[jboss-cvs] JBossAS SVN: r70417 - in projects/security/security-negotiation/trunk/jboss-negotiation: src/main/org/jboss/security/negotiation and 1 other directories.
Wed Mar 5 07:39:15 EST 2008
Author: darran.lofthouse at jboss.com
Date: 2008-03-05 07:39:14 -0500 (Wed, 05 Mar 2008)
New Revision: 70417
Added:
projects/security/security-negotiation/trunk/jboss-negotiation/src/main/org/jboss/security/negotiation/MessageTrace.java
projects/security/security-negotiation/trunk/jboss-negotiation/src/main/org/jboss/security/negotiation/spnego/
projects/security/security-negotiation/trunk/jboss-negotiation/src/main/org/jboss/security/negotiation/spnego/SPNEGOAuthenticator.java
projects/security/security-negotiation/trunk/jboss-negotiation/src/main/org/jboss/security/negotiation/spnego/SPNEGOContext.java
projects/security/security-negotiation/trunk/jboss-negotiation/src/main/org/jboss/security/negotiation/spnego/SPNEGOLoginModule.java
Modified:
projects/security/security-negotiation/trunk/jboss-negotiation/.classpath
projects/security/security-negotiation/trunk/jboss-negotiation/pom.xml
Log:
Added new authenticator and login module.
Modified: projects/security/security-negotiation/trunk/jboss-negotiation/.classpath
===================================================================
--- projects/security/security-negotiation/trunk/jboss-negotiation/.classpath 2008-03-05 12:30:52 UTC (rev 70416)
+++ projects/security/security-negotiation/trunk/jboss-negotiation/.classpath 2008-03-05 12:39:14 UTC (rev 70417)
@@ -9,5 +9,7 @@
<classpathentry kind="var" path="M2_REPO/javax/servlet/servlet-api/2.5/servlet-api-2.5.jar"/>
<classpathentry kind="var" path="M2_REPO/apache-tomcat/catalina/5.5.12/catalina-5.5.12.jar"/>
<classpathentry kind="var" path="M2_REPO/junit/junit/3.8.1/junit-3.8.1.jar"/>
+ <classpathentry kind="var" path="M2_REPO/jboss/jboss-common/1.2.0.GA/jboss-common-1.2.0.GA.jar"/>
+ <classpathentry kind="var" path="M2_REPO/jboss/jbosssx/4.2.1.GA/jbosssx-4.2.1.GA.jar"/>
<classpathentry kind="output" path="target/eclipse-classes"/>
</classpath>
Modified: projects/security/security-negotiation/trunk/jboss-negotiation/pom.xml
===================================================================
--- projects/security/security-negotiation/trunk/jboss-negotiation/pom.xml 2008-03-05 12:30:52 UTC (rev 70416)
+++ projects/security/security-negotiation/trunk/jboss-negotiation/pom.xml 2008-03-05 12:39:14 UTC (rev 70417)
@@ -28,8 +28,18 @@
<groupId>javax.servlet</groupId>
<artifactId>servlet-api</artifactId>
<version>2.5</version>
- </dependency>
+ </dependency>
<dependency>
+ <groupId>jboss</groupId>
+ <artifactId>jboss-common</artifactId>
+ <version>1.2.0.GA</version>
+ </dependency>
+ <dependency>
+ <groupId>jboss</groupId>
+ <artifactId>jbosssx</artifactId>
+ <version>4.2.1.GA</version>
+ </dependency>
+ <dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>3.8.1</version>
Added: projects/security/security-negotiation/trunk/jboss-negotiation/src/main/org/jboss/security/negotiation/MessageTrace.java
===================================================================
--- projects/security/security-negotiation/trunk/jboss-negotiation/src/main/org/jboss/security/negotiation/MessageTrace.java (rev 0)
+++ projects/security/security-negotiation/trunk/jboss-negotiation/src/main/org/jboss/security/negotiation/MessageTrace.java 2008-03-05 12:39:14 UTC (rev 70417)
@@ -0,0 +1,74 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ *
+ * Copyright 2007, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.security.negotiation;
+
+import org.apache.log4j.Logger;
+
+import com.darranl.spnego.DebugHelper;
+
+/**
+ * Handle message tracing hierarchy.
+ *
+ * @author darran.lofthouse at jboss.com
+ * @version $Revision$
+ */
+public class MessageTrace
+{
+
+ private static final String BASE_CLASS = MessageTrace.class.getName();
+
+ private static final Logger REQUEST_BASE64 = Logger.getLogger(BASE_CLASS + ".Request.Base64");
+
+ private static final Logger REQUEST_HEX = Logger.getLogger(BASE_CLASS + ".Request.Hex");
+
+ private static final Logger RESPONSE_BASE64 = Logger.getLogger(BASE_CLASS + ".Response.Base64");
+
+ private static final Logger RESPONSE_HEX = Logger.getLogger(BASE_CLASS + ".Response.HEX");
+
+ public static void logRequestBase64(final String request)
+ {
+ REQUEST_BASE64.trace(request);
+ }
+
+ public static void logRequestHex(final byte[] request)
+ {
+ if (REQUEST_HEX.isTraceEnabled())
+ {
+ REQUEST_HEX.trace(DebugHelper.convertToHex(request));
+ }
+ }
+
+ public static void logResponseBase64(final String response)
+ {
+ RESPONSE_BASE64.trace(response);
+ }
+
+ public static void logResponseHex(final byte[] response)
+ {
+ if (RESPONSE_HEX.isTraceEnabled())
+ {
+ RESPONSE_HEX.trace(DebugHelper.convertToHex(response));
+ }
+ }
+
+}
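Review bot: The logger name on the RESPONSE_HEX line is `BASE_CLASS + ".Response.HEX"`, which breaks the `.Request.Base64` / `.Request.Hex` / `.Response.Base64` naming the other three loggers follow, so a log4j category configured as `...MessageTrace.Response.Hex` would never enable it; change it to `Logger.getLogger(BASE_CLASS + ".Response.Hex")`. The class Javadoc should also say what these categories emit, namely the raw authentication tokens taken from the Authorization header and written to WWW-Authenticate, so that operators know the categories are for debugging a negotiation and should stay above TRACE in normal operation. For consistency `logRequestBase64` and `logResponseBase64` could guard with `isTraceEnabled()` like their hex counterparts, although the string they receive is already built by the caller.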
Property changes on: projects/security/security-negotiation/trunk/jboss-negotiation/src/main/org/jboss/security/negotiation/MessageTrace.java
___________________________________________________________________
Name: svn:keywords
+ Id Revision
Name: svn:eol-style
+ LF
Added: projects/security/security-negotiation/trunk/jboss-negotiation/src/main/org/jboss/security/negotiation/spnego/SPNEGOAuthenticator.java
===================================================================
--- projects/security/security-negotiation/trunk/jboss-negotiation/src/main/org/jboss/security/negotiation/spnego/SPNEGOAuthenticator.java (rev 0)
+++ projects/security/security-negotiation/trunk/jboss-negotiation/src/main/org/jboss/security/negotiation/spnego/SPNEGOAuthenticator.java 2008-03-05 12:39:14 UTC (rev 70417)
@@ -0,0 +1,131 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ *
+ * Copyright 2007, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.security.negotiation.spnego;
+
+import java.io.IOException;
+import java.security.Principal;
+
+import org.apache.catalina.Realm;
+import org.apache.catalina.Session;
+import org.apache.catalina.authenticator.AuthenticatorBase;
+import org.apache.catalina.connector.Request;
+import org.apache.catalina.connector.Response;
+import org.apache.catalina.deploy.LoginConfig;
+import org.apache.log4j.Logger;
+
+/**
+ * An authenticator to manage SPNEGO authentication in connection with the
+ * SPNEGO login module.
+ *
+ * @author darran.lofthouse at jboss.com
+ * @version $Revision$
+ */
+public class SPNEGOAuthenticator extends AuthenticatorBase
+{
+
+ private static final Logger log = Logger.getLogger(SPNEGOAuthenticator.class);
+
+ private static final String SPNEGO = "SPNEGO";
+
+ private static final String SPNEGO_CONTEXT = "SPNEGO_CONTEXT";
+
+ @Override
+ protected boolean authenticate(final Request request, final Response response, final LoginConfig config)
+ throws IOException
+ {
+ log.trace("Authenticating user");
+
+ Principal principal = request.getUserPrincipal();
+ if (principal != null)
+ {
+ if (log.isTraceEnabled())
+ log.trace("Already authenticated '" + principal.getName() + "'");
+ return true;
+ }
+
+ String authHeader = request.getHeader("Authorization");
+ if (authHeader == null)
+ {
+ log.debug("No Authorization Header, sending 401");
+ response.setHeader("WWW-Authenticate", "Negotiate");
+ response.sendError(401);
+
+ return false;
+ }
+ else if (authHeader.startsWith("Negotiate ") == false)
+ {
+ throw new IOException("Invalid 'Authorization' header.");
+ }
+
+ Session session = request.getSessionInternal();
+ SPNEGOContext spnegoContext = (SPNEGOContext) session.getNote(SPNEGO_CONTEXT);
+ if (spnegoContext == null)
+ {
+ log.debug("Creating new SPNEGOContext");
+ {
+ spnegoContext = new SPNEGOContext();
+ session.setNote(SPNEGO_CONTEXT, spnegoContext);
+ }
+ }
+
+ // TODO - Probably not good if session reused.
+ // Maybe create arbitary ID or use SSO ID.
+ String username = session.getId();
+ try
+ {
+ // Set the ThreadLocal association.
+ spnegoContext.associate();
+ spnegoContext.setRequestHeader(authHeader.substring(10));
+
+ Realm realm = context.getRealm();
+
+ principal = realm.authenticate(username, (String) null);
+
+ if (log.isDebugEnabled())
+ log.debug("authenticated principal = " + principal);
+
+ String responseHeader = spnegoContext.getResponseHeader();
+ if (responseHeader != null)
+ {
+ response.setHeader("WWW-Authenticate", "Negotiate " + responseHeader);
+ }
+
+ }
+ finally
+ {
+ // Clear the headers and remove the ThreadLocal association.
+ spnegoContext.clear();
+ }
+
+ if (principal == null)
+ {
+ response.sendError(Response.SC_UNAUTHORIZED);
+ }
+ else
+ {
+ register(request, response, principal, SPNEGO, username, null);
+ }
+
+ return (principal != null);
+ }
+}
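Review bot: A request whose Authorization header is present but does not start with `Negotiate ` (a Basic credential, for example) makes `authenticate` throw `IOException` at the `else if`, so the client gets a server error instead of the `WWW-Authenticate: Negotiate` challenge that the null-header branch sends. Folding the two cases together, `if (authHeader == null || authHeader.startsWith("Negotiate ") == false)`, and dropping the `else if` branch sends the challenge in both cases. Separately, nothing removes the `SPNEGO_CONTEXT` note from the session once `principal` is non-null, or after the 401 on failure, so an established `GSSContext` stays attached to the session; the login module in this commit appears to treat an already-established context as a successful login, so the note should be dropped when the principal is registered, `session.removeNote(SPNEGO_CONTEXT);`. The braces following the `log.debug("Creating new SPNEGOContext")` line form a stray block and can be removed.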
Property changes on: projects/security/security-negotiation/trunk/jboss-negotiation/src/main/org/jboss/security/negotiation/spnego/SPNEGOAuthenticator.java
___________________________________________________________________
Name: svn:keywords
+ Id Revision
Name: svn:eol-style
+ LF
Added: projects/security/security-negotiation/trunk/jboss-negotiation/src/main/org/jboss/security/negotiation/spnego/SPNEGOContext.java
===================================================================
--- projects/security/security-negotiation/trunk/jboss-negotiation/src/main/org/jboss/security/negotiation/spnego/SPNEGOContext.java (rev 0)
+++ projects/security/security-negotiation/trunk/jboss-negotiation/src/main/org/jboss/security/negotiation/spnego/SPNEGOContext.java 2008-03-05 12:39:14 UTC (rev 70417)
@@ -0,0 +1,114 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ *
+ * Copyright 2007, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.security.negotiation.spnego;
+
+import org.apache.log4j.Logger;
+import org.ietf.jgss.GSSContext;
+
+/**
+ * The SPNEGOContext is the holder to contain the state of the current authentication process
+ * and is used to transfer data between the authenticator valve and the login module.
+ *
+ * @author darran.lofthouse at jboss.com
+ * @version $Revision$
+ */
+public class SPNEGOContext
+{
+
+ private static final Logger log = Logger.getLogger(SPNEGOContext.class);
+
+ private static final ThreadLocal<SPNEGOContext> spnegoContext = new ThreadLocal<SPNEGOContext>();
+
+ private boolean authenticated = false;
+
+ private String requestHeader = null;
+
+ private String responseHeader = null;
+
+ // TODO : This class needs to be Externalizable so this can be converted to a
+ // byte[] for transport.
+ private GSSContext gssContext = null;
+
+ public static SPNEGOContext getCurrentSPNEGOContext()
+ {
+ return spnegoContext.get();
+ }
+
+ void associate()
+ {
+ log.trace("associate " + this.hashCode());
+ spnegoContext.set(this);
+ }
+
+ /**
+ * Clear any information that is not required to be retained between invocations.
+ */
+ void clear()
+ {
+ log.trace("clear " + this.hashCode());
+ requestHeader = null;
+ responseHeader = null;
+ spnegoContext.remove();
+ }
+
+ public boolean isAuthenticated()
+ {
+ return authenticated;
+ }
+
+ public void setAuthenticated(boolean authenticated)
+ {
+ this.authenticated = authenticated;
+ }
+
+ public String getRequestHeader()
+ {
+ return requestHeader;
+ }
+
+ public void setRequestHeader(String requestHeader)
+ {
+ this.requestHeader = requestHeader;
+ }
+
+ public String getResponseHeader()
+ {
+ return responseHeader;
+ }
+
+ public void setResponseHeader(String responseHeader)
+ {
+ this.responseHeader = responseHeader;
+ }
+
+ public GSSContext getGssContext()
+ {
+ return gssContext;
+ }
+
+ public void setGssContext(GSSContext gssContext)
+ {
+ this.gssContext = gssContext;
+ }
+
+}
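Review bot: `associate()` and `getCurrentSPNEGOContext()` carry no Javadoc, yet they are the contract that couples the authenticator to the login module through a thread-local, and a caller that skips the `clear()` in a finally block leaves the context, and the `GSSContext` it holds, bound to a pooled thread. Suggested Javadoc for `associate()`: `/** Bind this context to the calling thread so that {@link #getCurrentSPNEGOContext()} returns it from the login module; must be paired with {@link #clear()} in a finally block. */`, and for the getter: `/** @return the context bound to the calling thread by {@link #associate()}, or null if none is bound. */`. The class Javadoc could also state that an instance is kept as a session note across requests and carries no synchronization, which the plain getters and setters do not make obvious.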
Property changes on: projects/security/security-negotiation/trunk/jboss-negotiation/src/main/org/jboss/security/negotiation/spnego/SPNEGOContext.java
___________________________________________________________________
Name: svn:keywords
+ Id Revision
Name: svn:eol-style
+ LF
Added: projects/security/security-negotiation/trunk/jboss-negotiation/src/main/org/jboss/security/negotiation/spnego/SPNEGOLoginModule.java
===================================================================
--- projects/security/security-negotiation/trunk/jboss-negotiation/src/main/org/jboss/security/negotiation/spnego/SPNEGOLoginModule.java (rev 0)
+++ projects/security/security-negotiation/trunk/jboss-negotiation/src/main/org/jboss/security/negotiation/spnego/SPNEGOLoginModule.java 2008-03-05 12:39:14 UTC (rev 70417)
@@ -0,0 +1,334 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ *
+ * Copyright 2007, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.security.negotiation.spnego;
+
+import java.security.Principal;
+import java.security.PrivilegedAction;
+import java.security.acl.Group;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+
+import javax.security.auth.Subject;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.kerberos.KerberosPrincipal;
+import javax.security.auth.login.LoginContext;
+import javax.security.auth.login.LoginException;
+
+import org.apache.commons.codec.binary.Base64;
+import org.ietf.jgss.GSSContext;
+import org.ietf.jgss.GSSCredential;
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.GSSManager;
+import org.ietf.jgss.Oid;
+import org.jboss.security.SimpleGroup;
+import org.jboss.security.auth.spi.AbstractServerLoginModule;
+import org.jboss.security.negotiation.MessageTrace;
+
+import com.darranl.spnego.NegTokenInit;
+import com.darranl.spnego.NegTokenInitDecoder;
+import com.darranl.spnego.NegTokenTarg;
+import com.darranl.spnego.NegTokenTargDecoder;
+import com.darranl.spnego.NegTokenTargEncoder;
+
+/**
+ * Login module to work in conjunction with SPNEGOAuthenticator to handle the
+ * authentication requirements.
+ *
+ * @author darran.lofthouse at jboss.com
+ * @version $Revision$
+ */
+public class SPNEGOLoginModule extends AbstractServerLoginModule
+{
+
+ private static final Oid kerberos;
+
+ // TODO - Pick a name for a default domain?
+ private String serverSecurityDomain;
+
+ private LoginContext serverLoginContext = null;
+
+ private Principal identity = null;
+
+ static
+ {
+ try
+ {
+ kerberos = new Oid("1.2.840.113554.1.2.2");
+ }
+ catch (GSSException e)
+ {
+ throw new RuntimeException("Unable to initialise Oid", e);
+ }
+ }
+
+ @Override
+ public void initialize(final Subject subject, final CallbackHandler callbackHandler, final Map sharedState,
+ final Map options)
+ {
+ super.initialize(subject, callbackHandler, sharedState, options);
+ // Which security domain to authenticate the server.
+ serverSecurityDomain = (String) options.get("serverSecurityDomain");
+ }
+
+ @Override
+ public boolean login() throws LoginException
+ {
+ if (super.login() == true)
+ {
+ // TODO - Does this login module need to do anything with the identity?
+ // Especially as this module does not do any role mapping.
+ return true;
+ }
+
+ super.loginOk = false;
+
+ SPNEGOContext spnegoContext = SPNEGOContext.getCurrentSPNEGOContext();
+
+ try
+ {
+ Subject server = getServerSubject();
+ AcceptSecContext action = new AcceptSecContext(spnegoContext);
+ Object result = Subject.doAs(server, action);
+
+ log.trace("Result - " + result);
+
+ if (result instanceof Boolean)
+ {
+ if (Boolean.TRUE.equals(result))
+ {
+ super.loginOk = true;
+ if (getUseFirstPass() == true)
+ {
+ String userName = identity.getName();
+ log.debug("Storing username '" + userName + "' and empty password");
+ // Add the username and a null password to the shared state map
+ sharedState.put("javax.security.auth.login.name", identity);
+ sharedState.put("javax.security.auth.login.password", "");
+ }
+ }
+ }
+ else if (result instanceof Exception)
+ {
+ Exception e = (Exception) result;
+ log.error("Unable to authenticate", e);
+ throw new LoginException("Unable to authenticate - " + e.getMessage());
+ }
+
+ }
+ finally
+ {
+ if (serverLoginContext != null)
+ {
+ // TODO - We may not actually want to logout as if we use cache this may clear it,
+ serverLoginContext.logout();
+ }
+ }
+
+ log.trace("super.loginOk " + super.loginOk);
+ if (super.loginOk == true)
+ {
+ return true;
+ }
+ else
+ {
+ throw new LoginException("Continuation Required.");
+
+ }
+
+ }
+
+ @Override
+ protected Principal getIdentity()
+ {
+ return identity;
+ }
+
+ @Override
+ protected Group[] getRoleSets() throws LoginException
+ {
+
+ Group roles = new SimpleGroup("Roles");
+ Group callerPrincipal = new SimpleGroup("CallerPrincipal");
+ Group[] groups =
+ {roles, callerPrincipal};
+ callerPrincipal.addMember(identity);
+ return groups;
+ }
+
+ protected Subject getServerSubject() throws LoginException
+ {
+ LoginContext lc = new LoginContext(serverSecurityDomain);
+ lc.login();
+ // Cache so we can log out.
+ serverLoginContext = lc;
+
+ Subject serverSubject = serverLoginContext.getSubject();
+ log.debug("Subject = " + serverSubject);
+ log.debug("Logged in '" + serverSecurityDomain + "' LoginContext");
+
+ return serverSubject;
+ }
+
+ private class AcceptSecContext implements PrivilegedAction
+ {
+
+ private final SPNEGOContext spnegoContext;
+
+ public AcceptSecContext(final SPNEGOContext spnegoContext)
+ {
+ this.spnegoContext = spnegoContext;
+ }
+
+ public Object run()
+ {
+ try
+ {
+ String requestHeader = spnegoContext.getRequestHeader();
+ byte[] reqToken = Base64.decodeBase64(requestHeader.getBytes());
+
+ MessageTrace.logRequestBase64(spnegoContext.getRequestHeader());
+ MessageTrace.logRequestHex(reqToken);
+ byte[] gssToken = null;
+
+ // TODO - If Section from MY Code!!
+ if (reqToken[0] == 0x60)
+ {
+ NegTokenInit negTokenInit = NegTokenInitDecoder.decode(reqToken);
+ List mechList = negTokenInit.getMechTypes();
+
+ if (mechList.get(0).equals(kerberos))
+ {
+ gssToken = negTokenInit.getMechToken();
+ }
+ else
+ {
+ boolean kerberosSupported = false;
+
+ Iterator it = mechList.iterator();
+ while (it.hasNext() && kerberosSupported == false)
+ {
+ kerberosSupported = it.next().equals(kerberos);
+ }
+
+ NegTokenTarg negTokenTarg = new NegTokenTarg();
+
+ if (kerberosSupported)
+ {
+ negTokenTarg.setNegResult(NegTokenTarg.ACCEPT_INCOMPLETE);
+ negTokenTarg.setSupportedMech(kerberos);
+ }
+ else
+ {
+ negTokenTarg.setNegResult(NegTokenTarg.REJECTED);
+ }
+
+ byte[] respSpnego = NegTokenTargEncoder.encode(negTokenTarg);
+ String respEncoded = new String(Base64.encodeBase64(respSpnego));
+
+ MessageTrace.logResponseBase64(respEncoded);
+ MessageTrace.logResponseHex(respSpnego);
+
+ spnegoContext.setResponseHeader(respEncoded);
+
+ return Boolean.FALSE;
+ }
+
+ }
+ else if (reqToken[0] == (byte) 0xa1)
+ {
+ NegTokenTarg negTokenTarg = NegTokenTargDecoder.decode(reqToken);
+
+ gssToken = negTokenTarg.getResponseToken();
+ }
+ else
+ {
+ // TODO - Detect NTLM to specific error can be reported.
+ throw new LoginException("Unsupported negotiation mechanism.");
+ }
+
+ GSSContext gssContext = spnegoContext.getGssContext();
+ if (gssContext == null)
+ {
+ log.debug("Creating new GSSContext.");
+ GSSManager manager = GSSManager.getInstance();
+ gssContext = manager.createContext((GSSCredential) null);
+
+ spnegoContext.setGssContext(gssContext);
+ }
+
+ if (gssContext.isEstablished())
+ {
+ log.warn("Authentication was performed despite already being authenticated!");
+ identity = new KerberosPrincipal(gssContext.getSrcName().toString());
+
+ log.debug("context.getCredDelegState() = " + gssContext.getCredDelegState());
+ log.debug("context.getMutualAuthState() = " + gssContext.getMutualAuthState());
+ log.debug("context.getSrcName() = " + gssContext.getSrcName().toString());
+
+ spnegoContext.setAuthenticated(true);
+
+ return Boolean.TRUE;
+ }
+
+ byte[] respToken = gssContext.acceptSecContext(gssToken, 0, gssToken.length);
+
+ if (respToken != null)
+ {
+ NegTokenTarg negTokenTarg = new NegTokenTarg();
+ negTokenTarg.setResponseToken(respToken);
+
+ byte[] respSpnego = NegTokenTargEncoder.encode(negTokenTarg);
+ String respEncoded = new String(Base64.encodeBase64(respSpnego));
+
+ MessageTrace.logResponseBase64(respEncoded);
+ MessageTrace.logResponseHex(respSpnego);
+
+ spnegoContext.setResponseHeader(respEncoded);
+ }
+
+ if (gssContext.isEstablished() == false)
+ {
+ return Boolean.FALSE;
+ }
+ else
+ {
+ identity = new KerberosPrincipal(gssContext.getSrcName().toString());
+
+ log.debug("context.getCredDelegState() = " + gssContext.getCredDelegState());
+ log.debug("context.getMutualAuthState() = " + gssContext.getMutualAuthState());
+ log.debug("context.getSrcName() = " + gssContext.getSrcName().toString());
+
+ spnegoContext.setAuthenticated(true);
+ return Boolean.TRUE;
+ }
+
+ }
+ catch (Exception e)
+ {
+ return e;
+ }
+
+ }
+ }
+}
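Review bot: In `AcceptSecContext.run`, the `if (gssContext.isEstablished())` branch returns `Boolean.TRUE` and sets `identity` from the stored context without ever passing the token just decoded from the request to `acceptSecContext`, so once an established `GSSContext` sits in the `SPNEGOContext` any later `Negotiate` header presented in that session is accepted; the `log.warn` text acknowledges the situation but the code still treats it as a successful login. Whether this is reachable depends on the authenticator clearing the context from the session, which the version in this commit does not do, so the safer behaviour here is to dispose the stale context and start a fresh one before accepting the new token. Two smaller points: `throw new LoginException("Unable to authenticate - " + e.getMessage())` drops the original exception as cause (`LoginException le = new LoginException("Unable to authenticate - " + e.getMessage()); le.initCause(e); throw le;`), and `gssToken.length` at the `acceptSecContext` call will throw `NullPointerException` if `getMechToken()` or `getResponseToken()` returns null, which the generic `catch (Exception e)` then reports only as a message.
```java
         if (gssContext.isEstablished())
         {
            log.warn("Discarding an already established GSSContext before accepting a new token.");
            gssContext.dispose();
            gssContext = GSSManager.getInstance().createContext((GSSCredential) null);
            spnegoContext.setGssContext(gssContext);
            spnegoContext.setAuthenticated(false);
         }
         // … unchanged: acceptSecContext call, response token encoding, established check …
```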
Property changes on: projects/security/security-negotiation/trunk/jboss-negotiation/src/main/org/jboss/security/negotiation/spnego/SPNEGOLoginModule.java
___________________________________________________________________
Name: svn:keywords
+ Id Revision
Name: svn:eol-style
+ LF