Hi Kai,

Thanks for your reply. Ok, writing a JAAS LoginModule that wraps the Kerby API is fine with me. However, if I look at the existing TokenAuthLoginModule, it just adds the credential via:

    subject.getPublicCredentials().add(krbToken);

It looks like GSS needs the TGT to be encoded in the Subject somehow? Please look at the following @Ignore'd test. I'm getting the Subject using the TokenAuthLoginModule and then attempting to get a service ticket using the GSS API and the Subject. It fails with:

    Caused by: org.ietf.jgss.GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)

https://git1-us-west.apache.org/repos/asf?p=directory-kerby.git;a=commit;h=68933ae0

Colm.

On Fri, Jul 1, 2016 at 2:22 AM, Zheng, Kai <[email protected]> wrote:

> Sorry for the delay. Just got a chance to look at the code closely.
>
> I thought it's clearly right in the following test, where it logs in first via JAAS, then gets the TGT, then the SGT, and then at last you wrap the SGT in a GSS token. It got the GSS token (roughly an AppReq (of the SGT) in a token wrapper) and then let it be validated against a server key.
>
>     @Test
>     public void testGss() throws Exception {
>         Subject clientSubject = loginClientUsingTicketCache();
>         Set<Principal> clientPrincipals = clientSubject.getPrincipals();
>         Assert.assertFalse(clientPrincipals.isEmpty());
>
>         // Get the TGT
>         Set<KerberosTicket> privateCredentials =
>             clientSubject.getPrivateCredentials(KerberosTicket.class);
>         Assert.assertFalse(privateCredentials.isEmpty());
>         KerberosTicket tgt = privateCredentials.iterator().next();
>         Assert.assertNotNull(tgt);
>
>         // Get the service ticket
>         KerberosClientExceptionAction action =
>             new KerberosClientExceptionAction(clientPrincipals.iterator().next(),
>                                               getServerPrincipal());
>
>         byte[] kerberosToken = (byte[]) Subject.doAs(clientSubject, action);
>         Assert.assertNotNull(kerberosToken);
>
>         validateServiceTicket(kerberosToken);
>     }
>
> I don't think it's right here. The point is the bytes to validate at the last step shouldn't be the SGT directly; instead, it should be a GSS token of the AppReq of the SGT. But you might ask how to generate the GSS token?
> I don't have a better idea than the way used in the above test method, that's to say, better to use the GSSAPI layer in the JRE directly, since the Kerby one hasn't been ready yet.
>
> But how do you proceed in the way as above? As you told in previous emails, you don't want to use JAAS login modules, but rather use the Kerby client API directly. I would suggest you still start with JAAS, doing everything you want in a JAAS login module (like calling the Kerby client API) and obtain a valid logged-in subject or security context, and then do the rest as you did in the above test method. It should be able to work, like we did or will do in the token login module.
>
>     @Test
>     @org.junit.Ignore
>     public void testKerbyClientAndGssService() throws Exception {
>         KrbClient client = getKrbClient();
>         client.init();
>
>         try {
>             // Get a service ticket using Kerby APIs
>             TgtTicket tgt = client.requestTgt(getClientPrincipal(), getClientPassword());
>             Assert.assertTrue(tgt != null);
>
>             SgtTicket tkt = client.requestSgt(tgt, getServerPrincipal());
>             Assert.assertTrue(tkt != null);
>
>             Credential credential = new Credential(tkt, tgt.getClientPrincipal());
>             CredentialCache cCache = new CredentialCache();
>             cCache.addCredential(credential);
>             cCache.setPrimaryPrincipal(tgt.getClientPrincipal());
>
>             ByteArrayOutputStream bout = new ByteArrayOutputStream();
>             CredCacheOutputStream os = new CredCacheOutputStream(bout);
>             cCache.store(bout);
>             os.close();
>
>             // Now validate the ticket using GSS
>             validateServiceTicket(bout.toByteArray());
>         } catch (Exception e) {
>             e.printStackTrace();
>             Assert.fail();
>         }
>     }
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:[email protected]]
> Sent: Wednesday, June 29, 2016 4:37 PM
> To: [email protected]
> Subject: Re: JWT pre-authentication - get JWT token on service side
>
> Sure, no rush :-)
>
> Colm.
>
> On Wed, Jun 29, 2016 at 2:48 AM, Zheng, Kai <[email protected]> wrote:
>
> > Hi Colm, I will look at this later today. Hope it works for you.
> >
> > -----Original Message-----
> > From: Colm O hEigeartaigh [mailto:[email protected]]
> > Sent: Tuesday, June 28, 2016 10:00 PM
> > To: [email protected]
> > Subject: Re: JWT pre-authentication - get JWT token on service side
> >
> > Hi Kai,
> >
> > Could you take a look at the @Ignore'd test-case I just committed:
> >
> > https://git1-us-west.apache.org/repos/asf?p=directory-kerby.git;a=blobdiff;f=kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/GssInteropTest.java;h=7e0d269f6e0c19fb4f750dd98542a4d5011e1dc5;hp=832d59dda4b0b0739ef5a1228da0b7bb20c10ab9;hb=1bce738d;hpb=79d4a584129026bcf920dd1ae5c28c27c6971412
> >
> > It gets an SgtTicket using Kerby and tries to get the resulting service token in byte array form to validate with GSS. Running the test leads to:
> >
> >     Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
> >
> > I get the same error if I just do "sgtTicket.getTicket().encode()".
> >
> > Colm.
> >
> > On Thu, Jun 23, 2016 at 9:26 PM, Zheng, Kai <[email protected]> wrote:
> >
> > > I'm just back from my sleep. ☺
> > >
> > > Regarding how to get the service ticket from the SgtTicket object in bytes, probably you do sgtTicket.getTicket().encode(). If it doesn't work, please reference the code in CredCacheOutputStream.java to see how it stores a ticket in a file.
> > >
> > > Regards,
> > > Kai
> > >
> > > From: Colm O hEigeartaigh [mailto:[email protected]]
> > > Sent: Thursday, June 23, 2016 11:25 PM
> > > To: Zheng, Kai <[email protected]>
> > > Cc: [email protected]
> > > Subject: Re: JWT pre-authentication - get JWT token on service side
> > >
> > > On Thu, Jun 23, 2016 at 3:28 PM, Zheng, Kai <[email protected]> wrote:
> > >
> > > > I see.
> > > > Why do you want to validate it using GSS on the client side? Because the client gets it and then should just trust it, right? To validate a service ticket needs the service key or keytab, which is why I thought it could be on the server side.
> > >
> > > Just to test that it works! See the unit test called "unitGSSTest" here:
> > >
> > > https://github.com/coheigea/testcases/blob/master/apache/cxf/cxf-kerberos-kerby/src/test/java/org/apache/coheigea/cxf/kerberos/authentication/AuthenticationTest.java
> > >
> > > Using the GSS API I do:
> > >
> > >     byte[] ticket = (byte[]) Subject.doAs(clientSubject, action);
> > >     ...
> > >     validateServiceTicket(ticket);
> > >
> > > > I got your scenario. Are you able to obtain the service ticket or not? You seem to, because you said you can use a JWT token for that. But then you asked how to access the service ticket on the client side using the Kerby API. Did you have the SgtTicket in hand? If yes, I thought then you can extract something from it to put into the SOAP header. Could you point to the relevant spec about that? I may then have a concrete idea to help.
> > >
> > > Yes, I have the SgtTicket in hand. Now I want to extract the service ticket from this class as an array of bytes, similar to what I get above from Subject.doAs using the GSS API. I know how to put the Kerberos token in the SOAP header; my question is how to get it from SgtTicket in the first place :-)
> > >
> > > Thanks again for your help,
> > >
> > > Colm.
> > > >
> > > > Regards,
> > > > Kai
> > > >
> > > > -----Original Message-----
> > > > From: Colm O hEigeartaigh [mailto:[email protected]]
> > > > Sent: Thursday, June 23, 2016 9:40 PM
> > > > To: [email protected]
> > > > Subject: Re: JWT pre-authentication - get JWT token on service side
> > > >
> > > > On Thu, Jun 23, 2016 at 2:31 PM, Zheng, Kai <[email protected]> wrote:
> > > >
> > > > > > How do I extract the token from SgtTicket that I can validate using GSS?
> > > > >
> > > > > Sorry, but where do you want to do this? App client side or server side? If on the server side, I thought you have already made it, as your previous email notified, being able to query/extract the authorization data and get the token from it. Would you clarify a bit?
> > > >
> > > > On the client side. So what I want to do is use the Kerby API to get a service ticket (using a JWT token) and then extract the ticket from the KDC response + validate it using GSS. For example, for SOAP web services, the service ticket is inserted into the SOAP header of the web services call in BASE-64 format. So the question is, how can I get access to the service ticket on the client side using the Kerby API?
> > > >
> > > > Thanks,
> > > >
> > > > Colm.
> > > > >
> > > > > Regards,
> > > > > Kai
> > > > >
> > > > > From: Colm O hEigeartaigh [mailto:[email protected]]
> > > > > Sent: Thursday, June 23, 2016 7:59 PM
> > > > > To: Zheng, Kai <[email protected]>
> > > > > Cc: [email protected]
> > > > > Subject: Re: JWT pre-authentication - get JWT token on service side
> > > > >
> > > > > Hi Kai,
> > > > >
> > > > > On Wed, Jun 22, 2016 at 3:11 PM, Zheng, Kai <[email protected]> wrote:
> > > > >
> > > > > > Great question. Here what you need would be a login module using a token, and the module will send the token to the KDC for a TGT to get an SGT that's to be used in a GSS session. We already have the module; please look at TokenAuthLoginModule.
> > > > >
> > > > > From what I can see, the TokenAuthLoginModule just gets the TGT and not the SGT. However, I can get the service ticket easily enough via the Kerby API from this. How do I extract the token from SgtTicket that I can validate using GSS?
> > > > >
> > > > > > Regards,
> > > > > > Kai
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: Colm O hEigeartaigh [mailto:[email protected]]
> > > > > > Sent: Wednesday, June 22, 2016 9:36 PM
> > > > > > To: [email protected]
> > > > > > Subject: Re: JWT pre-authentication - get JWT token on service side
> > > > > >
> > > > > > Hi all,
> > > > > >
> > > > > > Some more questions on this task:
> > > > > >
> > > > > > 1) Kai, you mentioned the AuthzToken type. Is this defined somewhere so that I can add it in to the AuthorizationType class?
> > > > > >
> > > > > > 2) Currently, the TokenIssuer class asks the IdentityService for the authorization data. However, the IdentityService doesn't have access to the token. Is it reasonable default behaviour to insert the received token in the TokenIssuer as the authorization data, and if none exists fall back to asking the IdentityService for any authorization data?
> > > > > >
> > > > > > 3) I can extract the token on the service side using the GSS API in the way suggested by Kai. However, how can I send the token to the KDC on the client side using GSS?
> > > > > >
> > > > > > Thanks,
> > > > > >
> > > > > > Colm.
> > > > > >
> > > > > > On Fri, Jun 17, 2016 at 4:41 PM, Zheng, Kai <[email protected]> wrote:
> > > > > >
> > > > > > > It's not a bug. It works that way; the temp value will be there only after you have decoded/decrypted the part.
> > > > > > >
> > > > > > > Note the SGT is used/consumed on the app server side, and can be decrypted using the server ticket/key. I suggest you try this in the GssAppTest code using the example code I provided in my last email, where you should be able to query/extract the authorization data. If you put the token in the authorization data, then after decoding it, you could extract the token from it. I remember we had defined the AuthzToken type for this actually, but I guess it's not used yet.
> > > > > > >
> > > > > > > Regards,
> > > > > > > Kai
> > > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Colm O hEigeartaigh [mailto:[email protected]]
> > > > > > > Sent: Friday, June 17, 2016 7:21 PM
> > > > > > > To: [email protected]
> > > > > > > Subject: Re: JWT pre-authentication - get JWT token on service side
> > > > > > >
> > > > > > > Thanks Kai and Jiajia!
> > > > > > >
> > > > > > > I'm trying to get access to the authorization data using the Kerby API after getting a service ticket:
> > > > > > >
> > > > > > >     SgtTicket tkt = tokenClient.requestSgt(krbToken, serverPrinc, cCacheFile.getPath());
> > > > > > >
> > > > > > > However the following is null:
> > > > > > >
> > > > > > >     tkt.getTicket().getEncPart()
> > > > > > >
> > > > > > > Is this a bug, or how else can I parse the ticket to get the authorization data?
> > > > > > >
> > > > > > > Colm.
> > > > > > >
> > > > > > > On Thu, Jun 16, 2016 at 1:01 PM, Zheng, Kai <[email protected]> wrote:
> > > > > > >
> > > > > > > > Thanks Jiajia for the first question!
> > > > > > > >
> > > > > > > > For the second one, since you're using GSS, the even lower level, which is fine and should be totally doable. Ref. the following doc:
> > > > > > > >
> > > > > > > > https://docs.oracle.com/javase/7/docs/jre/api/security/jgss/spec/com/sun/security/jgss/ExtendedGSSContext.html
> > > > > > > >
> > > > > > > >     GSSContext ctxt = m.createContext(...)
> > > > > > > >     // Establishing the context
> > > > > > > >     if (ctxt instanceof ExtendedGSSContext) {
> > > > > > > >         ExtendedGSSContext ex = (ExtendedGSSContext) ctxt;
> > > > > > > >         try {
> > > > > > > >             Key key = (Key) ex.inquireSecContext(InquireType.KRB5_GET_SESSION_KEY);
> > > > > > > >             // read key info
> > > > > > > >         } catch (GSSException gsse) {
> > > > > > > >             // deal with exception
> > > > > > > >         }
> > > > > > > >     }
> > > > > > > >
> > > > > > > > As you can see, after establishing the GSS context, you can query the SESSION_KEY from the layer. You can also query the AUTHZ_DATA field similarly! After you get the authz data, it's up to you to decode it, say using the Kerby library to decode the ASN.1 object and extract any info in it, like the token.
> > > > > > > >
> > > > > > > > Regards,
> > > > > > > > Kai
> > > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: Li, Jiajia [mailto:[email protected]]
> > > > > > > > Sent: Thursday, June 16, 2016 7:50 PM
> > > > > > > > To: [email protected]; [email protected]
> > > > > > > > Subject: RE: JWT pre-authentication - get JWT token on service side
> > > > > > > >
> > > > > > > > Hi Colm,
> > > > > > > >
> > > > > > > > For the first question: I think now the token has not been put into the issued service ticket as authorization data. You can look at issueTicket()#TgsRequest.java on the server side for detail.
> > > > > > > >
> > > > > > > > Regards,
> > > > > > > > Jiajia
> > > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: Colm O hEigeartaigh [mailto:[email protected]]
> > > > > > > > Sent: Thursday, June 16, 2016 7:19 PM
> > > > > > > > To: [email protected]
> > > > > > > > Subject: Re: JWT pre-authentication - get JWT token on service side
> > > > > > > >
> > > > > > > > Thanks Kai. A few questions below.
> > > > > > > >
> > > > > > > > On Thu, Jun 16, 2016 at 11:33 AM, Zheng, Kai <[email protected]> wrote:
> > > > > > > >
> > > > > > > > > 1. For issuing the service ticket, the token used to do the authentication, or a token derivation, was put into the issued service ticket as authorization data. I'm not sure whether the current Kerby impl has done this or not. If not, it should not be difficult to support it, considering we have some Kerby authorization support now.
> > > > > > > >
> > > > > > > > I can take a look at this. Can you give me some pointers in the code so that I know where to start?
> > > > > > > >
> > > > > > > > > 2. On the application server side, it should be able to query and extract the token encapsulated in the authorization data field in the service ticket. This should be doable now, because a proposal from me quite some time ago had already been accepted by Oracle Java, as recorded in the following ticket, though I hadn't got the chance to verify it using the latest JDK update like JDK8.
> > > > > > > > >
> > > > > > > > > JDK-8044085, our extension proposal accepted and committed: allowing querying the authorization data field of the service ticket.
> > > > > > > > > https://bugs.openjdk.java.net/browse/JDK-8044085
> > > > > > > >
> > > > > > > > The JDK service ticket only refers to SASL. If I'm just using GSS on the service side, is it already supported? If so, how can I extract it?
> > > > > > > >
> > > > > > > > Colm.
> > > > > > > >
> > > > > > > > > So in summary, if you want to try this, I would suggest please go ahead since it's doable now. Please let me know if you have other questions.
> > > > > > > > >
> > > > > > > > > Regards,
> > > > > > > > > Kai
> > > > > > > > >
> > > > > > > > > -----Original Message-----
> > > > > > > > > From: Colm O hEigeartaigh [mailto:[email protected]]
> > > > > > > > > Sent: Thursday, June 16, 2016 5:54 PM
> > > > > > > > > To: [email protected]
> > > > > > > > > Subject: JWT pre-authentication - get JWT token on service side
> > > > > > > > >
> > > > > > > > > Hi all,
> > > > > > > > >
> > > > > > > > > For the JWT pre-authentication use-case, how can I get access to the token information on the service side?
> > > > > > > > >
> > > > > > > > > From the documentation: "The service authenticates the ticket, extracts the token derivation, then enforce any advanced authorization by employing the token derivation and token attributes"
> > > > > > > > >
> > > > > > > > > Is there an example in the code to look at?
> > > > > > > > >
> > > > > > > > > Colm.

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
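Added example, not from the thread and not Kerby code: the "Failed to find any Kerberos tgt" error at the top of the thread comes from where the credential sits in the Subject. The JDK Krb5 mechanism, when initSecContext runs under Subject.doAs, looks only at the Subject's private credentials for a javax.security.auth.kerberos.KerberosTicket whose server is krbtgt/REALM@REALM; an object added to the public credentials (as TokenAuthLoginModule does with krbToken) is never consulted. The code below contrasts the two Subject shapes and shows the constructor call a Kerby-backed LoginModule.commit() would need to make. The realm, principal names, DER bytes and session key are constructed placeholders; a real module would fill them from the Kerby TgtTicket (the thread's getTicket().encode() for the DER, plus the session key, times and flags from the decrypted KDC reply, whose Kerby accessor names are not shown here).

```java
import java.util.Date;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;

public class SubjectShapeDemo {
    // Constructed sample identities (assumption of this example, not taken from the thread).
    static final String REALM = "EXAMPLE.COM";
    static final String CLIENT = "alice@" + REALM;
    static final String TGS = "krbtgt/" + REALM + "@" + REALM;

    /** Mirrors the lookup the JDK Krb5 mechanism performs for an initiator: a KerberosTicket among
     *  the Subject's PRIVATE credentials, addressed to krbtgt/REALM@REALM and not yet expired.
     *  Public credentials are never scanned. */
    static KerberosTicket findTgt(Subject subject, String realm) {
        String krbtgt = "krbtgt/" + realm + "@" + realm;
        for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
            if (krbtgt.equals(t.getServer().getName()) && t.isCurrent()) {
                return t;
            }
        }
        return null;
    }

    /** The Subject shape TokenAuthLoginModule produces today: the token object as a public
     *  credential. findTgt() returns null for it, which is exactly the GSS failure seen. */
    static Subject tokenOnlySubject(Object krbToken) {
        Subject subject = new Subject();
        subject.getPublicCredentials().add(krbToken);
        return subject;
    }

    /** The shape a GSS-ready LoginModule.commit() must produce: a KerberosPrincipal plus the TGT
     *  re-expressed as a JDK KerberosTicket in the private credentials. derTicket is the ASN.1 DER
     *  of the Ticket alone (not the whole AS-REP); keyType is the Kerberos etype number of the
     *  session key (17 = aes128-cts-hmac-sha1-96). The RENEWABLE flag (index 8) is left off because
     *  renewTill is null; setting it with a null renewTill makes the constructor throw. */
    static Subject gssReadySubject(String clientPrincipal, byte[] derTicket, byte[] sessionKey,
                                   int keyType, Date authTime, Date endTime) {
        KerberosPrincipal client = new KerberosPrincipal(clientPrincipal);
        KerberosPrincipal tgs = new KerberosPrincipal(TGS);
        boolean[] flags = new boolean[32];   // RFC 4120 TicketFlags bit positions
        flags[1] = true;                     // FORWARDABLE
        flags[9] = true;                     // INITIAL: obtained through an AS exchange
        KerberosTicket tgt = new KerberosTicket(derTicket, client, tgs, sessionKey, keyType, flags,
                                               authTime, authTime, endTime, null, null);
        Subject subject = new Subject();
        subject.getPrincipals().add(client);
        subject.getPrivateCredentials().add(tgt);
        return subject;
    }

    public static void main(String[] args) {
        // Constructed placeholders: a real DER Ticket and a real 16-byte aes128 key go here.
        byte[] derTicket = {0x61, 0x00};
        byte[] sessionKey = new byte[16];
        Date now = new Date();
        Date end = new Date(now.getTime() + 8L * 3600 * 1000);

        Subject wrong = tokenOnlySubject("krbToken-placeholder");
        Subject right = gssReadySubject(CLIENT, derTicket, sessionKey, 17, now, end);
        System.out.println("public credential only  -> TGT visible to GSS: " + (findTgt(wrong, REALM) != null));
        System.out.println("KerberosTicket, private -> TGT visible to GSS: " + (findTgt(right, REALM) != null));
    }
}
```

A module built this way still has to keep the Kerby-side objects (the KrbToken, the TgtTicket) somewhere if later code needs them; adding them to the public credentials alongside the KerberosTicket is harmless, it is only their absence from the private credentials as a KerberosTicket that GSS notices.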

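Added example, not from the thread and not Kerby code, for two points Kai makes: the bytes handed to the acceptor must be a GSS InitialContextToken wrapping an AP-REQ, not the SGT or a ccache image (the "GSSHeader did not find the right tag" error is the JDK rejecting a first byte other than 0x60), and once the context is established the service side can read the ticket's authorization data through ExtendedGSSContext. The shape check runs offline on constructed byte prefixes; initApReq and acceptApReq use only the JGSS API and need a krb5.conf, a reachable KDC, a client Subject holding a KerberosTicket TGT, and a service Subject logged in from a keytab (Krb5LoginModule with useKeyTab=true and storeKey=true), all assumptions of this example. The service principal name and the mech OID constant are assumptions too.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import javax.security.auth.Subject;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import com.sun.security.jgss.AuthorizationDataEntry;
import com.sun.security.jgss.ExtendedGSSContext;
import com.sun.security.jgss.InquireType;

public class GssApReqDemo {
    static final String KRB5_MECH_OID = "1.2.840.113554.1.2.2";
    // The same OID as DER bytes: tag 06, length 09, then the encoded arcs.
    static final byte[] KRB5_MECH_OID_DER = {
        0x06, 0x09, 0x2A, (byte) 0x86, 0x48, (byte) 0x86, (byte) 0xF7, 0x12, 0x01, 0x02, 0x02};

    /** RFC 2743 InitialContextToken: [APPLICATION 0] tag 0x60, a DER length, then the mech OID.
     *  A raw DER Ticket starts with 0x61 ([APPLICATION 1]) and a version-4 ccache image with 05 04,
     *  so both fail this check, which is what the JDK's GSSHeader also rejects. */
    static boolean isKrb5InitialContextToken(byte[] token) {
        if (token == null || token.length < 2 || (token[0] & 0xFF) != 0x60) {
            return false;
        }
        int pos = 1;
        int first = token[pos++] & 0xFF;
        if (first >= 0x80) {                        // long-form DER length: n length bytes follow
            int n = first & 0x7F;
            if (n == 0 || n > 4 || token.length < pos + n) {
                return false;
            }
            pos += n;
        }
        if (token.length < pos + KRB5_MECH_OID_DER.length) {
            return false;
        }
        byte[] oid = Arrays.copyOfRange(token, pos, pos + KRB5_MECH_OID_DER.length);
        return Arrays.equals(oid, KRB5_MECH_OID_DER);
    }

    /** Client side: under a Subject carrying a KerberosTicket TGT, the Krb5 mechanism fetches the
     *  SGT itself and returns the AP-REQ inside the GSS wrapper as the first context token. */
    static byte[] initApReq(Subject clientSubject, String servicePrincipal) throws Exception {
        return Subject.doAs(clientSubject, (PrivilegedExceptionAction<byte[]>) () -> {
            GSSManager manager = GSSManager.getInstance();
            Oid krb5 = new Oid(KRB5_MECH_OID);
            GSSName server = manager.createName(servicePrincipal, GSSName.NT_USER_NAME, krb5);
            GSSContext ctx = manager.createContext(server, krb5, null, GSSContext.DEFAULT_LIFETIME);
            ctx.requestMutualAuth(false);   // single token, the form a SOAP header carries
            ctx.requestCredDeleg(false);    // never forward the TGT unless the design calls for it
            try {
                return ctx.initSecContext(new byte[0], 0, 0);
            } finally {
                ctx.dispose();
            }
        });
    }

    /** Service side: accepting the token verifies the AP-REQ against the service key held in the
     *  Subject; afterwards the decrypted ticket's AuthorizationData entries can be inquired. */
    static AuthorizationDataEntry[] acceptApReq(Subject serviceSubject, byte[] token) throws Exception {
        return Subject.doAs(serviceSubject, (PrivilegedExceptionAction<AuthorizationDataEntry[]>) () -> {
            GSSContext ctx = GSSManager.getInstance().createContext((GSSCredential) null);
            try {
                ctx.acceptSecContext(token, 0, token.length);
                if (!ctx.isEstablished()) {
                    throw new GSSException(GSSException.FAILURE, -1, "context not established after one token");
                }
                System.out.println("initiator " + ctx.getSrcName() + " -> " + ctx.getTargName());
                if (!(ctx instanceof ExtendedGSSContext)) {
                    return new AuthorizationDataEntry[0];
                }
                Object ad = ((ExtendedGSSContext) ctx).inquireSecContext(InquireType.KRB5_GET_AUTHZ_DATA);
                return ad == null ? new AuthorizationDataEntry[0] : (AuthorizationDataEntry[]) ad;
            } finally {
                ctx.dispose();
            }
        });
    }

    public static void main(String[] args) {
        // Constructed prefixes of the three byte shapes the thread handed to GSS; not real tickets.
        byte[] gssToken = {0x60, (byte) 0x82, 0x03, 0x10, 0x06, 0x09, 0x2A, (byte) 0x86, 0x48,
                           (byte) 0x86, (byte) 0xF7, 0x12, 0x01, 0x02, 0x02, 0x01, 0x00};
        byte[] derTicket = {0x61, (byte) 0x82, 0x03, 0x00, 0x30, (byte) 0x82, 0x02, (byte) 0xFC};
        byte[] ccacheImage = {0x05, 0x04, 0x00, 0x0C};
        System.out.println("GSS InitialContextToken: " + isKrb5InitialContextToken(gssToken));
        System.out.println("raw DER Ticket:          " + isKrb5InitialContextToken(derTicket));
        System.out.println("ccache image:            " + isKrb5InitialContextToken(ccacheImage));
    }
}
```

Each AuthorizationDataEntry carries getType() (the ad-type number) and getData() (the raw element bytes); decoding whatever Kerby's TokenIssuer placed there is a separate ASN.1 step, as Kai notes. With mutual authentication off the acceptor produces no reply token and the context is established after the single acceptSecContext call; if the design later needs the service to prove itself back, turn requestMutualAuth on and feed the reply through a second initSecContext on the client.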