Hi Colm,

As Kai said, it's a bug in the new module.

>>However, if I look at the existing TokenAuthLoginModule, it just adds the
>>credential via:
>>subject.getPublicCredentials().add(krbToken);
>> It looks like GSS needs the TGT to be encoded in the Subject somehow?

Yes, in the TokenAuthLoginModule, some credentials should be added to the subject's private credentials. I will take some time to fix it.

Regards,
Jiajia

-----Original Message-----
From: Zheng, Kai
Sent: Saturday, July 2, 2016 6:31 AM
To: [email protected]; [email protected]; Li, Jiajia <[email protected]>
Subject: RE: JWT pre-authentication - get JWT token on service side

Hi Colm,

I didn't check the codes yet, but generally the module should do the similar thing as Krb5LoginModule in the post process of login. You seemed to find a bug in the new module. @Jiajia, would you have some comments? Thanks.

Regards,
Kai

-----Original Message-----
From: Colm O hEigeartaigh [mailto:[email protected]]
Sent: Friday, July 01, 2016 7:09 PM
To: [email protected]
Subject: Re: JWT pre-authentication - get JWT token on service side

Hi Kai,

Thanks for your reply. Ok, writing a JAAS LoginModule that wraps the Kerby API is fine with me. However, if I look at the existing TokenAuthLoginModule, it just adds the credential via:

subject.getPublicCredentials().add(krbToken);

It looks like GSS needs the TGT to be encoded in the Subject somehow? Please look at the following @Ignore'd test. I'm getting the Subject using the TokenAuthLoginModule and then attempting to get a service ticket using the GSS API and the Subject. It fails with "Caused by: org.ietf.jgss.GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)":

https://git1-us-west.apache.org/repos/asf?p=directory-kerby.git;a=commit;h=68933ae0

Colm.

On Fri, Jul 1, 2016 at 2:22 AM, Zheng, Kai <[email protected]> wrote:

> Sorry for the late. Just got a chance looking at the codes closely.
>
> I thought it's clearly right in the following test, where it logins
> first via jaas, then gets tgt, then sgt, and then at last you wrap the
> sgt in a gss token. It got the gss token (roughly an AppReq (of sgt) in
> a token wrapper) and then let it be validated against a server key.
>
> @Test
> public void testGss() throws Exception {
>     Subject clientSubject = loginClientUsingTicketCache();
>     Set<Principal> clientPrincipals = clientSubject.getPrincipals();
>     Assert.assertFalse(clientPrincipals.isEmpty());
>
>     // Get the TGT
>     Set<KerberosTicket> privateCredentials =
>         clientSubject.getPrivateCredentials(KerberosTicket.class);
>     Assert.assertFalse(privateCredentials.isEmpty());
>     KerberosTicket tgt = privateCredentials.iterator().next();
>     Assert.assertNotNull(tgt);
>
>     // Get the service ticket
>     KerberosClientExceptionAction action =
>         new KerberosClientExceptionAction(clientPrincipals.iterator().next(),
>                                           getServerPrincipal());
>
>     byte[] kerberosToken = (byte[]) Subject.doAs(clientSubject, action);
>     Assert.assertNotNull(kerberosToken);
>
>     validateServiceTicket(kerberosToken);
> }
>
> I don't think it's right here. The point is the bytes to validate at
> the last step shouldn't be the sgt directly, instead, it should be a
> gss token of AppReq of the sgt. But you might ask how to generate the
> gss token? I don't have a better idea than the way used in the above
> test method, that's to say, better to use the GSSAPI layer in the JRE
> directly, since the Kerby one hasn't been ready yet.
>
> But how do you proceed in the way as above? As you told in previous
> emails, you don't want to use jaas login modules, but rather use the
> Kerby client api directly. I would suggest you still go starting with
> jaas, doing everything you want in a jaas login module (like calling
> kerby client api) and obtain a valid logined subject or security
> context, and then do the rest as you did in the above test method.
> It should be able to work, like we did or will do in the token login module.
>
> @Test
> @org.junit.Ignore
> public void testKerbyClientAndGssService() throws Exception {
>     KrbClient client = getKrbClient();
>     client.init();
>
>     try {
>         // Get a service ticket using Kerby APIs
>         TgtTicket tgt = client.requestTgt(getClientPrincipal(), getClientPassword());
>         Assert.assertTrue(tgt != null);
>
>         SgtTicket tkt = client.requestSgt(tgt, getServerPrincipal());
>         Assert.assertTrue(tkt != null);
>
>         Credential credential = new Credential(tkt, tgt.getClientPrincipal());
>         CredentialCache cCache = new CredentialCache();
>         cCache.addCredential(credential);
>         cCache.setPrimaryPrincipal(tgt.getClientPrincipal());
>
>         ByteArrayOutputStream bout = new ByteArrayOutputStream();
>         CredCacheOutputStream os = new CredCacheOutputStream(bout);
>         cCache.store(bout);
>         os.close();
>
>         // Now validate the ticket using GSS
>         validateServiceTicket(bout.toByteArray());
>     } catch (Exception e) {
>         e.printStackTrace();
>         Assert.fail();
>     }
> }
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:[email protected]]
> Sent: Wednesday, June 29, 2016 4:37 PM
> To: [email protected]
> Subject: Re: JWT pre-authentication - get JWT token on service side
>
> Sure, no rush :-)
>
> Colm.
>
> On Wed, Jun 29, 2016 at 2:48 AM, Zheng, Kai <[email protected]> wrote:
>
> > Hi Colm, I will look at this late today. Hope it works for you.
> >
> > -----Original Message-----
> > From: Colm O hEigeartaigh [mailto:[email protected]]
> > Sent: Tuesday, June 28, 2016 10:00 PM
> > To: [email protected]
> > Subject: Re: JWT pre-authentication - get JWT token on service side
> >
> > Hi Kai,
> >
> > Could you take a look at the @Ignore'd test-case I just committed:
> >
> > https://git1-us-west.apache.org/repos/asf?p=directory-kerby.git;a=blobdiff;f=kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/GssInteropTest.java;h=7e0d269f6e0c19fb4f750dd98542a4d5011e1dc5;hp=832d59dda4b0b0739ef5a1228da0b7bb20c10ab9;hb=1bce738d;hpb=79d4a584129026bcf920dd1ae5c28c27c6971412
> >
> > It gets a SgtTicket using Kerby and tries to get the resulting
> > service token in byte array form to validate with GSS. Running the test
> > leads to:
> >
> > Caused by: GSSException: Defective token detected (Mechanism level:
> > GSSHeader did not find the right tag)
> >
> > I get the same error if I just do "sgtTicket.getTicket().encode()".
> >
> > Colm.
> >
> > On Thu, Jun 23, 2016 at 9:26 PM, Zheng, Kai <[email protected]> wrote:
> >
> > > I'm just back from my sleep. ☺
> > >
> > > Regarding how to get the service ticket from the SgtTicket object in
> > > bytes, probably you do sgtTicket.getTicket().encode(). If it
> > > doesn't work, please reference the codes in
> > > CredCacheOutputStream.java to see how it stores a ticket in a file.
> > >
> > > Regards,
> > > Kai
> > >
> > > From: Colm O hEigeartaigh [mailto:[email protected]]
> > > Sent: Thursday, June 23, 2016 11:25 PM
> > > To: Zheng, Kai <[email protected]>
> > > Cc: [email protected]
> > > Subject: Re: JWT pre-authentication - get JWT token on service side
> > >
> > >
> > > On Thu, Jun 23, 2016 at 3:28 PM, Zheng, Kai <[email protected]> wrote:
> > > I see. Why do you want to validate it using GSS on the client side?
> > > Because the client gets it and then should just trust it, right?
> > > To validate a service ticket needs the service key or keytab,
> > > which is why I thought it could be on the server side.
> > >
> > > Just to test that it works! See the unit test called "unitGSSTest" here:
> > >
> > > https://github.com/coheigea/testcases/blob/master/apache/cxf/cxf-kerberos-kerby/src/test/java/org/apache/coheigea/cxf/kerberos/authentication/AuthenticationTest.java
> > >
> > > Using the GSS API I do:
> > >
> > > byte[] ticket = (byte[]) Subject.doAs(clientSubject, action); ...
> > > validateServiceTicket(ticket);
> > >
> > >
> > > I got your scenario. Are you able to obtain the service ticket or not? You
> > > seem to because you said you can use a JWT token for that. But
> > > then you asked how to access the service ticket on the client side
> > > using the Kerby API. Did you have the SgtTicket in hand? If yes, I
> > > thought then you can extract something from it to put into the SOAP
> > > header.
> > > Could you point to the relevant spec about that? I may then have a
> > > concrete idea to help.
> > >
> > > Yes, I have the SgtTicket in hand. Now I want to extract the service ticket
> > > from this class as an array of bytes, similar to what I get above
> > > from Subject.doAs using the GSS API. I know how to put the
> > > Kerberos token in the SOAP header, my question is how to get it from
> > > SgtTicket in the first place :-)
> > > Thanks again for your help,
> > >
> > > Colm.
> > >
> > >
> > > Regards,
> > > Kai
> > >
> > > -----Original Message-----
> > > From: Colm O hEigeartaigh [mailto:[email protected]]
> > > Sent: Thursday, June 23, 2016 9:40 PM
> > > To: [email protected]
> > > Subject: Re: JWT pre-authentication - get JWT token on service side
> > >
> > > On Thu, Jun 23, 2016 at 2:31 PM, Zheng, Kai <[email protected]> wrote:
> > >
> > >
> > > > >> How do I extract the token from SgtTicket that I can validate using
> > > > >> GSS?
> > > > Sorry, but where do you want to do this? App client side or server side?
> > > > If on server side, I thought you have already made it, as your
> > > > previous email notified, being able to query/extract the
> > > > authorization data and get token from it. Would you clarify a bit?
> > > >
> > >
> > > On the client side. So what I want to do is use the Kerby API to
> > > get a service ticket (using a JWT token) and then extract the
> > > ticket from the KDC response + validate it using GSS. For example, for SOAP web
> > > services, the service ticket is inserted into the SOAP header of
> > > the web services call in BASE-64 format. So the question is, how can I get access to the
> > > service ticket on the client side using the Kerby API?
> > >
> > > Thanks,
> > >
> > > Colm.
> > > >
> > > >
> > > > Regards,
> > > > Kai
> > > >
> > > > From: Colm O hEigeartaigh [mailto:[email protected]]
> > > > Sent: Thursday, June 23, 2016 7:59 PM
> > > > To: Zheng, Kai <[email protected]>
> > > > Cc: [email protected]
> > > > Subject: Re: JWT pre-authentication - get JWT token on service side
> > > >
> > > > Hi Kai,
> > > >
> > > > On Wed, Jun 22, 2016 at 3:11 PM, Zheng, Kai <[email protected]> wrote:
> > > >
> > > > Great question. Here what you need would be a login module using
> > > > token, and the module will send the token to KDC for a TGT to
> > > > get a SGT that's to be used in a GSS session. We already have
> > > > the module, please look at TokenAuthLoginModule.
> > > >
> > > > From what I can see, the TokenAuthLoginModule just gets the TGT
> > > > and not the SGT. However, I can get the service ticket easily
> > > > enough via the Kerby API from this. How do I extract the token
> > > > from SgtTicket that I can validate using GSS?
> > > >
> > > >
> > > > Regards,
> > > > Kai
> > > >
> > > > -----Original Message-----
> > > > From: Colm O hEigeartaigh [mailto:[email protected]]
> > > > Sent: Wednesday, June 22, 2016 9:36 PM
> > > > To: [email protected]
> > > > Subject: Re: JWT pre-authentication - get JWT token on service side
> > > >
> > > > Hi all,
> > > >
> > > > Some more questions on this task:
> > > >
> > > > 1) Kai, you mentioned the AuthzToken type. Is this defined
> > > > somewhere so that I can add it in to the AuthorizationType class?
> > > >
> > > > 2) Currently, the TokenIssuer class asks the IdentityService for
> > > > the authorization data. However, the IdentityService doesn't
> > > > have access to the token. Is it reasonable default behaviour to
> > > > insert the received token in the TokenIssuer as the
> > > > authorization data, and if none exists fall back to ask the
> > > > IdentityService for any authorization data?
> > > >
> > > > 3) I can extract the token on the service side using the GSS API
> > > > in the way suggested by Kai. However, how can I send the token
> > > > to the KDC on the client side using GSS?
> > > >
> > > > Thanks,
> > > >
> > > > Colm.
> > > >
> > > > On Fri, Jun 17, 2016 at 4:41 PM, Zheng, Kai <[email protected]> wrote:
> > > >
> > > > > It's not a bug. It works that way, the temp value will be
> > > > > there only after you have decoded/decrypted the part.
> > > > >
> > > > > Note the SGT is used/consumed in the app server side, and can be
> > > > > decrypted using the server ticket/key. I suggest you try this
> > > > > in the GssAppTest codes using the example code I provided in
> > > > > my last email, where you should be able to query/extract the
> > > > > authorization data. If you put the token in the authorization
> > > > > data, then after decoding it, you could extract the token from it.
> > > > > I remembered we had defined the AuthzToken type for this
> > > > > actually, but guess it's not used yet.
> > > > >
> > > > > Regards,
> > > > > Kai
> > > > >
> > > > > -----Original Message-----
> > > > > From: Colm O hEigeartaigh [mailto:[email protected]]
> > > > > Sent: Friday, June 17, 2016 7:21 PM
> > > > > To: [email protected]
> > > >or > > > >g>> > > > > > Subject: Re: JWT pre-authentication - get JWT token on service > > > > > side > > > > > > > > > > Thanks Kai and Jiajia! > > > > > > > > > > I'm trying to get access to the authorization data using the > > > > > Kerby API after getting a service ticket: > > > > > > > > > > SgtTicket tkt = tokenClient.requestSgt(krbToken, serverPrinc, > > > > > cCacheFile.getPath()); > > > > > > > > > > However the following is null: > > > > > > > > > > tkt.getTicket().getEncPart() > > > > > > > > > > Is this a bug or how else can I parse the ticket to get the > > > > > authorization data? > > > > > > > > > > Colm. > > > > > > > > > > On Thu, Jun 16, 2016 at 1:01 PM, Zheng, Kai > > > > > <[email protected] > > > <mailto:[email protected]><mailto: > > > > [email protected]<mailto:[email protected]>>> wrote: > > > > > > > > > > > Thanks Jiajia for the first question! > > > > > > > > > > > > For the second one, since you're using GSS the even lower > > > > > > level, which is more fine, and should be totally doable. Ref. > > > > > > the following > > > > doc: > > > > > > > > > > > > https://docs.oracle.com/javase/7/docs/jre/api/security/jgss/ > > > > > > sp ec/c om /s un/security/jgss/ExtendedGSSContext.html > > > > > > > > > > > > GSSContext ctxt = m.createContext(...) > > > > > > // Establishing the context > > > > > > if (ctxt instanceof ExtendedGSSContext) { > > > > > > ExtendedGSSContext ex = (ExtendedGSSContext)ctxt; > > > > > > try { > > > > > > Key key = (key)ex.inquireSecContext( > > > > > > InquireType.KRB5_GET_SESSION_KEY); > > > > > > // read key info > > > > > > } catch (GSSException gsse) { > > > > > > // deal with exception > > > > > > } > > > > > > } > > > > > > > > > > > > As you can see after established the GSS context, you can > > > > > > query the SESSION_KEY from the layer. You can also query > > > > > > AUTHZ_DATA field > > > > > similarly! 
> > > > > > After you get the authz data, it's up to you to decode it, say
> > > > > > using the Kerby library to decode the ASN1 object and extract
> > > > > > any info in it like the token.
> > > > > >
> > > > > > Regards,
> > > > > > Kai
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: Li, Jiajia [mailto:[email protected]]
> > > > > > Sent: Thursday, June 16, 2016 7:50 PM
> > > > > > To: [email protected]; [email protected]
> > > > > > Subject: RE: JWT pre-authentication - get JWT token on service side
> > > > > >
> > > > > > Hi Colm,
> > > > > >
> > > > > > For the first question: I think now the token has not been
> > > > > > put into the issued service ticket as authorization data.
> > > > > > You can look at issueTicket()#TgsRequest.java in the server side for
> > > > > > detail.
> > > > > >
> > > > > > Regards,
> > > > > > Jiajia
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: Colm O hEigeartaigh [mailto:[email protected]]
> > > > > > Sent: Thursday, June 16, 2016 7:19 PM
> > > > > > To: [email protected]
> > > > > > Subject: Re: JWT pre-authentication - get JWT token on service side
> > > > > >
> > > > > > Thanks Kai. A few questions below.
> > > > > >
> > > > > > On Thu, Jun 16, 2016 at 11:33 AM, Zheng, Kai <[email protected]> wrote:
> > > > > >
> > > > > > > 1. For issuing the service ticket, the token used to do the
> > > > > > > authentication or a token derivation was put into the
> > > > > > > issued service ticket as authorization data. I'm not sure
> > > > > > > in the current Kerby impl, it has done this or not. If not, it
> > > > > > > should be not difficult to support it, considering we have
> > > > > > > some Kerby authorization support now.
> > > > > > >
> > > > > >
> > > > > > I can take a look at this. Can you give me some pointers in
> > > > > > the code so that I know where to start?
> > > > > >
> > > > > > > 2. In the application server side, it should be able to query
> > > > > > > and extract out the token encapsulated in the
> > > > > > > authorization data field in the service ticket. This
> > > > > > > should be doable now, because a proposal from me quite
> > > > > > > some time ago had already been accepted by Oracle Java, as
> > > > > > > recorded in the following ticket, though I hadn't got the
> > > > > > > chance to verify it using the latest JDK update like JDK8.
> > > > > > >
> > > > > > > JDK-8044085, our extension proposal accepted and committed:
> > > > > > > allowing querying the authorization data field of the service ticket.
> > > > > > > https://bugs.openjdk.java.net/browse/JDK-8044085
> > > > > > >
> > > > > >
> > > > > > The JDK service ticket only refers to SASL. If I'm just
> > > > > > using GSS on the service side, is it already supported? If
> > > > > > so, how can I extract it?
> > > > > >
> > > > > > Colm.
> > > > > >
> > > > > > > So in summary, if you want to try this, I would suggest
> > > > > > > please go ahead since it's doable now. Please let me know
> > > > > > > if you have other questions.
> > > > > > >
> > > > > > > Regards,
> > > > > > > Kai
> > > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Colm O hEigeartaigh [mailto:[email protected]]
> > > > > > > Sent: Thursday, June 16, 2016 5:54 PM
> > > > > > > To: [email protected]
> > > > > > > Subject: JWT pre-authentication - get JWT token on service side
> > > > > > >
> > > > > > > Hi all,
> > > > > > >
> > > > > > > For the JWT pre-authentication use-case, how can I get
> > > > > > > access to the token information on the service side?
> > > > > > >
> > > > > > > From the documentation: "The service authenticates the
> > > > > > > ticket, extracts the token derivation, then enforce any
> > > > > > > advanced authorization by employing the token derivation
> > > > > > > and token attributes"
> > > > > > >
> > > > > > > Is there an example in the code to look at?
> > > > > > >
> > > > > > > Colm.
> > > > > > > > > > > > > > > > > > > > > -- > > > > > > > Colm O hEigeartaigh > > > > > > > > > > > > > > Talend Community Coder > > > > > > > http://coders.talend.com > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > Colm O hEigeartaigh > > > > > > > > > > > > Talend Community Coder > > > > > > http://coders.talend.com > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > Colm O hEigeartaigh > > > > > > > > > > Talend Community Coder > > > > > http://coders.talend.com > > > > > > > > > > > > > > > > > > > > > -- > > > > Colm O hEigeartaigh > > > > > > > > Talend Community Coder > > > > http://coders.talend.com > > > > > > > > > > > > > > > > -- > > > > Colm O hEigeartaigh > > > > > > > > Talend Community Coder > > > > http://coders.talend.com > > > > > > > > > > > > > > > > -- > > > Colm O hEigeartaigh > > > > > > Talend Community Coder > > > http://coders.talend.com > > > > > > > > > > > > -- > > > Colm O hEigeartaigh > > > > > > Talend Community Coder > > > http://coders.talend.com > > > > > > > > > > > -- > > Colm O hEigeartaigh > > > > Talend Community Coder > > http://coders.talend.com > > > > > > -- > Colm O hEigeartaigh > > Talend Community Coder > http://coders.talend.com > -- Colm O hEigeartaigh Talend Community Coder http://coders.talend.com
