ticket delegation support

This commit is contained in:
Steven Rowney
2018-11-07 19:51:45 +01:00
parent 8936168e85
commit f8c4bd65b3
2 changed files with 39 additions and 4 deletions


@@ -6,6 +6,7 @@ import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
/**
* Result of ticket validation
@@ -16,8 +17,13 @@ public class KerberosTicketValidation {
private final Subject subject;
private final byte[] responseToken;
private final GSSContext gssContext;
private final GSSCredential delegationCredential;
public KerberosTicketValidation(String username, String servicePrincipal, byte[] responseToken, GSSContext gssContext) {
this(username, servicePrincipal, responseToken, gssContext, null);
}
public KerberosTicketValidation(String username, String servicePrincipal, byte[] responseToken, GSSContext gssContext, GSSCredential delegationCredential) {
final HashSet<KerberosPrincipal> princs = new HashSet<KerberosPrincipal>();
princs.add(new KerberosPrincipal(servicePrincipal));
@@ -25,14 +31,19 @@ public class KerberosTicketValidation {
this.subject = new Subject(false, princs, new HashSet<Object>(), new HashSet<Object>());
this.responseToken = responseToken;
this.gssContext = gssContext;
this.delegationCredential = delegationCredential;
}
public KerberosTicketValidation(String username, Subject subject, byte[] responseToken, GSSContext gssContext) {
this(username, subject, responseToken, gssContext, null)
}
public KerberosTicketValidation(String username, Subject subject, byte[] responseToken, GSSContext gssContext, GSSCredential delegationCredential) {
this.username = username;
this.subject = subject;
this.responseToken = responseToken;
this.gssContext = gssContext;
this.delegationCredential = delegationCredential;
}
public String username() {
@@ -51,4 +62,7 @@ public class KerberosTicketValidation {
return this.subject;
}
public GSSCredential getDelegationCredential() {
return delegationCredential;
}
}
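Review bot: The delegating constructor line `this(username, subject, responseToken, gssContext, null)` has no terminating semicolon, so this file does not compile as committed; it should read `this(username, subject, responseToken, gssContext, null);`. The new accessor `getDelegationCredential()` also departs from the class's existing accessor naming (`username()`, and the `subject` accessor ending just above it); `delegationCredential()` would match, keeping the `get` form only if something already depends on it. The two new constructors and the accessor carry no Javadoc, and the accessor returns `null` whenever the four-argument constructors are used or no credential was delegated, which callers need to know; I would add `/** Client credential delegated during validation, or {@code null} if none was delegated. The holder should {@code dispose()} it once it is no longer needed. */`. A delegated GSSCredential lets the service act on the client's behalf, so its nullability and ownership should be stated rather than left to the reader.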


@@ -64,6 +64,7 @@ public class SunJaasKerberosTicketValidator implements KerberosTicketValidator,
private boolean holdOnToGSSContext;
private boolean debug = false;
private boolean multiTier = false;
private boolean refreshKrb5Config = false;
private static final Log LOG = LogFactory.getLog(SunJaasKerberosTicketValidator.class);
@Override
@@ -104,7 +105,8 @@ public class SunJaasKerberosTicketValidator implements KerberosTicketValidator,
this.servicePrincipal,
this.realmName,
this.multiTier,
this.debug);
this.debug,
this.refreshKrb5Config);
Set<Principal> princ = new HashSet<Principal>(1);
princ.add(new KerberosPrincipal(this.servicePrincipal));
Subject sub = new Subject(false, princ, new HashSet<Object>(), new HashSet<Object>());
@@ -180,7 +182,14 @@ public class SunJaasKerberosTicketValidator implements KerberosTicketValidator,
this.holdOnToGSSContext = holdOnToGSSContext;
}
/**
* Enables configuration to be refreshed before the login method is called.
*
* @param refreshKrb5Config Set this to true, if you want the configuration to be refreshed before the login method is called.
*/
public void setRefreshKrb5Config(boolean refreshKrb5Config) {
this.refreshKrb5Config = refreshKrb5Config;
}
/**
* This class is needed, because the validation must run with previously generated JAAS subject
@@ -249,6 +258,12 @@ public class SunJaasKerberosTicketValidator implements KerberosTicketValidator,
}
first = false;
}
GSSCredential delegationCredential = null;
if (context.getCredDelegState()) {
delegationCredential = context.getDelegCred();
}
if (!holdOnToGSSContext) {
context.dispose();
}
@@ -271,13 +286,15 @@ public class SunJaasKerberosTicketValidator implements KerberosTicketValidator,
private String realmName;
private boolean multiTier;
private boolean debug;
private boolean refreshKrb5Config;
public LoginConfig(String keyTabLocation, String servicePrincipalName, String realmName, boolean multiTier, boolean debug) {
public LoginConfig(String keyTabLocation, String servicePrincipalName, String realmName, boolean multiTier, boolean debug, boolean refreshKrb5Config) {
this.keyTabLocation = keyTabLocation;
this.servicePrincipalName = servicePrincipalName;
this.realmName = realmName;
this.multiTier = multiTier;
this.debug = debug;
this.refreshKrb5Config = refreshKrb5Configx
}
@Override
@@ -296,6 +313,10 @@ public class SunJaasKerberosTicketValidator implements KerberosTicketValidator,
options.put("realm", realmName);
}
if(this.refreshKrb5Config) {
options.put("refreshKrb5Config", "true");
}
if (!multiTier) {
options.put("isInitiator", "false");
}
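Review bot: The `LoginConfig` constructor assignment `this.refreshKrb5Config = refreshKrb5Configx` names a misspelled parameter and lacks a semicolon, so the file does not compile; it should be `this.refreshKrb5Config = refreshKrb5Config;`. In the validation hunk beginning at `GSSCredential delegationCredential = null;`, `context.getDelegCred()` can throw `GSSException` and nothing visible handles it; presumably the enclosing method, which starts and ends outside the hunk, already declares or catches it for the other JGSS calls, but that is worth confirming. That hunk also retrieves the delegated credential unconditionally whenever the client grants delegation, with no validator switch comparable to `setRefreshKrb5Config`, so deployments that never use delegation will still hold a forwarded client credential in memory; a boolean setter like the others, or disposing the credential when it is not passed on, would keep that opt-in. The new `setRefreshKrb5Config` Javadoc would be more useful if it named what is refreshed, e.g. `* Maps to the Krb5LoginModule option {@code refreshKrb5Config}, so the Kerberos configuration is re-read before each login.`.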