diff --git a/spring-security-kerberos-core/src/main/java/org/springframework/security/kerberos/authentication/KerberosTicketValidation.java b/spring-security-kerberos-core/src/main/java/org/springframework/security/kerberos/authentication/KerberosTicketValidation.java index e9a7182..d2a49ae 100644 --- a/spring-security-kerberos-core/src/main/java/org/springframework/security/kerberos/authentication/KerberosTicketValidation.java +++ b/spring-security-kerberos-core/src/main/java/org/springframework/security/kerberos/authentication/KerberosTicketValidation.java @@ -6,6 +6,7 @@ import javax.security.auth.Subject; import javax.security.auth.kerberos.KerberosPrincipal; import org.ietf.jgss.GSSContext; +import org.ietf.jgss.GSSCredential; /** * Result of ticket validation @@ -16,8 +17,13 @@ public class KerberosTicketValidation { private final Subject subject; private final byte[] responseToken; private final GSSContext gssContext; + private final GSSCredential delegationCredential; public KerberosTicketValidation(String username, String servicePrincipal, byte[] responseToken, GSSContext gssContext) { + this(username, servicePrincipal, responseToken, gssContext, null); + } + + public KerberosTicketValidation(String username, String servicePrincipal, byte[] responseToken, GSSContext gssContext, GSSCredential delegationCredential) { final HashSet princs = new HashSet(); princs.add(new KerberosPrincipal(servicePrincipal)); 
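Review bot: The new `delegationCredential` field and the five-argument constructor in the second hunk carry no documentation, and the four-argument constructor now silently stores `null` for it, so a reader of `KerberosTicketValidation` cannot tell whether `null` means "the client did not delegate" or "not supported on this path". I would add a Javadoc on the field along the lines of `/** Credential delegated by the client, or {@code null} when no delegation was granted; the owner should call {@code dispose()} once it is no longer needed. */` and an `@param delegationCredential` line on the new constructor saying the same. The body of the five-argument constructor continues past the end of the hunk.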
@@ -25,14 +31,19 @@ public class KerberosTicketValidation { this.subject = new Subject(false, princs, new HashSet(), new HashSet()); this.responseToken = responseToken; this.gssContext = gssContext; + this.delegationCredential = delegationCredential; } - public KerberosTicketValidation(String username, Subject subject, byte[] responseToken, GSSContext gssContext) { + this(username, subject, responseToken, gssContext, null) + } + + public KerberosTicketValidation(String username, Subject subject, byte[] responseToken, GSSContext gssContext, GSSCredential delegationCredential) { this.username = username; this.subject = subject; this.responseToken = responseToken; this.gssContext = gssContext; + this.delegationCredential = delegationCredential; } public String username() { @@ -51,4 +62,7 @@ public class KerberosTicketValidation { return this.subject; } + public GSSCredential getDelegationCredential() { + return delegationCredential; + } } \ No newline at end of file diff --git a/spring-security-kerberos-core/src/main/java/org/springframework/security/kerberos/authentication/sun/SunJaasKerberosTicketValidator.java b/spring-security-kerberos-core/src/main/java/org/springframework/security/kerberos/authentication/sun/SunJaasKerberosTicketValidator.java index 3a24373..14e3720 100644 --- a/spring-security-kerberos-core/src/main/java/org/springframework/security/kerberos/authentication/sun/SunJaasKerberosTicketValidator.java +++ b/spring-security-kerberos-core/src/main/java/org/springframework/security/kerberos/authentication/sun/SunJaasKerberosTicketValidator.java @@ -64,6 +64,7 @@ public class SunJaasKerberosTicketValidator implements KerberosTicketValidator, private boolean holdOnToGSSContext; private boolean debug = false; private boolean multiTier = false; + private boolean refreshKrb5Config = false; private static final Log LOG = LogFactory.getLog(SunJaasKerberosTicketValidator.class); @Override 
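Review bot: The added line `this(username, subject, responseToken, gssContext, null)` in the Subject-based constructor lacks its terminating semicolon, so the class will not compile; the parallel delegating call in the String-based constructor in the previous hunk has it. Change it to `this(username, subject, responseToken, gssContext, null);`. The four-argument signature appears to be retained as a context line after a removed blank line, so this looks like a transcription slip rather than a deliberate change.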
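Review bot: `getDelegationCredential()` departs from the accessor naming used elsewhere in this class, where `username()` is a bare noun and the method returning `this.subject` (whose tail is the context line at the top of this hunk) presumably follows the same pattern; consider `public GSSCredential delegationCredential()` for consistency, or keep the `get` form but say why. The getter also hands out the raw `GSSCredential`, which is what lets the service act on the user's behalf toward other services, so its Javadoc should state that it may be {@code null} and which party is responsible for calling `dispose()` so the delegated credential does not outlive the request that needed it.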
@@ -104,7 +105,8 @@ public class SunJaasKerberosTicketValidator implements KerberosTicketValidator, this.servicePrincipal, this.realmName, this.multiTier, - this.debug); + this.debug, + this.refreshKrb5Config); Set princ = new HashSet(1); princ.add(new KerberosPrincipal(this.servicePrincipal)); Subject sub = new Subject(false, princ, new HashSet(), new HashSet()); @@ -180,7 +182,14 @@ public class SunJaasKerberosTicketValidator implements KerberosTicketValidator, this.holdOnToGSSContext = holdOnToGSSContext; } - + /** + * Enables configuration to be refreshed before the login method is called. + * + * @param refreshKrb5Config Set this to true, if you want the configuration to be refreshed before the login method is called. + */ + public void setRefreshKrb5Config(boolean refreshKrb5Config) { + this.refreshKrb5Config = refreshKrb5Config; + } /** * This class is needed, because the validation must run with previously generated JAAS subject @@ -249,6 +258,12 @@ public class SunJaasKerberosTicketValidator implements KerberosTicketValidator, } first = false; } + + GSSCredential delegationCredential = null; + if (context.getCredDelegState()) { + delegationCredential = context.getDelegCred(); + } + if (!holdOnToGSSContext) { context.dispose(); } @@ -271,13 +286,15 @@ public class SunJaasKerberosTicketValidator implements KerberosTicketValidator, private String realmName; private boolean multiTier; private boolean debug; + private boolean refreshKrb5Config; - public LoginConfig(String keyTabLocation, String servicePrincipalName, String realmName, boolean multiTier, boolean debug) { + public LoginConfig(String keyTabLocation, String servicePrincipalName, String realmName, boolean multiTier, boolean debug, boolean refreshKrb5Config) { this.keyTabLocation = keyTabLocation; this.servicePrincipalName = servicePrincipalName; this.realmName = realmName; this.multiTier = multiTier; this.debug = debug; + this.refreshKrb5Config = refreshKrb5Configx } @Override 
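Review bot: In the `@@ -249,6 +258,12 @@` hunk the credential read via `context.getDelegCred()` goes into a local that is not used anywhere inside the hunk; the statement that builds the validation result lies past the hunk end, and if it still calls the four-argument `KerberosTicketValidation` constructor the credential is dropped silently. Please confirm the result is constructed as `new KerberosTicketValidation(..., gssContext, delegationCredential)`. Reading the credential before `context.dispose()` is the right order; a comment such as `// read before dispose(), and only when the client actually delegated` would make that intent explicit to the next maintainer. `getDelegCred()` declares `GSSException`, which the enclosing method (outside the hunk) must already propagate or handle; worth checking that it does.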
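Review bot: The LoginConfig constructor assignment `this.refreshKrb5Config = refreshKrb5Configx` in the `@@ -271,13 +286,15 @@` hunk has a stray `x` and no semicolon, so it references an undefined name and will not compile; it should read `this.refreshKrb5Config = refreshKrb5Config;`. The new field is declared non-final like its neighbours in LoginConfig, so nothing else in that hunk needs to change.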
@@ -296,6 +313,10 @@ public class SunJaasKerberosTicketValidator implements KerberosTicketValidator, options.put("realm", realmName); } + if(this.refreshKrb5Config) { + options.put("refreshKrb5Config", "true"); + } + if (!multiTier) { options.put("isInitiator", "false"); }
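Review bot: The new guard `if(this.refreshKrb5Config) {` is written differently from the surrounding conditions, which use `if (!multiTier)` with a space after `if` and no `this.` qualifier; for consistency write `if (refreshKrb5Config) {`. A short comment on the `options.put("refreshKrb5Config", "true");` line, e.g. `// ask the login module to refresh the Kerberos configuration before login`, would tie the option back to the setter's Javadoc, which is the only place its purpose is stated. The enclosing method continues past the end of the hunk.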