1 package org.argeo.cms.internal.http.client;
2
3 import java.net.URL;
4 import java.security.PrivilegedExceptionAction;
5 import java.util.ArrayList;
6
7 import javax.security.auth.Subject;
8 import javax.security.auth.login.LoginContext;
9
10 import org.apache.commons.httpclient.Credentials;
11 import org.apache.commons.httpclient.HttpClient;
12 import org.apache.commons.httpclient.HttpMethod;
13 import org.apache.commons.httpclient.auth.AuthPolicy;
14 import org.apache.commons.httpclient.auth.AuthScheme;
15 import org.apache.commons.httpclient.auth.AuthenticationException;
16 import org.apache.commons.httpclient.auth.CredentialsProvider;
17 import org.apache.commons.httpclient.auth.MalformedChallengeException;
18 import org.apache.commons.httpclient.methods.GetMethod;
19 import org.apache.commons.httpclient.params.DefaultHttpParams;
20 import org.apache.commons.httpclient.params.HttpParams;
21 import org.argeo.cms.auth.RemoteAuthUtils;
22
23 /** Implementation of the SPNEGO auth scheme. */
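/**
 * Implementation of the SPNEGO ({@code Negotiate}) auth scheme for Apache
 * Commons HttpClient 3.x.
 * <p>
 * The {@link Credentials} handed over by HttpClient are ignored: the GSS token
 * is obtained through {@link RemoteAuthUtils#getGssToken} for the service
 * {@code HTTP@<host of the request URI>}, so the Kerberos credentials come from
 * the security context the request is executed in (presumably the JAAS
 * {@link Subject} of the calling thread, as set up in {@link #main(String[])};
 * to be confirmed against {@code RemoteAuthUtils}).
 * <p>
 * Only the client-to-server leg is implemented: the server's {@code Negotiate}
 * challenge is validated but its optional token is not parsed, so there is no
 * mutual authentication of the server. The token placed in the
 * {@code Authorization} header is only as protected as the transport, hence
 * this scheme is meant to be used over TLS.
 * <p>
 * Instances are stateful (one per connection, see {@link #isConnectionBased()})
 * and are not thread-safe.
 */
public class SpnegoAuthScheme implements AuthScheme {
	/** Scheme name as it appears in {@code WWW-Authenticate} headers. */
	public static final String NAME = "Negotiate";

	/** Kerberos service class used to build the target principal {@code HTTP@host}. */
	private final static String DEFAULT_KERBEROS_SERVICE = "HTTP";

	/**
	 * Set once an authentication attempt has failed, so that HttpClient does not
	 * keep retrying the same negotiation on this connection (interpretation of
	 * the HttpClient 3 contract; the success path leaves it false as before).
	 */
	private boolean complete = false;
	/** Never assigned: SPNEGO challenges carry no realm, so {@link #getRealm()} returns null. */
	private String realm;

	/**
	 * Checks that the challenge is a {@code Negotiate} challenge. The optional
	 * server token that may follow the scheme name is not parsed (no mutual
	 * authentication), so nothing else is recorded.
	 *
	 * @param challenge the {@code WWW-Authenticate} header value
	 * @throws MalformedChallengeException if the challenge is missing or does not
	 *                                     start with the {@code Negotiate} scheme
	 */
	@Override
	public void processChallenge(String challenge) throws MalformedChallengeException {
		if (challenge == null) {
			throw new MalformedChallengeException("Challenge is null");
		}
		String trimmed = challenge.trim();
		// Either "Negotiate" alone or "Negotiate <token>"; scheme names are
		// case-insensitive, so compare ignoring case.
		boolean bareScheme = trimmed.equalsIgnoreCase(NAME);
		boolean schemeWithToken = trimmed.regionMatches(true, 0, NAME + " ", 0, NAME.length() + 1);
		if (!bareScheme && !schemeWithToken) {
			throw new MalformedChallengeException("Not a " + NAME + " challenge: " + challenge);
		}
	}

	/** @return {@value #NAME} */
	@Override
	public String getSchemeName() {
		return NAME;
	}

	/**
	 * SPNEGO challenges carry no parameters.
	 *
	 * @return always null
	 */
	@Override
	public String getParameter(String name) {
		return null;
	}

	/** @return always null, the realm is never set for this scheme */
	@Override
	public String getRealm() {
		return realm;
	}

	/** @return {@value #NAME} */
	@Override
	public String getID() {
		return NAME;
	}

	/**
	 * SPNEGO authenticates the connection rather than each request, so HttpClient
	 * keeps the authentication state per connection.
	 *
	 * @return always true
	 */
	@Override
	public boolean isConnectionBased() {
		return true;
	}

	/** @return true once an authentication attempt on this instance has failed */
	@Override
	public boolean isComplete() {
		return complete;
	}

	/**
	 * Deprecated HttpClient 3 entry point, not supported: the target host is
	 * needed and it is only available from the {@link HttpMethod} variant.
	 *
	 * @throws UnsupportedOperationException always
	 */
	@Override
	public String authenticate(Credentials credentials, String method, String uri) throws AuthenticationException {
		throw new UnsupportedOperationException();
	}

	/**
	 * Builds the {@code Authorization} header value for the given request.
	 *
	 * @param credentials ignored, see the class documentation
	 * @param method      the request, whose URI host selects the service
	 *                    principal {@code HTTP@host}
	 * @return {@code "Negotiate <token>"}
	 * @throws AuthenticationException if the target host cannot be determined, if
	 *                                 no token could be obtained, or if obtaining
	 *                                 it failed; {@link #isComplete()} is true
	 *                                 afterwards
	 */
	@Override
	public String authenticate(Credentials credentials, HttpMethod method) throws AuthenticationException {
		String hostname;
		try {
			// getURI() declares a checked URIException in HttpClient 3
			hostname = method.getURI().getHost();
		} catch (Exception e) {
			complete = true;
			throw new AuthenticationException("Cannot determine the target host of " + method, e);
		}
		// A relative or malformed URI has no host; the service principal would be
		// "HTTP@null", which must not reach the KDC.
		if (hostname == null || hostname.isEmpty()) {
			complete = true;
			throw new AuthenticationException("No host in the URI of " + method);
		}

		String tokenStr;
		try {
			// First argument was null in the original code; presumably the
			// Subject to use, with null meaning the current one - to be confirmed.
			tokenStr = RemoteAuthUtils.getGssToken(null, DEFAULT_KERBEROS_SERVICE, hostname);
		} catch (Exception e) {
			complete = true;
			throw new AuthenticationException("Cannot authenticate " + method, e);
		}
		// Without this check a missing token would be sent as the literal
		// header value "Negotiate null".
		if (tokenStr == null || tokenStr.isEmpty()) {
			complete = true;
			throw new AuthenticationException(
					"No GSS token obtained for " + DEFAULT_KERBEROS_SERVICE + "@" + hostname);
		}
		return NAME + " " + tokenStr;
	}

	/**
	 * Manual test: logs in through the {@code SINGLE_USER} JAAS configuration
	 * found in {@code jaas.cfg} next to this class, registers this scheme as the
	 * only one HttpClient may use (no fallback to weaker schemes such as Basic),
	 * performs a GET on the URL given as first argument and prints the response
	 * code.
	 * <p>
	 * Exits with status 1 when the arguments, the principal system property or the
	 * JAAS configuration are missing, or when the request fails.
	 *
	 * @param args {@code <url>}; the principal is taken from the
	 *             {@code javax.security.auth.login.name} system property
	 */
	public static void main(String[] args) {
		String principal = System.getProperty("javax.security.auth.login.name");
		if (args.length == 0 || principal == null) {
			System.err.println("usage: java -Djavax.security.auth.login.name=<principal@REALM> "
					+ SpnegoAuthScheme.class.getName() + " <url>");
			System.exit(1);
			return;
		}
		final String url = args[0];

		URL jaasUrl = SpnegoAuthScheme.class.getResource("jaas.cfg");
		// Previously an NPE on toExternalForm() when the resource was missing
		if (jaasUrl == null) {
			System.err.println("JAAS configuration jaas.cfg not found next to " + SpnegoAuthScheme.class.getName());
			System.exit(1);
			return;
		}
		System.setProperty("java.security.auth.login.config", jaasUrl.toExternalForm());

		int exitCode = 0;
		LoginContext lc = null;
		boolean loggedIn = false;
		try {
			lc = new LoginContext("SINGLE_USER");
			lc.login();
			loggedIn = true;

			AuthPolicy.registerAuthScheme(SpnegoAuthScheme.NAME, SpnegoAuthScheme.class);
			HttpParams params = DefaultHttpParams.getDefaultParams();
			ArrayList<String> schemes = new ArrayList<>();
			schemes.add(SpnegoAuthScheme.NAME);
			params.setParameter(AuthPolicy.AUTH_SCHEME_PRIORITY, schemes);
			params.setParameter(CredentialsProvider.PROVIDER, new HttpCredentialProvider());

			final GetMethod get = new GetMethod(url);
			// The request runs as the logged-in Subject so that the Kerberos
			// credentials are available to the auth scheme.
			int responseCode = Subject.doAs(lc.getSubject(), new PrivilegedExceptionAction<Integer>() {
				@Override
				public Integer run() throws Exception {
					try {
						return new HttpClient().executeMethod(get);
					} finally {
						// return the connection to the manager whatever the outcome
						get.releaseConnection();
					}
				}
			});
			System.out.println("Reponse code: " + responseCode);
		} catch (Exception e) {
			e.printStackTrace();
			exitCode = 1;
		} finally {
			if (loggedIn) {
				try {
					lc.logout();
				} catch (javax.security.auth.login.LoginException e) {
					e.printStackTrace();
				}
			}
		}
		// System.exit() must stay outside the try block so that the finally
		// clause above (logout) is actually executed.
		if (exitCode != 0) {
			System.exit(exitCode);
		}
	}

}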