J. Duke | 319a3b9 | 2007-12-01 00:00:00 +0000 | [diff] [blame^] | 1 | /* |
| 2 | * Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. |
| 3 | * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
| 4 | * |
| 5 | * This code is free software; you can redistribute it and/or modify it |
| 6 | * under the terms of the GNU General Public License version 2 only, as |
| 7 | * published by the Free Software Foundation. Sun designates this |
| 8 | * particular file as subject to the "Classpath" exception as provided |
| 9 | * by Sun in the LICENSE file that accompanied this code. |
| 10 | * |
| 11 | * This code is distributed in the hope that it will be useful, but WITHOUT |
| 12 | * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
| 13 | * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
| 14 | * version 2 for more details (a copy is included in the LICENSE file that |
| 15 | * accompanied this code). |
| 16 | * |
| 17 | * You should have received a copy of the GNU General Public License version |
| 18 | * 2 along with this work; if not, write to the Free Software Foundation, |
| 19 | * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
| 20 | * |
| 21 | * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, |
| 22 | * CA 95054 USA or visit www.sun.com if you need additional information or |
| 23 | * have any questions. |
| 24 | */ |
| 25 | |
| 26 | package sun.net.www.protocol.http; |
| 27 | |
| 28 | import java.io.IOException; |
| 29 | |
| 30 | import org.ietf.jgss.GSSContext; |
| 31 | import org.ietf.jgss.GSSException; |
| 32 | import org.ietf.jgss.GSSName; |
| 33 | import org.ietf.jgss.Oid; |
| 34 | |
| 35 | import sun.security.jgss.GSSManagerImpl; |
| 36 | import sun.security.jgss.GSSUtil; |
| 37 | |
| 38 | /** |
| 39 | * This class encapsulates all JAAS and JGSS API calls in a seperate class |
| 40 | * outside NegotiateAuthentication.java so that J2SE build can go smoothly |
| 41 | * without the presence of it. |
| 42 | * |
| 43 | * @author weijun.wang@sun.com |
| 44 | * @since 1.6 |
| 45 | */ |
| 46 | public class NegotiatorImpl extends Negotiator { |
| 47 | |
| 48 | private static final boolean DEBUG = |
| 49 | java.security.AccessController.doPrivileged( |
| 50 | new sun.security.action.GetBooleanAction("sun.security.krb5.debug")); |
| 51 | |
| 52 | private GSSContext context; |
| 53 | private byte[] oneToken; |
| 54 | |
| 55 | /** |
| 56 | * Initialize the object, which includes:<ul> |
| 57 | * <li>Find out what GSS mechanism to use from <code>http.negotiate.mechanism.oid</code>, |
| 58 | * defaults SPNEGO |
| 59 | * <li>Creating the GSSName for the target host, "HTTP/"+hostname |
| 60 | * <li>Creating GSSContext |
| 61 | * <li>A first call to initSecContext</ul> |
| 62 | * @param hostname name of peer server |
| 63 | * @param scheme auth scheme requested, Negotiate ot Kerberos |
| 64 | * @throws GSSException if any JGSS-API call fails |
| 65 | */ |
| 66 | private void init(final String hostname, String scheme) throws GSSException { |
| 67 | // "1.2.840.113554.1.2.2" Kerberos |
| 68 | // "1.3.6.1.5.5.2" SPNEGO |
| 69 | final Oid oid; |
| 70 | |
| 71 | if (scheme.equalsIgnoreCase("Kerberos")) { |
| 72 | // we can only use Kerberos mech when the scheme is kerberos |
| 73 | oid = GSSUtil.GSS_KRB5_MECH_OID; |
| 74 | } else { |
| 75 | String pref = java.security.AccessController.doPrivileged( |
| 76 | new java.security.PrivilegedAction<String>() { |
| 77 | public String run() { |
| 78 | return System.getProperty( |
| 79 | "http.auth.preference", |
| 80 | "spnego"); |
| 81 | } |
| 82 | }); |
| 83 | if (pref.equalsIgnoreCase("kerberos")) { |
| 84 | oid = GSSUtil.GSS_KRB5_MECH_OID; |
| 85 | } else { |
| 86 | // currently there is no 3rd mech we can use |
| 87 | oid = GSSUtil.GSS_SPNEGO_MECH_OID; |
| 88 | } |
| 89 | } |
| 90 | |
| 91 | GSSManagerImpl manager = new GSSManagerImpl( |
| 92 | GSSUtil.CALLER_HTTP_NEGOTIATE); |
| 93 | |
| 94 | String peerName = "HTTP/" + hostname; |
| 95 | |
| 96 | GSSName serverName = manager.createName(peerName, null); |
| 97 | context = manager.createContext(serverName, |
| 98 | oid, |
| 99 | null, |
| 100 | GSSContext.DEFAULT_LIFETIME); |
| 101 | |
| 102 | // In order to support credential delegation in HTTP/SPNEGO, |
| 103 | // we always request it before initSecContext. The current |
| 104 | // implementation will check the OK-AS-DELEGATE flag inside |
| 105 | // the service ticket of the web server, and only enable |
| 106 | // delegation when this flag is set. This check is only |
| 107 | // performed when the GSS caller is CALLER_HTTP_NEGOTIATE, |
| 108 | // so all other normal GSS-API calls are not affected. |
| 109 | |
| 110 | context.requestCredDeleg(true); |
| 111 | oneToken = context.initSecContext(new byte[0], 0, 0); |
| 112 | } |
| 113 | |
| 114 | /** |
| 115 | * Constructor |
| 116 | * @param hostname name of peer server |
| 117 | * @param scheme auth scheme requested, Negotiate ot Kerberos |
| 118 | * @throws java.io.IOException If negotiator cannot be constructed |
| 119 | */ |
| 120 | public NegotiatorImpl(String hostname, String scheme) throws IOException { |
| 121 | try { |
| 122 | init(hostname, scheme); |
| 123 | } catch (GSSException e) { |
| 124 | if (DEBUG) { |
| 125 | System.out.println("Negotiate support not initiated, will fallback to other scheme if allowed. Reason:"); |
| 126 | e.printStackTrace(); |
| 127 | } |
| 128 | IOException ioe = new IOException("Negotiate support not initiated"); |
| 129 | ioe.initCause(e); |
| 130 | throw ioe; |
| 131 | } |
| 132 | } |
| 133 | |
| 134 | /** |
| 135 | * Return the first token of GSS, in SPNEGO, it's called NegTokenInit |
| 136 | * @return the first token |
| 137 | */ |
| 138 | public byte[] firstToken() { |
| 139 | return oneToken; |
| 140 | } |
| 141 | |
| 142 | /** |
| 143 | * Return the rest tokens of GSS, in SPNEGO, it's called NegTokenTarg |
| 144 | * @param token the token received from server |
| 145 | * @return the next token |
| 146 | * @throws java.io.IOException if the token cannot be created successfully |
| 147 | */ |
| 148 | public byte[] nextToken(byte[] token) throws IOException { |
| 149 | try { |
| 150 | return context.initSecContext(token, 0, token.length); |
| 151 | } catch (GSSException e) { |
| 152 | if (DEBUG) { |
| 153 | System.out.println("Negotiate support cannot continue. Reason:"); |
| 154 | e.printStackTrace(); |
| 155 | } |
| 156 | IOException ioe = new IOException("Negotiate support cannot continue"); |
| 157 | ioe.initCause(e); |
| 158 | throw ioe; |
| 159 | } |
| 160 | } |
| 161 | } |