krb5loginmodule.java

/* * @(#)Krb5LoginModule.java	1.32 06/06/01 * * Copyright 2006 Sun Microsystems, Inc. All rights reserved. * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms. */package com.sun.security.auth.module;import java.io.*;import java.net.*;import java.text.MessageFormat;import java.util.*;import javax.security.auth.*;import javax.security.auth.kerberos.*;import javax.security.auth.callback.*;import javax.security.auth.login.*;import javax.security.auth.spi.*;import sun.security.krb5.*;import sun.security.krb5.Config;import sun.security.krb5.RealmException;import sun.security.util.AuthResources;import sun.security.jgss.krb5.Krb5Util;import sun.security.krb5.Credentials;import sun.misc.HexDumpEncoder;/** * <p> This <code>LoginModule</code> authenticates users using  * Kerberos protocols.  * * <p> The configuration entry for <code>Krb5LoginModule</code> has  * several options that control the authentication process and  * additions to the <code>Subject</code>'s private credential * set. Irrespective of these options, the <code>Subject</code>'s * principal set and private credentials set are updated only when  * <code>commit</code> is called. * When <code>commit</code> is called, the <code>KerberosPrincipal</code> * is added to the  <code>Subject</code>'s * principal set and <code>KerberosTicket</code> is * added to the <code>Subject</code>'s private credentials. * * <p> If the configuration entry for <code>KerberosLoginModule</code>  * has the option <code>storeKey</code> set to true, then   * <code>KerberosKey</code> will also be added to the  * subject's private credentials. <code>KerberosKey</code>, the principal's * key will be either obtained from the keytab or * derived from user's password. *  * <p> This <code>LoginModule</code> recognizes the <code>doNotPrompt</code>  * option. If set to true the user will not be prompted for the password. 
 *
 * <p> The user can specify the location of the ticket cache by using
 * the option <code>ticketCache</code> in the configuration entry.
 *
 * <p>The user can specify the keytab location by using
 * the option <code>keyTab</code>
 * in the configuration entry.
 *
 * <p> The principal name can be specified in the configuration entry
 * by using the option <code>principal</code>. The principal name
 * can either be a simple user name or a service name such as
 * <code>host/mission.eng.sun.com</code>. The principal can also
 * be set using the system property <code>sun.security.krb5.principal</code>.
 * This property is checked during login. If this property is not set, then
 * the principal name from the configuration is used. In the
 * case where the principal property is not set and the principal
 * entry also does not exist, the user is prompted for the name.
 *
 * <p> The following is a list of configuration options supported
 * for <code>Krb5LoginModule</code>:
 * <dl>
 * <blockquote><dt><b><code>refreshKrb5Config</code></b>:</dt>
 * <dd> Set this to true, if you want the configuration
 * to be refreshed before the <code>login</code> method is called.</dd>
 * <P>
 * <dt><b><code>useTicketCache</code></b>:</dt>
 * <dd>Set this to true, if you want the
 * TGT to be obtained
 * from the ticket cache. Set this option
 * to false if you do not want this module to use the ticket cache.
 * (Default is false.)
 * This module will
 * search for the ticket
 * cache in the following locations:
 * For Windows 2000, it will use the Local Security Authority (LSA) API
 * to get the TGT. On Solaris and Linux
 * it will look for the ticket cache in /tmp/krb5cc_<code>uid</code>
 * where uid is the numeric user
 * identifier. If the ticket cache is
 * not available in either of the above locations, or if we are on a
 * different Windows platform, it will look for the cache as
 * {user.home}{file.separator}krb5cc_{user.name}.
 * You can override the ticket cache location by using
 * <code>ticketCache</code>.
 * <P>
 * <dt><b><code>ticketCache</code></b>:</dt>
 * <dd>Set this to the name of the ticket
 * cache that contains the user's TGT.
 * If this is set, <code>useTicketCache</code>
 * must also be set to true; otherwise a configuration error will
 * be returned.</dd>
 * <P>
 * <dt><b><code>renewTGT</code></b>:</dt>
 * <dd>Set this to true, if you want to renew
 * the TGT. If this is set, <code>useTicketCache</code> must also be
 * set to true; otherwise a configuration error will be returned.</dd>
 * <p>
 * <dt><b><code>doNotPrompt</code></b>:</dt>
 * <dd>Set this to true if you do not want to be
 * prompted for the password
 * if credentials can not be obtained from the cache or keytab. (Default is false.)
 * If set to true, authentication will fail if credentials can
 * not be obtained from the cache or keytab. Unattended services should
 * set this to true so that a missing credential fails the login rather
 * than triggering a password prompt.</dd>
 * <P>
 * <dt><b><code>useKeyTab</code></b>:</dt>
 * <dd>Set this to true if you
 * want the module to get the principal's key from
 * the keytab. (Default value is false.)
 * If <code>keyTab</code>
 * is not set then
 * the module will locate the keytab from the
 * Kerberos configuration file.
 * If it is not specified in the Kerberos configuration file
 * then it will look for the file
 * <code>{user.home}{file.separator}</code>krb5.keytab.</dd>
 * <P>
 * <dt><b><code>keyTab</code></b>:</dt>
 * <dd>Set this to the file name of the
 * keytab to get the principal's secret key.</dd>
 * <P>
 * <dt><b><code>storeKey</code></b>:</dt>
 * <dd>Set this to true if you want the
 * principal's key to be stored in the Subject's private credentials.
 * The stored <code>KerberosKey</code> is the principal's long-term secret,
 * equivalent to its password or keytab entry: any code that can read the
 * Subject's private credentials can impersonate the principal. Enable this
 * only when the application actually needs the key (typically an acceptor),
 * and protect the Subject accordingly.</dd>
 * <p>
 * <dt><b><code>principal</code></b>:</dt>
 * <dd>The name of the principal that should
 * be used. The principal can be a simple username such as
 * "<code>testuser</code>" or a service name such as
 * "<code>host/testhost.eng.sun.com</code>".
 * You can use the
 * <code>principal</code> option to set the principal when there are
 * credentials for multiple principals in the
 * <code>keyTab</code> or when you want a specific ticket cache only.
 * The principal can also be set using the system property
 * <code>sun.security.krb5.principal</code>. If this
 * system property is defined, it takes precedence and will be used. If this
 * property is not set, then the principal name from the configuration will be
 * used. Because the system property overrides the configuration entry,
 * anything that can set JVM system properties can change which principal
 * this module authenticates as; treat it as part of the security
 * configuration.</dd>
 * <P>
 * <dt><b><code>isInitiator</code></b>:</dt>
 * <dd>Set this to true if initiator. Set this to false if acceptor only.
 * (Default is true.)
 * Note: Do not set this value to false for initiators.</dd>
 * </dl></blockquote>
 *
 * <p> This <code>LoginModule</code> also recognizes the following additional
 * <code>Configuration</code>
 * options that enable you to share usernames and passwords across different
 * authentication modules:
 * <pre>
 *
 *    useFirstPass   if true, this LoginModule retrieves the
 *                   username and password from the module's shared state,
 *                   using "javax.security.auth.login.name" and
 *                   "javax.security.auth.login.password" as the respective
 *                   keys. The retrieved values are used for authentication.
 *                   If authentication fails, no attempt at a retry
 *                   is made, and the failure is reported back to the
 *                   calling application.
 *
 *    tryFirstPass   if true, this LoginModule retrieves the
 *                   username and password from the module's shared
 *                   state using "javax.security.auth.login.name" and
 *                   "javax.security.auth.login.password" as the respective
 *                   keys.  The retrieved values are used for
 *                   authentication.
 *                   If authentication fails, the module uses the
 *                   CallbackHandler to retrieve a new username
 *                   and password, and another attempt to authenticate
 *                   is made. If the authentication fails,
 *                   the failure is reported back to the calling application.
 *
 *    storePass      if true, this LoginModule stores the username and
 *                   password obtained from the CallbackHandler in the
 *                   module's shared state, using
 *                   "javax.security.auth.login.name" and
 *                   "javax.security.auth.login.password" as the respective
 *                   keys.  This is not performed if existing values already
 *                   exist for the username and password in the shared
 *                   state, or if authentication fails.
 *
 *    clearPass      if true, this <code>LoginModule</code> clears the
 *                   username and password stored in the module's shared
 *                   state after both phases of authentication
 *                   (login and commit) have completed. When storePass is
 *                   used, set clearPass to true as well; otherwise the
 *                   password remains in the shared-state map after login,
 *                   readable by any later module or caller holding the map.
 * </pre>
 * <p>Examples of some configuration values for Krb5LoginModule in a
 * JAAS config file and the results are:
 * <ul>
 * <p> <code>doNotPrompt</code>=true;
 * </ul>
 * <p> This is an illegal combination since <code>useTicketCache</code>
 * is not set and the user can not be prompted for the password.
 *<ul>
 * <p> <code>ticketCache</code> = < filename >;
 *</ul>
 * <p> This is an illegal combination since <code>useTicketCache</code>
 * is not set to true and the ticketCache is set. A configuration error
 * will occur.
 * <ul>
 * <p> <code>renewTGT</code>=true;
 *</ul>
 * <p> This is an illegal combination since <code>useTicketCache</code> is
 * not set to true and renewTGT is set. A configuration error will occur.
 * <ul>
 * <p> <code>storeKey</code>=true
 * <code>useTicketCache</code> = true
 * <code>doNotPrompt</code>=true;
 *</ul>
 * <p> This is an illegal combination since <code>storeKey</code> is set to
 * true but the key can not be obtained either by prompting the user or from
 * the keytab. A configuration error will occur.
 * <ul>
 * <p>  <code>keyTab</code> = < filename > <code>doNotPrompt</code>=true;
 * </ul>
 * <p>This is an illegal combination since useKeyTab is not set to true and
 * the keyTab is set. A configuration error will occur.
 * <ul>
 * <p> <code>debug=true </code>
 *</ul>
 * <p> Prompt the user for the principal name and the password.
 * Use the authentication exchange to get the TGT from the KDC and
 * populate the <code>Subject</code> with the principal and TGT.
 * Output debug messages. Debug output is for troubleshooting only and
 * should not be left enabled in production, where it can expose details
 * of the authentication exchange in application logs.
 * <ul>
 * <p> <code>useTicketCache</code> = true <code>doNotPrompt</code>=true;
 *</ul>
 * <p>Check the default cache for the TGT and populate the <code>Subject</code>
 * with the principal and TGT. If the TGT is not available,
 * do not prompt the user; instead fail the authentication.
 * <ul>
 * <p><code>principal</code>=< name ><code>useTicketCache</code> = true
 * <code>doNotPrompt</code>=true;
 *</ul>
 * <p> Get the TGT from the default cache for the principal and populate the
 * Subject's principal and private credentials set. If the ticket cache is
 * not available or does not contain the principal's TGT,
 * authentication will fail.
 * <ul>
 * <p> <code>useTicketCache</code> = true
 * <code>ticketCache</code>=< file name ><code>useKeyTab</code> = true
 * <code> keyTab</code>=< keytab filename >
 * <code>principal</code> = < principal name >
 * <code>doNotPrompt</code>=true;
 *</ul>
 * <p>  Search the cache for the principal's TGT. If it is not available,
 * use the key in the keytab to perform the authentication exchange with the
 * KDC and acquire the TGT.
 * The Subject will be populated with the principal and the TGT.
 * If the key is not available or not valid, then authentication will fail.
 * <ul>
 * <p><code>useTicketCache</code> = true
 * <code>ticketCache</code>=< file name >
 *</ul>
 * <p> The TGT will be obtained from the cache specified.
 * The Kerberos principal name used will be the principal name in
 * the ticket cache. If the TGT is not available in the
 * ticket cache, the user will be prompted for the principal name
 * and the password. The TGT will be obtained using the authentication
 * exchange with the KDC.
 * The Subject will be populated with the TGT.
 *<ul>
 * <p> <code>useKeyTab</code> = true
 * <code>keyTab</code>=< keytab filename >
 * <code>principal</code>= < principal name >
 * <code>storeKey</code>=true;
 *</ul>
 * <p>  The key for the principal will be retrieved from the keytab.
 * If the key is not available in the keytab, the user will be prompted
 * for the principal's password. The Subject will be populated
 * with the principal's key, either from the keytab or derived from the
 * password entered.
 * <ul>
 * <p> <code>useKeyTab</code> = true
 * <code>keyTab</code>=< keytabname >
 * <code>storeKey</code>=true
 * <code>doNotPrompt</code>=true;
 *</ul>
 * <p>The user will be prompted for the service principal name.
 * If the principal's
 * long-term key is available in the keytab, it will be added to the
 * Subject's private credentials. An authentication exchange will be
 * attempted with the principal name and the key from the keytab.
 * If successful, the TGT will be added to the
 * Subject's private credentials set. Otherwise the authentication will
 * fail.
 *<ul>
 * <p><code>useKeyTab</code> = true
 * <code>keyTab</code>=< file name > <code>storeKey</code>=true
 * <code>principal</code>= < principal name >
 * <code>useTicketCache</code>=true
 * <code>ticketCache</code>=< file name >;
 *</ul>
 * <p>The principal's key will be retrieved from the keytab and added
 * to the <code>Subject</code>'s private credentials.
If the key is not available, the
 * user will be prompted for the password; the key derived from the password
 * will be added to the Subject's private credentials set. The
 * client's TGT will be retrieved from the ticket cache and added to the
 * <code>Subject</code>'s private credentials. If the TGT is not available
 * in the ticket cache, it will be obtained using the authentication
 * exchange and added to the Subject's private credentials.
 * <ul>
 * <p><code>isInitiator</code> = false
 *</ul>
 * <p>Configured to act as acceptor only; credentials are not acquired
 * via the AS exchange. For acceptors only, set this value to false.
 * For initiators, do not set this value to false.
 * <ul>
 * <p><code>isInitiator</code> = true
 *</ul>
 * <p>Configured to act as initiator; credentials are acquired
 * via the AS exchange. For initiators, set this value to true, or leave this
 * option unset, in which case the default value (true) will be used.
 *
 * @version 1.18, 01/11/00
 * @author Ram Marti
 */
public class Krb5LoginModule implements LoginModule {

    // Initial state handed to this module by the JAAS framework.
    // NOTE(review): presumably populated in initialize(), which is not on this page.
    private Subject subject;
    private CallbackHandler callbackHandler;
    // State shared with the other login modules of the same configuration
    // entry; the username/password travel through it under the NAME/PWD keys below.
    private Map sharedState;
    // The options of this module's configuration entry (see the class Javadoc).
    private Map options;

    // Configurable options, taken from the configuration entry. The defaults
    // here are the ones stated in the class Javadoc.
    private boolean debug = false;
    // When true, the principal's long-term key is added to the Subject's
    // private credentials as a KerberosKey; that key is as sensitive as the
    // keytab entry or password it came from.
    private boolean storeKey = false;
    private boolean doNotPrompt = false;
    private boolean useTicketCache = false;
    private boolean useKeyTab = false;
    private String ticketCacheName = null;
    private String keyTabName = null;
    private String princName = null;
    // Username/password sharing with other modules (useFirstPass, tryFirstPass,
    // storePass, clearPass in the class Javadoc).
    private boolean useFirstPass = false;
    private boolean tryFirstPass = false;
    private boolean storePass = false;
    private boolean clearPass = false;
    private boolean refreshKrb5Config = false;
    private boolean renewTGT = false;
    // Whether this module acts as an initiator and performs the AS exchange;
    // acceptor-only deployments set this to false.
    private boolean isInitiator = true;

    // The authentication status of the login and commit phases.
    private boolean succeeded = false;
    private boolean commitSucceeded = false;

    private String username;
    // NOTE(review): presumably the principal's long-term key(s) in internal form,
    // from the keytab or derived from the password; confirm on the following pages.
    private EncryptionKey[] encKeys = null;
    // NOTE(review): presumably the TGT credentials acquired or read from the cache.
    private Credentials cred = null;
    private PrincipalName principal = null;
    // What commit() adds to the Subject per the class Javadoc: the principal,
    // the ticket, and (only when storeKey is true) the keys.
    private KerberosPrincipal kerbClientPrinc = null;
    private KerberosTicket kerbTicket = null;
    private KerberosKey[] kerbKeys = null;
    private StringBuffer krb5PrincName = null;
    // Held as char[] rather than String so it can be zeroed once no longer
    // needed. NOTE(review): confirm it is cleared after use in the code that follows.
    private char[] password = null;

    // Shared-state keys used by useFirstPass/tryFirstPass/storePass/clearPass.
    private static final String NAME = "javax.security.auth.login.name";
    private static final String PWD = "javax.security.auth.login.password";

    // Localized prompt and error messages.
    static final java.util.ResourceBundle rb =
        java.util.ResourceBundle.getBundle("sun.security.util.AuthResources");

    /**
