+
+ Object realm = userDirectory.getProperties().get(UserAdminConf.realm.name());
+ if (realm != null) {
+ if (acceptorCredentials != null) {
+ try {
+ acceptorCredentials.dispose();
+ } catch (GSSException e) {
+ // silent
+ }
+ acceptorCredentials = null;
+ }
+ }
+ }
+
+ private String getKerberosServicePrincipal(String realm) {
+ String hostname;
+ try (DnsBrowser dnsBrowser = new DnsBrowser()) {
+ InetAddress localhost = InetAddress.getLocalHost();
+ hostname = localhost.getHostName();
+ String dnsZone = hostname.substring(hostname.indexOf('.') + 1);
+ String ipfromDns = dnsBrowser.getRecord(hostname, localhost instanceof Inet6Address ? "AAAA" : "A");
+ boolean consistentIp = localhost.getHostAddress().equals(ipfromDns);
+ String kerberosDomain = dnsBrowser.getRecord("_kerberos." + dnsZone, "TXT");
+ if (consistentIp && kerberosDomain != null && kerberosDomain.equals(realm) && Files.exists(nodeKeyTab)) {
+ return NodeHttp.DEFAULT_SERVICE + "/" + hostname + "@" + kerberosDomain;
+ } else
+ return null;
+ } catch (Exception e) {
+ log.warn("Exception when determining kerberos principal", e);
+ return null;
+ }
+ }
+
+ private GSSCredential logInAsAcceptor(Subject subject, String servicePrincipal) {
+ // GSS
+ Iterator<KerberosPrincipal> krb5It = subject.getPrincipals(KerberosPrincipal.class).iterator();
+ if (!krb5It.hasNext())
+ return null;
+ KerberosPrincipal krb5Principal = null;
+ while (krb5It.hasNext()) {
+ KerberosPrincipal principal = krb5It.next();
+ if (principal.getName().equals(servicePrincipal))
+ krb5Principal = principal;
+ }
+
+ if (krb5Principal == null)
+ return null;
+
+ GSSManager manager = GSSManager.getInstance();
+ try {
+ GSSName gssName = manager.createName(krb5Principal.getName(), null);
+ GSSCredential serverCredentials = Subject.doAs(subject, new PrivilegedExceptionAction<GSSCredential>() {
+
+ @Override
+ public GSSCredential run() throws GSSException {
+ return manager.createCredential(gssName, GSSCredential.INDEFINITE_LIFETIME, KERBEROS_OID,
+ GSSCredential.ACCEPT_ONLY);
+
+ }
+
+ });
+ if (log.isDebugEnabled())
+ log.debug("GSS acceptor configured for " + krb5Principal);
+ return serverCredentials;
+ } catch (Exception gsse) {
+ throw new CmsException("Cannot create acceptor credentials for " + krb5Principal, gsse);
+ }
+ }
+
+ public GSSCredential getAcceptorCredentials() {
+ return acceptorCredentials;
+ }
+
+ public boolean isSingleUser() {
+ return singleUser;
+ }
+
+ public final static Oid KERBEROS_OID;
+ static {
+ try {
+ KERBEROS_OID = new Oid("1.3.6.1.5.5.2");
+ } catch (GSSException e) {
+ throw new IllegalStateException("Cannot create Kerberos OID", e);
+ }