本文整理汇总了Java中javax.security.auth.kerberos.KeyTab类的典型用法代码示例。如果您正苦于以下问题:Java KeyTab类的具体用法?Java KeyTab怎么用?Java KeyTab使用的例子?那么, 这里精选的类代码示例或许可以为您提供帮助。
KeyTab类属于javax.security.auth.kerberos包,在下文中一共展示了KeyTab类的12个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Java代码示例。
示例1: decryptUsingKeyTab
import javax.security.auth.kerberos.KeyTab; //导入依赖的package包/类
/**
 * Called by KrbAsReqBuilder to resolve an AS-REP message using a keytab.
 *
 * <p>The key is looked up by the encryption type and key version number (kvno)
 * carried in the reply's encrypted part. Only a key-version mismatch triggers a
 * second lookup by encryption type alone; any other lookup failure is dropped
 * here and surfaces as the "Cannot find key" error below.
 *
 * @param ktab the keytab, not null
 * @param asReq the original AS-REQ sent, used to validate AS-REP
 * @param cname the user principal name, used to locate keys in ktab
 * @throws KrbException if no key matching the reply's type/kvno is found, or if
 *         the fallback lookup itself fails
 */
void decryptUsingKeyTab(KeyTab ktab, KrbAsReq asReq, PrincipalName cname)
        throws KrbException, Asn1Exception, IOException {
    final int etype = rep.encPart.getEType();
    final Integer kvno = rep.encPart.kvno;

    EncryptionKey key = null;
    try {
        // The keytab is read inside the try so that a KrbException raised while
        // reading it is handled the same way as a failed lookup.
        key = EncryptionKey.findKey(
                etype, kvno, Krb5Util.keysFromJavaxKeyTab(ktab, cname));
    } catch (KrbException lookupFailure) {
        if (lookupFailure.returnCode() == Krb5.KRB_AP_ERR_BADKEYVER) {
            // Fallback to no kvno. In some cases, keytab is generated
            // not by sysadmin but Java's ktab command
            key = EncryptionKey.findKey(
                    etype, Krb5Util.keysFromJavaxKeyTab(ktab, cname));
        }
        // Any other return code leaves key == null and is reported below.
    }

    if (key == null) {
        throw new KrbException(Krb5.API_INVALID_ARG,
                "Cannot find key for type/kvno to decrypt AS REP - " +
                EType.toString(etype) + "/" + kvno);
    }
    decrypt(key, asReq);
}
示例2: isRelated
import javax.security.auth.kerberos.KeyTab; //导入依赖的package包/类
/**
 * Reports whether {@code princ} is related to the credentials held by {@code subject}.
 *
 * <p>Returns {@code true} when the subject's principal set contains {@code princ},
 * and also when any {@link KeyTab} in its private credentials is unbound. An
 * unbound keytab is not tied to a single principal, so its mere presence makes
 * this method answer {@code true} for every non-null principal; bind the keytab
 * to the intended service principal if a narrower answer is required.
 *
 * @param subject the subject whose principals and private credentials are inspected
 * @param princ the principal to look for; {@code null} always yields {@code false}
 * @return {@code true} on a direct match or when an unbound keytab is present
 */
@Override
public boolean isRelated(Subject subject, Principal princ) {
    if (princ == null) {
        return false;
    }
    Set<Principal> known = subject.getPrincipals(Principal.class);
    boolean boundToPrincipal = known.contains(princ);
    if (boundToPrincipal) {
        return true;
    }
    // No direct match: an unbound keytab still counts as related.
    for (KeyTab keytab : subject.getPrivateCredentials(KeyTab.class)) {
        if (keytab.isBound()) {
            continue;
        }
        return true;
    }
    return false;
}
示例3: main
import javax.security.auth.kerberos.KeyTab; //导入依赖的package包/类
/**
 * Writes two hex-encoded fixtures ({@code aes} and {@code camellia}, defined
 * outside this method) as raw files and checks what {@link KeyTab} reads back:
 * the AES file must yield at least one key, the camellia file none.
 *
 * <p>The files "aes" and "camellia" are created in the working directory and
 * are not removed by this method.
 */
public static void main(String[] args) throws Exception {
    // The buffer is sized from the AES fixture and reused for the camellia one.
    byte[] data = new byte[aes.length()/2];
    // NOTE(review): this literal looks like the hosting page's e-mail obfuscation
    // placeholder rather than the original name@REALM string; restore the real
    // principal from the upstream source before running.
    KerberosPrincipal kp = new KerberosPrincipal("[email protected]");

    // aes128
    for (int i = 0; i < data.length; i++) {
        int offset = 2 * i;
        data[i] = (byte) Integer.parseInt(aes.substring(offset, offset + 2), 16);
    }
    Files.write(Paths.get("aes"), data);
    KeyTab aesTab = KeyTab.getInstance(kp, new File("aes"));
    if (aesTab.getKeys(kp).length == 0) {
        throw new Exception("AES key not read");
    }

    // camellia128
    for (int i = 0; i < data.length; i++) {
        int offset = 2 * i;
        data[i] = (byte) Integer.parseInt(camellia.substring(offset, offset + 2), 16);
    }
    Files.write(Paths.get("camellia"), data);
    KeyTab camelliaTab = KeyTab.getInstance(kp, new File("camellia"));
    if (camelliaTab.getKeys(kp).length != 0) {
        throw new Exception("Unknown key read");
    }
}
示例4: getKKeys
import javax.security.auth.kerberos.KeyTab; //导入依赖的package包/类
/**
 * Gets keys for "someone". Used in 2 cases:
 * 1. By TLS because it needs to get keys before client comes in.
 * 2. As a fallback in getEKeys() below.
 *
 * <p>The principal is chosen in this order: the named principal {@code kp},
 * then the first entry of {@code allPrincs}, then the first name that any
 * keytab in {@code ktabs} can supply.
 *
 * @return the keys of the chosen principal, or an empty array when no
 *         principal could be determined
 * @throws IllegalStateException if this object has been destroyed
 */
public KerberosKey[] getKKeys() {
    if (destroyed) {
        throw new IllegalStateException("This object is destroyed");
    }

    // Named principal first, then a known principal.
    KerberosPrincipal chosen = kp;
    if (chosen == null && !allPrincs.isEmpty()) {
        chosen = allPrincs.iterator().next();
    }

    // Otherwise take whatever name a keytab offers first.
    if (chosen == null) {
        for (KeyTab ktab : ktabs) {
            // Must be unbound keytab, otherwise, allPrincs is not empty
            PrincipalName candidate =
                    Krb5Util.snapshotFromJavaxKeyTab(ktab).getOneName();
            if (candidate == null) {
                continue;
            }
            chosen = new KerberosPrincipal(candidate.getName());
            break;
        }
    }

    return (chosen != null) ? getKKeys(chosen) : new KerberosKey[0];
}
示例5: testCheckTGTAfterLoginFromSubject
import javax.security.auth.kerberos.KeyTab; //导入依赖的package包/类
/**
 * Logs in from a pre-built {@link Subject} that carries only a default
 * {@link KeyTab}, then verifies that {@code checkTGTAndReloginFromKeytab()}
 * completes without throwing.
 */
@Test
public void testCheckTGTAfterLoginFromSubject() throws Exception {
    // security on, default is remove default realm
    SecurityUtil.setAuthenticationMethod(AuthenticationMethod.KERBEROS, conf);
    UserGroupInformation.setConfiguration(conf);

    // Login from a pre-set subject with a keytab
    final Subject subject = new Subject();
    subject.getPrivateCredentials().add(KeyTab.getInstance());

    UserGroupInformation current = UserGroupInformation.getCurrentUser();
    // Kept as an anonymous class: doAs is called with an explicitly typed action.
    PrivilegedExceptionAction<Void> loginAndCheck =
            new PrivilegedExceptionAction<Void>() {
                @Override
                public Void run() throws IOException {
                    UserGroupInformation.loginUserFromSubject(subject);
                    // this should not throw.
                    UserGroupInformation.getLoginUser().checkTGTAndReloginFromKeytab();
                    return null;
                }
            };
    current.doAs(loginAndCheck);
}
示例6: getTGT
import javax.security.auth.kerberos.KeyTab; //导入依赖的package包/类
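/**
 * Get a Ticket Granting Ticket (TGT) from the Authentication Server (AS) using a keytab file.
 *
 * <ol>
 *   <li>Create and send AS-REQ</li>
 *   <li>Receive KRB ERROR when the KDC requires pre-authentication</li>
 *   <li>Re-send AS-REQ</li>
 *   <li>Receive AS-REP</li>
 *   <li>Return the TGT credentials as a Java object</li>
 * </ol>
 *
 * <p>For a system administrator this is like the command {@code kinit -kt keytab upn}.
 *
 * <p>The keytab holds long-term keys for the principal, so the file should be
 * readable only by the account that runs this code. The returned credentials
 * carry the ticket and its session key and must not be logged or persisted in
 * the clear.
 *
 * <p>[WARNING] This depends on internal proprietary JDK API that may be removed
 * in a future release.
 *
 * @param keytabFileName path of the keytab file, which must already exist on disk
 *                       (for instance /etc/bob.keytab)
 * @param userName user principal name (UPN), e.g. bob@EXAMPLE.COM
 * @param realm Kerberos realm of the Authentication Server (ex: EXAMPLE.COM)
 * @return TGT credentials
 * @throws KrbException if the Kerberos exchange fails
 * @throws IOException if communication with the KDC fails
 */
public static Credentials getTGT(String keytabFileName, String userName, String realm)
        throws KrbException, IOException {
    KrbAsReqBuilder builder = null;
    try {
        PrincipalName userPrincipalName = new PrincipalName(userName);
        KeyTab keyTab = KeyTab.getInstance(new File(keytabFileName));
        builder = new KrbAsReqBuilder(userPrincipalName, keyTab);
        PrincipalName tgsPrincipalName = PrincipalName.tgsService(realm, realm);
        builder.setTarget(tgsPrincipalName);
        // see http://hg.openjdk.java.net/jdk8/jdk8/jdk/file/default/src/share/classes/sun/security/krb5/KdcComm.java#l145
        // for default parameters (timeout, max retries ...)
        builder.action();
        Credentials tgtCredentials = builder.getCCreds();
        if (DEBUG) {
            // Log only the identifiers the caller supplied. A reflective dump of
            // the credentials object prints every field it holds, which can
            // include the session key and the encoded ticket.
            System.out.println(">>>TGT obtained for principal " + userName
                    + " in realm " + realm);
        }
        return tgtCredentials;
    } finally {
        // Always release the builder's key material, on success and on failure.
        if (builder != null) {
            builder.destroy();
        }
    }
}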
示例7: UserGroupInformation
import javax.security.auth.kerberos.KeyTab; //导入依赖的package包/类
/**
 * Create a UserGroupInformation for the given subject.
 * This does not change the subject or acquire new credentials.
 *
 * <p>The keytab and ticket flags are derived solely from which credential
 * types are present in the subject's private credentials at construction time.
 *
 * @param subject the user's subject; it must contain at least one {@code User}
 *                principal, otherwise the iterator lookup below fails
 */
UserGroupInformation(Subject subject) {
    this.subject = subject;
    // The first User principal found identifies this UGI.
    this.user = subject.getPrincipals(User.class).iterator().next();

    final boolean hasKeytab =
            !subject.getPrivateCredentials(KeyTab.class).isEmpty();
    final boolean hasTicket =
            !subject.getPrivateCredentials(KerberosTicket.class).isEmpty();
    this.isKeytab = hasKeytab;
    this.isKrbTkt = hasTicket;
}
示例8: check
import javax.security.auth.kerberos.KeyTab; //导入依赖的package包/类
/**
 * Checks which name an accept-only Kerberos credential ends up bound to.
 *
 * <p>A fresh {@link Subject} is populated from {@code objs}: principals go to
 * the principal set, keys and keytabs go to the private credentials, and any
 * other object is ignored. The credential is then created inside
 * {@code Subject.doAs} and its name compared with the expectation.
 *
 * @param a get a creds for this principal, null for default one
 * @param b expected name, null for still unbound, "NOCRED" for no creds
 * @param objs princs, keys and keytabs in the subject
 * @throws Exception if the resulting name differs from {@code b}, or if
 *         credential creation fails while {@code b} is not "NOCRED"
 */
private static void check(final String a, String b, Object... objs)
        throws Exception {
    Subject subj = new Subject();
    for (Object item : objs) {
        if (item instanceof KerberosPrincipal) {
            subj.getPrincipals().add((KerberosPrincipal) item);
            continue;
        }
        if (item instanceof KerberosKey || item instanceof KeyTab) {
            subj.getPrivateCredentials().add(item);
        }
    }

    final GSSManager man = GSSManager.getInstance();
    // Creates the acceptor credential and reports its name (null when unbound).
    PrivilegedExceptionAction<String> nameProbe =
            new PrivilegedExceptionAction<String>() {
                @Override
                public String run() throws GSSException {
                    GSSName wanted = (a == null) ? null : man.createName(r(a), null);
                    GSSCredential cred = man.createCredential(
                            wanted,
                            GSSCredential.INDEFINITE_LIFETIME,
                            GSSUtil.GSS_KRB5_MECH_OID,
                            GSSCredential.ACCEPT_ONLY);
                    GSSName bound = cred.getName();
                    if (bound == null) {
                        return null;
                    }
                    return bound.toString();
                }
            };

    try {
        String result = Subject.doAs(subj, nameProbe);
        if (!Objects.equals(result, r(b))) {
            throw new Exception("Check failed: getInstance(" + a
                    + ") has name " + result + ", not " + b);
        }
    } catch (PrivilegedActionException e) {
        // A failure to create the credential is only acceptable for "NOCRED".
        if (!"NOCRED".equals(b)) {
            throw new Exception("Check failed: getInstance(" + a
                    + ") is null " + ", but not one with name " + b);
        }
    }
}
示例9: main
import javax.security.auth.kerberos.KeyTab; //导入依赖的package包/类
/**
 * Runs a client/server handshake in which the server side is given its
 * principal and the individual keys read from the keytab, rather than the
 * keytab object itself.
 */
public static void main(String[] args) throws Exception {
    new OneKDC(null).writeJAASConf();

    Context client = Context.fromJAAS("client");
    Context server = Context.fromThinAir();

    String serverName = OneKDC.SERVER + "@" + OneKDC.REALM;
    KerberosPrincipal kp = new KerberosPrincipal(
            serverName, KerberosPrincipal.KRB_NT_SRV_INST);
    server.s().getPrincipals().add(kp);

    // Copy every key the keytab holds for kp into the server's private credentials.
    KerberosKey[] serverKeys = KeyTab.getInstance(kp).getKeys(kp);
    for (KerberosKey key : serverKeys) {
        server.s().getPrivateCredentials().add(key);
    }

    client.startAsClient(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID);
    server.startAsServer(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID);
    Context.handshake(client, server);
}
示例10: logout
import javax.security.auth.kerberos.KeyTab; //导入依赖的package包/类
/**
 * Logout the user.
 *
 * <p> This method removes the {@code Krb5Principal}
 * that was added by the {@code commit} method, and strips every
 * {@code KerberosTicket}, {@code KerberosKey} and {@code KeyTab} from the
 * Subject's private credentials.
 *
 * <p> For a read-only Subject nothing can be removed from it: the module's
 * own Kerberos credentials are still cleaned, and the call then fails.
 *
 * @exception LoginException if the Subject is read-only.
 *
 * @return true in all cases since this {@code LoginModule}
 *          should not be ignored.
 */
public boolean logout() throws LoginException {
    if (debug) {
        System.out.println("\t\t[Krb5LoginModule]: " +
                "Entering logout");
    }

    if (subject.isReadOnly()) {
        // Clean the module's own copies before reporting the failure.
        cleanKerberosCred();
        throw new LoginException("Subject is Readonly");
    }

    subject.getPrincipals().remove(kerbClientPrinc);

    // Let us remove all Kerberos credentials stored in the Subject
    for (Iterator<Object> creds = subject.getPrivateCredentials().iterator();
            creds.hasNext(); ) {
        Object cred = creds.next();
        boolean isKerberosCred = cred instanceof KerberosTicket
                || cred instanceof KerberosKey
                || cred instanceof KeyTab;
        if (isKerberosCred) {
            creds.remove();
        }
    }

    // clean the kerberos ticket and keys
    cleanKerberosCred();

    succeeded = false;
    commitSucceeded = false;
    if (debug) {
        System.out.println("\t\t[Krb5LoginModule]: " +
                "logged out Subject");
    }
    return true;
}
示例11: getDeprivilegedClasses
import javax.security.auth.kerberos.KeyTab; //导入依赖的package包/类
/**
 * Builds the list of sample classes, one per package named in the comments
 * below.
 *
 * @return a new mutable list holding the five sample classes in declaration order
 */
private static List<Class<?>> getDeprivilegedClasses() {
    Class<?>[] samples = {
        // Test from java.xml.crypto/javax/xml/crypto/dsig package
        XMLSignatureFactory.class,
        // Test from java.xml.crypto/javax/xml/crypto package
        KeySelectorException.class,
        // Test From java.security.jgss/javax/security/auth/kerberos package
        KeyTab.class,
        // Test from jdk.security.jgss/com/sun/security/jgss package
        AuthorizationDataEntry.class,
        // Test from jdk.security.auth/com/sun/security/auth/callback package
        TextCallbackHandler.class,
    };

    List<Class<?>> result = new ArrayList<>(samples.length);
    for (Class<?> sample : samples) {
        result.add(sample);
    }
    return result;
}
示例12: isRelated
import javax.security.auth.kerberos.KeyTab; //导入依赖的package包/类
/**
 * Reports whether principal {@code p} is related to the Kerberos credentials
 * of the Subject obtained for the given access control context.
 *
 * <p>A principal contained in the Subject always matches. Beyond that the two
 * sides differ: a client needs that exact match, while a server also matches
 * when any {@link KeyTab} in its private credentials is unbound, so on the
 * server side an unbound keytab makes every non-null principal related.
 *
 * @param isClient {@code true} to look up the SSL client Subject, {@code false}
 *                 for the SSL server Subject
 * @param acc the access control context passed to the Subject lookup
 * @param p the principal to test; {@code null} always yields {@code false}
 * @return {@code true} if related; {@code false} otherwise, including when no
 *         Subject is available or the lookup fails
 */
@Override
public boolean isRelated(boolean isClient,
        AccessControlContext acc, Principal p) {
    if (p == null) {
        return false;
    }

    final Subject subject;
    try {
        subject = AccessController.doPrivileged(
                (PrivilegedExceptionAction<Subject>)
                () -> Krb5Util.getSubject(
                        isClient ? GSSCaller.CALLER_SSL_CLIENT
                                 : GSSCaller.CALLER_SSL_SERVER,
                        acc));
    } catch (PrivilegedActionException pae) {
        // A failed lookup is treated as "not related" rather than propagated.
        if (debug != null && Debug.isOn("session")) {
            System.out.println("Attempt to obtain" +
                    " subject failed! " + pae);
        }
        return false;
    }

    if (subject == null) {
        if (debug != null && Debug.isOn("session")) {
            System.out.println("Kerberos credentials are" +
                    " not present in the current Subject;" +
                    " check if " +
                    " javax.security.auth.useSubjectAsCreds" +
                    " system property has been set to false");
        }
        return false;
    }

    Set<Principal> principals = subject.getPrincipals(Principal.class);
    if (principals.contains(p)) {
        // bound to this principal
        return true;
    }
    if (isClient) {
        // Clients get no unbound-keytab fallback.
        return false;
    }
    for (KeyTab keytab : subject.getPrivateCredentials(KeyTab.class)) {
        if (!keytab.isBound()) {
            return true;
        }
    }
    return false;
}