+ CmsSession cmsSession = getCmsSession(req);
+ return CurrentSubject.callAs(cmsSession.getSubject(), () -> supplier.get());
+// ClassLoader currentContextCl = Thread.currentThread().getContextClassLoader();
+// Thread.currentThread().setContextClassLoader(RemoteAuthUtils.class.getClassLoader());
+// try {
+// return Subject.doAs(
+// Subject.getSubject((AccessControlContext) req.getAttribute(AccessControlContext.class.getName())),
+// new PrivilegedAction<T>() {
+//
+// @Override
+// public T run() {
+// return supplier.get();
+// }
+//
+// });
+// } finally {
+// Thread.currentThread().setContextClassLoader(currentContextCl);
+// }
+ }
+
+// public final static void configureRequestSecurity(RemoteAuthRequest req) {
+// if (req.getAttribute(AccessControlContext.class.getName()) != null)
+// throw new IllegalStateException("Request already authenticated.");
+// AccessControlContext acc = AccessController.getContext();
+// req.setAttribute(REMOTE_USER, CurrentUser.getUsername());
+// req.setAttribute(AccessControlContext.class.getName(), acc);
+// }
+//
+// public final static void clearRequestSecurity(RemoteAuthRequest req) {
+// if (req.getAttribute(AccessControlContext.class.getName()) == null)
+// throw new IllegalStateException("Cannot clear non-authenticated request.");
+// req.setAttribute(REMOTE_USER, null);
+// req.setAttribute(AccessControlContext.class.getName(), null);
+// }
+
+ public static CmsSession getCmsSession(RemoteAuthRequest req) {
+ CmsSession cmsSession = (CmsSession) req.getAttribute(CmsSession.class.getName());
+ if (cmsSession == null)
+ throw new IllegalStateException("Request must have a CMS session attribute");
+ return cmsSession;
+ }
+
+ public static String createGssToken(Subject subject, String service, String server) {
+ if (subject.getPrivateCredentials(KerberosTicket.class).isEmpty())
+ throw new IllegalArgumentException("Subject " + subject + " is not GSS authenticated.");
+ return Subject.doAs(subject, (PrivilegedAction<String>) () -> {
+ // !! different format than Kerberos
+ String serverPrinc = service + "@" + server;
+ GSSContext context = null;
+ String tokenStr = null;
+
+ try {
+ // Get service's principal name
+ GSSManager manager = GSSManager.getInstance();
+ // GSSName serverName = manager.createName(serverPrinc,
+ // GSSName.NT_HOSTBASED_SERVICE, KERBEROS_OID);
+ GSSName serverName = manager.createName(serverPrinc, GSSName.NT_HOSTBASED_SERVICE);
+
+ // Get the context for authentication
+ context = manager.createContext(serverName, KERBEROS_OID, null, GSSContext.DEFAULT_LIFETIME);
+ // context.requestMutualAuth(true); // Request mutual authentication
+ // context.requestConf(true); // Request confidentiality
+ context.requestCredDeleg(true);