Hi Kai,

Could you take a look at the @Ignore'd test-case I just committed:
https://git1-us-west.apache.org/repos/asf?p=directory-kerby.git;a=blobdiff;f=kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/GssInteropTest.java;h=7e0d269f6e0c19fb4f750dd98542a4d5011e1dc5;hp=832d59dda4b0b0739ef5a1228da0b7bb20c10ab9;hb=1bce738d;hpb=79d4a584129026bcf920dd1ae5c28c27c6971412

It gets a SgtTicket using Kerby and tries to get the resulting service token in byte array form to validate with GSS. Running the test leads to:

Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)

I get the same error if I just do "sgtTicket.getTicket().encode()".

Colm.

On Thu, Jun 23, 2016 at 9:26 PM, Zheng, Kai <[email protected]> wrote:

> I’m just back from my sleep. ☺
>
> Regarding how to get the service ticket from SgtTicket object in bytes, probably you do sgtTicket.getTicket().encode(). If it doesn’t work, please reference the codes in CredCacheOutputStream.java to see how it stores a ticket in a file.
>
> Regards,
> Kai
>
> From: Colm O hEigeartaigh [mailto:[email protected]]
> Sent: Thursday, June 23, 2016 11:25 PM
> To: Zheng, Kai <[email protected]>
> Cc: [email protected]
> Subject: Re: JWT pre-authentication - get JWT token on service side
>
> On Thu, Jun 23, 2016 at 3:28 PM, Zheng, Kai <[email protected]> wrote:
>
> I see. Why do you want to validate it using GSS on the client side? Because the client gets it and then should just trust it, right? To validate a service ticket needs the service key or keytab, which is why I thought it could be on the server side.
>
> Just to test that it works! See the unit test called "unitGSSTest" here:
>
> https://github.com/coheigea/testcases/blob/master/apache/cxf/cxf-kerberos-kerby/src/test/java/org/apache/coheigea/cxf/kerberos/authentication/AuthenticationTest.java
>
> Using the GSS API I do:
>
> byte[] ticket = (byte[]) Subject.doAs(clientSubject, action);
> ...
> validateServiceTicket(ticket);
>
> I got your scenario. Are you able to obtain the service ticket or not? You seem to because you said you can use a JWT token for that. But then you asked how to access the service ticket on the client side using the Kerby API. Did you have the SgtTicket in hand? If yes, I thought then you can extract something from it to put into the SOAP header. Could you point to the relevant spec about that? I may then have a concrete idea to help.
>
> Yes I have the SgtTicket in hand. Now I want to extract the service ticket from this class as an array of bytes, similar to what I get above from Subject.doAs using the GSS API. I know how to put the Kerberos token in the SOAP header, my question is how to get it from SgtTicket in the first place :-)
>
> Thanks again for your help,
>
> Colm.
>
> Regards,
> Kai
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:[email protected]]
> Sent: Thursday, June 23, 2016 9:40 PM
> To: [email protected]
> Subject: Re: JWT pre-authentication - get JWT token on service side
>
> On Thu, Jun 23, 2016 at 2:31 PM, Zheng, Kai <[email protected]> wrote:
>
> >> How do I extract the token from SgtTicket that I can validate using GSS?
> >
> > Sorry, but where do you want to do this? App client side or server side? If on server side, I thought you have already made it, as your previous email notified, being able to query/extract the authorization data and get token from it. Would you clarify a bit?
>
> On the client side. So what I want to do is use the Kerby API to get a service ticket (using a JWT token) and then extract the ticket from the KDC response + validate it using GSS. For example, for SOAP web services, the service ticket is inserted into the SOAP header of the web services call in BASE-64 format.
> So the question is, how can I get access to the service ticket on the client side using the Kerby API?
>
> Thanks,
>
> Colm.
>
> > Regards,
> > Kai
> >
> > From: Colm O hEigeartaigh [mailto:[email protected]]
> > Sent: Thursday, June 23, 2016 7:59 PM
> > To: Zheng, Kai <[email protected]>
> > Cc: [email protected]
> > Subject: Re: JWT pre-authentication - get JWT token on service side
> >
> > Hi Kai,
> >
> > On Wed, Jun 22, 2016 at 3:11 PM, Zheng, Kai <[email protected]> wrote:
> >
> > Great question. Here, what you need would be a login module using token, and the module will send the token to KDC for a TGT to get a SGT that's to be used in a GSS session. We already have the module, please look at TokenAuthLoginModule.
> >
> > From what I can see, the TokenAuthLoginModule just gets the TGT and not the SGT. However, I can get the service ticket easily enough via the Kerby API from this. How do I extract the token from SgtTicket that I can validate using GSS?
> >
> > Regards,
> > Kai
> >
> > -----Original Message-----
> > From: Colm O hEigeartaigh [mailto:[email protected]]
> > Sent: Wednesday, June 22, 2016 9:36 PM
> > To: [email protected]
> > Subject: Re: JWT pre-authentication - get JWT token on service side
> >
> > Hi all,
> >
> > Some more questions on this task:
> >
> > 1) Kai, you mentioned the AuthzToken type. Is this defined somewhere so that I can add it in to the AuthorizationType class?
> >
> > 2) Currently, the TokenIssuer class asks the IdentityService for the authorization data. However, the IdentityService doesn't have access to the token.
> > Is it reasonable default behaviour to insert the received token in the TokenIssuer as the authorization data, and if none exists fall back to ask the IdentityService for any authorization data?
> >
> > 3) I can extract the token on the service side using the GSS API in the way suggested by Kai. However, how can I send the token to the KDC on the client side using GSS?
> >
> > Thanks,
> >
> > Colm.
> >
> > On Fri, Jun 17, 2016 at 4:41 PM, Zheng, Kai <[email protected]> wrote:
> >
> > > It's not a bug. It works that way, the temp value will be there only after you have decoded/decrypted the part.
> > >
> > > Note SGT is used/consumed in app server side, and can be decrypted using the server ticket/key. I suggest you try this in the GssAppTest codes using the example code I provided in my last email, where you should be able to query/extract the authorization data. If you put the token in the authorization data, then after decoding it, you could extract token from it. I remembered we had defined the AuthzToken type for this actually but guess it's not used yet.
> > >
> > > Regards,
> > > Kai
> > >
> > > -----Original Message-----
> > > From: Colm O hEigeartaigh [mailto:[email protected]]
> > > Sent: Friday, June 17, 2016 7:21 PM
> > > To: [email protected]
> > > Subject: Re: JWT pre-authentication - get JWT token on service side
> > >
> > > Thanks Kai and Jiajia!
> > >
> > > I'm trying to get access to the authorization data using the Kerby API after getting a service ticket:
> > >
> > > SgtTicket tkt = tokenClient.requestSgt(krbToken, serverPrinc, cCacheFile.getPath());
> > >
> > > However the following is null:
> > >
> > > tkt.getTicket().getEncPart()
> > >
> > > Is this a bug or how else can I parse the ticket to get the authorization data?
> > >
> > > Colm.
> > >
> > > On Thu, Jun 16, 2016 at 1:01 PM, Zheng, Kai <[email protected]> wrote:
> > >
> > > > Thanks Jiajia for the first question!
> > > >
> > > > For the second one, since you're using GSS the even lower level, which is more fine, and should be totally doable. Ref. the following doc:
> > > >
> > > > https://docs.oracle.com/javase/7/docs/jre/api/security/jgss/spec/com/sun/security/jgss/ExtendedGSSContext.html
> > > >
> > > > GSSContext ctxt = m.createContext(...)
> > > > // Establishing the context
> > > > if (ctxt instanceof ExtendedGSSContext) {
> > > >     ExtendedGSSContext ex = (ExtendedGSSContext)ctxt;
> > > >     try {
> > > >         Key key = (Key)ex.inquireSecContext(InquireType.KRB5_GET_SESSION_KEY);
> > > >         // read key info
> > > >     } catch (GSSException gsse) {
> > > >         // deal with exception
> > > >     }
> > > > }
> > > >
> > > > As you can see, after establishing the GSS context you can query the SESSION_KEY from the layer. You can also query AUTHZ_DATA field similarly!
> > > > After you get authz data, it's up to you to decode it, say using Kerby library to decode the ASN1 object and extract any info in it like the token.
> > > >
> > > > Regards,
> > > > Kai
> > > >
> > > > -----Original Message-----
> > > > From: Li, Jiajia [mailto:[email protected]]
> > > > Sent: Thursday, June 16, 2016 7:50 PM
> > > > To: [email protected]; [email protected]
> > > > Subject: RE: JWT pre-authentication - get JWT token on service side
> > > >
> > > > Hi Colm,
> > > >
> > > > For the first question: I think now the token has not been put into the issued service ticket as authorization data. You can look at issueTicket()#TgsRequest.java in server side for detail.
> > > >
> > > > Regards,
> > > > Jiajia
> > > >
> > > > -----Original Message-----
> > > > From: Colm O hEigeartaigh [mailto:[email protected]]
> > > > Sent: Thursday, June 16, 2016 7:19 PM
> > > > To: [email protected]
> > > > Subject: Re: JWT pre-authentication - get JWT token on service side
> > > >
> > > > Thanks Kai. A few questions below.
> > > >
> > > > On Thu, Jun 16, 2016 at 11:33 AM, Zheng, Kai <[email protected]> wrote:
> > > >
> > > > > 1. For issuing service ticket, the token used to do the authentication or a token derivation was put into the issued service ticket as authorization data. I'm not sure in current Kerby impl, it has done this or not. If not, it should be not difficult to support it, considering we have some Kerby authorization support now.
> > > >
> > > > I can take a look at this.
> > > > Can you give me some pointers in the code so that I know where to start?
> > > >
> > > > > 2. In application server side, it should be able to query and extract out the token encapsulated in the authorization data field in the service ticket. This should be doable now, because a proposal from me quite some time ago had already been accepted by Oracle Java, as recorded in the following ticket, though I hadn't got the chance to verify it using latest JDK update like JDK8.
> > > > >
> > > > > JDK-8044085, our extension proposal accepted and committed: allowing querying authorization data field of service ticket.
> > > > > https://bugs.openjdk.java.net/browse/JDK-8044085
> > > >
> > > > The JDK service ticket only refers to SASL. If I'm just using GSS on the service side, is it already supported? If so, how can I extract it?
> > > >
> > > > Colm.
> > > >
> > > > > So in summary, if you want to try this, I would suggest please go ahead since it's doable now. Please let me know if you have other questions.
> > > > >
> > > > > Regards,
> > > > > Kai
> > > > >
> > > > > -----Original Message-----
> > > > > From: Colm O hEigeartaigh [mailto:[email protected]]
> > > > > Sent: Thursday, June 16, 2016 5:54 PM
> > > > > To: [email protected]
> > > > > Subject: JWT pre-authentication - get JWT token on service side
> > > > >
> > > > > Hi all,
> > > > >
> > > > > For the JWT pre-authentication use-case, how can I get access to the token information on the service side?
> > > > >
> > > > > From the documentation: "The service authenticates the ticket, extracts the token derivation, then enforce any advanced authorization by employing the token derivation and token attributes"
> > > > >
> > > > > Is there an example in the code to look at?
> > > > >
> > > > > Colm.
> > > > >
> > > > > --
> > > > > Colm O hEigeartaigh
> > > > >
> > > > > Talend Community Coder
> > > > > http://coders.talend.com

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
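The "GSSHeader did not find the right tag" error in the thread is what JGSS raises when the bytes it is given do not start with 0x60, the [APPLICATION 0] tag of a GSS-API InitialContextToken (RFC 2743 section 3.1: that tag, a DER length, the Kerberos mechanism OID, then the 01 00 token id of RFC 4121 and a KRB_AP_REQ); a Kerberos Ticket encodes as [APPLICATION 1] and starts with 0x61, so the output of sgtTicket.getTicket().encode() is rejected before any validation happens. The Python below is an added example, not code from the thread or from Apache Kerby, that classifies a blob by its header and shows the framing an AP-REQ needs (Python rather than Java because the check is purely about bytes). The sample blobs are constructed placeholders; a real context token must carry a complete KRB_AP_REQ, ticket plus an authenticator encrypted under the session key, which this example does not build.

```python
# Added example (not from this thread or Apache Kerby): classify a Kerberos blob by its header.
KRB5_MECH_OID = bytes.fromhex("2a864886f712010202")  # OID 1.2.840.113554.1.2.2, DER-encoded
TOKEN_IDS = {b"\x01\x00": "gss-krb5-ap-req",   # KRB_AP_REQ token id (RFC 4121 4.1)
             b"\x02\x00": "gss-krb5-ap-rep",   # KRB_AP_REP
             b"\x03\x00": "gss-krb5-error"}    # KRB_ERROR

def _read_der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("unsupported DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def _der_length(n):
    """Encode n as a DER length, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def classify_token(blob):
    """Name the kind of blob, judged from the leading ASN.1 tag and GSS header."""
    if not blob:
        return "empty"
    if blob[0] == 0x61:        # [APPLICATION 1] Ticket: what Ticket.encode() produces
        return "bare-kerberos-ticket"
    if blob[0] == 0x6E:        # [APPLICATION 14] AP-REQ with no GSS framing
        return "bare-ap-req"
    if blob[0] != 0x60:        # [APPLICATION 0] InitialContextToken is what GSS wants
        return "not-a-gss-token"
    try:
        length, pos = _read_der_length(blob, 1)
        if pos + length != len(blob) or blob[pos] != 0x06:   # an OBJECT IDENTIFIER follows
            return "malformed-gss-header"
        oid_len, pos = _read_der_length(blob, pos + 1)
    except (ValueError, IndexError):
        return "malformed-gss-header"
    oid, pos = bytes(blob[pos:pos + oid_len]), pos + oid_len
    if oid != KRB5_MECH_OID:
        return "gss-other-mechanism"
    return TOKEN_IDS.get(bytes(blob[pos:pos + 2]), "gss-krb5-unknown-token-id")

def frame_krb5_ap_req(ap_req_der):
    """Wrap a DER KRB_AP_REQ in the RFC 2743 InitialContextToken framing GSS expects."""
    inner = b"\x06" + _der_length(len(KRB5_MECH_OID)) + KRB5_MECH_OID + b"\x01\x00" + ap_req_der
    return b"\x60" + _der_length(len(inner)) + inner
```

Running classify_token over the bytes a test hands to GSS makes the "bare-kerberos-ticket" case visible before GSSContext rejects it.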
