ticket delegation support
@@ -6,6 +6,7 @@ import javax.security.auth.Subject;
|
||||
import javax.security.auth.kerberos.KerberosPrincipal;
|
||||
|
||||
import org.ietf.jgss.GSSContext;
|
||||
import org.ietf.jgss.GSSCredential;
|
||||
|
||||
/**
|
||||
* Result of ticket validation
|
||||
@@ -16,8 +17,13 @@ public class KerberosTicketValidation {
|
||||
private final Subject subject;
|
||||
private final byte[] responseToken;
|
||||
private final GSSContext gssContext;
|
||||
private final GSSCredential delegationCredential;
|
||||
|
||||
public KerberosTicketValidation(String username, String servicePrincipal, byte[] responseToken, GSSContext gssContext) {
|
||||
this(username, servicePrincipal, responseToken, gssContext, null);
|
||||
}
|
||||
|
||||
public KerberosTicketValidation(String username, String servicePrincipal, byte[] responseToken, GSSContext gssContext, GSSCredential delegationCredential) {
|
||||
final HashSet<KerberosPrincipal> princs = new HashSet<KerberosPrincipal>();
|
||||
princs.add(new KerberosPrincipal(servicePrincipal));
|
||||
|
||||
@@ -25,14 +31,19 @@ public class KerberosTicketValidation {
|
||||
this.subject = new Subject(false, princs, new HashSet<Object>(), new HashSet<Object>());
|
||||
this.responseToken = responseToken;
|
||||
this.gssContext = gssContext;
|
||||
this.delegationCredential = delegationCredential;
|
||||
}
|
||||
|
||||
|
||||
public KerberosTicketValidation(String username, Subject subject, byte[] responseToken, GSSContext gssContext) {
|
||||
this(username, subject, responseToken, gssContext, null)
|
||||
}
|
||||
|
||||
public KerberosTicketValidation(String username, Subject subject, byte[] responseToken, GSSContext gssContext, GSSCredential delegationCredential) {
|
||||
this.username = username;
|
||||
this.subject = subject;
|
||||
this.responseToken = responseToken;
|
||||
this.gssContext = gssContext;
|
||||
this.delegationCredential = delegationCredential;
|
||||
}
|
||||
|
||||
public String username() {
|
||||
@@ -51,4 +62,7 @@ public class KerberosTicketValidation {
|
||||
return this.subject;
|
||||
}
|
||||
|
||||
public GSSCredential getDelegationCredential() {
|
||||
return delegationCredential;
|
||||
}
|
||||
}
|
||||
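Review bot: The four-argument Subject constructor's delegating call `this(username, subject, responseToken, gssContext, null)` is missing its terminating semicolon and will not compile; it should read `this(username, subject, responseToken, gssContext, null);`. The new `getDelegationCredential()` accessor has no Javadoc, yet both four-argument constructors pass `null`, so callers must be told it can be absent: `/** @return the credential the client delegated to this service, or {@code null} when no delegation took place */`. The delegated GSSCredential lets its holder act on the client's behalf, and this result object offers no way to release it; the Javadoc on the accessor should also state that the caller is responsible for calling `dispose()` on the credential once it is no longer needed, since nothing in this class does so.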
@@ -64,6 +64,7 @@ public class SunJaasKerberosTicketValidator implements KerberosTicketValidator,
|
||||
private boolean holdOnToGSSContext;
|
||||
private boolean debug = false;
|
||||
private boolean multiTier = false;
|
||||
private boolean refreshKrb5Config = false;
|
||||
private static final Log LOG = LogFactory.getLog(SunJaasKerberosTicketValidator.class);
|
||||
|
||||
@Override
|
||||
@@ -104,7 +105,8 @@ public class SunJaasKerberosTicketValidator implements KerberosTicketValidator,
|
||||
this.servicePrincipal,
|
||||
this.realmName,
|
||||
this.multiTier,
|
||||
this.debug);
|
||||
this.debug,
|
||||
this.refreshKrb5Config);
|
||||
Set<Principal> princ = new HashSet<Principal>(1);
|
||||
princ.add(new KerberosPrincipal(this.servicePrincipal));
|
||||
Subject sub = new Subject(false, princ, new HashSet<Object>(), new HashSet<Object>());
|
||||
@@ -180,7 +182,14 @@ public class SunJaasKerberosTicketValidator implements KerberosTicketValidator,
|
||||
this.holdOnToGSSContext = holdOnToGSSContext;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Enables configuration to be refreshed before the login method is called.
|
||||
*
|
||||
* @param refreshKrb5Config Set this to true, if you want the configuration to be refreshed before the login method is called.
|
||||
*/
|
||||
public void setRefreshKrb5Config(boolean refreshKrb5Config) {
|
||||
this.refreshKrb5Config = refreshKrb5Config;
|
||||
}
|
||||
|
||||
/**
|
||||
* This class is needed, because the validation must run with previously generated JAAS subject
|
||||
@@ -249,6 +258,12 @@ public class SunJaasKerberosTicketValidator implements KerberosTicketValidator,
|
||||
}
|
||||
first = false;
|
||||
}
|
||||
|
||||
GSSCredential delegationCredential = null;
|
||||
if (context.getCredDelegState()) {
|
||||
delegationCredential = context.getDelegCred();
|
||||
}
|
||||
|
||||
if (!holdOnToGSSContext) {
|
||||
context.dispose();
|
||||
}
|
||||
@@ -271,13 +286,15 @@ public class SunJaasKerberosTicketValidator implements KerberosTicketValidator,
|
||||
private String realmName;
|
||||
private boolean multiTier;
|
||||
private boolean debug;
|
||||
private boolean refreshKrb5Config;
|
||||
|
||||
public LoginConfig(String keyTabLocation, String servicePrincipalName, String realmName, boolean multiTier, boolean debug) {
|
||||
public LoginConfig(String keyTabLocation, String servicePrincipalName, String realmName, boolean multiTier, boolean debug, boolean refreshKrb5Config) {
|
||||
this.keyTabLocation = keyTabLocation;
|
||||
this.servicePrincipalName = servicePrincipalName;
|
||||
this.realmName = realmName;
|
||||
this.multiTier = multiTier;
|
||||
this.debug = debug;
|
||||
this.refreshKrb5Config = refreshKrb5Configx
|
||||
}
|
||||
|
||||
@Override
|
||||
@@ -296,6 +313,10 @@ public class SunJaasKerberosTicketValidator implements KerberosTicketValidator,
|
||||
options.put("realm", realmName);
|
||||
}
|
||||
|
||||
if(this.refreshKrb5Config) {
|
||||
options.put("refreshKrb5Config", "true");
|
||||
}
|
||||
|
||||
if (!multiTier) {
|
||||
options.put("isInitiator", "false");
|
||||
}
|
||||
|
||||
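Review bot: In the six-argument `LoginConfig` constructor the assignment `this.refreshKrb5Config = refreshKrb5Configx` has a stray trailing `x` and no semicolon, so the class will not compile; it should be `this.refreshKrb5Config = refreshKrb5Config;`. In the validation hunk, the delegated credential is captured from `context.getDelegCred()` whenever the client chose to delegate, with no validator-side setting to opt in, so every deployment silently starts holding a credential that can act as the user; I would gate it behind a configurable flag in the same style as `setHoldOnToGSSContext`, e.g. `private boolean acceptDelegation = false;` checked alongside `context.getCredDelegState()`. The enclosing validation method starts and ends outside the hunk, so I cannot confirm from here that it declares the GSSException that `getDelegCred()` may throw. Minor style: `if(this.refreshKrb5Config) {` should be spaced as `if (this.refreshKrb5Config) {` to match the surrounding `if (!multiTier) {`.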