Sorry for the delay. I just got a chance to look at the code closely.

I thought it's clearly right in the following test, where it logs in first via 
JAAS, then gets the TGT, then the SGT, and at last wraps the SGT in a GSS token. 
It gets the GSS token (roughly an AppReq (of the SGT) in a token wrapper) and then 
lets it be validated against a server key.

    @Test
    public void testGss() throws Exception {
        Subject clientSubject = loginClientUsingTicketCache();
        Set<Principal> clientPrincipals = clientSubject.getPrincipals();
        Assert.assertFalse(clientPrincipals.isEmpty());

        // Get the TGT
        Set<KerberosTicket> privateCredentials =
                clientSubject.getPrivateCredentials(KerberosTicket.class);
        Assert.assertFalse(privateCredentials.isEmpty());
        KerberosTicket tgt = privateCredentials.iterator().next();
        Assert.assertNotNull(tgt);

        // Get the service ticket
        KerberosClientExceptionAction action =
                new 
KerberosClientExceptionAction(clientPrincipals.iterator().next(),
                        getServerPrincipal());

        byte[] kerberosToken = (byte[]) Subject.doAs(clientSubject, action);
        Assert.assertNotNull(kerberosToken);

        validateServiceTicket(kerberosToken);
    }

I don't think it's right here. The point is that the bytes to validate at the last 
step shouldn't be the SGT directly; instead, they should be a GSS token of the AppReq 
of the SGT. But you might ask how to generate the GSS token? I don't have a 
better idea than the way used in the above test method, that is to say, it's better 
to use the GSSAPI layer in the JRE directly, since the Kerby one isn't ready yet.

But how do you proceed in the way above? As you said in previous emails, you 
don't want to use JAAS login modules, but rather use the Kerby client API 
directly. I would suggest you still start with JAAS, doing everything you 
want in a JAAS login module (like calling the Kerby client API) to obtain a valid 
logged-in subject or security context, and then do the rest as you did in the 
above test method. It should work, like we did or will do in the 
token login module. 

    @Test
    @org.junit.Ignore
    public void testKerbyClientAndGssService() throws Exception {
        KrbClient client = getKrbClient();
        client.init();

        try {
            // Get a service ticket using Kerby APIs
            TgtTicket tgt = client.requestTgt(getClientPrincipal(), getClientPassword());
            Assert.assertNotNull(tgt);

            SgtTicket tkt = client.requestSgt(tgt, getServerPrincipal());
            Assert.assertNotNull(tkt);

            // Put the SGT into an in-memory credential cache
            Credential credential = new Credential(tkt, tgt.getClientPrincipal());
            CredentialCache cCache = new CredentialCache();
            cCache.addCredential(credential);
            cCache.setPrimaryPrincipal(tgt.getClientPrincipal());

            // Serialize the whole credential cache (FILE ccache format);
            // store(OutputStream) does the CredCacheOutputStream wrapping itself
            ByteArrayOutputStream bout = new ByteArrayOutputStream();
            cCache.store(bout);

            // Now validate the ticket using GSS (this is the step that fails with
            // "GSSHeader did not find the right tag": the bytes are a ccache, not a GSS token)
            validateServiceTicket(bout.toByteArray());
        } catch (Exception e) {
            e.printStackTrace();
            Assert.fail();
        }
    }

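As an added illustration (not code from this thread, from Kerby or from the JDK) of what the "GSS token of AppReq" above is on the wire, and why both the raw SGT and the ccache bytes fail with "GSSHeader did not find the right tag": the Kerberos V5 GSS-API mechanism puts the DER-encoded AP-REQ inside the RFC 2743 section 3.1 InitialContextToken header, that is, the [APPLICATION 0] tag 0x60, a DER length, the krb5 mechanism OID, and then the two-byte TOK_ID 01 00 from RFC 4121 section 4.1. The sample AP-REQ below is a constructed stand-in with the right outer tag only; a real one needs an Authenticator encrypted under the SGT session key.

```python
# Added example, not from the Kerby project or the JDK: the RFC 2743 section 3.1
# InitialContextToken framing that the Kerberos V5 GSS-API mechanism (RFC 4121
# section 4.1) puts around a DER-encoded AP-REQ.  The JDK's GSSHeader parser
# checks the very first byte for the [APPLICATION 0] tag 0x60 and fails with
# "GSSHeader did not find the right tag" on anything else.

# DER encoding of the krb5 mechanism OID 1.2.840.113554.1.2.2 (RFC 1964 1.1)
KRB5_MECH_OID_DER = bytes.fromhex("06092a864886f712010202")

# Two-byte TOK_ID in front of the inner Kerberos message (RFC 4121 section 4.1)
TOK_ID_AP_REQ = b"\x01\x00"
TOK_ID_AP_REP = b"\x02\x00"
TOK_ID_KRB_ERROR = b"\x03\x00"

# First byte of the DER message each TOK_ID must carry (RFC 4120 application
# tags): AP-REQ is [APPLICATION 14], AP-REP [APPLICATION 15], KRB-ERROR [30].
EXPECTED_INNER_TAG = {TOK_ID_AP_REQ: 0x6E, TOK_ID_AP_REP: 0x6F, TOK_ID_KRB_ERROR: 0x7E}

GSS_TOKEN_TAG = 0x60      # [APPLICATION 0] IMPLICIT SEQUENCE, constructed
KRB5_TICKET_TAG = 0x61    # Ticket ::= [APPLICATION 1] SEQUENCE (a raw SGT)
CCACHE_MAGIC = (b"\x05\x04", b"\x05\x03")  # FILE ccache version header


def der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def read_der_length(buf, pos):
    """Decode DER length octets at pos; return (length, offset after them)."""
    if pos >= len(buf):
        raise ValueError("truncated length")
    first, pos = buf[pos], pos + 1
    if first < 0x80:
        return first, pos
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
        raise ValueError("bad or truncated long-form length")
    return int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes


def wrap_initial_context_token(krb_msg_der, tok_id=TOK_ID_AP_REQ):
    """Frame a DER Kerberos message (normally an AP-REQ) as a GSS token."""
    if tok_id not in EXPECTED_INNER_TAG:
        raise ValueError("unknown TOK_ID")
    inner = KRB5_MECH_OID_DER + tok_id + krb_msg_der
    return bytes([GSS_TOKEN_TAG]) + der_length(len(inner)) + inner


def unwrap_initial_context_token(token):
    """The checks an acceptor makes before handing the AP-REQ to Kerberos.
    Returns (tok_id, krb_msg_der) or raises ValueError."""
    if not token or token[0] != GSS_TOKEN_TAG:
        raise ValueError("GSSHeader did not find the right tag")
    inner_len, pos = read_der_length(token, 1)
    if inner_len != len(token) - pos:
        raise ValueError("GSS token length does not match payload")
    if token[pos:pos + len(KRB5_MECH_OID_DER)] != KRB5_MECH_OID_DER:
        raise ValueError("mechanism OID is not krb5")
    pos += len(KRB5_MECH_OID_DER)
    tok_id, pos = token[pos:pos + 2], pos + 2
    expected = EXPECTED_INNER_TAG.get(tok_id)
    if expected is None:
        raise ValueError("unknown TOK_ID")
    body = token[pos:]
    if not body or body[0] != expected:
        raise ValueError("inner message has the wrong ASN.1 application tag")
    body_len, after = read_der_length(body, 1)
    if body_len != len(body) - after:
        raise ValueError("inner message length does not match")
    return tok_id, body


def rejection_reason(blob):
    """None if blob parses as a krb5 GSS initial token, else the error text."""
    try:
        unwrap_initial_context_token(blob)
        return None
    except ValueError as e:
        return str(e)


def describe_bytes(blob):
    """Diagnose what a byte array handed to validateServiceTicket really is."""
    if not blob:
        return "empty"
    if blob[0] == GSS_TOKEN_TAG:
        return "gss-initial-context-token"
    if blob[0] == KRB5_TICKET_TAG:
        return "raw-krb5-ticket"
    if blob[0] == EXPECTED_INNER_TAG[TOK_ID_AP_REQ]:
        return "raw-krb5-ap-req"
    if blob[:2] in CCACHE_MAGIC:
        return "credential-cache-file"
    return "unknown"


# Constructed stand-in for an AP-REQ: correct [APPLICATION 14] tag and DER
# framing around SEQUENCE { INTEGER 5 }, but not a real, encrypted AP-REQ.
SAMPLE_AP_REQ = b"\x6e\x05\x30\x03\x02\x01\x05"


def demo():
    """Wrap the sample AP-REQ and read it back; returns (token, tok_id, inner)."""
    token = wrap_initial_context_token(SAMPLE_AP_REQ)
    tok_id, inner = unwrap_initial_context_token(token)
    return token, tok_id, inner
```

The 0x60 check is the first thing the JDK's sun.security.jgss.GSSHeader does when the acceptor reads a token. A Ticket obtained with sgtTicket.getTicket().encode() starts with the [APPLICATION 1] tag 0x61, and a FILE-format ccache starts with the version bytes 05 04, so both are rejected before any Kerberos processing happens, which matches the exception in the thread. Going from Kerby's SgtTicket to something validateServiceTicket accepts therefore means building an AP-REQ (the ticket plus an Authenticator encrypted under the SGT session key) and wrapping it as above, which is what GSSContext.initSecContext does for you on the JAAS route.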
-----Original Message-----
From: Colm O hEigeartaigh [mailto:[email protected]] 
Sent: Wednesday, June 29, 2016 4:37 PM
To: [email protected]
Subject: Re: JWT pre-authentication - get JWT token on service side

Sure, no rush :-)

Colm.

On Wed, Jun 29, 2016 at 2:48 AM, Zheng, Kai <[email protected]> wrote:

> Hi Colm, I will look at this late of today. Hope it works for you.
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:[email protected]]
> Sent: Tuesday, June 28, 2016 10:00 PM
> To: [email protected]
> Subject: Re: JWT pre-authentication - get JWT token on service side
>
> Hi Kai,
>
> Could you take a look at the @Ignore'd test-case I just committed:
>
>
> https://git1-us-west.apache.org/repos/asf?p=directory-kerby.git;a=blobdiff;f=kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/GssInteropTest.java;h=7e0d269f6e0c19fb4f750dd98542a4d5011e1dc5;hp=832d59dda4b0b0739ef5a1228da0b7bb20c10ab9;hb=1bce738d;hpb=79d4a584129026bcf920dd1ae5c28c27c6971412
>
> It gets a SgtTicket using Kerby and tries to get the resulting service 
> token in byte array form to validate with GSS. Running the test leads to:
>
> Caused by: GSSException: Defective token detected (Mechanism level:
> GSSHeader did not find the right tag)
>
> I get the same error if I just do "sgtTicket.getTicket().encode()".
>
> Colm.
>
> On Thu, Jun 23, 2016 at 9:26 PM, Zheng, Kai <[email protected]> wrote:
>
> > I’m just back from my sleep. ☺
> >
> > Regarding how to get the service ticket from the SgtTicket object in 
> > bytes, probably you do sgtTicket.getTicket().encode(). If it doesn't 
> > work, please reference the code in CredCacheOutputStream.java to 
> > see how it stores a ticket in a file.
> >
> > Regards,
> > Kai
> >
> > From: Colm O hEigeartaigh [mailto:[email protected]]
> > Sent: Thursday, June 23, 2016 11:25 PM
> > To: Zheng, Kai <[email protected]>
> > Cc: [email protected]
> > Subject: Re: JWT pre-authentication - get JWT token on service side
> >
> >
> > On Thu, Jun 23, 2016 at 3:28 PM, Zheng, Kai <[email protected]> wrote:
> > I see. Why do you want to validate it using GSS on the client side?
> > Because the client gets it and then should just trust it, right? 
> > Validating a service ticket needs the service key or keytab, which is 
> > why I thought it could be on the server side.
> >
> > Just to test that it works! See the unit test called "unitGSSTest" here:
> >
> >
> > https://github.com/coheigea/testcases/blob/master/apache/cxf/cxf-kerberos-kerby/src/test/java/org/apache/coheigea/cxf/kerberos/authentication/AuthenticationTest.java
> > Using the GSS API I do:
> >
> > byte[] ticket = (byte[]) Subject.doAs(clientSubject, action); ...
> > validateServiceTicket(ticket);
> >
> >
> > I got your scenario. Are you able to obtain the service ticket or not?
> > You seem to because you said you can use a JWT token for that. But then 
> > you asked how to access the service ticket on the client side using 
> > the Kerby API. Did you have the SgtTicket in hand? If yes, I thought 
> > then you can extract something from it to put into the SOAP header. 
> > Could you point to the relevant spec about that? I may then have a concrete 
> > idea to help.
> >
> > Yes I have the SgtTicket in hand. Now I want to extract the service
> > ticket from this class as an array of bytes, similar to what I get above 
> > from Subject.doAs using the GSS API. I know how to put the Kerberos 
> > token in the SOAP header, my question is how to get it from SgtTicket 
> > in the first place :-)
> > Thanks again for your help,
> >
> > Colm.
> >
> >
> > Regards,
> > Kai
> >
> > -----Original Message-----
> > From: Colm O hEigeartaigh [mailto:[email protected]]
> > Sent: Thursday, June 23, 2016 9:40 PM
> > To: [email protected]
> > Subject: Re: JWT pre-authentication - get JWT token on service side
> >
> > On Thu, Jun 23, 2016 at 2:31 PM, Zheng, Kai <[email protected]> wrote:
> >
> > >
> > > >> How do I extract the token from SgtTicket that I can validate 
> > > >> using GSS?
> > > Sorry, but where do you want to do this? App client side or server
> > > side? If on the server side, I thought you had already done it, as your 
> > > previous email noted, being able to query/extract the 
> > > authorization data and get the token from it. Would you clarify a bit?
> > >
> >
> > On the client side. So what I want to do is use the Kerby API to get 
> > a service ticket (using a JWT token) and then extract the ticket 
> > from the KDC response + validate it using GSS. For example, for SOAP web 
> > services, the service ticket is inserted into the SOAP header of the 
> > web services call in BASE-64 format. So the question is, how can I get 
> > access to the service ticket on the client side using the Kerby API?
> >
> > Thanks,
> >
> > Colm.
> >
> >
> > >
> > > Regards,
> > > Kai
> > >
> > > From: Colm O hEigeartaigh [mailto:[email protected]]
> > > Sent: Thursday, June 23, 2016 7:59 PM
> > > To: Zheng, Kai <[email protected]>
> > > Cc: [email protected]
> > > Subject: Re: JWT pre-authentication - get JWT token on service side
> > >
> > > Hi Kai,
> > >
> > > On Wed, Jun 22, 2016 at 3:11 PM, Zheng, Kai <[email protected]> wrote:
> > >
> > > Great question. Here what you need would be a login module using a 
> > > token, and the module will send the token to the KDC for a TGT to get 
> > > an SGT that's to be used in a GSS session. We already have the 
> > > module; please look at TokenAuthLoginModule.
> > >
> > > From what I can see, the TokenAuthLoginModule just gets the TGT 
> > > and not the SGT. However, I can get the service ticket easily 
> > > enough via the Kerby API from this. How do I extract the token 
> > > from SgtTicket that I can validate using GSS?
> > >
> > >
> > > Regards,
> > > Kai
> > >
> > > -----Original Message-----
> > > From: Colm O hEigeartaigh [mailto:[email protected]]
> > > Sent: Wednesday, June 22, 2016 9:36 PM
> > > To: [email protected]
> > > Subject: Re: JWT pre-authentication - get JWT token on service side
> > >
> > > Hi all,
> > >
> > > Some more questions on this task:
> > >
> > > 1) Kai, you mentioned the AuthzToken type. Is this defined 
> > > somewhere so that I can add it in to the AuthorizationType class?
> > >
> > > 2) Currently, the TokenIssuer class asks the IdentityService for 
> > > the authorization data. However, the IdentityService doesn't have 
> > > access to the token. Is it reasonable default behaviour to insert 
> > > the received token in the TokenIssuer as the authorization data, 
> > > and if none exists fall back to ask the IdentityService for any 
> > > authorization
> > data?
> > >
> > > 3) I can extract the token on the service side using the GSS API 
> > > in the way suggested by Kai. However, how can I send the token to 
> > > the KDC on the client side using GSS?
> > >
> > > Thanks,
> > >
> > > Colm.
> > >
> > > On Fri, Jun 17, 2016 at 4:41 PM, Zheng, Kai <[email protected]> wrote:
> > >
> > > > It's not a bug. It works that way: the temp value will be there 
> > > > only after you have decoded/decrypted the part.
> > > >
> > > > Note the SGT is used/consumed on the app server side, and can be 
> > > > decrypted using the server ticket/key. I suggest you try this in 
> > > > the GssAppTest code using the example code I provided in my 
> > > > last email, where you should be able to query/extract the 
> > > > authorization data. If you put the token in the authorization 
> > > > data, then after decoding it, you could extract the token from it. I 
> > > > remember we had defined the AuthzToken type for this actually but 
> > > > guess it's not used yet.
> > > >
> > > > Regards,
> > > > Kai
> > > >
> > > > -----Original Message-----
> > > > From: Colm O hEigeartaigh [mailto:[email protected]]
> > > > Sent: Friday, June 17, 2016 7:21 PM
> > > > To: [email protected]
> > > > Subject: Re: JWT pre-authentication - get JWT token on service side
> > > >
> > > > Thanks Kai and Jiajia!
> > > >
> > > > I'm trying to get access to the authorization data using the 
> > > > Kerby API after getting a service ticket:
> > > >
> > > > SgtTicket tkt = tokenClient.requestSgt(krbToken, serverPrinc, 
> > > > cCacheFile.getPath());
> > > >
> > > > However the following is null:
> > > >
> > > > tkt.getTicket().getEncPart()
> > > >
> > > > Is this a bug or how else can I parse the ticket to get the 
> > > > authorization data?
> > > >
> > > > Colm.
> > > >
> > > > On Thu, Jun 16, 2016 at 1:01 PM, Zheng, Kai <[email protected]> wrote:
> > > >
> > > > > Thanks Jiajia for the first question!
> > > > >
> > > > > For the second one, since you're using GSS, the even lower 
> > > > > level, which is fine, it should be totally doable. Ref. 
> > > > > the following doc:
> > > > >
> > > > > https://docs.oracle.com/javase/7/docs/jre/api/security/jgss/spec/com/sun/security/jgss/ExtendedGSSContext.html
> > > > >
> > > > >       GSSContext ctxt = m.createContext(...)
> > > > >       // Establishing the context
> > > > >       if (ctxt instanceof ExtendedGSSContext) {
> > > > >           ExtendedGSSContext ex = (ExtendedGSSContext)ctxt;
> > > > >           try {
> > > > >               Key key = (Key)ex.inquireSecContext(
> > > > >                       InquireType.KRB5_GET_SESSION_KEY);
> > > > >               // read key info
> > > > >           } catch (GSSException gsse) {
> > > > >               // deal with exception
> > > > >           }
> > > > >       }
> > > > >
> > > > > As you can see, after establishing the GSS context, you can 
> > > > > query the SESSION_KEY from the layer. You can also query the 
> > > > > AUTHZ_DATA field similarly!
> > > > > After you get the authz data, it's up to you to decode it, say 
> > > > > using the Kerby library to decode the ASN1 object and extract any 
> > > > > info in it like the token.
> > > > >
> > > > > Regards,
> > > > > Kai
> > > > >
> > > > > -----Original Message-----
> > > > > From: Li, Jiajia [mailto:[email protected]]
> > > > > Sent: Thursday, June 16, 2016 7:50 PM
> > > > > To: [email protected]; [email protected]
> > > > > Subject: RE: JWT pre-authentication - get JWT token on service side
> > > > >
> > > > > Hi Colm,
> > > > >
> > > > > For the first question: I think right now the token has not been put 
> > > > > into the issued service ticket as authorization data. You can 
> > > > > look at issueTicket() in TgsRequest.java on the server side for details.
> > > > >
> > > > > Regards,
> > > > > Jiajia
> > > > >
> > > > > -----Original Message-----
> > > > > From: Colm O hEigeartaigh [mailto:[email protected]]
> > > > > Sent: Thursday, June 16, 2016 7:19 PM
> > > > > To: [email protected]
> > > > > Subject: Re: JWT pre-authentication - get JWT token on service side
> > > > >
> > > > > Thanks Kai. A few questions below.
> > > > >
> > > > > On Thu, Jun 16, 2016 at 11:33 AM, Zheng, Kai <[email protected]> wrote:
> > > > >
> > > > > >
> > > > > > 1. For issuing a service ticket, the token used to do the 
> > > > > > authentication, or a token derivation, was put into the issued 
> > > > > > service ticket as authorization data. I'm not sure whether the 
> > > > > > current Kerby impl has done this or not. If not, it 
> > > > > > should not be difficult to support, considering we have 
> > > > > > some Kerby authorization support now.
> > > > > >
> > > > >
> > > > > I can take a look at this. Can you give me some pointers in 
> > > > > the code so that I know where to start?
> > > > >
> > > > >
> > > > > >
> > > > > > 2. On the application server side, it should be able to query 
> > > > > > and extract the token encapsulated in the authorization 
> > > > > > data field in the service ticket. This should be doable now, 
> > > > > > because a proposal from me quite some time ago had already been 
> > > > > > accepted by Oracle Java, as recorded in the following 
> > > > > > ticket, though I hadn't got the chance to verify it using the 
> > > > > > latest JDK update like JDK8.
> > > > > >
> > > > > > JDK-8044085, our extension proposal accepted and committed:
> > > > > > allowing querying authorization data field of service ticket.
> > > > > > https://bugs.openjdk.java.net/browse/JDK-8044085
> > > > >
> > > > >
> > > > > The JDK service ticket only refers to SASL. If I'm just using 
> > > > > GSS on the service side, is it already supported? If so, how 
> > > > > can I extract it?
> > > > >
> > > > > Colm.
> > > > >
> > > > >
> > > > > >
> > > > > >
> > > > > > So in summary, if you want to try this, I would suggest 
> > > > > > please go ahead since it's doable now. Please let me know if 
> > > > > > you have other questions.
> > > > > >
> > > > > > Regards,
> > > > > > Kai
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: Colm O hEigeartaigh [mailto:[email protected]]
> > > > > > Sent: Thursday, June 16, 2016 5:54 PM
> > > > > > To: [email protected]
> > > > > > Subject: JWT pre-authentication - get JWT token on service side
> > > > > >
> > > > > > Hi all,
> > > > > >
> > > > > > For the JWT pre-authentication use-case, how can I get 
> > > > > > access to the token information on the service side?
> > > > > >
> > > > > > From the documentation: "The service authenticates the 
> > > > > > ticket, extracts the token derivation, then enforce any 
> > > > > > advanced authorization by employing the token derivation and 
> > > > > > token attributes"
> > > > > >
> > > > > > Is there an example in the code to look at?
> > > > > >
> > > > > > Colm.
> > > > > >
> > > > > >
> > > > > > --
> > > > > > Colm O hEigeartaigh
> > > > > >
> > > > > > Talend Community Coder
> > > > > > http://coders.talend.com
> > > > > >
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Colm O hEigeartaigh
> > > > >
> > > > > Talend Community Coder
> > > > > http://coders.talend.com
> > > > >
> > > >
> > > >
> > > >
> > > > --
> > > > Colm O hEigeartaigh
> > > >
> > > > Talend Community Coder
> > > > http://coders.talend.com
> > > >
> > >
> > >
> > >
> > > --
> > > Colm O hEigeartaigh
> > >
> > > Talend Community Coder
> > > http://coders.talend.com
> > >
> >
> >
> >
> > --
> > Colm O hEigeartaigh
> >
> > Talend Community Coder
> > http://coders.talend.com
> >
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
