package org.argeo.cms.internal.http.client;
-import java.net.URI;
import java.net.URL;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
-import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.apache.commons.httpclient.Credentials;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.HttpMethod;
-import org.apache.commons.httpclient.URIException;
import org.apache.commons.httpclient.auth.AuthPolicy;
import org.apache.commons.httpclient.auth.AuthScheme;
import org.apache.commons.httpclient.auth.AuthenticationException;
import org.apache.commons.httpclient.methods.GetMethod;
import org.apache.commons.httpclient.params.DefaultHttpParams;
import org.apache.commons.httpclient.params.HttpParams;
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.ietf.jgss.GSSContext;
-import org.ietf.jgss.GSSException;
-import org.ietf.jgss.GSSManager;
-import org.ietf.jgss.GSSName;
-import org.ietf.jgss.Oid;
+import org.argeo.cms.auth.RemoteAuthUtils;
/** Implementation of the SPNEGO auth scheme. */
public class SpnegoAuthScheme implements AuthScheme {
- private final static Log log = LogFactory.getLog(SpnegoAuthScheme.class);
+// private final static Log log = LogFactory.getLog(SpnegoAuthScheme.class);
public static final String NAME = "Negotiate";
- private final static Oid KERBEROS_OID;
- static {
- try {
- KERBEROS_OID = new Oid("1.3.6.1.5.5.2");
- } catch (GSSException e) {
- throw new IllegalStateException("Cannot create Kerberos OID", e);
- }
- }
+// private final static Oid KERBEROS_OID;
+// static {
+// try {
+// KERBEROS_OID = new Oid("1.3.6.1.5.5.2");
+// } catch (GSSException e) {
+// throw new IllegalStateException("Cannot create Kerberos OID", e);
+// }
+// }
+
+ private final static String DEFAULT_KERBEROS_SERVICE = "HTTP";
private boolean complete = false;
private String realm;
- private String tokenStr;
@Override
public void processChallenge(String challenge) throws MalformedChallengeException {
-// if(tokenStr!=null){
-// log.error("Received challenge while there is a token. Failing.");
-// complete = false;
-// }
+ // if(tokenStr!=null){
+ // log.error("Received challenge while there is a token. Failing.");
+ // complete = false;
+ // }
}
@Override
public String authenticate(Credentials credentials, String method, String uri) throws AuthenticationException {
-// log.debug("authenticate " + method + " " + uri);
-// return null;
+ // log.debug("authenticate " + method + " " + uri);
+ // return null;
throw new UnsupportedOperationException();
}
@Override
public String authenticate(Credentials credentials, HttpMethod method) throws AuthenticationException {
- GSSContext context = null;
- String tokenStr = null;
+// GSSContext context = null;
String hostname;
try {
hostname = method.getURI().getHost();
- } catch (URIException e1) {
- throw new IllegalStateException("Cannot authenticate", e1);
- }
- String serverPrinc = "HTTP@" + hostname;
-
- try {
- // Get service's principal name
- GSSManager manager = GSSManager.getInstance();
- GSSName serverName = manager.createName(serverPrinc, GSSName.NT_HOSTBASED_SERVICE, KERBEROS_OID);
-
- // Get the context for authentication
- context = manager.createContext(serverName, KERBEROS_OID, null, GSSContext.DEFAULT_LIFETIME);
- // context.requestMutualAuth(true); // Request mutual authentication
- // context.requestConf(true); // Request confidentiality
- context.requestCredDeleg(true);
-
- byte[] token = new byte[0];
-
- // token is ignored on the first call
- token = context.initSecContext(token, 0, token.length);
-
- // Send a token to the server if one was generated by
- // initSecContext
- if (token != null) {
- tokenStr = Base64.getEncoder().encodeToString(token);
- // complete=true;
- }
+ String tokenStr = RemoteAuthUtils.getGssToken(null, DEFAULT_KERBEROS_SERVICE, hostname);
return "Negotiate " + tokenStr;
- } catch (GSSException e) {
+ } catch (Exception e1) {
complete = true;
- throw new AuthenticationException("Cannot authenticate to " + serverPrinc, e);
+ throw new AuthenticationException("Cannot authenticate " + method, e1);
}
- }
-
- private void doAuthenticate(URI uri){
-
+// String serverPrinc = DEFAULT_KERBEROS_SERVICE + "@" + hostname;
+//
+// try {
+// // Get service's principal name
+// GSSManager manager = GSSManager.getInstance();
+// GSSName serverName = manager.createName(serverPrinc, GSSName.NT_HOSTBASED_SERVICE, KERBEROS_OID);
+//
+// // Get the context for authentication
+// context = manager.createContext(serverName, KERBEROS_OID, null, GSSContext.DEFAULT_LIFETIME);
+// // context.requestMutualAuth(true); // Request mutual authentication
+// // context.requestConf(true); // Request confidentiality
+// context.requestCredDeleg(true);
+//
+// byte[] token = new byte[0];
+//
+// // token is ignored on the first call
+// token = context.initSecContext(token, 0, token.length);
+//
+// // Send a token to the server if one was generated by
+// // initSecContext
+// if (token != null) {
+// tokenStr = Base64.getEncoder().encodeToString(token);
+// // complete=true;
+// }
+// } catch (GSSException e) {
+// complete = true;
+// throw new AuthenticationException("Cannot authenticate to " + serverPrinc, e);
+// }
}
public static void main(String[] args) {
- if (args.length == 0) {
- System.err.println("usage: java " + SpnegoAuthScheme.class.getName() + " <url>");
+ String principal = System.getProperty("javax.security.auth.login.name");
+ if (args.length == 0 || principal == null) {
+ System.err.println("usage: java -Djavax.security.auth.login.name=<principal@REALM> "
+ + SpnegoAuthScheme.class.getName() + " <url>");
System.exit(1);
return;
}
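Review bot: The security-relevant choices the removed GSS code made explicitly — `context.requestCredDeleg(true)` and no mutual authentication — are now hidden behind `RemoteAuthUtils.getGssToken(null, DEFAULT_KERBEROS_SERVICE, hostname)` in `authenticate(Credentials, HttpMethod)`, and nothing in the hunk says whether the helper still requests delegation, which hands the server a forwardable copy of the caller's Kerberos credentials. I would add `// NOTE(review): confirm whether getGssToken requests credential delegation and/or mutual auth; the code it replaces requested delegation only — and document what the leading null argument stands for` above that call. The new `catch (Exception e1)` also widens the previous `GSSException` catch to every runtime exception and drops the target service principal from the failure message; declaring `String hostname = null;` and throwing `new AuthenticationException("Cannot authenticate to " + DEFAULT_KERBEROS_SERVICE + "@" + hostname, e1)` would keep that diagnostic without changing the exception type callers catch. Finally, the roughly thirty lines of commented-out GSS code added after the catch, together with the commented `log` and `KERBEROS_OID` fields, should be deleted rather than kept; the removed side of this diff already preserves them in history.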
ArrayList<String> schemes = new ArrayList<>();
schemes.add(SpnegoAuthScheme.NAME);
params.setParameter(AuthPolicy.AUTH_SCHEME_PRIORITY, schemes);
- params.setParameter(CredentialsProvider.PROVIDER, new SpnegoCredentialProvider());
+ params.setParameter(CredentialsProvider.PROVIDER, new HttpCredentialProvider());
int responseCode = Subject.doAs(lc.getSubject(), new PrivilegedExceptionAction<Integer>() {
public Integer run() throws Exception {