18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package com.sun.security.sasl.gsskerb;
27
28 import java.util.Map;
29 import java.util.logging.Level;
30 import javax.security.sasl.*;
31
32 import static java.nio.charset.StandardCharsets.UTF_8;
33
34 // JAAS
35 import javax.security.auth.callback.CallbackHandler;
36
37 // JGSS
38 import org.ietf.jgss.*;
39
40 /**
41 * Implements the GSSAPI SASL client mechanism for Kerberos V5.
42 * (<A HREF="http://www.ietf.org/rfc/rfc2222.txt">RFC 2222</A>,
43 * <a HREF="http://www.ietf.org/internet-drafts/draft-ietf-cat-sasl-gssapi-04.txt">draft-ietf-cat-sasl-gssapi-04.txt</a>).
44 * It uses the Java Bindings for GSSAPI
45 * (<A HREF="http://www.ietf.org/rfc/rfc2853.txt">RFC 2853</A>)
46 * for getting GSSAPI/Kerberos V5 support.
47 *
48 * The client/server interactions are:
49 * C0: bind (GSSAPI, initial response)
50 * S0: sasl-bind-in-progress, challenge 1 (output of accept_sec_context or [])
51 * C1: bind (GSSAPI, response 1 (output of init_sec_context or []))
52 * S1: sasl-bind-in-progress challenge 2 (security layer, server max recv size)
53 * C2: bind (GSSAPI, response 2 (security layer, client max recv size, authzid))
54 * S2: bind success response
55 *
56 * Expects the client's credentials to be supplied from the
57 * javax.security.sasl.credentials property or from the thread's Subject.
133 // mutual is by default true if there is a security layer
134 boolean mutual;
135 if ((allQop & INTEGRITY_ONLY_PROTECTION) != 0
136 || (allQop & PRIVACY_PROTECTION) != 0) {
137 mutual = true;
138 secCtx.requestSequenceDet(true);
139 } else {
140 mutual = false;
141 }
142
143 // User can override default mutual flag
144 if (props != null) {
145 // Mutual authentication
146 String prop = (String)props.get(Sasl.SERVER_AUTH);
147 if (prop != null) {
148 mutual = "true".equalsIgnoreCase(prop);
149 }
150 }
151 secCtx.requestMutualAuth(mutual);
152
153 // Always specify potential need for integrity and confidentiality
154 // Decision will be made during final handshake
155 secCtx.requestConf(true);
156 secCtx.requestInteg(true);
157
158 } catch (GSSException e) {
159 throw new SaslException("Failure to initialize security context", e);
160 }
161
162 if (authzID != null && authzID.length() > 0) {
163 this.authzID = authzID.getBytes(UTF_8);
164 }
165 }
166
167 public boolean hasInitialResponse() {
168 return true;
169 }
170
171 /**
172 * Processes the challenge data.
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package com.sun.security.sasl.gsskerb;
27
28 import java.util.Map;
29 import java.util.logging.Level;
30 import javax.security.sasl.*;
31
32 import static java.nio.charset.StandardCharsets.UTF_8;
33
34 // JAAS
35 import javax.security.auth.callback.CallbackHandler;
36
37 // JGSS
38 import sun.security.jgss.krb5.internal.TlsChannelBindingImpl;
39 import org.ietf.jgss.*;
40
41 /**
42 * Implements the GSSAPI SASL client mechanism for Kerberos V5.
43 * (<A HREF="http://www.ietf.org/rfc/rfc2222.txt">RFC 2222</A>,
44 * <a HREF="http://www.ietf.org/internet-drafts/draft-ietf-cat-sasl-gssapi-04.txt">draft-ietf-cat-sasl-gssapi-04.txt</a>).
45 * It uses the Java Bindings for GSSAPI
46 * (<A HREF="http://www.ietf.org/rfc/rfc2853.txt">RFC 2853</A>)
47 * for getting GSSAPI/Kerberos V5 support.
48 *
49 * The client/server interactions are:
50 * C0: bind (GSSAPI, initial response)
51 * S0: sasl-bind-in-progress, challenge 1 (output of accept_sec_context or [])
52 * C1: bind (GSSAPI, response 1 (output of init_sec_context or []))
53 * S1: sasl-bind-in-progress challenge 2 (security layer, server max recv size)
54 * C2: bind (GSSAPI, response 2 (security layer, client max recv size, authzid))
55 * S2: bind success response
56 *
57 * Expects the client's credentials to be supplied from the
58 * javax.security.sasl.credentials property or from the thread's Subject.
134 // mutual is by default true if there is a security layer
135 boolean mutual;
136 if ((allQop & INTEGRITY_ONLY_PROTECTION) != 0
137 || (allQop & PRIVACY_PROTECTION) != 0) {
138 mutual = true;
139 secCtx.requestSequenceDet(true);
140 } else {
141 mutual = false;
142 }
143
144 // User can override default mutual flag
145 if (props != null) {
146 // Mutual authentication
147 String prop = (String)props.get(Sasl.SERVER_AUTH);
148 if (prop != null) {
149 mutual = "true".equalsIgnoreCase(prop);
150 }
151 }
152 secCtx.requestMutualAuth(mutual);
153
154 if (props != null) {
155 // TLS Channel Binding
156 byte[] tlsCB = (byte[])props.get("jdk.internal.sasl.tlschannelbinding");
157 if (tlsCB != null) {
158 secCtx.setChannelBinding(new TlsChannelBindingImpl(tlsCB));
159 }
160 }
161
162 // Always specify potential need for integrity and confidentiality
163 // Decision will be made during final handshake
164 secCtx.requestConf(true);
165 secCtx.requestInteg(true);
166
167 } catch (GSSException e) {
168 throw new SaslException("Failure to initialize security context", e);
169 }
170
171 if (authzID != null && authzID.length() > 0) {
172 this.authzID = authzID.getBytes(UTF_8);
173 }
174 }
175
176 public boolean hasInitialResponse() {
177 return true;
178 }
179
180 /**
181 * Processes the challenge data.