[
https://issues.apache.org/jira/browse/QPIDJMS-303?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16096227#comment-16096227
]
ASF GitHub Bot commented on QPIDJMS-303:
----------------------------------------
Github user gemmellr commented on a diff in the pull request:
https://github.com/apache/qpid-jms/pull/10#discussion_r128748789
--- Diff:
qpid-jms-client/src/main/java/org/apache/qpid/jms/sasl/GssapiMechanism.java ---
@@ -0,0 +1,163 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.qpid.jms.sasl;
+
+import javax.security.auth.Subject;
+import javax.security.auth.login.AppConfigurationEntry;
+import javax.security.auth.login.Configuration;
+import javax.security.auth.login.LoginContext;
+import javax.security.sasl.Sasl;
+import javax.security.sasl.SaslClient;
+import javax.security.sasl.SaslException;
+import java.security.Principal;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
+import java.util.HashMap;
+import java.util.Map;
+
+/**
+ * Implements the GSSAPI sasl authentication Mechanism.
+ */
+public class GssapiMechanism extends AbstractMechanism {
+
+ public static final String NAME = "GSSAPI";
+ private Subject subject;
+ private SaslClient saslClient;
+ private String protocol = "amqp";
+ private String server = null;
+ private String configScope = null;
+
+ // a gss/sasl service name, x@y, morphs to a krbPrincipal a/y@REALM
+
+ @Override
+ public int getPriority() {
+ return PRIORITY.LOW.getValue();
+ }
+
+ @Override
+ public String getName() {
+ return NAME;
+ }
+
+ @Override
+ public byte[] getInitialResponse() throws SaslException {
+ try {
+ LoginContext loginContext = null;
+ if (configScope != null) {
+ loginContext = new LoginContext(configScope);
+ } else {
+ // inline keytab config using user as principal
+ loginContext = new LoginContext("", null, null,
+ kerb5InlineConfig(getUsername(), true));
+ }
+ loginContext.login();
+ subject = loginContext.getSubject();
+
+ return Subject.doAs(subject, new
PrivilegedExceptionAction<byte[]>() {
+
+ @Override
+ public byte[] run() throws Exception {
+ saslClient = Sasl.createSaslClient(new
String[]{getName()}, null, protocol, server, null, null);
+ if (saslClient.hasInitialResponse()) {
+ return saslClient.evaluateChallenge(new byte[0]);
+ }
+ return null;
+ }
+ });
+ } catch (Exception e) {
+ throw new SaslException(e.toString(), e);
+ }
+ }
+
+ @Override
+ public byte[] getChallengeResponse(final byte[] challenge) throws
SaslException {
+ try {
+ return Subject.doAs(subject, new
PrivilegedExceptionAction<byte[]>() {
+ @Override
+ public byte[] run() throws Exception {
+ return saslClient.evaluateChallenge(challenge);
+ }
+ });
+ } catch (PrivilegedActionException e) {
+ throw new SaslException(e.toString(), e);
+ }
+ }
+
+ @Override
+ public void verifyCompletion() throws SaslException {
+ boolean result = saslClient.isComplete();
+ saslClient.dispose();
+ if (!result) {
+ throw new SaslException("not complete");
+ }
+ }
+
+
+ @Override
+ public boolean isApplicable(String username, String password,
Principal localPrincipal) {
+ return true;
+ }
+
+ public static Configuration kerb5InlineConfig(String principal,
boolean initiator) {
+ final Map<String, String> krb5LoginModuleOptions = new HashMap<>();
+ krb5LoginModuleOptions.put("isInitiator",
String.valueOf(initiator));
+ krb5LoginModuleOptions.put("principal", principal);
+ krb5LoginModuleOptions.put("useKeyTab", "true");
+ krb5LoginModuleOptions.put("storeKey", "true");
+ krb5LoginModuleOptions.put("doNotPrompt", "true");
+ krb5LoginModuleOptions.put("renewTGT", "true");
+ krb5LoginModuleOptions.put("refreshKrb5Config", "true");
+ krb5LoginModuleOptions.put("useTicketCache", "true");
+ String ticketCache = System.getenv("KRB5CCNAME");
+ if (ticketCache != null) {
+ krb5LoginModuleOptions.put("ticketCache", ticketCache);
+ }
+ return new Configuration() {
+ @Override
+ public AppConfigurationEntry[] getAppConfigurationEntry(String
name) {
+ return new AppConfigurationEntry[]{
+ new
AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
+
AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
+ krb5LoginModuleOptions)};
+ }
+ };
+ }
+
+ public String getProtocol() {
+ return protocol;
+ }
+
+ public void setProtocol(String protocol) {
+ this.protocol = protocol;
+ }
+
+ public String getServer() {
+ return server;
+ }
+
+ public void setServer(String server) {
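Review bot: The `Sasl.createSaslClient(new String[]{getName()}, null, protocol, server, null, null)` call inside the `Subject.doAs` action of `getInitialResponse` passes `null` for the properties map, so the client runs on the JDK defaults documented for `Sasl.QOP` ("auth") and `Sasl.SERVER_AUTH` ("false"); with mutual authentication not requested, nothing in this mechanism appears to check that the broker actually holds the `protocol@server` service key, and the issue description only delegates confidentiality to TLS, which covers broker identity only when that TLS layer verifies it. Consider building an explicit map and passing it in place of the first `null` after `server`, e.g. `Map<String, String> props = new HashMap<>(); props.put(Sasl.SERVER_AUTH, "true"); props.put(Sasl.QOP, "auth");`, and stating in a comment on the field that no SASL integrity or privacy layer is negotiated so `wrap`/`unwrap` are intentionally never called. Independently, `isApplicable` returning `true` unconditionally means the mechanism is offered even when no Kerberos credentials or `configScope` exist, which surfaces only as a late `LoginException` wrapped by the broad `catch (Exception e)`; a comment explaining that the low priority is what keeps PLAIN/others preferred would help readers. The class definition continues past the end of the quoted hunk.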
--- End diff --
Name this serverName perhaps? That's how it's referenced by the bits that use
it.
> Add support for SASL GSSAPI Kerberos mechanism
> ----------------------------------------------
>
> Key: QPIDJMS-303
> URL: https://issues.apache.org/jira/browse/QPIDJMS-303
> Project: Qpid JMS
> Issue Type: Bug
> Components: qpid-jms-client
> Reporter: Gary Tully
>
> It would be great to be able to authenticate using kerberos credentials using
> the SASL GSSAPI mechanism.
> Authentication would be sufficient leaving TLS to do encryption of the
> channel if that is necessary.
--