/** * Add an entry to the jaas configuration with the passed in name, * principal, and keytab. The other necessary options will be set for you. * * @param entryName * The name of the entry (e.g. "Client") * @param principal * The principal of the user * @param keytab * The location of the keytab */ public JaasConfiguration(String entryName, String principal, String keytab) { this.entryName = entryName; Map<String, String> options = new HashMap<String, String>(); options.put("keyTab", keytab); options.put("principal", principal); options.put("useKeyTab", "true"); options.put("storeKey", "true"); options.put("useTicketCache", "false"); options.put("refreshKrb5Config", "true"); String jaasEnvVar = System.getenv("HADOOP_JAAS_DEBUG"); if (jaasEnvVar != null && "true".equalsIgnoreCase(jaasEnvVar)) { options.put("debug", "true"); } entry = new AppConfigurationEntry[] { new AppConfigurationEntry(getKrb5LoginModuleName(), AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options) }; }
@Override public AppConfigurationEntry[] getAppConfigurationEntry(String appName) { if (SIMPLE_CONFIG_NAME.equals(appName)) { return SIMPLE_CONF; } else if (USER_KERBEROS_CONFIG_NAME.equals(appName)) { return USER_KERBEROS_CONF; } else if (KEYTAB_KERBEROS_CONFIG_NAME.equals(appName)) { if (IBM_JAVA) { KEYTAB_KERBEROS_OPTIONS.put("useKeytab", prependFileAuthority(keytabFile)); } else { KEYTAB_KERBEROS_OPTIONS.put("keyTab", keytabFile); } KEYTAB_KERBEROS_OPTIONS.put("principal", keytabPrincipal); return KEYTAB_KERBEROS_CONF; } return null; }
@Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) { Map<String, String> options = new HashMap<String, String>(); options.put("principal", principal); options.put("keyTab", keytab); options.put("useKeyTab", "true"); options.put("storeKey", "true"); options.put("doNotPrompt", "true"); options.put("useTicketCache", "true"); options.put("renewTGT", "true"); options.put("refreshKrb5Config", "true"); options.put("isInitiator", "true"); String ticketCache = System.getenv("KRB5CCNAME"); if (ticketCache != null) { options.put("ticketCache", ticketCache); } options.put("debug", "true"); return new AppConfigurationEntry[]{ new AppConfigurationEntry(KerberosUtil.getKrb5LoginModuleName(), AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options),}; }
public SaslQuorumAuthServer(boolean quorumRequireSasl, String loginContext, Set<String> authzHosts) throws SaslException { this.quorumRequireSasl = quorumRequireSasl; try { AppConfigurationEntry entries[] = Configuration.getConfiguration() .getAppConfigurationEntry(loginContext); if (entries == null || entries.length == 0) { throw new LoginException("SASL-authentication failed" + " because the specified JAAS configuration " + "section '" + loginContext + "' could not be found."); } SaslQuorumServerCallbackHandler saslServerCallbackHandler = new SaslQuorumServerCallbackHandler( Configuration.getConfiguration(), loginContext, authzHosts); serverLogin = new Login(loginContext, saslServerCallbackHandler); serverLogin.startThreadIfNeeded(); } catch (Throwable e) { throw new SaslException( "Failed to initialize authentication mechanism using SASL", e); } }
public void initialize() { options.put("debug", "true"); options.put("principal", principalName); // Ensure the correct TGT is used. options.put("refreshKrb5Config", "true"); appConfigEntries = new AppConfigurationEntry[1]; appConfigEntries[0] = new AppConfigurationEntry(LOGIN_MODULE, AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options); Security.setProperty("login.configuration.provider", getClass().getName()); // For each Kerberos client that the loads we // need a separate instance of this class, it gets set here, so next call // on the LoginContext will use this instance. setConfiguration(this); }
public SaslServerCallbackHandler(Configuration configuration) throws IOException { String serverSection = System.getProperty( ZooKeeperSaslServer.LOGIN_CONTEXT_NAME_KEY, ZooKeeperSaslServer.DEFAULT_LOGIN_CONTEXT_NAME); AppConfigurationEntry configurationEntries[] = configuration.getAppConfigurationEntry(serverSection); if (configurationEntries == null) { String errorMessage = "Could not find a '" + serverSection + "' entry in this configuration: Server cannot start."; LOG.error(errorMessage); throw new IOException(errorMessage); } credentials.clear(); for(AppConfigurationEntry entry: configurationEntries) { Map<String,?> options = entry.getOptions(); // Populate DIGEST-MD5 user -> password map with JAAS configuration entries from the "Server" section. // Usernames are distinguished from other options by prefixing the username with a "user_" prefix. for(Map.Entry<String, ?> pair : options.entrySet()) { String key = pair.getKey(); if (key.startsWith(USER_PREFIX)) { String userName = key.substring(USER_PREFIX.length()); credentials.put(userName,(String)pair.getValue()); } } } }
public SaslServerCallbackHandler(Configuration configuration) throws IOException { String serverSection = System.getProperty(ZooKeeperSaslServer.LOGIN_CONTEXT_NAME_KEY, ZooKeeperSaslServer.DEFAULT_LOGIN_CONTEXT_NAME); AppConfigurationEntry configurationEntries[] = configuration.getAppConfigurationEntry(serverSection); if (configurationEntries == null) { String errorMessage = "Could not find a 'Server' entry in this configuration: Server cannot start."; LOG.error(errorMessage); throw new IOException(errorMessage); } credentials.clear(); for(AppConfigurationEntry entry: configurationEntries) { Map<String,?> options = entry.getOptions(); // Populate DIGEST-MD5 user -> password map with JAAS configuration entries from the "Server" section. // Usernames are distinguished from other options by prefixing the username with a "user_" prefix. for(Map.Entry<String, ?> pair : options.entrySet()) { String key = pair.getKey(); if (key.startsWith(USER_PREFIX)) { String userName = key.substring(USER_PREFIX.length()); credentials.put(userName,(String)pair.getValue()); } } } }
static Subject getSubject() throws Exception { if (!secure) return new Subject(); /* * To authenticate the DemoClient, kinit should be invoked ahead. * Here we try to get the Kerberos credential from the ticket cache. */ LoginContext context = new LoginContext("", new Subject(), null, new Configuration() { @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) { Map<String, String> options = new HashMap<String, String>(); options.put("useKeyTab", "false"); options.put("storeKey", "false"); options.put("doNotPrompt", "true"); options.put("useTicketCache", "true"); options.put("renewTGT", "true"); options.put("refreshKrb5Config", "true"); options.put("isInitiator", "true"); String ticketCache = System.getenv("KRB5CCNAME"); if (ticketCache != null) { options.put("ticketCache", ticketCache); } options.put("debug", "true"); return new AppConfigurationEntry[]{ new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule", AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options)}; } }); context.login(); return context.getSubject(); }
private void init(URL config, Map<String, List<AppConfigurationEntry>> newConfig) throws IOException { try (InputStreamReader isr = new InputStreamReader(getInputStream(config), "UTF-8")) { readConfig(isr, newConfig); } catch (FileNotFoundException fnfe) { if (debugConfig != null) { debugConfig.println(fnfe.toString()); } throw new IOException(ResourcesMgr.getString ("Configuration.Error.No.such.file.or.directory", "sun.security.util.AuthResources")); } }
/** * Retrieve an entry from the Configuration using an application name * as an index. * * @param applicationName the name used to index the Configuration. * @return an array of AppConfigurationEntries which correspond to * the stacked configuration of LoginModules for this * application, or null if this application has no configured * LoginModules. */ @Override public AppConfigurationEntry[] engineGetAppConfigurationEntry (String applicationName) { List<AppConfigurationEntry> list = null; synchronized (configuration) { list = configuration.get(applicationName); } if (list == null || list.size() == 0) { return null; } AppConfigurationEntry[] entries = new AppConfigurationEntry[list.size()]; Iterator<AppConfigurationEntry> iterator = list.iterator(); for (int i = 0; iterator.hasNext(); i++) { AppConfigurationEntry e = iterator.next(); entries[i] = new AppConfigurationEntry(e.getLoginModuleName(), e.getControlFlag(), e.getOptions()); } return entries; }
public SaslQuorumServerCallbackHandler(Configuration configuration, String serverSection, Set<String> authzHosts) throws IOException { AppConfigurationEntry configurationEntries[] = configuration.getAppConfigurationEntry(serverSection); if (configurationEntries == null) { String errorMessage = "Could not find a '" + serverSection + "' entry in this configuration: Server cannot start."; LOG.error(errorMessage); throw new IOException(errorMessage); } credentials.clear(); for(AppConfigurationEntry entry: configurationEntries) { Map<String,?> options = entry.getOptions(); // Populate DIGEST-MD5 user -> password map with JAAS configuration entries from the "QuorumServer" section. // Usernames are distinguished from other options by prefixing the username with a "user_" prefix. for(Map.Entry<String, ?> pair : options.entrySet()) { String key = pair.getKey(); if (key.startsWith(USER_PREFIX)) { String userName = key.substring(USER_PREFIX.length()); credentials.put(userName,(String)pair.getValue()); } } } // authorized host lists this.authzHosts = authzHosts; }
/** * Creates an instance of <code>FileLoginConfig</code> * * @param passwordFile A filepath that identifies the password file to use. * If null then the default password file is used. */ public FileLoginConfig(String passwordFile) { Map<String, String> options; if (passwordFile != null) { options = new HashMap<String, String>(1); options.put(PASSWORD_FILE_OPTION, passwordFile); } else { options = Collections.emptyMap(); } entries = new AppConfigurationEntry[] { new AppConfigurationEntry(FILE_LOGIN_MODULE, AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options) }; }
/** * Resolve the context of an entry. This is an effective test of * JAAS setup, because it will relay detected problems up * @param context context name * @return the entry * @throws RuntimeException if there is no context entry found */ public static AppConfigurationEntry[] validateContext(String context) { if (context == null) { throw new RuntimeException("Null context argument"); } if (context.isEmpty()) { throw new RuntimeException("Empty context argument"); } javax.security.auth.login.Configuration configuration = javax.security.auth.login.Configuration.getConfiguration(); AppConfigurationEntry[] entries = configuration.getAppConfigurationEntry(context); if (entries == null) { throw new RuntimeException( String.format("Entry \"%s\" not found; " + "JAAS config = %s", context, describeProperty(Environment.JAAS_CONF_KEY) )); } return entries; }
@Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) { Map<String, String> options = new HashMap<String, String>(); options.put("keyTab", keytab); options.put("principal", principal); options.put("useKeyTab", "true"); options.put("storeKey", "true"); options.put("doNotPrompt", "true"); options.put("useTicketCache", "true"); options.put("renewTGT", "true"); options.put("refreshKrb5Config", "true"); options.put("isInitiator", Boolean.toString(isInitiator)); String ticketCache = System.getenv("KRB5CCNAME"); if (ticketCache != null) { options.put("ticketCache", ticketCache); } options.put("debug", "true"); return new AppConfigurationEntry[]{ new AppConfigurationEntry(KerberosUtil.getKrb5LoginModuleName(), AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options) }; }
@Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) { Map<String, String> options = new HashMap<String, String>(); options.put("keyTab", KerberosTestUtils.getKeytabFile()); options.put("principal", principal); options.put("useKeyTab", "true"); options.put("storeKey", "true"); options.put("doNotPrompt", "true"); options.put("useTicketCache", "true"); options.put("renewTGT", "true"); options.put("refreshKrb5Config", "true"); options.put("isInitiator", "true"); String ticketCache = System.getenv("KRB5CCNAME"); if (ticketCache != null) { options.put("ticketCache", ticketCache); } options.put("debug", "true"); return new AppConfigurationEntry[]{ new AppConfigurationEntry(KerberosUtil.getKrb5LoginModuleName(), AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options),}; }
@Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) { Map<String, String> options = new HashMap<String, String>(); options.put("keyTab", keytab); options.put("principal", principal); options.put("useKeyTab", "true"); options.put("storeKey", "true"); options.put("doNotPrompt", "true"); options.put("useTicketCache", "true"); options.put("renewTGT", "true"); options.put("refreshKrb5Config", "true"); options.put("isInitiator", Boolean.toString(isInitiator)); String ticketCache = System.getenv("KRB5CCNAME"); if (ticketCache != null) { options.put("ticketCache", ticketCache); } options.put("debug", "true"); return new AppConfigurationEntry[]{ new AppConfigurationEntry(getKrb5LoginModuleName(), AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options)}; }
/** * Add an entry to the jaas configuration with the passed in name, * principal, and keytab. The other necessary options will be set for you. * * @param entryName The name of the entry (e.g. "Client") * @param principal The principal of the user * @param keytab The location of the keytab */ public JaasConfiguration(String entryName, String principal, String keytab) { this.entryName = entryName; Map<String, String> options = new HashMap<String, String>(); options.put("keyTab", keytab); options.put("principal", principal); options.put("useKeyTab", "true"); options.put("storeKey", "true"); options.put("useTicketCache", "false"); options.put("refreshKrb5Config", "true"); String jaasEnvVar = System.getenv("HADOOP_JAAS_DEBUG"); if (jaasEnvVar != null && "true".equalsIgnoreCase(jaasEnvVar)) { options.put("debug", "true"); } entry = new AppConfigurationEntry[]{ new AppConfigurationEntry(getKrb5LoginModuleName(), AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options)}; }
static JaasContext load(JaasContext.Type contextType, String listenerContextName, String globalContextName, Map<String, ?> configs) { Password jaasConfigArgs = (Password) configs.get(SaslConfigs.SASL_JAAS_CONFIG); if (jaasConfigArgs != null) { if (contextType == JaasContext.Type.SERVER) throw new IllegalArgumentException("JAAS config property not supported for server"); else { JaasConfig jaasConfig = new JaasConfig(globalContextName, jaasConfigArgs.value()); AppConfigurationEntry[] clientModules = jaasConfig.getAppConfigurationEntry(globalContextName); int numModules = clientModules == null ? 0 : clientModules.length; if (numModules != 1) throw new IllegalArgumentException("JAAS config property contains " + numModules + " login modules, should be 1 module"); return new JaasContext(globalContextName, contextType, jaasConfig); } } else return defaultContext(contextType, listenerContextName, globalContextName); }
private AppConfigurationEntry parseAppConfigurationEntry(StreamTokenizer tokenizer) throws IOException { String loginModule = tokenizer.sval; if (tokenizer.nextToken() == StreamTokenizer.TT_EOF) throw new IllegalArgumentException("Login module control flag not specified in JAAS config"); LoginModuleControlFlag controlFlag = loginModuleControlFlag(tokenizer.sval); Map<String, String> options = new HashMap<>(); while (tokenizer.nextToken() != StreamTokenizer.TT_EOF && tokenizer.ttype != ';') { String key = tokenizer.sval; if (tokenizer.nextToken() != '=' || tokenizer.nextToken() == StreamTokenizer.TT_EOF || tokenizer.sval == null) throw new IllegalArgumentException("Value not specified for key '" + key + "' in JAAS config"); String value = tokenizer.sval; options.put(key, value); } if (tokenizer.ttype != ';') throw new IllegalArgumentException("JAAS config entry not terminated by semi-colon"); return new AppConfigurationEntry(loginModule, controlFlag, options); }
/** * Default value for a caller-mech pair when no entry is defined in * the system-wide Configuration object. */ private AppConfigurationEntry[] getDefaultConfigurationEntry() { HashMap <String, String> options = new HashMap <String, String> (2); if (mechName == null || mechName.equals("krb5")) { if (isServerSide(caller)) { // Assuming the keytab file can be found through // krb5 config file or under user home directory options.put("useKeyTab", "true"); options.put("storeKey", "true"); options.put("doNotPrompt", "true"); options.put("principal", "*"); options.put("isInitiator", "false"); } else { options.put("useTicketCache", "true"); options.put("doNotPrompt", "false"); } return new AppConfigurationEntry[] { new AppConfigurationEntry( "com.sun.security.auth.module.Krb5LoginModule", AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options) }; } return null; }
private void readConfig(Reader reader, Map<String, List<AppConfigurationEntry>> newConfig) throws IOException { linenum = 1; if (!(reader instanceof BufferedReader)) { reader = new BufferedReader(reader); } st = new StreamTokenizer(reader); st.quoteChar('"'); st.wordChars('$', '$'); st.wordChars('_', '_'); st.wordChars('-', '-'); st.wordChars('*', '*'); st.lowerCaseMode(false); st.slashSlashComments(true); st.slashStarComments(true); st.eolIsSignificant(true); lookahead = nextToken(); while (lookahead != StreamTokenizer.TT_EOF) { parseLoginEntry(newConfig); } }
@Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) { Map<String, String> options = new HashMap<String, String>(); options.put("principal", principal); options.put("refreshKrb5Config", "true"); if (KerberosConnection.isIbmJava()) { options.put("useKeytab", keytab); options.put("credsType", "both"); } else { options.put("keyTab", keytab); options.put("useKeyTab", "true"); options.put("isInitiator", "false"); options.put("doNotPrompt", "true"); options.put("storeKey", "true"); } LOG.debug("JAAS Configuration for server keytab-based Kerberos login: {}", options); return new AppConfigurationEntry[] {new AppConfigurationEntry( KerberosConnection.getKrb5LoginModuleName(), AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options)}; }
@Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) { Map<String, String> options = new HashMap<String, String>(); options.put("principal", principal); options.put("refreshKrb5Config", "true"); if (KerberosConnection.isIbmJava()) { options.put("useKeytab", keytab); options.put("credsType", "both"); } else { options.put("keyTab", keytab); options.put("useKeyTab", "true"); options.put("isInitiator", "true"); options.put("doNotPrompt", "true"); options.put("storeKey", "true"); } LOG.debug("JAAS Configuration for client keytab-based Kerberos login: {}", options); return new AppConfigurationEntry[] {new AppConfigurationEntry( KerberosConnection.getKrb5LoginModuleName(), AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options)}; }
public SaslQuorumAuthLearner(boolean quorumRequireSasl, String quorumServicePrincipal, String loginContext) throws SaslException { this.quorumRequireSasl = quorumRequireSasl; this.quorumServicePrincipal = quorumServicePrincipal; try { AppConfigurationEntry entries[] = Configuration .getConfiguration() .getAppConfigurationEntry(loginContext); if (entries == null || entries.length == 0) { throw new LoginException("SASL-authentication failed because" + " the specified JAAS configuration " + "section '" + loginContext + "' could not be found."); } this.learnerLogin = new Login(loginContext, new SaslClientCallbackHandler(null, "QuorumLearner")); this.learnerLogin.startThreadIfNeeded(); } catch (LoginException e) { throw new SaslException("Failed to initialize authentication mechanism using SASL", e); } }
/** * Creates a new instance of Krb5LoginConfiguration. */ public Krb5LoginConfiguration() { String loginModule = "com.sun.security.auth.module.Krb5LoginModule"; HashMap<String, Object> options = new HashMap<>(); // TODO: this only works for Sun JVM options.put( "refreshKrb5Config", "true" ); LoginModuleControlFlag flag = LoginModuleControlFlag.REQUIRED; configList[0] = new AppConfigurationEntry( loginModule, flag, options ); }
/** * Creates Jaas config * * @param loginModuleClassName Jaas login module class name * @return Configuration */ private static Configuration createJaasConfig(String loginModuleClassName, Map<String, String> options) { AppConfigurationEntry[] entries = { new AppConfigurationEntry(loginModuleClassName, AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options) }; return new Configuration() { @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) { return entries; } }; }
@BeforeMethod public void setUp() throws Exception { plainSaslServer = new PlainSaslServer(new PlainSaslCallbackHandler()); // create test login module and set in in the configuration AppConfigurationEntry[] entries = { new AppConfigurationEntry(TestLoginModule.class.getCanonicalName(), AppConfigurationEntry.LoginModuleControlFlag.OPTIONAL, new HashMap<>()) }; Configuration.setConfiguration(new Configuration() { @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) { return entries; } }); }
@Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) { Map<String, String> options = new HashMap<String, String>(); options.put("principal", principal); options.put("refreshKrb5Config", "true"); if (IBM_JAVA) { options.put("useKeytab", keytab); options.put("credsType", "both"); } else { options.put("keyTab", keytab); options.put("useKeyTab", "true"); options.put("storeKey", "true"); options.put("doNotPrompt", "true"); options.put("useTicketCache", "true"); options.put("renewTGT", "true"); options.put("isInitiator", Boolean.toString(isInitiator)); } String ticketCache = System.getenv("KRB5CCNAME"); if (ticketCache != null) { options.put("ticketCache", ticketCache); } options.put("debug", "true"); return new AppConfigurationEntry[] { new AppConfigurationEntry(getKrb5LoginModuleName(), AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options) }; }
/** * Gets the configuredLoginModules as list of loginModule class names, * optionally printing if "verbose" is true. * * @param verbose to display configured modules * @return The configuredLoginModules value */ public static List getConfiguredLoginModules(boolean verbose) { String report = "\nConfigured Login Modules"; List loginModules = new ArrayList(); try { Configuration config = Configuration.getConfiguration(); if (config == null) throw new Exception("No configuration found"); AppConfigurationEntry[] entries = config.getAppConfigurationEntry("NCS"); if (entries == null) throw new Exception("No app config entries found"); for (int i = 0; i < entries.length; i++) { AppConfigurationEntry entry = entries[i]; String name = entry.getLoginModuleName(); loginModules.add(name); String controlFlag = entry.getControlFlag().toString(); report += "\n\t" + name + " (" + controlFlag + ")"; } } catch (Throwable t) { String msg = "Error showing login modules: " + t.getMessage(); prtlnErr(msg); report += "\n" + msg; } if (verbose) System.out.println(report + "\n"); return loginModules; }
/** * Gets the passwordFile attribute of the AuthUtils class * * @return The passwordFile value */ public static String getPasswordFile() { AppConfigurationEntry entry = getConfiguredLoginModule("org.dlese.dpc.schemedit.security.login.FileLogin"); if (entry == null) return null; String path = null; try { path = ((String) entry.getOptions().get("pwdFile")); } catch (Throwable t) { prtlnErr("getPasswordFile could not get pwdFile option: " + t.getMessage()); } return path; }
