Adding support for using delegated GSSCredential for Kerberos authentication

Contributed by Vipul Mehta <vipulmehta.1989@gmail.com> Internally httpclient relies on GSS API which uses JAAS login configuration specified by user to get the GSSCredential. This patch will allow a user to avoid the config file and directly set a delegated or normal GSSCredential. A normal GSSCredential can be obtained programatically from spn-keytab or user-password using custom Login module. git-svn-id: https://svn.apache.org/repos/asf/httpcomponents/httpclient/trunk@1623311 13f79535-47bb-0310-9956-ffa450edef68
2014-09-08 07:44:18 +00:00 · 2014-09-08 07:44:18 +00:00 · e82fdff2e9
parent 6f706c2328
commit e82fdff2e9
5 changed files with 128 additions and 10 deletions
--- a/httpclient/src/main/java-deprecated/org/apache/http/impl/auth/NegotiateScheme.java
+++ b/httpclient/src/main/java-deprecated/org/apache/http/impl/auth/NegotiateScheme.java
@ -113,6 +113,11 @@ public class NegotiateScheme extends GGSSchemeBase {

    @Override
    protected byte[] generateToken(final byte[] input, final String authServer) throws GSSException {
+        return super.generateToken(input, authServer);
+    }
+
+    @Override
+    protected byte[] generateToken(final byte[] input, final String authServer, final Credentials credentials) throws GSSException {
        /* Using the SPNEGO OID is the correct method.
         * Kerberos v5 works for IIS but not JBoss. Unwrapping
         * the initial token when using SPNEGO OID looks like what is
@ -133,7 +138,7 @@ public class NegotiateScheme extends GGSSchemeBase {
        byte[] token = input;
        boolean tryKerberos = false;
        try {
-            token = generateGSSToken(token, negotiationOid, authServer);
+            token = generateGSSToken(token, negotiationOid, authServer, credentials);
        } catch (final GSSException ex){
            // BAD MECH means we are likely to be using 1.5, fall back to Kerberos MECH.
            // Rethrow any other exception.
@ -149,7 +154,7 @@ public class NegotiateScheme extends GGSSchemeBase {
            /* Kerberos v5 GSS-API mechanism defined in RFC 1964.*/
            log.debug("Using Kerberos MECH " + KERBEROS_OID);
            negotiationOid  = new Oid(KERBEROS_OID);
-            token = generateGSSToken(token, negotiationOid, authServer);
+            token = generateGSSToken(token, negotiationOid, authServer, credentials);

            /*
             * IIS accepts Kerberos and SPNEGO tokens. Some other servers Jboss, Glassfish?
--- a/httpclient/src/main/java/org/apache/http/auth/KerberosCredentials.java
+++ b/httpclient/src/main/java/org/apache/http/auth/KerberosCredentials.java
@ -0,0 +1,69 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+package org.apache.http.auth;
+
+import java.io.Serializable;
+import java.security.Principal;
+
+import org.apache.http.annotation.Immutable;
+import org.ietf.jgss.GSSCredential;
+
+/**
+ * {@link Credentials} implementation based on GSSCredential for Kerberos Authentication.
+ *
+ * @since 4.4
+ */
+@Immutable
+public class KerberosCredentials implements Credentials, Serializable {
+
+    private static final long serialVersionUID = 487421613855550713L;
+
+    /** GSSCredential  */
+    private final GSSCredential gssCredential;
+
+    /**
+     * Constructor with GSSCredential argument
+     *
+     * @param gssCredential
+     */
+    public KerberosCredentials(final GSSCredential gssCredential) {
+        this.gssCredential = gssCredential;
+    }
+
+    public GSSCredential getGSSCredential() {
+        return gssCredential;
+    }
+
+    public Principal getUserPrincipal() {
+        return null;
+    }
+
+    public String getPassword() {
+        return null;
+    }
+
+}
--- a/httpclient/src/main/java/org/apache/http/impl/auth/GGSSchemeBase.java
+++ b/httpclient/src/main/java/org/apache/http/impl/auth/GGSSchemeBase.java
@ -40,6 +40,7 @@ import org.apache.http.auth.AUTH;
 import org.apache.http.auth.AuthenticationException;
 import org.apache.http.auth.Credentials;
 import org.apache.http.auth.InvalidCredentialsException;
+import org.apache.http.auth.KerberosCredentials;
 import org.apache.http.auth.MalformedChallengeException;
 import org.apache.http.client.protocol.HttpClientContext;
 import org.apache.http.conn.routing.HttpRoute;
@ -48,6 +49,7 @@ import org.apache.http.protocol.HttpContext;
 import org.apache.http.util.Args;
 import org.apache.http.util.CharArrayBuffer;
 import org.ietf.jgss.GSSContext;
+import org.ietf.jgss.GSSCredential;
 import org.ietf.jgss.GSSException;
 import org.ietf.jgss.GSSManager;
 import org.ietf.jgss.GSSName;
@ -100,21 +102,53 @@ public abstract class GGSSchemeBase extends AuthSchemeBase {

    protected byte[] generateGSSToken(
            final byte[] input, final Oid oid, final String authServer) throws GSSException {
+        return generateGSSToken(input, oid, authServer, null);
+    }
+
+    /**
+     * @since 4.4
+     */
+    protected byte[] generateGSSToken(
+            final byte[] input, final Oid oid, final String authServer,
+            final Credentials credentials) throws GSSException {
        byte[] inputBuff = input;
        if (inputBuff == null) {
            inputBuff = new byte[0];
        }
        final GSSManager manager = getManager();
        final GSSName serverName = manager.createName("HTTP@" + authServer, GSSName.NT_HOSTBASED_SERVICE);
+
+        final GSSCredential gssCredential;
+        if (credentials instanceof KerberosCredentials) {
+            gssCredential = ((KerberosCredentials) credentials).getGSSCredential();
+        } else {
+            gssCredential = null;
+        }
+
        final GSSContext gssContext = manager.createContext(
-                serverName.canonicalize(oid), oid, null, GSSContext.DEFAULT_LIFETIME);
+                serverName.canonicalize(oid), oid, gssCredential, GSSContext.DEFAULT_LIFETIME);
        gssContext.requestMutualAuth(true);
        gssContext.requestCredDeleg(true);
        return gssContext.initSecContext(inputBuff, 0, inputBuff.length);
    }

-    protected abstract byte[] generateToken(
-            byte[] input, final String authServer) throws GSSException;
+    /**
+     * @deprecated (4.4) Use {@link #generateToken(byte[], String, org.apache.http.auth.Credentials)}.
+     */
+    @Deprecated
+    protected byte[] generateToken(final byte[] input, final String authServer) throws GSSException {
+        return null;
+    }
+
+    /**
+     * @since 4.4
+     */
+    //TODO: make this method abstract
+    @SuppressWarnings("deprecation")
+    protected byte[] generateToken(
+            final byte[] input, final String authServer, final Credentials credentials) throws GSSException {
+        return generateToken(input, authServer);
+    }

    @Override
    public boolean isComplete() {
@ -181,7 +215,7 @@ public abstract class GGSSchemeBase extends AuthSchemeBase {
                if (log.isDebugEnabled()) {
                    log.debug("init " + authServer);
                }
-                token = generateToken(token, authServer);
+                token = generateToken(token, authServer, credentials);
                state = State.TOKEN_GENERATED;
            } catch (final GSSException gsse) {
                state = State.FAILED;
--- a/httpclient/src/main/java/org/apache/http/impl/auth/KerberosScheme.java
+++ b/httpclient/src/main/java/org/apache/http/impl/auth/KerberosScheme.java
@ -86,9 +86,14 @@ public class KerberosScheme extends GGSSchemeBase {
        return super.authenticate(credentials, request, context);
    }

-    @Override
+    @Override @SuppressWarnings("deprecation")
    protected byte[] generateToken(final byte[] input, final String authServer) throws GSSException {
-        return generateGSSToken(input, new Oid(KERBEROS_OID), authServer);
+        return super.generateToken(input, authServer);
+    }
+
+    @Override
+    protected byte[] generateToken(final byte[] input, final String authServer, final Credentials credentials) throws GSSException {
+        return generateGSSToken(input, new Oid(KERBEROS_OID), authServer, credentials);
    }

    /**
--- a/httpclient/src/main/java/org/apache/http/impl/auth/SPNegoScheme.java
+++ b/httpclient/src/main/java/org/apache/http/impl/auth/SPNegoScheme.java
@ -87,9 +87,14 @@ public class SPNegoScheme extends GGSSchemeBase {
        return super.authenticate(credentials, request, context);
    }

-    @Override
+    @Override @SuppressWarnings("deprecation")
    protected byte[] generateToken(final byte[] input, final String authServer) throws GSSException {
-        return generateGSSToken(input, new Oid(SPNEGO_OID), authServer);
+        return super.generateToken(input, authServer);
+    }
+
+    @Override
+    protected byte[] generateToken(final byte[] input, final String authServer, final Credentials credentials) throws GSSException {
+        return generateGSSToken(input, new Oid(SPNEGO_OID), authServer, credentials);
    }

    /**