List of usage examples for the javax.security.auth.Subject constructor
public Subject(boolean readOnly, Set<? extends Principal> principals, Set<?> pubCredentials, Set<?> privCredentials)
From source file:org.apache.hadoop.registry.secure.TestSecureLogins.java
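/**
 * Builds a JAAS login context for the local ZooKeeper service principal.
 *
 * <p>The {@link Subject} is created writable ({@code readOnly == false}) because
 * {@link LoginContext#login()} populates it with the credentials obtained from
 * {@code keytab_zk}; both credential sets start out empty. The empty application
 * name is resolved against the supplied {@code Configuration}, not the JVM-wide
 * JAAS configuration.
 *
 * <p>The previously computed principal-and-realm string was never used, so it is
 * no longer built here.
 *
 * @return a context that has not yet been logged in; the caller invokes {@link LoginContext#login()}.
 * @throws LoginException if the login context cannot be created.
 */
public LoginContext createLoginContextZookeeperLocalhost() throws LoginException {
  Set<Principal> principals = new HashSet<Principal>();
  principals.add(new KerberosPrincipal(ZOOKEEPER_LOCALHOST));
  Subject subject = new Subject(false, principals, new HashSet<Object>(), new HashSet<Object>());
  return new LoginContext("", subject, null,
      KerberosConfiguration.createServerConfig(ZOOKEEPER_LOCALHOST, keytab_zk));
}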
From source file:org.apache.sentry.api.service.thrift.TestSentryWebServerWithKerberos.java
/**
 * Verifies that the web server's {@code /ping} endpoint rejects a Kerberos user that
 * authenticates successfully but is not authorised: the request must fail with HTTP 403.
 *
 * @throws Exception if the KDC, JAAS login or HTTP plumbing fails outside the assertion.
 */
@Test
public void testPingWithUnauthorizedUser() throws Exception {
  // A freshly minted principal for which the server holds no authorisation entry.
  final String userPrinciple = "user/" + SentryServiceIntegrationBase.SERVER_HOST;
  final String userKerberosName = userPrinciple + "@" + SentryServiceIntegrationBase.REALM;
  HashSet<KerberosPrincipal> userPrincipals = new HashSet<KerberosPrincipal>();
  userPrincipals.add(new KerberosPrincipal(userKerberosName));
  // Writable subject: login() stores the TGT obtained from the keytab in it.
  Subject userSubject = new Subject(false, userPrincipals, new HashSet<Object>(), new HashSet<Object>());
  File userKeytab = new File(SentryServiceIntegrationBase.kdcWorkDir, "user.keytab");
  SentryServiceIntegrationBase.kdc.createPrincipal(userKeytab, userPrinciple);
  LoginContext userLoginContext = new LoginContext("", userSubject, null,
      KerberosConfiguration.createClientConfig(userKerberosName, userKeytab));
  userLoginContext.login();
  Subject.doAs(userLoginContext.getSubject(), new PrivilegedExceptionAction<Void>() {
    @Override
    public Void run() throws Exception {
      final URL url = new URL("http://" + SentryServiceIntegrationBase.SERVER_HOST + ":"
          + SentryServiceIntegrationBase.webServerPort + "/ping");
      try {
        new AuthenticatedURL(new KerberosAuthenticator()).openConnection(url, new AuthenticatedURL.Token());
      } catch (AuthenticationException e) {
        // Only a 403 proves the authorisation check fired; any other failure is a test error.
        String expectedError = "status code: 403";
        if (exceptionContainsMessage(e, expectedError)) {
          return null;
        }
        LOG.error("UnexpectedError: " + e.getMessage(), e);
        fail("UnexpectedError: " + e.getMessage());
        return null;
      }
      // Reaching here means the server accepted an unauthorised user.
      fail("Here should fail.");
      return null;
    }
  });
}
From source file:org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.java
/**
 * Logs the service principal in from the configured keytab once the bean's properties are set.
 *
 * <p>The resulting {@code serviceSubject} holds the credentials later used to validate
 * client tickets, which is why the keytab must be protected like a password and kept off
 * the classpath (a warning is logged when it is found there).
 *
 * @throws Exception if a required property is missing, the keytab URL cannot be resolved,
 *     or the JAAS login fails.
 */
public void afterPropertiesSet() throws Exception {
  Assert.notNull(this.servicePrincipal, "servicePrincipal must be specified");
  Assert.notNull(this.keyTabLocation, "keyTab must be specified");
  if (keyTabLocation instanceof ClassPathResource) {
    LOG.warn("Your keytab is in the classpath. This file needs special protection and shouldn't be in the classpath. JAAS may also not be able to load this file from classpath.");
  }
  String keytabPath = stripFileScheme(this.keyTabLocation.getURL().toExternalForm());
  LoginConfig loginConfig = new LoginConfig(keytabPath, this.servicePrincipal, this.debug);
  Set<Principal> servicePrincipals = new HashSet<Principal>(1);
  servicePrincipals.add(new KerberosPrincipal(this.servicePrincipal));
  // Writable subject: login() adds the Kerberos credentials read from the keytab.
  Subject subject = new Subject(false, servicePrincipals, new HashSet<Object>(), new HashSet<Object>());
  LoginContext loginContext = new LoginContext("", subject, null, loginConfig);
  loginContext.login();
  this.serviceSubject = loginContext.getSubject();
}

/**
 * Drops a leading {@code file:} scheme from a keytab location. Java 7 no longer accepts
 * the prefix in keytab paths, while Java 6 accepts the path with or without it, so it is
 * safe to strip unconditionally.
 */
private static String stripFileScheme(String location) {
  return location.startsWith("file:") ? location.substring("file:".length()) : location;
}
From source file:com.redhat.tools.kerberos.SunJaasKerberosTicketValidator.java
/**
 * Logs the service principal in using the keytab found at {@code keyTabLocation}.
 *
 * <p>The location is taken as a URL string and handed to the login configuration in its
 * external form; the resulting {@code serviceSubject} is what later ticket validation runs as.
 *
 * @throws Exception if the keytab URL is malformed or the JAAS login fails.
 */
public void setProperties() throws Exception {
  URL keytabUrl = new URL(this.keyTabLocation);
  LoginConfig loginConfig = new LoginConfig(keytabUrl.toExternalForm(), this.servicePrincipal, this.debug);
  Set<Principal> servicePrincipals = new HashSet<Principal>(1);
  servicePrincipals.add(new KerberosPrincipal(this.servicePrincipal));
  // Writable subject: login() adds the Kerberos credentials read from the keytab.
  Subject subject = new Subject(false, servicePrincipals, new HashSet<Object>(), new HashSet<Object>());
  LoginContext loginContext = new LoginContext("", subject, null, loginConfig);
  loginContext.login();
  this.serviceSubject = loginContext.getSubject();
}
From source file:org.wso2.carbon.core.security.CarbonJMXAuthenticator.java
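/**
 * JMX authenticator callback: validates a username/password pair against the Carbon user
 * realm and, on success, returns a read-only {@link Subject} carrying a {@link JMXPrincipal}.
 *
 * <p>Every failure inside the realm lookup surfaces as a {@link SecurityException} whose
 * message is deliberately generic ("Unauthorized access attempt ..." / "JMX operation
 * failed."); the detailed reason is written to the audit or error log rather than returned
 * to the (possibly remote, not yet authenticated) JMX client. Only the shape checks on the
 * raw credentials object report a specific message.
 *
 * @param credentials expected to be a {@code String[]} of at least {@code {username, password}}
 * @return a read-only subject for the authenticated and authorised user
 * @throws SecurityException if the credentials are malformed, invalid or not authorised
 */
public Subject authenticate(Object credentials) {
  String[] usernamePassword = requireUsernamePassword(credentials);
  String userName = usernamePassword[0];
  String password = usernamePassword[1];
  UserStoreManager authenticator;
  try {
    authenticator = userRealm.getUserStoreManager();
  } catch (UserStoreException e) {
    String msg = "Cannot get authenticator from Realm";
    log.error(msg, e);
    throw new SecurityException(msg, e);
  }
  try {
    // With the newer caching every thread needs its own populated CarbonContext; during
    // deployment the super tenant is assumed until the user's tenant is resolved below.
    PrivilegedCarbonContext carbonContext = PrivilegedCarbonContext.getThreadLocalCarbonContext();
    carbonContext.setTenantDomain(MultitenantConstants.SUPER_TENANT_DOMAIN_NAME);
    carbonContext.setTenantId(MultitenantConstants.SUPER_TENANT_ID);
    String domainNameFromUserName = extractTenantDomain(userName);
    // The super-tenant domain may not be spelled out explicitly in a login name.
    if (MultitenantConstants.SUPER_TENANT_DOMAIN_NAME.equals(domainNameFromUserName)) {
      if (log.isDebugEnabled()) {
        log.debug("Authentication Failure..Provided tenant domain name is reserved..");
      }
      throw new SecurityException("Authentication failed - System error occurred. Tenant domain name is reserved.");
    }
    if (!authenticator.authenticate(userName, password)) {
      throw new SecurityException("Login failed for user : " + userName + ". Invalid username or password.");
    }
    UserRealmService userRealmService = CarbonCoreDataHolder.getInstance().getRealmService();
    TenantManager tenantManager = userRealmService.getTenantManager();
    String tenantDomain = MultitenantUtils.getTenantDomain(userName);
    int tenantId = tenantManager.getTenantId(tenantDomain);
    carbonContext.setTenantId(tenantId);
    carbonContext.setTenantDomain(tenantDomain);
    audit.info("User " + userName + " successfully authenticated to perform JMX operations.");
    if (!authorize(userName)) {
      throw new SecurityException("User : " + userName + " not authorized to perform JMX operations.");
    }
    audit.info("User : " + userName + " successfully authorized to perform JMX operations.");
    // Read-only so the JMX layer cannot later add principals or credentials to it.
    return new Subject(true, Collections.singleton(new JMXPrincipal(userName)),
        Collections.emptySet(), Collections.emptySet());
  } catch (SecurityException se) {
    // Failed attempts are audited with the specific cause; the caller sees a generic message.
    String msg = "Unauthorized access attempt to JMX operation. ";
    audit.warn(msg, se);
    throw new SecurityException(msg, se);
  } catch (Exception e) {
    String msg = "JMX operation failed.";
    log.error(msg, e);
    throw new SecurityException(msg, e);
  }
}

/**
 * Checks that {@code credentials} is a {@code String[]} holding at least a username and a
 * password, reporting a specific message for a {@code null} value.
 *
 * @throws SecurityException if the object is missing, of the wrong type or too short
 */
private static String[] requireUsernamePassword(Object credentials) {
  if (credentials == null) {
    throw new SecurityException("Credentials required");
  }
  if (!(credentials instanceof String[])) {
    throw new SecurityException("Credentials should be String[]");
  }
  String[] usernamePassword = (String[]) credentials;
  if (usernamePassword.length < 2) {
    throw new SecurityException("Credentials should have at least username & password");
  }
  return usernamePassword;
}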
From source file:org.apache.sentry.service.thrift.SentryServiceIntegrationBase.java
/**
 * Builds the test configuration and starts a Sentry service against it.
 *
 * <p>The static switches ({@code kerberos}, {@code haEnabled}, {@code webServerEnabled},
 * {@code webSecurity}, {@code pooled}) are set by the concrete test class. With Kerberos on,
 * the server, client and (optionally) HTTP principals receive fresh keytabs from the embedded
 * KDC and the client is logged in so that {@code clientSubject} carries its credentials.
 *
 * @throws Exception if the KDC, ZooKeeper, JAAS login or service start fails.
 */
public static void setupConf() throws Exception {
  if (kerberos) {
    applyKerberosSettings();
  } else {
    LOGGER.info("Stopped KDC");
    conf.set(ServerConfig.SECURITY_MODE, ServerConfig.SECURITY_MODE_NONE);
  }
  if (haEnabled) {
    zkServer = getZKServer();
    conf.set(ServerConfig.SENTRY_HA_ENABLED, "true");
    conf.set(ServerConfig.SENTRY_HA_ZOOKEEPER_QUORUM, zkServer.getConnectString());
    conf.set(ServerConfig.SENTRY_HA_ZOOKEEPER_NAMESPACE, "sentry-test-case");
    if (kerberos) {
      conf.set(ServerConfig.SENTRY_HA_ZOOKEEPER_SECURITY, "true");
    }
  }
  if (webServerEnabled) {
    conf.set(ServerConfig.SENTRY_WEB_ENABLE, "true");
    conf.set(ServerConfig.SENTRY_WEB_PORT, String.valueOf(webServerPort));
    applyWebSecuritySettings();
  } else {
    conf.set(ServerConfig.SENTRY_WEB_ENABLE, "false");
  }
  if (pooled) {
    conf.set(ClientConfig.SENTRY_POOL_ENABLED, "true");
  }
  conf.set(ServerConfig.SENTRY_VERIFY_SCHEM_VERSION, "false");
  conf.set(ServerConfig.ADMIN_GROUPS, ADMIN_GROUP);
  conf.set(ServerConfig.RPC_ADDRESS, SERVER_HOST);
  // Port 0: let the service pick a free port, then publish it to the client config below.
  conf.set(ServerConfig.RPC_PORT, String.valueOf(0));
  dbDir = new File(Files.createTempDir(), "sentry_policy_db");
  conf.set(ServerConfig.SENTRY_STORE_JDBC_URL, "jdbc:derby:;databaseName=" + dbDir.getPath() + ";create=true");
  conf.set(ServerConfig.SENTRY_STORE_JDBC_PASS, "dummy");
  server = new SentryServiceFactory().create(conf);
  conf.set(ClientConfig.SERVER_RPC_ADDRESS, server.getAddress().getHostName());
  conf.set(ClientConfig.SERVER_RPC_PORT, String.valueOf(server.getAddress().getPort()));
  conf.set(ServerConfig.SENTRY_STORE_GROUP_MAPPING, ServerConfig.SENTRY_STORE_LOCAL_GROUP_MAPPING);
}

/**
 * Starts the KDC, mints the server and client keytabs, wires them into {@code conf} and logs
 * the client in so that {@code clientSubject} is replaced by the logged-in subject.
 */
private static void applyKerberosSettings() throws Exception {
  setupKdc();
  kdc = getKdc();
  kdcWorkDir = getWorkDir();
  serverKeytab = new File(kdcWorkDir, "server.keytab");
  clientKeytab = new File(kdcWorkDir, "client.keytab");
  kdc.createPrincipal(serverKeytab, SERVER_PRINCIPAL);
  kdc.createPrincipal(clientKeytab, CLIENT_PRINCIPAL);
  conf.set(ServerConfig.PRINCIPAL, getServerKerberosName());
  conf.set(ServerConfig.KEY_TAB, serverKeytab.getPath());
  conf.set(ServerConfig.ALLOW_CONNECT, CLIENT_KERBEROS_SHORT_NAME);
  conf.set(ServerConfig.SERVER_HA_ZOOKEEPER_CLIENT_PRINCIPAL, getServerKerberosName());
  conf.set(ServerConfig.SERVER_HA_ZOOKEEPER_CLIENT_KEYTAB, serverKeytab.getPath());
  conf.set(ServerConfig.SECURITY_USE_UGI_TRANSPORT, "false");
  HashSet<KerberosPrincipal> clientPrincipals = new HashSet<KerberosPrincipal>();
  clientPrincipals.add(new KerberosPrincipal(CLIENT_KERBEROS_NAME));
  // Writable subject: login() stores the client's credentials in it.
  clientSubject = new Subject(false, clientPrincipals, new HashSet<Object>(), new HashSet<Object>());
  clientLoginContext = new LoginContext("", clientSubject, null,
      KerberosConfiguration.createClientConfig(CLIENT_KERBEROS_NAME, clientKeytab));
  clientLoginContext.login();
  clientSubject = clientLoginContext.getSubject();
}

/**
 * Switches the web server to Kerberos (with a freshly created HTTP keytab) or to no
 * authentication at all, depending on {@code webSecurity}. Relies on {@code kdc} and
 * {@code kdcWorkDir} having been set up when Kerberos is on.
 */
private static void applyWebSecuritySettings() throws Exception {
  if (webSecurity) {
    httpKeytab = new File(kdcWorkDir, "http.keytab");
    kdc.createPrincipal(httpKeytab, HTTP_PRINCIPAL);
    conf.set(ServerConfig.SENTRY_WEB_SECURITY_TYPE, ServerConfig.SENTRY_WEB_SECURITY_TYPE_KERBEROS);
    conf.set(ServerConfig.SENTRY_WEB_SECURITY_PRINCIPAL, HTTP_PRINCIPAL);
    conf.set(ServerConfig.SENTRY_WEB_SECURITY_KEYTAB, httpKeytab.getPath());
  } else {
    conf.set(ServerConfig.SENTRY_WEB_SECURITY_TYPE, ServerConfig.SENTRY_WEB_SECURITY_TYPE_NONE);
  }
}
From source file:org.eclipse.ecr.runtime.api.login.LoginComponent.java
/**
 * Logs in the internal "system" identity for {@code username}, bypassing the regular
 * user-facing login path.
 *
 * @param username the name the {@link SystemID} principal is created for
 * @return the logged-in context, or {@code null} when no system login service is wired in
 * @throws LoginException if the underlying login fails
 */
private LoginContext systemLogin(String username) throws LoginException {
  if (systemLogin == null) {
    return null;
  }
  SystemID sysId = new SystemID(username);
  Set<Principal> principals = new HashSet<Principal>();
  principals.add(sysId);
  // Writable subject with empty credential sets; the login service fills in what it needs.
  Subject subject = new Subject(false, principals, new HashSet<String>(), new HashSet<String>());
  return systemLogin.login(subject, new CredentialsCallbackHandler(sysId.getName(), sysId));
}
From source file:org.jboss.dashboard.users.UserStatus.java
/**
 * Invalidates the user principals due to external changes affecting them.
 *
 * <p>Clears the security cache and replaces {@code userAuth} with a subject built from a
 * freshly calculated principal set, so that later checks stop honouring stale membership.
 * Synchronized so that callers never observe the cleared cache paired with the old subject.
 */
public synchronized void invalidateUserPrincipals() {
  if (log.isDebugEnabled()) {
    log.debug("Security information is obsolete. Clearing.");
  }
  securityCache.clear();
  Set<Principal> freshPrincipals = calculateUserPrincipals();
  userAuth = new Subject(false, freshPrincipals, new HashSet<Object>(), new HashSet<Object>());
}
From source file:com.cloudera.alfredo.server.KerberosAuthenticationHandler.java
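/**
 * Initializes the authentication handler instance.
 * <p/>
 * It creates a Kerberos context using the principal and keytab specified in the configuration.
 * <p/>
 * This method is invoked by the {@link AuthenticationFilter#init} method.
 * <p/>
 * Configuration problems (missing principal, missing or unreadable keytab) are reported
 * directly with their own message; failures of the JAAS login or the GSS set-up are
 * wrapped in a {@link ServletException} carrying the cause.
 *
 * @param config configuration properties to initialize the handler.
 *
 * @throws ServletException thrown if the handler could not be initialized.
 */
@Override
public void init(Properties config) throws ServletException {
  // Validate outside the try block so these exceptions are not re-wrapped by the catch below.
  principal = config.getProperty(PRINCIPAL, principal);
  if (principal == null || principal.trim().isEmpty()) {
    throw new ServletException("Principal not defined in configuration");
  }
  keytab = config.getProperty(KEYTAB, keytab);
  if (keytab == null || keytab.trim().isEmpty()) {
    throw new ServletException("Keytab not defined in configuration");
  }
  File keytabFile = new File(keytab);
  if (!keytabFile.exists()) {
    throw new ServletException("Keytab does not exist: " + keytab);
  }
  if (!keytabFile.canRead()) {
    throw new ServletException("Keytab is not readable: " + keytab);
  }
  try {
    Set<Principal> principals = new HashSet<Principal>();
    principals.add(new KerberosPrincipal(principal));
    // Writable subject: login() adds the credentials read from the keytab.
    Subject subject = new Subject(false, principals, new HashSet<Object>(), new HashSet<Object>());
    KerberosConfiguration kerberosConfiguration = new KerberosConfiguration(keytab, principal);
    loginContext = new LoginContext("", subject, null, kerberosConfiguration);
    loginContext.login();
    Subject serverSubject = loginContext.getSubject();
    try {
      // Created while acting as the server subject, presumably so the manager is tied to
      // the server's Kerberos credentials for later context acceptance.
      gssManager = Subject.doAs(serverSubject, new PrivilegedExceptionAction<GSSManager>() {
        @Override
        public GSSManager run() throws Exception {
          return GSSManager.getInstance();
        }
      });
    } catch (PrivilegedActionException ex) {
      throw ex.getException();
    }
    LOG.info("Initialized, principal [{}] from keytab [{}]", principal, keytab);
  } catch (Exception ex) {
    throw new ServletException(ex);
  }
}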
From source file:org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.java
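/**
 * Initializes the authentication handler instance.
 * <p/>
 * It creates a Kerberos context using the principal and keytab specified in the configuration.
 * <p/>
 * This method is invoked by the {@link AuthenticationFilter#init} method.
 * <p/>
 * Configuration problems (missing principal, missing or unreadable keytab) are reported
 * directly with their own message; failures of the JAAS login or the GSS set-up are
 * wrapped in a {@link ServletException} carrying the cause.
 *
 * @param config configuration properties to initialize the handler.
 *
 * @throws ServletException thrown if the handler could not be initialized.
 */
@Override
public void init(Properties config) throws ServletException {
  // Validate outside the try block so these exceptions are not re-wrapped by the catch below.
  principal = config.getProperty(PRINCIPAL, principal);
  if (principal == null || principal.trim().isEmpty()) {
    throw new ServletException("Principal not defined in configuration");
  }
  keytab = config.getProperty(KEYTAB, keytab);
  if (keytab == null || keytab.trim().isEmpty()) {
    throw new ServletException("Keytab not defined in configuration");
  }
  File keytabFile = new File(keytab);
  if (!keytabFile.exists()) {
    throw new ServletException("Keytab does not exist: " + keytab);
  }
  if (!keytabFile.canRead()) {
    throw new ServletException("Keytab is not readable: " + keytab);
  }
  try {
    Set<Principal> principals = new HashSet<Principal>();
    principals.add(new KerberosPrincipal(principal));
    // Writable subject: login() adds the credentials read from the keytab.
    Subject subject = new Subject(false, principals, new HashSet<Object>(), new HashSet<Object>());
    KerberosConfiguration kerberosConfiguration = new KerberosConfiguration(keytab, principal);
    LOG.info("Login using keytab " + keytab + ", for principal " + principal);
    loginContext = new LoginContext("", subject, null, kerberosConfiguration);
    loginContext.login();
    Subject serverSubject = loginContext.getSubject();
    try {
      // Created while acting as the server subject, presumably so the manager is tied to
      // the server's Kerberos credentials for later context acceptance.
      gssManager = Subject.doAs(serverSubject, new PrivilegedExceptionAction<GSSManager>() {
        @Override
        public GSSManager run() throws Exception {
          return GSSManager.getInstance();
        }
      });
    } catch (PrivilegedActionException ex) {
      throw ex.getException();
    }
    LOG.info("Initialized, principal [{}] from keytab [{}]", principal, keytab);
  } catch (Exception ex) {
    throw new ServletException(ex);
  }
}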