J. Duke | 319a3b9 | 2007-12-01 00:00:00 +0000 | [diff] [blame^] | 1 | /* |
| 2 | * Copyright 2000-2006 Sun Microsystems, Inc. All Rights Reserved. |
| 3 | * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
| 4 | * |
| 5 | * This code is free software; you can redistribute it and/or modify it |
| 6 | * under the terms of the GNU General Public License version 2 only, as |
| 7 | * published by the Free Software Foundation. Sun designates this |
| 8 | * particular file as subject to the "Classpath" exception as provided |
| 9 | * by Sun in the LICENSE file that accompanied this code. |
| 10 | * |
| 11 | * This code is distributed in the hope that it will be useful, but WITHOUT |
| 12 | * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
| 13 | * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
| 14 | * version 2 for more details (a copy is included in the LICENSE file that |
| 15 | * accompanied this code). |
| 16 | * |
| 17 | * You should have received a copy of the GNU General Public License version |
| 18 | * 2 along with this work; if not, write to the Free Software Foundation, |
| 19 | * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
| 20 | * |
| 21 | * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, |
| 22 | * CA 95054 USA or visit www.sun.com if you need additional information or |
| 23 | * have any questions. |
| 24 | */ |
| 25 | |
| 26 | package sun.security.jgss; |
| 27 | |
| 28 | import com.sun.security.auth.callback.TextCallbackHandler; |
| 29 | import javax.security.auth.Subject; |
| 30 | import javax.security.auth.kerberos.KerberosPrincipal; |
| 31 | import javax.security.auth.kerberos.KerberosTicket; |
| 32 | import javax.security.auth.kerberos.KerberosKey; |
| 33 | import org.ietf.jgss.*; |
| 34 | import sun.security.jgss.spi.GSSNameSpi; |
| 35 | import sun.security.jgss.spi.GSSCredentialSpi; |
| 36 | import sun.security.action.GetPropertyAction; |
| 37 | import sun.security.jgss.krb5.Krb5NameElement; |
| 38 | import sun.security.jgss.spnego.SpNegoCredElement; |
| 39 | import java.util.Set; |
| 40 | import java.util.HashSet; |
| 41 | import java.util.Vector; |
| 42 | import java.util.Iterator; |
| 43 | import java.security.AccessController; |
| 44 | import java.security.AccessControlContext; |
| 45 | import java.security.PrivilegedExceptionAction; |
| 46 | import java.security.PrivilegedActionException; |
| 47 | import javax.security.auth.callback.CallbackHandler; |
| 48 | import javax.security.auth.login.LoginContext; |
| 49 | import javax.security.auth.login.LoginException; |
| 50 | import sun.security.action.GetBooleanAction; |
| 51 | |
| 52 | /** |
| 53 | * The GSSUtilImplementation that knows how to work with the internals of |
| 54 | * the GSS-API. |
| 55 | */ |
| 56 | public class GSSUtil { |
| 57 | |
| 58 | public static final Oid GSS_KRB5_MECH_OID = |
| 59 | GSSUtil.createOid("1.2.840.113554.1.2.2"); |
| 60 | public static final Oid GSS_KRB5_MECH_OID2 = |
| 61 | GSSUtil.createOid("1.3.5.1.5.2"); |
| 62 | |
| 63 | public static final Oid GSS_SPNEGO_MECH_OID = |
| 64 | GSSUtil.createOid("1.3.6.1.5.5.2"); |
| 65 | |
| 66 | public static final Oid NT_GSS_KRB5_PRINCIPAL = |
| 67 | GSSUtil.createOid("1.2.840.113554.1.2.2.1"); |
| 68 | |
| 69 | public static final Oid NT_HOSTBASED_SERVICE2 = |
| 70 | GSSUtil.createOid("1.2.840.113554.1.2.1.4"); |
| 71 | |
| 72 | private static final String DEFAULT_HANDLER = |
| 73 | "auth.login.defaultCallbackHandler"; |
| 74 | |
| 75 | public static final int CALLER_UNKNOWN = -1; |
| 76 | public static final int CALLER_INITIATE = 1; |
| 77 | public static final int CALLER_ACCEPT = 2; |
| 78 | public static final int CALLER_SSL_CLIENT = 3; |
| 79 | public static final int CALLER_SSL_SERVER = 4; |
| 80 | public static final int CALLER_HTTP_NEGOTIATE = 5; |
| 81 | |
| 82 | static final boolean DEBUG; |
| 83 | static { |
| 84 | DEBUG = (AccessController.doPrivileged |
| 85 | (new GetBooleanAction("sun.security.jgss.debug"))). |
| 86 | booleanValue(); |
| 87 | } |
| 88 | |
| 89 | static void debug(String message) { |
| 90 | if (DEBUG) { |
| 91 | assert(message != null); |
| 92 | System.out.println(message); |
| 93 | } |
| 94 | } |
| 95 | |
| 96 | // NOTE: this method is only for creating Oid objects with |
| 97 | // known to be valid <code>oidStr</code> given it ignores |
| 98 | // the GSSException |
| 99 | public static Oid createOid(String oidStr) { |
| 100 | try { |
| 101 | return new Oid(oidStr); |
| 102 | } catch (GSSException e) { |
| 103 | debug("Ignored invalid OID: " + oidStr); |
| 104 | return null; |
| 105 | } |
| 106 | } |
| 107 | |
| 108 | public static boolean isSpNegoMech(Oid oid) { |
| 109 | return (GSS_SPNEGO_MECH_OID.equals(oid)); |
| 110 | } |
| 111 | |
| 112 | public static boolean isKerberosMech(Oid oid) { |
| 113 | return (GSS_KRB5_MECH_OID.equals(oid) || |
| 114 | GSS_KRB5_MECH_OID2.equals(oid)); |
| 115 | |
| 116 | } |
| 117 | |
| 118 | public static String getMechStr(Oid oid) { |
| 119 | if (isSpNegoMech(oid)) { |
| 120 | return "SPNEGO"; |
| 121 | } else if (isKerberosMech(oid)) { |
| 122 | return "Kerberos V5"; |
| 123 | } else { |
| 124 | return oid.toString(); |
| 125 | } |
| 126 | } |
| 127 | |
| 128 | /** |
| 129 | * Note: The current impl only works with Sun's impl of |
| 130 | * GSSName and GSSCredential since it depends on package |
| 131 | * private APIs. |
| 132 | */ |
| 133 | public static Subject getSubject(GSSName name, |
| 134 | GSSCredential creds) { |
| 135 | |
| 136 | HashSet<Object> privCredentials = null; |
| 137 | HashSet<Object> pubCredentials = new HashSet<Object>(); // empty Set |
| 138 | |
| 139 | Set<GSSCredentialSpi> gssCredentials = null; |
| 140 | |
| 141 | Set<KerberosPrincipal> krb5Principals = |
| 142 | new HashSet<KerberosPrincipal>(); |
| 143 | |
| 144 | if (name instanceof GSSNameImpl) { |
| 145 | try { |
| 146 | GSSNameSpi ne = ((GSSNameImpl) name).getElement |
| 147 | (GSS_KRB5_MECH_OID); |
| 148 | String krbName = ne.toString(); |
| 149 | if (ne instanceof Krb5NameElement) { |
| 150 | krbName = |
| 151 | ((Krb5NameElement) ne).getKrb5PrincipalName().getName(); |
| 152 | } |
| 153 | KerberosPrincipal krbPrinc = new KerberosPrincipal(krbName); |
| 154 | krb5Principals.add(krbPrinc); |
| 155 | } catch (GSSException ge) { |
| 156 | debug("Skipped name " + name + " due to " + ge); |
| 157 | } |
| 158 | } |
| 159 | |
| 160 | if (creds instanceof GSSCredentialImpl) { |
| 161 | gssCredentials = ((GSSCredentialImpl) creds).getElements(); |
| 162 | privCredentials = new HashSet<Object>(gssCredentials.size()); |
| 163 | populateCredentials(privCredentials, gssCredentials); |
| 164 | } else { |
| 165 | privCredentials = new HashSet<Object>(); // empty Set |
| 166 | } |
| 167 | debug("Created Subject with the following"); |
| 168 | debug("principals=" + krb5Principals); |
| 169 | debug("public creds=" + pubCredentials); |
| 170 | debug("private creds=" + privCredentials); |
| 171 | |
| 172 | return new Subject(false, krb5Principals, pubCredentials, |
| 173 | privCredentials); |
| 174 | |
| 175 | } |
| 176 | |
| 177 | /** |
| 178 | * Populates the set credentials with elements from gssCredentials. At |
| 179 | * the same time, it converts any subclasses of KerberosTicket |
| 180 | * into KerberosTicket instances and any subclasses of KerberosKey into |
| 181 | * KerberosKey instances. (It is not desirable to expose the customer |
| 182 | * to sun.security.jgss.krb5.Krb5InitCredential which extends |
| 183 | * KerberosTicket and sun.security.jgss.krb5.Kbr5AcceptCredential which |
| 184 | * extends KerberosKey.) |
| 185 | */ |
| 186 | private static void populateCredentials(Set<Object> credentials, |
| 187 | Set<?> gssCredentials) { |
| 188 | |
| 189 | Object cred; |
| 190 | |
| 191 | Iterator<?> elements = gssCredentials.iterator(); |
| 192 | while (elements.hasNext()) { |
| 193 | |
| 194 | cred = elements.next(); |
| 195 | |
| 196 | // Retrieve the internal cred out of SpNegoCredElement |
| 197 | if (cred instanceof SpNegoCredElement) { |
| 198 | cred = ((SpNegoCredElement) cred).getInternalCred(); |
| 199 | } |
| 200 | |
| 201 | if (cred instanceof KerberosTicket) { |
| 202 | if (!cred.getClass().getName().equals |
| 203 | ("javax.security.auth.kerberos.KerberosTicket")) { |
| 204 | KerberosTicket tempTkt = (KerberosTicket) cred; |
| 205 | cred = new KerberosTicket(tempTkt.getEncoded(), |
| 206 | tempTkt.getClient(), |
| 207 | tempTkt.getServer(), |
| 208 | tempTkt.getSessionKey().getEncoded(), |
| 209 | tempTkt.getSessionKeyType(), |
| 210 | tempTkt.getFlags(), |
| 211 | tempTkt.getAuthTime(), |
| 212 | tempTkt.getStartTime(), |
| 213 | tempTkt.getEndTime(), |
| 214 | tempTkt.getRenewTill(), |
| 215 | tempTkt.getClientAddresses()); |
| 216 | } |
| 217 | credentials.add(cred); |
| 218 | } else if (cred instanceof KerberosKey) { |
| 219 | if (!cred.getClass().getName().equals |
| 220 | ("javax.security.auth.kerberos.KerberosKey")) { |
| 221 | KerberosKey tempKey = (KerberosKey) cred; |
| 222 | cred = new KerberosKey(tempKey.getPrincipal(), |
| 223 | tempKey.getEncoded(), |
| 224 | tempKey.getKeyType(), |
| 225 | tempKey.getVersionNumber()); |
| 226 | } |
| 227 | credentials.add(cred); |
| 228 | } else { |
| 229 | // Ignore non-KerberosTicket and non-KerberosKey elements |
| 230 | debug("Skipped cred element: " + cred); |
| 231 | } |
| 232 | } |
| 233 | } |
| 234 | |
| 235 | /** |
| 236 | * Authenticate using the login module from the specified |
| 237 | * configuration entry. |
| 238 | * |
| 239 | * @param caller the caller of JAAS Login |
| 240 | * @param mech the mech to be used |
| 241 | * @return the authenticated subject |
| 242 | */ |
| 243 | public static Subject login(int caller, Oid mech) throws LoginException { |
| 244 | |
| 245 | CallbackHandler cb = null; |
| 246 | if (caller == GSSUtil.CALLER_HTTP_NEGOTIATE) { |
| 247 | cb = new sun.net.www.protocol.http.NegotiateCallbackHandler(); |
| 248 | } else { |
| 249 | String defaultHandler = |
| 250 | java.security.Security.getProperty(DEFAULT_HANDLER); |
| 251 | // get the default callback handler |
| 252 | if ((defaultHandler != null) && (defaultHandler.length() != 0)) { |
| 253 | cb = null; |
| 254 | } else { |
| 255 | cb = new TextCallbackHandler(); |
| 256 | } |
| 257 | } |
| 258 | |
| 259 | // New instance of LoginConfigImpl must be created for each login, |
| 260 | // since the entry name is not passed as the first argument, but |
| 261 | // generated with caller and mech inside LoginConfigImpl |
| 262 | LoginContext lc = new LoginContext("", null, cb, |
| 263 | new LoginConfigImpl(caller, mech)); |
| 264 | lc.login(); |
| 265 | return lc.getSubject(); |
| 266 | } |
| 267 | |
| 268 | /** |
| 269 | * Determines if the application doesn't mind if the mechanism obtains |
| 270 | * the required credentials from outside of the current Subject. Our |
| 271 | * Kerberos v5 mechanism would do a JAAS login on behalf of the |
| 272 | * application if this were the case. |
| 273 | * |
| 274 | * The application indicates this by explicitly setting the system |
| 275 | * property javax.security.auth.useSubjectCredsOnly to false. |
| 276 | */ |
| 277 | public static boolean useSubjectCredsOnly(int caller) { |
| 278 | |
| 279 | // HTTP/SPNEGO doesn't use the standard JAAS framework. Instead, it |
| 280 | // uses the java.net.Authenticator style, therefore always return |
| 281 | // false here. |
| 282 | if (caller == CALLER_HTTP_NEGOTIATE) { |
| 283 | return false; |
| 284 | } |
| 285 | /* |
| 286 | * Don't use GetBooleanAction because the default value in the JRE |
| 287 | * (when this is unset) has to treated as true. |
| 288 | */ |
| 289 | String propValue = AccessController.doPrivileged( |
| 290 | new GetPropertyAction("javax.security.auth.useSubjectCredsOnly", |
| 291 | "true")); |
| 292 | /* |
| 293 | * This property has to be explicitly set to "false". Invalid |
| 294 | * values should be ignored and the default "true" assumed. |
| 295 | */ |
| 296 | return (!propValue.equalsIgnoreCase("false")); |
| 297 | } |
| 298 | |
| 299 | /** |
| 300 | * Determines the SPNEGO interoperability mode with Microsoft; |
| 301 | * by default it is set to true. |
| 302 | * |
| 303 | * To disable it, the application indicates this by explicitly setting |
| 304 | * the system property sun.security.spnego.interop to false. |
| 305 | */ |
| 306 | public static boolean useMSInterop() { |
| 307 | /* |
| 308 | * Don't use GetBooleanAction because the default value in the JRE |
| 309 | * (when this is unset) has to treated as true. |
| 310 | */ |
| 311 | String propValue = AccessController.doPrivileged( |
| 312 | new GetPropertyAction("sun.security.spnego.msinterop", |
| 313 | "true")); |
| 314 | /* |
| 315 | * This property has to be explicitly set to "false". Invalid |
| 316 | * values should be ignored and the default "true" assumed. |
| 317 | */ |
| 318 | return (!propValue.equalsIgnoreCase("false")); |
| 319 | } |
| 320 | |
| 321 | /** |
| 322 | * Searches the private credentials of current Subject with the |
| 323 | * specified criteria and returns the matching GSSCredentialSpi |
| 324 | * object out of Sun's impl of GSSCredential. Returns null if |
| 325 | * no Subject present or a Vector which contains 0 or more |
| 326 | * matching GSSCredentialSpi objects. |
| 327 | */ |
| 328 | public static Vector searchSubject(final GSSNameSpi name, |
| 329 | final Oid mech, |
| 330 | final boolean initiate, |
| 331 | final Class credCls) { |
| 332 | debug("Search Subject for " + getMechStr(mech) + |
| 333 | (initiate? " INIT" : " ACCEPT") + " cred (" + |
| 334 | (name == null? "<<DEF>>" : name.toString()) + ", " + |
| 335 | credCls.getName() + ")"); |
| 336 | final AccessControlContext acc = AccessController.getContext(); |
| 337 | try { |
| 338 | Vector creds = |
| 339 | AccessController.doPrivileged |
| 340 | (new PrivilegedExceptionAction<Vector>() { |
| 341 | public Vector run() throws Exception { |
| 342 | Subject accSubj = Subject.getSubject(acc); |
| 343 | Vector<GSSCredentialSpi> result = null; |
| 344 | if (accSubj != null) { |
| 345 | result = new Vector<GSSCredentialSpi>(); |
| 346 | Iterator<GSSCredentialImpl> iterator = |
| 347 | accSubj.getPrivateCredentials |
| 348 | (GSSCredentialImpl.class).iterator(); |
| 349 | while (iterator.hasNext()) { |
| 350 | GSSCredentialImpl cred = iterator.next(); |
| 351 | debug("...Found cred" + cred); |
| 352 | try { |
| 353 | GSSCredentialSpi ce = |
| 354 | cred.getElement(mech, initiate); |
| 355 | debug("......Found element: " + ce); |
| 356 | if (ce.getClass().equals(credCls) && |
| 357 | (name == null || |
| 358 | name.equals((Object) ce.getName()))) { |
| 359 | result.add(ce); |
| 360 | } else { |
| 361 | debug("......Discard element"); |
| 362 | } |
| 363 | } catch (GSSException ge) { |
| 364 | debug("...Discard cred (" + ge + ")"); |
| 365 | } |
| 366 | } |
| 367 | } else debug("No Subject"); |
| 368 | return result; |
| 369 | } |
| 370 | }); |
| 371 | return creds; |
| 372 | } catch (PrivilegedActionException pae) { |
| 373 | debug("Unexpected exception when searching Subject:"); |
| 374 | if (DEBUG) pae.printStackTrace(); |
| 375 | return null; |
| 376 | } |
| 377 | } |
| 378 | } |