krb5loginmodule.java

     * Initialize this <code>LoginModule</code> with the subject, callback
     * handler, shared state and the options from the login
     * <code>Configuration</code>.
     *
     * <p>Every boolean option is read as the string <code>"true"</code>
     * (case-insensitive); anything else, including an absent option, yields
     * <code>false</code>. <code>isInitiator</code> is the one exception: when
     * the option is absent the field keeps its existing default rather than
     * being reset. The string options <code>ticketCache</code>,
     * <code>keyTab</code> and <code>principal</code> are stored as given and
     * may be <code>null</code>.
     *
     * <p>Option values are cast to <code>String</code>; a non-String value in
     * the map fails with a <code>ClassCastException</code>.
     *
     * @param subject the <code>Subject</code> to be authenticated. <p>
     *
     * @param callbackHandler a <code>CallbackHandler</code> for
     *                  communication with the end user (prompting for
     *                  usernames and passwords, for example). <p>
     *
     * @param sharedState shared <code>LoginModule</code> state. <p>
     *
     * @param options options specified in the login
     *                  <code>Configuration</code> for this particular
     *                  <code>LoginModule</code>.
     */
    public void initialize(Subject subject,
                           CallbackHandler callbackHandler,
                           Map<String, ?> sharedState,
                           Map<String, ?> options) {
        this.subject = subject;
        this.callbackHandler = callbackHandler;
        this.sharedState = sharedState;
        this.options = options;

        // Boolean switches, read in their established order.
        debug = optionIsTrue(options, "debug");
        storeKey = optionIsTrue(options, "storeKey");
        doNotPrompt = optionIsTrue(options, "doNotPrompt");
        useTicketCache = optionIsTrue(options, "useTicketCache");
        useKeyTab = optionIsTrue(options, "useKeyTab");

        // Plain string options; null means "not configured".
        ticketCacheName = (String) options.get("ticketCache");
        keyTabName = (String) options.get("keyTab");
        princName = (String) options.get("principal");

        refreshKrb5Config = optionIsTrue(options, "refreshKrb5Config");
        renewTGT = optionIsTrue(options, "renewTGT");

        // isInitiator keeps its default unless the option is explicitly present.
        String isInitiatorValue = (String) options.get("isInitiator");
        if (isInitiatorValue != null) {
            isInitiator = "true".equalsIgnoreCase(isInitiatorValue);
        }

        tryFirstPass = optionIsTrue(options, "tryFirstPass");
        useFirstPass = optionIsTrue(options, "useFirstPass");
        storePass = optionIsTrue(options, "storePass");
        clearPass = optionIsTrue(options, "clearPass");

        if (debug) {
            // Summarises the parsed configuration only (flags and names, no
            // credentials); written as a single line to stdout.
            StringBuilder summary = new StringBuilder()
                .append("Debug is  ").append(debug)
                .append(" storeKey ").append(storeKey)
                .append(" useTicketCache ").append(useTicketCache)
                .append(" useKeyTab ").append(useKeyTab)
                .append(" doNotPrompt ").append(doNotPrompt)
                .append(" ticketCache is ").append(ticketCacheName)
                .append(" isInitiator ").append(isInitiator)
                .append(" KeyTab is ").append(keyTabName)
                .append(" refreshKrb5Config is ").append(refreshKrb5Config)
                .append(" principal is ").append(princName)
                .append(" tryFirstPass is ").append(tryFirstPass)
                .append(" useFirstPass is ").append(useFirstPass)
                .append(" storePass is ").append(storePass)
                .append(" clearPass is ").append(clearPass)
                .append("\n");
            System.out.print(summary.toString());
        }
    }

    /**
     * Reads a boolean option from the login configuration.
     *
     * @param options the option map handed to {@link #initialize}
     * @param key the option name
     * @return <code>true</code> only if the value is the string
     *         <code>"true"</code>, compared case-insensitively; an absent
     *         option is <code>false</code>
     * @throws ClassCastException if the stored value is not a
     *         <code>String</code>
     */
    private static boolean optionIsTrue(Map<String, ?> options, String key) {
        return "true".equalsIgnoreCase((String) options.get(key));
    }

    /**
     * Authenticate the user
     *
     * <p>
     *
     * @return true in all cases since this <code>LoginModule</code>
     *          should not be ignored.
     *
     * @exception FailedLoginException if the authentication fails. <p>
     *
     * @exception LoginException if this <code>LoginModule</code>
     *          is unable to perform the authentication.
     
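*/
    public boolean login() throws LoginException {

        validateConfiguration();

        // Optionally re-read the Kerberos configuration before anything else;
        // a KrbException from the reload is surfaced as a LoginException with
        // the original exception kept as the cause.
        if (refreshKrb5Config) {
            try {
                if (debug) {
                    System.out.println("Refreshing Kerberos configuration");
                }
                sun.security.krb5.Config.refresh();
            } catch (KrbException ke) {
                LoginException le = new LoginException(ke.getMessage());
                le.initCause(ke);
                throw le;
            }
        }

        // The sun.security.krb5.principal system property wins over the
        // "principal" option; if neither is set krb5PrincName is left as is.
        String principalProperty = System.getProperty("sun.security.krb5.principal");
        if (principalProperty != null) {
            krb5PrincName = new StringBuffer(principalProperty);
        } else {
            if (princName != null) {
                krb5PrincName = new StringBuffer(princName);
            }
        }

        if (tryFirstPass) {
            // First try the name/password saved in sharedState by an earlier
            // module; on failure fall through to the prompting attempt below.
            try {
                attemptAuthentication(true);
                if (debug) {
                    System.out.println("\t\t[Krb5LoginModule] " +
                                       "authentication succeeded");
                }
                succeeded = true;
                cleanState();
                return true;
            } catch (LoginException le) {
                // authentication failed -- try again below by prompting
                cleanState();
                if (debug) {
                    System.out.println("\t\t[Krb5LoginModule] " +
                                       "tryFirstPass failed with:" +
                                       le.getMessage());
                }
            }
        } else if (useFirstPass) {
            // sharedState is the only permitted source here, so a failure is
            // final and is rethrown after the state has been cleaned.
            try {
                attemptAuthentication(true);
                succeeded = true;
                cleanState();
                return true;
            } catch (LoginException e) {
                // authentication failed -- clean out state
                if (debug) {
                    System.out.println("\t\t[Krb5LoginModule] " +
                                       "authentication failed \n" +
                                       e.getMessage());
                }
                succeeded = false;
                cleanState();
                throw e;
            }
        }

        // attempt the authentication by getting the username and pwd
        // by prompting or configuration i.e. not from shared state
        try {
            attemptAuthentication(false);
            succeeded = true;
            cleanState();
            return true;
        } catch (LoginException e) {
            // authentication failed -- clean out state
            if (debug) {
                System.out.println("\t\t[Krb5LoginModule] " +
                                   "authentication failed \n" +
                                   e.getMessage());
            }
            succeeded = false;
            cleanState();
            throw e;
        }
    }

    /**
     * Process the configuration options and obtain the client's TGT and/or
     * secret keys, in this order:
     * <ol>
     * <li>if <code>useTicketCache</code> is set, look the TGT up in the
     *     credentials cache (<code>ticketCacheName</code>, or the default
     *     cache when it is <code>null</code>); a cached TGT that is no longer
     *     current is renewed when <code>renewTGT</code> is set and discarded
     *     otherwise, and a usable cached TGT also supplies the principal if
     *     none was configured;</li>
     * <li>if no TGT was obtained, determine the principal (prompting for the
     *     name if it is still unknown), then read the secret keys from the
     *     keytab when <code>useKeyTab</code> is set;</li>
     * <li>if the keytab yielded nothing, prompt for the password and derive
     *     the keys from it; when <code>isInitiator</code> is set, run the AS
     *     exchange to acquire the TGT.</li>
     * </ol>
     *
     * @param getPasswdFromSharedState whether the name and password are to be
     *        taken from <code>sharedState</code> instead of prompted for;
     *        passed through to {@link #promptForName} and
     *        <code>promptForPass</code>
     * @exception LoginException if a <code>KrbException</code> or
     *        <code>IOException</code> occurs (kept as the cause), or if this
     *        module is an initiator and no TGT could be obtained
     */
    private void attemptAuthentication(boolean getPasswdFromSharedState)
        throws LoginException {

        /*
         * Build the PrincipalName from the configured or property-supplied
         * name, if there is one; otherwise the principal is discovered from the
         * ticket cache or prompted for below.
         */
        if (krb5PrincName != null) {
            try {
                principal = new PrincipalName
                    (krb5PrincName.toString(),
                     PrincipalName.KRB_NT_PRINCIPAL);
            } catch (KrbException e) {
                LoginException le = new LoginException(e.getMessage());
                le.initCause(e);
                throw le;
            }
        }

        try {
            if (useTicketCache) {
                // ticketCacheName == null implies the default cache
                if (debug) {
                    System.out.println("Acquire TGT from Cache");
                }
                cred = Credentials.acquireTGTFromCache
                    (principal, ticketCacheName);

                if (cred != null) {
                    // check to renew credentials
                    if (!isCurrent(cred)) {
                        if (renewTGT) {
                            cred = renewCredentials(cred);
                        } else {
                            // credentials have expired
                            cred = null;
                            if (debug) {
                                System.out.println("Credentials are" +
                                        " no longer valid");
                            }
                        }
                    }
                }

                if (cred != null) {
                    // get the principal name from the ticket cache
                    if (principal == null) {
                        principal = cred.getClient();
                    }
                }
                if (debug) {
                    System.out.println("Principal is " + principal);
                    if (cred == null) {
                        System.out.println
                            ("null credentials from Ticket Cache");
                    }
                }
            }

            // cred = null indicates that we didn't get the creds
            // from the cache or useTicketCache was false
            if (cred == null) {
                // We need the principal name whether we use keytab
                // or AS Exchange
                if (principal == null) {
                    promptForName(getPasswdFromSharedState);
                    principal = new PrincipalName
                        (krb5PrincName.toString(),
                         PrincipalName.KRB_NT_PRINCIPAL);
                }

                if (useKeyTab) {
                    encKeys =
                        EncryptionKey.acquireSecretKeys(principal, keyTabName);
                    if (debug) {
                        if (encKeys != null) {
                            System.out.println
                                ("principal's key obtained from the keytab");
                        } else {
                            System.out.println
                                ("Key for the principal " +
                                 principal +
                                 " not available in " +
                                 ((keyTabName == null) ?
                                  "default key tab" : keyTabName));
                        }
                    }
                }

                // We can't get the key from the keytab so prompt
                if (encKeys == null) {
                    promptForPass(getPasswdFromSharedState);
                    encKeys = EncryptionKey.acquireSecretKeys(
                        password, principal.getSalt());

                    if (isInitiator) {
                        if (debug) {
                            System.out.println("Acquire TGT using AS Exchange");
                        }
                        cred = Credentials.acquireTGT(principal,
                                                encKeys, password);
                        // update keys after pre-auth (the original comment;
                        // presumably the salt/etype can differ once the KDC
                        // has answered -- confirm before relying on it)
                        encKeys = EncryptionKey.acquireSecretKeys(password,
                                                        principal.getSalt());
                    }
                } else {
                    if (isInitiator) {
                        if (debug) {
                            System.out.println("Acquire TGT using AS Exchange");
                        }
                        cred = Credentials.acquireTGT(principal,
                                                encKeys, password);
                    }
                }

                // Get the TGT using AS Exchange
                if (debug) {
                    System.out.println("principal is " + principal);
                    HexDumpEncoder hd = new HexDumpEncoder();
                    // NOTE(review): this writes the raw bytes of the
                    // principal's secret keys to stdout. Debug output of this
                    // module must therefore be treated as sensitive material.
                    for (int i = 0; i < encKeys.length; i++) {
                        System.out.println("EncryptionKey: keyType=" +
                            encKeys[i].getEType() + " keyBytes (hex dump)=" +
                            hd.encode(encKeys[i].getBytes()));
                    }
                }

                // we should hava a non-null cred
                if (isInitiator && (cred == null)) {
                    throw new LoginException
                        ("TGT Can not be obtained from the KDC ");
                }
            }
        } catch (KrbException e) {
            // Both wrappers keep the original exception as the cause.
            LoginException le = new LoginException(e.getMessage());
            le.initCause(e);
            throw le;
        } catch (IOException ioe) {
            LoginException ie = new LoginException(ioe.getMessage());
            ie.initCause(ioe);
            throw ie;
        }
    }

    /**
     * Determine the user name for the principal, either from the shared state
     * (when <code>getPasswdFromSharedState</code> is set) or by prompting
     * through the <code>CallbackHandler</code>, defaulting to the
     * <code>user.name</code> system property when the user enters nothing.
     * The result is stored in <code>krb5PrincName</code>.
     */
    private void promptForName(boolean getPasswdFromSharedState)
        throws LoginException {
        krb5PrincName = new StringBuffer("");
        if (getPasswdFromSharedState) {
            // use the name saved by the first module in the stack
            username = (String)sharedState.get(NAME);
            if (debug) {
                System.out.println
                    ("username from shared state is " + username + "\n");
            }
            if (username == null) {
                System.out.println
                    ("username from shared state is null\n");
                throw new LoginException
                    ("Username can not be obtained from sharedstate ");
            }
            if (debug) {
                System.out.println
                    ("username from shared state is " + username + "\n");
            }
            if (username != null && username.length() > 0) {
                krb5PrincName.insert(0, username);
                return;
            }
        }

        if (doNotPrompt) {
            throw new LoginException
                ("Unable to obtain Princpal Name for authentication ");
        } else {
            if (callbackHandler == null)
                throw new LoginException("No CallbackHandler "
                                         + "available "
                                         + "to garner authentication "
                                         + "information from the user");
            try {
                String defUsername = System.getProperty("user.name");

                Callback[] callbacks = new Callback[1];
                MessageFormat form = new MessageFormat(
                                       rb.getString(
                                       "Kerberos username [[defUsername]]: "));
                Object[] source = {defUsername};
                callbacks[0] = new NameCallback(form.format(source));
                callbackHandler.handle(callbacks);
                username = ((NameCallback)callbacks[0]).getName();
                if (username == null || username.length() == 0)
                    username = defUsername;
                krb5PrincName.insert(0, username);

            } catch (java.io.IOException ioe) {
                throw new LoginException(ioe.getMessage());
            } catch (UnsupportedCallbackException uce) {
                throw new LoginException
                    (uce.getMessage()
                     +" not available to garner "
                     +" authentication information "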
