本文整理汇总了Java中javax.security.auth.kerberos.KerberosPrincipal类的典型用法代码示例。如果您正苦于以下问题:Java KerberosPrincipal类的具体用法?Java KerberosPrincipal怎么用?Java KerberosPrincipal使用的例子?那么恭喜您, 这里精选的类代码示例或许可以为您提供帮助。
KerberosPrincipal类属于javax.security.auth.kerberos包,在下文中一共展示了KerberosPrincipal类的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Java代码示例。
示例1: main
import javax.security.auth.kerberos.KerberosPrincipal; //导入依赖的package包/类
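/**
 * Test driver that accepts a Kerberos security context as an acceptor whose
 * long-term key is placed directly into the Subject's private credentials.
 *
 * <p>{@code princ}, {@code key} and {@code token} are defined outside this
 * method. The generated {@code krb5.conf} raises {@code clockskew} to a huge
 * value so that timestamp differences never cause a rejection. That removes
 * the freshness check, so this configuration belongs in tests only.
 *
 * @param args unused
 * @throws Exception if writing the configuration or accepting the token fails
 */
public static void main(String[] args) throws Exception {
    // We don't care about clock difference (test-only setting, see Javadoc).
    // try-with-resources closes the stream; the original left it open.
    try (FileOutputStream confOut = new FileOutputStream("krb5.conf")) {
        confOut.write("[libdefaults]\nclockskew=999999999".getBytes());
    }
    System.setProperty("java.security.krb5.conf", "krb5.conf");
    Config.refresh();

    // Acceptor identity: the principal plus its AES128 long-term key.
    Subject subj = new Subject();
    KerberosPrincipal kp = new KerberosPrincipal(princ);
    KerberosKey kk = new KerberosKey(
            kp, key, EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96, 0);
    subj.getPrincipals().add(kp);
    subj.getPrivateCredentials().add(kk);

    Subject.doAs(subj, new PrivilegedExceptionAction<Object>() {
        @Override
        public Object run() throws Exception {
            GSSManager man = GSSManager.getInstance();
            // ACCEPT_ONLY credential with a null name: the key is taken
            // from the Subject this action runs as.
            GSSContext ctxt = man.createContext(man.createCredential(
                    null, GSSCredential.INDEFINITE_LIFETIME,
                    GSSUtil.GSS_KRB5_MECH_OID, GSSCredential.ACCEPT_ONLY));
            return ctxt.acceptSecContext(token, 0, token.length);
        }
    });
}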
示例2: loginViaKerberos
import javax.security.auth.kerberos.KerberosPrincipal; //导入依赖的package包/类
/**
 * Logs in through JAAS using the principal name and keytab carried by the
 * builder.
 *
 * @param b builder supplying {@code kerberosPrincipal} and {@code keytab}
 * @return the Subject held by the LoginContext after a successful login
 * @throws RuntimeException wrapping the {@link LoginException} when the login fails
 */
private Subject loginViaKerberos(Builder b) {
    // Seed the Subject with the principal we intend to authenticate as.
    final Set<Principal> seedPrincipals = new HashSet<Principal>();
    seedPrincipals.add(new KerberosPrincipal(b.kerberosPrincipal));
    final Subject seed = new Subject(
            false, seedPrincipals, new HashSet<Object>(), new HashSet<Object>());

    final ServerKeytabJaasConf jaasConf =
            new ServerKeytabJaasConf(b.kerberosPrincipal, b.keytab.toString());

    final LoginContext ctx;
    try {
        // An explicit Configuration object is passed, so the entry name
        // is only a label.
        ctx = new LoginContext("NotUsed", seed, null, jaasConf);
        ctx.login();
    } catch (LoginException e) {
        throw new RuntimeException(e);
    }
    return ctx.getSubject();
}
示例3: getUGIFromSubject
import javax.security.auth.kerberos.KerberosPrincipal; //导入依赖的package包/类
/**
 * Wraps a Subject that already carries a KerberosPrincipal in a
 * UserGroupInformation.
 *
 * <p>The supplied Subject is modified: a {@code User} principal named after
 * the first KerberosPrincipal found is added to it.
 *
 * @param subject the Subject to wrap; must be non-null and hold at least one
 *        KerberosPrincipal
 * @return a UGI backed by {@code subject} with authentication method KERBEROS
 * @throws IOException if {@code subject} is null or holds no KerberosPrincipal
 */
public static UserGroupInformation getUGIFromSubject(Subject subject)
        throws IOException {
    if (subject == null) {
        throw new IOException("Subject must not be null");
    }
    if (subject.getPrincipals(KerberosPrincipal.class).isEmpty()) {
        throw new IOException("Provided Subject must contain a KerberosPrincipal");
    }

    // If the Subject holds several Kerberos principals, the one the set's
    // iterator yields first decides the UGI user name.
    final KerberosPrincipal krbPrincipal =
            subject.getPrincipals(KerberosPrincipal.class).iterator().next();
    subject.getPrincipals().add(
            new User(krbPrincipal.getName(), AuthenticationMethod.KERBEROS, null));

    final UserGroupInformation result = new UserGroupInformation(subject);
    result.setLogin(null);
    result.setAuthenticationMethod(AuthenticationMethod.KERBEROS);
    return result;
}
示例4: credsToTicket
import javax.security.auth.kerberos.KerberosPrincipal; //导入依赖的package包/类
/**
 * Converts internal service credentials into a public {@link KerberosTicket}.
 *
 * <p>The server principal is created with name type
 * {@code KRB_NT_SRV_INST}; the client principal uses the default name type
 * of the single-argument constructor.
 *
 * @param serviceCreds the credentials to convert
 * @return a ticket carrying the same encoding, principals, session key,
 *         flags, times and client addresses
 */
public static KerberosTicket credsToTicket(Credentials serviceCreds) {
    final EncryptionKey key = serviceCreds.getSessionKey();
    final byte[] encodedTicket = serviceCreds.getEncoded();
    final KerberosPrincipal clientPrincipal =
            new KerberosPrincipal(serviceCreds.getClient().getName());
    final KerberosPrincipal serverPrincipal = new KerberosPrincipal(
            serviceCreds.getServer().getName(), KerberosPrincipal.KRB_NT_SRV_INST);

    return new KerberosTicket(
            encodedTicket,
            clientPrincipal,
            serverPrincipal,
            key.getBytes(),
            key.getEType(),
            serviceCreds.getFlags(),
            serviceCreds.getAuthTime(),
            serviceCreds.getStartTime(),
            serviceCreds.getEndTime(),
            serviceCreds.getRenewTill(),
            serviceCreds.getClientAddresses());
}
示例5: getEKeys
import javax.security.auth.kerberos.KerberosPrincipal; //导入依赖的package包/类
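/**
 * Gets EKeys for a principal.
 *
 * <p>When no key is stored under the requested name, every key held by this
 * object is returned instead (see the fallback comment below). Callers
 * therefore cannot assume that a returned key belongs to {@code princ}.
 *
 * @param princ the target name initiator requests. Not null.
 * @return keys for the princ, never null, might be empty
 * @throws IllegalStateException if this object has been destroyed
 */
public EncryptionKey[] getEKeys(PrincipalName princ) {
    if (destroyed) {
        throw new IllegalStateException("This object is destroyed");
    }
    KerberosKey[] kkeys = getKKeys(new KerberosPrincipal(princ.getName()));
    if (kkeys.length == 0) {
        // Fallback: old JDK does not perform real name checking. If the
        // acceptor has host.sun.com but initiator requests for host,
        // as long as their keys match (i.e. keys for one can decrypt
        // the other's service ticket), the authentication is OK.
        // There are real customers depending on this to use different
        // names for a single service.
        // NOTE(review): this deliberately relaxes name matching. The
        // requested service name is not bound to the key that is used.
        kkeys = getKKeys();
    }
    EncryptionKey[] ekeys = new EncryptionKey[kkeys.length];
    for (int i = 0; i < ekeys.length; i++) {
        // Integer.valueOf replaces the deprecated Integer(int) constructor.
        ekeys[i] = new EncryptionKey(
                kkeys[i].getEncoded(), kkeys[i].getKeyType(),
                Integer.valueOf(kkeys[i].getVersionNumber()));
    }
    return ekeys;
}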
示例6: doAs
import javax.security.auth.kerberos.KerberosPrincipal; //导入依赖的package包/类
/**
 * Logs in as {@code user} from the keytab held by the enclosing class, runs
 * {@code action} as that user through a UserGroupInformation, and always
 * logs out afterwards.
 *
 * @param user   principal name to log in as
 * @param action work to perform under the logged-in identity
 * @param <T>    result type of the action
 * @return whatever {@code action} returns
 * @throws Exception if the login, the action or the logout fails
 */
private <T> T doAs(String user, final PrivilegedExceptionAction<T> action)
        throws Exception {
    final Set<Principal> clientPrincipals = new HashSet<Principal>();
    clientPrincipals.add(new KerberosPrincipal(user));

    // client login
    final Subject seed = new Subject(
            false, clientPrincipals, new HashSet<Object>(), new HashSet<Object>());
    final LoginContext ctx = new LoginContext(
            "", seed, null, KerberosConfiguration.createClientConfig(user, keytab));
    try {
        ctx.login();
        final Subject authenticated = ctx.getSubject();
        return UserGroupInformation.getUGIFromSubject(authenticated).doAs(action);
    } finally {
        // Runs even when login() itself threw.
        ctx.logout();
    }
}
示例7: main
import javax.security.auth.kerberos.KerberosPrincipal; //导入依赖的package包/类
/**
 * Exercises {@code testImplies} for the principal "CN=Duke" against a null
 * Subject and against principal sets of varying content.
 *
 * @param args unused
 * @throws Exception if any check fails
 */
public static void main(String[] args) throws Exception {
    final X500Principal duke = new X500Principal("CN=Duke");
    final X500Principal tux = new X500Principal("CN=Tux");

    // should not throw NullPointerException
    testImplies(duke, (Subject) null, false);

    final Set<Principal> held = new HashSet<>();

    // Only Duke present.
    held.add(duke);
    testImplies(duke, held, true);

    // Duke plus a second X.500 principal.
    held.add(tux);
    testImplies(duke, held, true);

    // Duke plus principals of mixed types.
    // NOTE: the literal below is what the page shows. The site's e-mail
    // obfuscation replaced the original principal name.
    held.add(new KerberosPrincipal("[email protected]"));
    testImplies(duke, held, true);

    // Duke absent.
    held.clear();
    held.add(tux);
    testImplies(duke, held, false);

    System.out.println("test passed");
}
示例8: main
import javax.security.auth.kerberos.KerberosPrincipal; //导入依赖的package包/类
/**
 * Writes two keytab files decoded from the hex strings {@code aes} and
 * {@code camellia} (both defined outside this method), then checks that the
 * first yields at least one key for the principal and the second yields none.
 *
 * @param args unused
 * @throws Exception if a file cannot be written or a check fails
 */
public static void main(String[] args) throws Exception {
    // Buffer is sized from the aes string and reused for camellia.
    // NOTE(review): presumably both hex strings have the same length.
    final byte[] raw = new byte[aes.length() / 2];
    // NOTE: the literal below is what the page shows. The site's e-mail
    // obfuscation replaced the original principal name.
    final KerberosPrincipal owner = new KerberosPrincipal("[email protected]");

    // aes128
    for (int pos = 0; pos < raw.length; pos++) {
        final String hexPair = aes.substring(2 * pos, 2 * pos + 2);
        raw[pos] = (byte) Integer.parseInt(hexPair, 16);
    }
    Files.write(Paths.get("aes"), raw);
    final int aesKeyCount = KeyTab.getInstance(owner, new File("aes")).getKeys(owner).length;
    if (aesKeyCount == 0) {
        throw new Exception("AES key not read");
    }

    // camellia128
    for (int pos = 0; pos < raw.length; pos++) {
        final String hexPair = camellia.substring(2 * pos, 2 * pos + 2);
        raw[pos] = (byte) Integer.parseInt(hexPair, 16);
    }
    Files.write(Paths.get("camellia"), raw);
    final int camelliaKeyCount =
            KeyTab.getInstance(owner, new File("camellia")).getKeys(owner).length;
    if (camelliaKeyCount != 0) {
        throw new Exception("Unknown key read");
    }
}
示例9: main
import javax.security.auth.kerberos.KerberosPrincipal; //导入依赖的package包/类
/**
 * Builds a KerberosTicket from dummy data and runs the date-immutability,
 * serialization-compatibility and destroy checks on it.
 *
 * @param args unused
 * @throws Exception if any check fails
 */
public static void main(String[] args) throws Exception {
    final long originalTime = 12345678L;
    final byte[] encodedTicket = "asn1".getBytes();
    final byte[] sessionKeyBytes = "sessionKey".getBytes();
    final KerberosPrincipal clientPrincipal = new KerberosPrincipal("client");
    final KerberosPrincipal serverPrincipal = new KerberosPrincipal("server");

    final boolean[] ticketFlags = new boolean[9];
    ticketFlags[8] = true; // renewable

    // One Date instance is deliberately shared by all four time fields.
    final Date sharedDate = new Date(originalTime);
    final KerberosTicket ticket = new KerberosTicket(
            encodedTicket,
            clientPrincipal,
            serverPrincipal,
            sessionKeyBytes,
            1,            // keyType
            ticketFlags,
            sharedDate,   // authTime
            sharedDate,   // startTime
            sharedDate,   // endTime
            sharedDate,   // renewTill
            null);        // clientAddresses

    // Mutate the caller's Date after construction: for testing the constructor
    sharedDate.setTime(0);

    testDateImmutability(ticket, originalTime);
    testS11nCompatibility(ticket); // S11n: Serialization
    testDestroy(ticket);
}
示例10: getEKeys
import javax.security.auth.kerberos.KerberosPrincipal; //导入依赖的package包/类
/**
 * Returns the encryption keys to try for the name an initiator requested.
 *
 * <p>Keys stored under {@code princ} are preferred. When there are none, all
 * keys held by this object are returned, so a returned key is not guaranteed
 * to belong to {@code princ}.
 *
 * @param princ the target name initiator requests. Not null.
 * @return keys for the princ, never null, might be empty
 * @throws IllegalStateException if this object has been destroyed
 */
public EncryptionKey[] getEKeys(PrincipalName princ) {
    if (destroyed) {
        throw new IllegalStateException("This object is destroyed");
    }

    KerberosKey[] candidates = getKKeys(new KerberosPrincipal(princ.getName()));
    if (candidates.length == 0) {
        // Fallback: old JDK does not perform real name checking. If the
        // acceptor has host.sun.com but initiator requests for host,
        // as long as their keys match (i.e. keys for one can decrypt
        // the other's service ticket), the authentication is OK.
        // There are real customers depending on this to use different
        // names for a single service.
        candidates = getKKeys();
    }

    final EncryptionKey[] converted = new EncryptionKey[candidates.length];
    int slot = 0;
    for (KerberosKey candidate : candidates) {
        converted[slot++] = new EncryptionKey(
                candidate.getEncoded(),
                candidate.getKeyType(),
                candidate.getVersionNumber());
    }
    return converted;
}
示例11: main
import javax.security.auth.kerberos.KerberosPrincipal; //导入依赖的package包/类
/**
 * Builds a KerberosTicket from dummy data and runs the date-immutability,
 * serialization-compatibility and destroy checks on it.
 *
 * @param args unused
 * @throws Exception if any check fails
 */
public static void main(String[] args) throws Exception {
    final long originalTime = 12345678L;
    final byte[] encodedTicket = "asn1".getBytes();
    // NOTE: both principal literals below are what the page shows. The
    // site's e-mail obfuscation replaced the original names.
    final KerberosPrincipal clientPrincipal = new KerberosPrincipal("[email protected]");
    final KerberosPrincipal serverPrincipal = new KerberosPrincipal("[email protected]");
    final byte[] sessionKeyBytes = "sessionKey".getBytes();

    final boolean[] ticketFlags = new boolean[9];
    ticketFlags[8] = true; // renewable

    // One Date instance is deliberately shared by all four time fields.
    final Date sharedDate = new Date(originalTime);
    final KerberosTicket ticket = new KerberosTicket(
            encodedTicket,
            clientPrincipal,
            serverPrincipal,
            sessionKeyBytes,
            1,            // keyType
            ticketFlags,
            sharedDate,   // authTime
            sharedDate,   // startTime
            sharedDate,   // endTime
            sharedDate,   // renewTill
            null);        // clientAddresses

    // Mutate the caller's Date after construction: for testing the constructor
    sharedDate.setTime(0);

    testDateImmutability(ticket, originalTime);
    testS11nCompatibility(ticket); // S11n: Serialization
    testDestroy(ticket);
}
示例12: performKerberosLogin
import javax.security.auth.kerberos.KerberosPrincipal; //导入依赖的package包/类
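/**
 * Performs a Kerberos login given the {@code principal} and {@code keytab}.
 *
 * <p>Not synchronized itself; the caller is expected to hold the lock.
 *
 * @return The {@code Subject} and {@code LoginContext} from the successful login.
 * @throws RuntimeException if the login failed; the underlying exception is
 *         attached as the cause
 */
Entry<LoginContext, Subject> performKerberosLogin() {
    // Loosely based on Apache Kerby's JaasKrbUtil class
    // Synchronized by the caller

    // Create a KerberosPrincipal given the principal.
    final Set<Principal> principals = new HashSet<Principal>();
    principals.add(new KerberosPrincipal(principal));

    final Subject subject = new Subject(false, principals, new HashSet<Object>(),
            new HashSet<Object>());

    try {
        return login(null, jaasConf, subject);
    } catch (Exception e) {
        // Attach the cause. Without it a bad keytab, a wrong principal and
        // an unreachable KDC all produce the same message.
        throw new RuntimeException("Failed to perform Kerberos login", e);
    }
}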
示例13: afterPropertiesSet
import javax.security.auth.kerberos.KerberosPrincipal; //导入依赖的package包/类
/**
 * Validates the configured service principal and keytab location, then logs
 * in through JAAS and stores the resulting Subject in {@code serviceSubject}.
 *
 * @throws Exception if a required property is missing, the keytab URL cannot
 *         be resolved, or the login fails
 */
@Override
public void afterPropertiesSet() throws Exception {
    Assert.notNull(this.servicePrincipal, "servicePrincipal must be specified");
    Assert.notNull(this.keyTabLocation, "keyTab must be specified");

    // A keytab holds long-term keys, so packaging it on the classpath is
    // flagged. The login still proceeds.
    if (keyTabLocation instanceof ClassPathResource) {
        LOG.warn("Your keytab is in the classpath. This file needs special protection and shouldn't be in the classpath. JAAS may also not be able to load this file from classpath.");
    }

    // We need to remove the file prefix (if there is one), as it is not supported in Java 7 anymore.
    // As Java 6 accepts it with and without the prefix, we don't need to check for Java 7
    final String externalForm = this.keyTabLocation.getURL().toExternalForm();
    final String keyTabPath =
            externalForm.startsWith("file:") ? externalForm.substring(5) : externalForm;

    final LoginConfig jaasConfig =
            new LoginConfig(keyTabPath, this.servicePrincipal, this.debug);

    final Set<Principal> servicePrincipals = new HashSet<Principal>(1);
    servicePrincipals.add(new KerberosPrincipal(this.servicePrincipal));
    final Subject seed = new Subject(
            false, servicePrincipals, new HashSet<Object>(), new HashSet<Object>());

    final LoginContext ctx = new LoginContext("", seed, null, jaasConfig);
    ctx.login();
    this.serviceSubject = ctx.getSubject();
}
示例14: doAsKerberosUser
import javax.security.auth.kerberos.KerberosPrincipal; //导入依赖的package包/类
/**
 * Logs in as {@code principal} from {@code keytab}, runs {@code callable}
 * under the resulting Subject, and logs out again.
 *
 * @param principal Kerberos principal name to log in as
 * @param keytab    keytab location handed to the JAAS configuration
 * @param callable  work to run as the logged-in Subject
 * @param <T>       result type of the callable
 * @return the callable's result
 * @throws Exception the callable's own exception (unwrapped from
 *         {@link PrivilegedActionException}), or a login/logout failure
 */
public static <T> T doAsKerberosUser(String principal, String keytab,
        final Callable<T> callable) throws Exception {
    LoginContext ctx = null;
    try {
        final Set<Principal> seedPrincipals = new HashSet<Principal>();
        seedPrincipals.add(new KerberosPrincipal(principal));
        final Subject seed = new Subject(
                false, seedPrincipals, new HashSet<Object>(), new HashSet<Object>());

        ctx = new LoginContext("", seed, null,
                new KerberosConfiguration(principal, keytab));
        ctx.login();

        // Adapter: Subject.doAs takes a PrivilegedExceptionAction, not a Callable.
        final PrivilegedExceptionAction<T> bridge = new PrivilegedExceptionAction<T>() {
            @Override
            public T run() throws Exception {
                return callable.call();
            }
        };
        return Subject.doAs(ctx.getSubject(), bridge);
    } catch (PrivilegedActionException wrapped) {
        // Surface the callable's own exception, not the wrapper.
        throw wrapped.getException();
    } finally {
        // ctx stays null only if its construction (or an earlier step) failed.
        if (ctx != null) {
            ctx.logout();
        }
    }
}
示例15: doAs
import javax.security.auth.kerberos.KerberosPrincipal; //导入依赖的package包/类
/**
 * Logs in with a JAAS configuration built from {@code principal}, runs
 * {@code callable} under the resulting Subject, and logs out again.
 *
 * @param principal principal name handed to the JAAS configuration
 * @param callable  work to run as the logged-in Subject
 * @param <T>       result type of the callable
 * @return the callable's result
 * @throws Exception the callable's own exception (unwrapped from
 *         {@link PrivilegedActionException}), or a login/logout failure
 */
public static <T> T doAs(String principal, final Callable<T> callable) throws Exception {
    LoginContext ctx = null;
    try {
        // NOTE(review): the Subject is seeded from
        // KerberosTestUtils.getClientPrincipal(), while the configuration
        // below is built from the principal argument. Confirm both are
        // meant to name the same identity.
        final Set<Principal> seedPrincipals = new HashSet<Principal>();
        seedPrincipals.add(new KerberosPrincipal(KerberosTestUtils.getClientPrincipal()));
        final Subject seed = new Subject(
                false, seedPrincipals, new HashSet<Object>(), new HashSet<Object>());

        ctx = new LoginContext("", seed, null, new KerberosConfiguration(principal));
        ctx.login();

        // Adapter: Subject.doAs takes a PrivilegedExceptionAction, not a Callable.
        final PrivilegedExceptionAction<T> bridge = new PrivilegedExceptionAction<T>() {
            @Override
            public T run() throws Exception {
                return callable.call();
            }
        };
        return Subject.doAs(ctx.getSubject(), bridge);
    } catch (PrivilegedActionException wrapped) {
        // Surface the callable's own exception, not the wrapper.
        throw wrapped.getException();
    } finally {
        if (ctx != null) {
            ctx.logout();
        }
    }
}