X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Finternal%2Fhttp%2Fclient%2FSpnegoAuthScheme.java;h=a8aa29bbbfb6487217e6365d3518d6108f4f6a29;hb=3d3c654c9d973c62ca22f1c9010bb2e7e1847d09;hp=7d5278ef06b90fb176c93ca35b582b8e18f41c55;hpb=3714331f776988facff3632d86ad3f6d6352220c;p=lgpl%2Fargeo-commons.git
diff --git a/org.argeo.cms/src/org/argeo/cms/internal/http/client/SpnegoAuthScheme.java b/org.argeo.cms/src/org/argeo/cms/internal/http/client/SpnegoAuthScheme.java
index 7d5278ef0..a8aa29bbb 100644
--- a/org.argeo.cms/src/org/argeo/cms/internal/http/client/SpnegoAuthScheme.java
+++ b/org.argeo.cms/src/org/argeo/cms/internal/http/client/SpnegoAuthScheme.java
@@ -3,7 +3,6 @@ package org.argeo.cms.internal.http.client;
 import java.net.URL;
 import java.security.PrivilegedExceptionAction;
 import java.util.ArrayList;
-import java.util.Base64;
 
 import javax.security.auth.Subject;
 import javax.security.auth.login.LoginContext;
@@ -11,7 +10,6 @@ import javax.security.auth.login.LoginContext;
 import org.apache.commons.httpclient.Credentials;
 import org.apache.commons.httpclient.HttpClient;
 import org.apache.commons.httpclient.HttpMethod;
-import org.apache.commons.httpclient.URIException;
 import org.apache.commons.httpclient.auth.AuthPolicy;
 import org.apache.commons.httpclient.auth.AuthScheme;
 import org.apache.commons.httpclient.auth.AuthenticationException;
@@ -20,34 +18,33 @@ import org.apache.commons.httpclient.auth.MalformedChallengeException; import org.apache.commons.httpclient.methods.GetMethod; import org.apache.commons.httpclient.params.DefaultHttpParams; import org.apache.commons.httpclient.params.HttpParams; -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; -import org.ietf.jgss.GSSContext; -import org.ietf.jgss.GSSException; -import org.ietf.jgss.GSSManager; -import org.ietf.jgss.GSSName; -import org.ietf.jgss.Oid; +import org.argeo.cms.auth.RemoteAuthUtils; /** Implementation of the SPNEGO auth scheme. */ public class SpnegoAuthScheme implements AuthScheme { - private final static Log log = LogFactory.getLog(SpnegoAuthScheme.class); +// private final static Log log = LogFactory.getLog(SpnegoAuthScheme.class); public static final String NAME = "Negotiate"; - private final static Oid KERBEROS_OID; - static { - try { - KERBEROS_OID = new Oid("1.3.6.1.5.5.2"); - } catch (GSSException e) { - throw new IllegalStateException("Cannot create Kerberos OID", e); - } - } +// private final static Oid KERBEROS_OID; +// static { +// try { +// KERBEROS_OID = new Oid("1.3.6.1.5.5.2"); +// } catch (GSSException e) { +// throw new IllegalStateException("Cannot create Kerberos OID", e); +// } +// } + + private final static String DEFAULT_KERBEROS_SERVICE = "HTTP"; private boolean complete = false; private String realm; @Override public void processChallenge(String challenge) throws MalformedChallengeException { - log.debug("processChallenge " + challenge); + // if(tokenStr!=null){ + // log.error("Received challenge while there is a token. Failing."); + // complete = false; + // } } @@ -58,7 +55,6 @@ public class SpnegoAuthScheme implements AuthScheme { @Override public String getParameter(String name) { - log.debug("getParameter " + name); return null; } 
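Review bot: `processChallenge` now does nothing with its argument — the challenge is neither checked to start with `NAME` nor parsed for a server-supplied token, so a non-Negotiate or malformed challenge is accepted silently even though the method declares `MalformedChallengeException`. If ignoring the challenge is intended because only the initial client token is ever sent, that should be stated, e.g. `// Only the initial client token is sent; any server-supplied Negotiate token is ignored, so presumably no mutual authentication takes place.`, and a minimal `if (!challenge.startsWith(NAME)) throw new MalformedChallengeException("Not a Negotiate challenge");` would at least reject foreign schemes. The commented-out block inside the method refers to a `tokenStr` that no longer exists in this class, and like the commented `log` field and `KERBEROS_OID` static block above it (and the GSS block in the later `authenticate` hunk) it should be deleted rather than kept as comments, since version control already preserves the history.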
@@ -79,60 +75,63 @@ public class SpnegoAuthScheme implements AuthScheme { @Override public boolean isComplete() { - log.debug("isComplete"); return complete; } @Override public String authenticate(Credentials credentials, String method, String uri) throws AuthenticationException { - log.debug("authenticate " + method + " " + uri); - return null; + // log.debug("authenticate " + method + " " + uri); + // return null; + throw new UnsupportedOperationException(); } @Override public String authenticate(Credentials credentials, HttpMethod method) throws AuthenticationException { - log.debug("authenticate " + method); - GSSContext context = null; - String tokenStr = null; +// GSSContext context = null; String hostname; try { hostname = method.getURI().getHost(); - } catch (URIException e1) { - throw new IllegalStateException("Cannot authenticate", e1); - } - String serverPrinc = "HTTP@" + hostname; - - try { - // Get service's principal name - GSSManager manager = GSSManager.getInstance(); - GSSName serverName = manager.createName(serverPrinc, GSSName.NT_HOSTBASED_SERVICE, KERBEROS_OID); - - // Get the context for authentication - context = manager.createContext(serverName, KERBEROS_OID, null, GSSContext.DEFAULT_LIFETIME); - // context.requestMutualAuth(true); // Request mutual authentication - // context.requestConf(true); // Request confidentiality - context.requestCredDeleg(true); - - byte[] token = new byte[0]; - - // token is ignored on the first call - token = context.initSecContext(token, 0, token.length); - - // Send a token to the server if one was generated by - // initSecContext - if (token != null) { - tokenStr = Base64.getEncoder().encodeToString(token); - // complete=true; - } + String tokenStr = RemoteAuthUtils.getGssToken(null, DEFAULT_KERBEROS_SERVICE, hostname); return "Negotiate " + tokenStr; - } catch (GSSException e) { - throw new AuthenticationException("Cannot authenticate to " + serverPrinc, e); + } catch (Exception e1) { + complete = true; + 
throw new AuthenticationException("Cannot authenticate " + method, e1); } +// String serverPrinc = DEFAULT_KERBEROS_SERVICE + "@" + hostname; +// +// try { +// // Get service's principal name +// GSSManager manager = GSSManager.getInstance(); +// GSSName serverName = manager.createName(serverPrinc, GSSName.NT_HOSTBASED_SERVICE, KERBEROS_OID); +// +// // Get the context for authentication +// context = manager.createContext(serverName, KERBEROS_OID, null, GSSContext.DEFAULT_LIFETIME); +// // context.requestMutualAuth(true); // Request mutual authentication +// // context.requestConf(true); // Request confidentiality +// context.requestCredDeleg(true); +// +// byte[] token = new byte[0]; +// +// // token is ignored on the first call +// token = context.initSecContext(token, 0, token.length); +// +// // Send a token to the server if one was generated by +// // initSecContext +// if (token != null) { +// tokenStr = Base64.getEncoder().encodeToString(token); +// // complete=true; +// } +// } catch (GSSException e) { +// complete = true; +// throw new AuthenticationException("Cannot authenticate to " + serverPrinc, e); +// } } public static void main(String[] args) { - if (args.length == 0) { - System.err.println("usage: java " + SpnegoAuthScheme.class.getName() + " "); + String principal = System.getProperty("javax.security.auth.login.name"); + if (args.length == 0 || principal == null) { + System.err.println("usage: java -Djavax.security.auth.login.name= " + + SpnegoAuthScheme.class.getName() + " "); System.exit(1); return; } 
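Review bot: The new `catch (Exception e1)` in `authenticate(Credentials, HttpMethod)` folds the `URIException` from `method.getURI()` (previously surfaced as `IllegalStateException`) and any runtime failure inside `RemoteAuthUtils.getGssToken` into one `AuthenticationException`; catching `URIException` plus the exception types `getGssToken` actually declares would keep programming errors distinguishable from a failed GSS exchange. `complete = true` is set only on that failure path while the success path `return "Negotiate " + tokenStr;` never sets it, so `isComplete()` presumably reports true only after a failed attempt — if that is deliberate, a comment such as `// a failed token request ends the Negotiate exchange so the client does not retry it` would make the intent clear, otherwise the flag should also be set once a token has been produced. The removed code requested credential delegation via `context.requestCredDeleg(true)`; whether `getGssToken` still forwards the caller's Kerberos credentials to the HTTP server is not visible here and deserves a one-line comment at the call site, since delegation is a security-relevant choice that the old code made explicitly. The other `authenticate(Credentials, String, String)` overload now throws a bare `UnsupportedOperationException`; giving it a message such as `"use authenticate(Credentials, HttpMethod)"` would save the next caller a debugging session.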
@@ -149,7 +148,7 @@ public class SpnegoAuthScheme implements AuthScheme { ArrayList schemes = new ArrayList<>(); schemes.add(SpnegoAuthScheme.NAME); params.setParameter(AuthPolicy.AUTH_SCHEME_PRIORITY, schemes); - params.setParameter(CredentialsProvider.PROVIDER, new SpnegoCredentialProvider()); + params.setParameter(CredentialsProvider.PROVIDER, new HttpCredentialProvider()); int responseCode = Subject.doAs(lc.getSubject(), new PrivilegedExceptionAction() { public Integer run() throws Exception {