X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Fauth%2FRemoteAuthUtils.java;h=0bb199dfdbfddcf4fb93eda4e4363834f9afa77b;hb=dca2b13e0e3ca3e7a9469e089b980c48c880ad1a;hp=d51997d74fca518340fc5f601e649c7e30dd6480;hpb=4185ff8826f893a4a1f054f61a11b89333c3e85d;p=lgpl%2Fargeo-commons.git diff --git a/org.argeo.cms/src/org/argeo/cms/auth/RemoteAuthUtils.java b/org.argeo.cms/src/org/argeo/cms/auth/RemoteAuthUtils.java index d51997d74..0bb199dfd 100644 --- a/org.argeo.cms/src/org/argeo/cms/auth/RemoteAuthUtils.java +++ b/org.argeo.cms/src/org/argeo/cms/auth/RemoteAuthUtils.java @@ -3,19 +3,24 @@ package org.argeo.cms.auth; import java.security.AccessControlContext; import java.security.AccessController; import java.security.PrivilegedAction; +import java.util.Base64; import java.util.function.Supplier; import javax.security.auth.Subject; +import javax.security.auth.kerberos.KerberosTicket; import org.argeo.api.cms.CmsSession; -import org.argeo.cms.osgi.CmsOsgiUtils; -import org.osgi.framework.BundleContext; -import org.osgi.framework.FrameworkUtil; +import org.argeo.cms.internal.runtime.CmsContextImpl; +import org.ietf.jgss.GSSContext; +import org.ietf.jgss.GSSException; +import org.ietf.jgss.GSSManager; +import org.ietf.jgss.GSSName; +import org.ietf.jgss.Oid; /** Remote authentication utilities. */ public class RemoteAuthUtils { static final String REMOTE_USER = "org.osgi.service.http.authentication.remote.user"; - private static BundleContext bundleContext = FrameworkUtil.getBundle(RemoteAuthUtils.class).getBundleContext(); +// private static BundleContext bundleContext = FrameworkUtil.getBundle(RemoteAuthUtils.class).getBundleContext(); /** * Execute this supplier, using the CMS class loader as context classloader. @@ -58,7 +63,53 @@ public class RemoteAuthUtils { public static CmsSession getCmsSession(RemoteAuthRequest req) { Subject subject = Subject .getSubject((AccessControlContext) req.getAttribute(AccessControlContext.class.getName())); - CmsSession cmsSession = CmsOsgiUtils.getCmsSession(bundleContext, subject); + CmsSession cmsSession = CmsContextImpl.getCmsContext().getCmsSession(subject); return cmsSession; } + + private final static Oid KERBEROS_OID; + static { + try { + KERBEROS_OID = new Oid("1.3.6.1.5.5.2"); + } catch (GSSException e) { + throw new IllegalStateException("Cannot create Kerberos OID", e); + } + } + + public static String getGssToken(Subject subject, String serverPrinc) { + if (subject.getPrivateCredentials(KerberosTicket.class).isEmpty()) + throw new IllegalArgumentException("Subject " + subject + " is not GSS authenticated."); + return Subject.doAs(subject, (PrivilegedAction) () -> { + GSSContext context = null; + String tokenStr = null; + + try { + // Get service's principal name + GSSManager manager = GSSManager.getInstance(); + GSSName serverName = manager.createName(serverPrinc, GSSName.NT_HOSTBASED_SERVICE, KERBEROS_OID); + + // Get the context for authentication + context = manager.createContext(serverName, KERBEROS_OID, null, GSSContext.DEFAULT_LIFETIME); + // context.requestMutualAuth(true); // Request mutual authentication + // context.requestConf(true); // Request confidentiality + context.requestCredDeleg(true); + + byte[] token = new byte[0]; + + // token is ignored on the first call + token = context.initSecContext(token, 0, token.length); + + // Send a token to the server if one was generated by + // initSecContext + if (token != null) { + tokenStr = Base64.getEncoder().encodeToString(token); + // complete=true; + } + return tokenStr; + + } catch (GSSException e) { + throw new IllegalStateException("Cannot authenticate to " + serverPrinc, e); + } + }); + } }