22, 2016 9:36 PM
> > To: [email protected]
> > Subject: Re: JWT pre-authentication - get JWT token on service side
> >
> > Hi all,
> >
> > Some more questions on this task:
> >
> > 1) Kai, you mentioned the AuthzToken type. Is this defined somewhere
> > so that I can add it in to the AuthorizationType class?
> >
> > 2) Currently, the TokenIssuer class asks the IdentityService for the
> > authorization data. However, the IdentityService doesn't have access
> > to the token. Is it reasonable default behaviour to insert the
> > received token in the TokenIssuer as the authorization data, and if
> > none exists fall back to asking the IdentityService for any authorization
> > data?
> >
> > 3) I can extract the token on the service side using the GSS API in
> > the way suggested by Kai. However, how can I send the token to the KDC
> > on the client side using GSS?
> >
> > Thanks,
> >
> > Colm.
> >
> > On Fri, Jun 17, 2016 at 4:41 PM, Zheng, Kai <[email protected]> wrote:
> >
> > > It's not a bug. It works that way: the temp value will be there only
> > > after you have decoded/decrypted the part.
> > >
> > > Note the SGT is used/consumed on the app server side, and can be decrypted
> > > using the server ticket/key. I suggest you try this in the
> > > GssAppTest codes using the example code I provided in my last email,
> > > where you should be able to query/extract the authorization data. If
> > > you put the token in the authorization data, then after decoding it,
> > > you could extract the token from it. I remember we had defined the
> > > AuthzToken type for this actually, but I guess it's not used yet.
> > >
> > > Regards,
> > > Kai
> > >
> > > -----Original Message-----
> > > From: Colm O hEigeartaigh [mailto:[email protected]]
> > > Sent: Friday, June 17, 2016 7:21 PM
> > > To: [email protected]
> > > Subject: Re: JWT pre-authentication - get JWT token on service side
> > >
> > > Thanks Kai and Jiajia!
> > >
> > > I'm trying to get access to the authorization data using the Kerby
> > > API after getting a service ticket:
> > >
> > >     SgtTicket tkt = tokenClient.requestSgt(krbToken, serverPrinc,
> > >             cCacheFile.getPath());
> > >
> > > However the following is null:
> > >
> > >     tkt.getTicket().getEncPart()
> > >
> > > Is this a bug, or how else can I parse the ticket to get the
> > > authorization data?
> > >
> > > Colm.
> > >
> > > On Thu, Jun 16, 2016 at 1:01 PM, Zheng, Kai <[email protected]> wrote:
> > >
> > > > Thanks Jiajia for the first question!
> > > >
> > > > For the second one, since you're using GSS, the even lower level,
> > > > which is fine, it should be totally doable. Ref. the following doc:
> > > >
> > > > https://docs.oracle.com/javase/7/docs/jre/api/security/jgss/spec/com/sun/security/jgss/ExtendedGSSContext.html
> > > >
> > > >     GSSContext ctxt = m.createContext(...)
> > > >     // Establishing the context
> > > >     if (ctxt instanceof ExtendedGSSContext) {
> > > >         ExtendedGSSContext ex = (ExtendedGSSContext) ctxt;
> > > >         try {
> > > >             Key key = (Key) ex.inquireSecContext(
> > > >                     InquireType.KRB5_GET_SESSION_KEY);
> > > >             // read key info
> > > >         } catch (GSSException gsse) {
> > > >             // deal with exception
> > > >         }
> > > >     }
> > > >
> > > > As you can see, after establishing the GSS context, you can query
> > > > the SESSION_KEY from the layer. You can also query the AUTHZ_DATA
> > > > field similarly! After you get the authz data, it's up to you to
> > > > decode it, say using the Kerby library to decode the ASN1 object and
> > > > extract any info in it, like the token.
> > > >
> > > > Regards,
> > > > Kai
> > > >
> > > > -----Original Message-----
> > > > From: Li, Jiajia [mailto:[email protected]]
> > > > Sent: Thursday, June 16, 2016 7:50 PM
> > > > To: [email protected]; [email protected]
> > > > Subject: RE: JWT pre-authentication - get JWT token on service side
> > > >
> > > > Hi Colm,
> > > >
> > > > For the first question: I think now the token has not been put
> > > > into the issued service ticket as authorization data. You can look
> > > > at issueTicket()#TgsRequest.java on the server side for details.
> > > >
> > > > Regards,
> > > > Jiajia
> > > >
> > > > -----Original Message-----
> > > > From: Colm O hEigeartaigh [mailto:[email protected]]
> > > > Sent: Thursday, June 16, 2016 7:19 PM
> > > > To: [email protected]
> > > > Subject: Re: JWT pre-authentication - get JWT token on service side
> > > >
> > > > Thanks Kai. A few questions below.
> > > >
> > > > On Thu, Jun 16, 2016 at 11:33 AM, Zheng, Kai <[email protected]> wrote:
> > > >
> > > > > 1. For issuing the service ticket, the token used to do the
> > > > > authentication, or a token derivation, was put into the issued
> > > > > service ticket as authorization data. I'm not sure whether the current
> > > > > Kerby impl has done this or not. If not, it should not be
> > > > > difficult to support it, considering we have some Kerby
> > > > > authorization support now.
> > > > >
> > > >
> > > > I can take a look at this. Can you give me some pointers in the
> > > > code so that I know where to start?
> > > >
> > > > > 2. On the application server side, it should be able to query and
> > > > > extract the token encapsulated in the authorization data
> > > > > field in the service ticket. This should be doable now, because
> > > > > a proposal from me quite some time ago had already been accepted by
> > > > > Oracle Java, as recorded in the following ticket, though I
> > > > > hadn't got the chance to verify it using the latest JDK update like
> > > > > JDK8.
> > > > >
> > > > > JDK-8044085, our extension proposal accepted and committed:
> > > > > allowing querying the authorization data field of the service ticket.
> > > > > https://bugs.openjdk.java.net/browse/JDK-8044085
> > > > >
> > > >
> > > > The JDK service ticket only refers to SASL. If I'm just using GSS
> > > > on the service side, is it already supported? If so, how can I
> > > > extract it?
> > > >
> > > > Colm.
> > > >
> > > > > So in summary, if you want to try this, I would suggest please
> > > > > go ahead since it's doable now. Please let me know if you have
> > > > > other questions.
> > > > >
> > > > > Regards,
> > > > > Kai
> > > > >
> > > > > -----Original Message-----
> > > > > From: Colm O hEigeartaigh [mailto:[email protected]]
> > > > > Sent: Thursday, June 16, 2016 5:54 PM
> > > > > To: [email protected]
> > > > > Subject: JWT pre-authentication - get JWT token on service side
> > > > >
> > > > > Hi all,
> > > > >
> > > > > For the JWT pre-authentication use-case, how can I get access to
> > > > > the token information on the service side?
> > > > >
> > > > > From the documentation: "The service authenticates the ticket,
> > > > > extracts the token derivation, then enforce any advanced
> > > > > authorization by employing the token derivation and token attributes"
> > > > >
> > > > > Is there an example in the code to look at?
> > > > >
> > > > > Colm.

-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
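The acceptor-side step that Kai describes in this thread (query KRB5_GET_AUTHZ_DATA on the established ExtendedGSSContext, then decode the ASN.1 authorization data yourself) is shown below as an added example. It is not code from the thread or from the Apache Kerby project. It uses only the JDK's com.sun.security.jgss API, whose documented return type for this query is an AuthorizationDataEntry[] (or null when the ticket carries none, or on a JDK that lacks the acceptor-side support tracked in JDK-8044085), and a small hand-written DER codec for the RFC 4120 AuthorizationData structure so that AD-IF-RELEVANT (ad-type 1) wrappers can be unwrapped without the Kerby ASN.1 classes. The ad-type number used for the token entry (AD_TOKEN_EXAMPLE) and the token bytes in main() are constructed placeholders for the example; the real value depends on what the KDC is configured to emit. Two caveats a service should keep in mind: RFC 4120 lets a client ask the KDC to copy its own authorization data into the ticket, so a token entry is only meaningful if the KDC is known not to pass such client-supplied data through unchecked (or the entry sits under AD-KDCIssued, ad-type 4, which this example does not verify); and this query only works on the acceptor side, never on the initiator, which is why the client-side validation discussed above needs the service key.

```java
import com.sun.security.jgss.AuthorizationDataEntry;
import com.sun.security.jgss.ExtendedGSSContext;
import com.sun.security.jgss.InquireType;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;

import java.io.ByteArrayOutputStream;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/** Acceptor-side extraction of an application token from Kerberos ticket authorization data. */
public final class AuthzDataExtractor {

    /** AD-IF-RELEVANT (RFC 4120 5.2.6.1): its ad-data is itself a DER-encoded AuthorizationData. */
    static final int AD_IF_RELEVANT = 1;

    /** ASSUMED placeholder ad-type for the token entry; not a value defined by Kerby or RFC 4120. */
    static final int AD_TOKEN_EXAMPLE = 1000;

    /** Flattened authorization data of an established acceptor context; empty if unavailable. */
    public static List<AuthorizationDataEntry> extractAuthzData(GSSContext ctx) throws GSSException {
        List<AuthorizationDataEntry> out = new ArrayList<>();
        if (!ctx.isEstablished() || !(ctx instanceof ExtendedGSSContext)) {
            return out;
        }
        // null: the ticket had no authorization-data field, or the JDK has no acceptor support.
        Object raw = ((ExtendedGSSContext) ctx).inquireSecContext(InquireType.KRB5_GET_AUTHZ_DATA);
        if (raw instanceof AuthorizationDataEntry[]) {
            flatten((AuthorizationDataEntry[]) raw, out);
        }
        return out;
    }

    /** Recursively unwraps AD-IF-RELEVANT containers; every other entry is kept as-is. */
    static void flatten(AuthorizationDataEntry[] entries, List<AuthorizationDataEntry> out) {
        for (AuthorizationDataEntry e : entries) {
            if (e.getType() == AD_IF_RELEVANT) {
                flatten(parseAuthorizationData(e.getData()), out);
            } else {
                out.add(e);
            }
        }
    }

    /** ad-data of the first entry with the given ad-type, or null if absent. */
    public static byte[] findEntry(List<AuthorizationDataEntry> entries, int adType) {
        for (AuthorizationDataEntry e : entries) {
            if (e.getType() == adType) {
                return e.getData();
            }
        }
        return null;
    }

    // Minimal DER codec for AuthorizationData (RFC 4120 5.2.6):
    //   SEQUENCE OF SEQUENCE { ad-type [0] Int32, ad-data [1] OCTET STRING }

    static AuthorizationDataEntry[] parseAuthorizationData(byte[] der) {
        byte[] seqOf = readTlv(der, new int[] {0}, 0x30);
        List<AuthorizationDataEntry> list = new ArrayList<>();
        int[] p = {0};
        while (p[0] < seqOf.length) {
            byte[] entry = readTlv(seqOf, p, 0x30);
            int[] q = {0};
            byte[] typeTag = readTlv(entry, q, 0xA0);   // [0] EXPLICIT INTEGER
            byte[] dataTag = readTlv(entry, q, 0xA1);   // [1] EXPLICIT OCTET STRING
            int type = new BigInteger(readTlv(typeTag, new int[] {0}, 0x02)).intValue();
            byte[] data = readTlv(dataTag, new int[] {0}, 0x04);
            list.add(new AuthorizationDataEntry(type, data));
        }
        return list.toArray(new AuthorizationDataEntry[0]);
    }

    /** Reads one TLV with the expected tag at pos[0], returns its content and advances pos. */
    static byte[] readTlv(byte[] buf, int[] pos, int expectedTag) {
        int tag = buf[pos[0]++] & 0xFF;
        if (tag != expectedTag) {
            throw new IllegalArgumentException("unexpected DER tag 0x" + Integer.toHexString(tag));
        }
        int len = buf[pos[0]++] & 0xFF;
        if (len == 0x80) {
            throw new IllegalArgumentException("indefinite length is not valid DER");
        }
        if (len > 0x80) {                       // long form: 0x8N then N big-endian length bytes
            int n = len & 0x7F;
            len = 0;
            for (int i = 0; i < n; i++) {
                len = (len << 8) | (buf[pos[0]++] & 0xFF);
            }
        }
        byte[] content = Arrays.copyOfRange(buf, pos[0], pos[0] + len);
        pos[0] += len;
        return content;
    }

    static byte[] tlv(int tag, byte[] content) {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        bos.write(tag);
        if (content.length < 0x80) {
            bos.write(content.length);
        } else {
            byte[] lenBytes = BigInteger.valueOf(content.length).toByteArray();
            if (lenBytes[0] == 0) {                // drop the sign byte BigInteger may prepend
                lenBytes = Arrays.copyOfRange(lenBytes, 1, lenBytes.length);
            }
            bos.write(0x80 | lenBytes.length);
            bos.write(lenBytes, 0, lenBytes.length);
        }
        bos.write(content, 0, content.length);
        return bos.toByteArray();
    }

    /** Encoder used only to build the constructed sample in main(); a KDC does this for real. */
    static byte[] encodeAuthorizationData(AuthorizationDataEntry... entries) {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        for (AuthorizationDataEntry e : entries) {
            byte[] t = tlv(0xA0, tlv(0x02, BigInteger.valueOf(e.getType()).toByteArray()));
            byte[] d = tlv(0xA1, tlv(0x04, e.getData()));
            byte[] body = Arrays.copyOf(t, t.length + d.length);
            System.arraycopy(d, 0, body, t.length, d.length);
            byte[] seq = tlv(0x30, body);
            bos.write(seq, 0, seq.length);
        }
        return tlv(0x30, bos.toByteArray());
    }

    public static void main(String[] args) {
        // Constructed sample (not a real ticket): the token wrapped in AD-IF-RELEVANT so that
        // acceptors which do not understand the inner ad-type can safely ignore it.
        byte[] token = "header.payload.signature".getBytes(StandardCharsets.US_ASCII);
        byte[] inner = encodeAuthorizationData(new AuthorizationDataEntry(AD_TOKEN_EXAMPLE, token));
        AuthorizationDataEntry[] fromTicket = { new AuthorizationDataEntry(AD_IF_RELEVANT, inner) };
        // In production, replace fromTicket with extractAuthzData(acceptorContext).
        List<AuthorizationDataEntry> flat = new ArrayList<>();
        flatten(fromTicket, flat);
        byte[] found = findEntry(flat, AD_TOKEN_EXAMPLE);
        System.out.println(found == null ? "no token entry" : new String(found, StandardCharsets.US_ASCII));
    }
}
```

On a real acceptor, the GSSContext passed to extractAuthzData is the one created by GSSManager.createContext(serverCredential) and driven to completion with acceptSecContext inside Subject.doAs with the service keytab's Subject; the bytes fed to acceptSecContext are the GSS-API AP-REQ token the client puts in the SOAP header, not the bare Ticket structure that SgtTicket wraps.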
