1 /* 2 * Copyright 2005-2009 Sun Microsystems, Inc. All Rights Reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Sun designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Sun in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, 22 * CA 95054 USA or visit www.sun.com if you need additional information or 23 * have any questions. 24 */ 25 26 package sun.net.www.protocol.http; 27 28 import java.io.IOException; 29 30 import org.ietf.jgss.GSSContext; 31 import org.ietf.jgss.GSSException; 32 import org.ietf.jgss.GSSName; 33 import org.ietf.jgss.Oid; 34 35 import sun.security.jgss.GSSManagerImpl; 36 import sun.security.jgss.GSSUtil; 37 import sun.security.jgss.HttpCaller; 38 39 /** 40 * This class encapsulates all JAAS and JGSS API calls in a separate class 41 * outside NegotiateAuthentication.java so that J2SE build can go smoothly 42 * without the presence of it. 43 * 44 * @author weijun.wang@sun.com 45 * @since 1.6 46 */ 47 public class NegotiatorImpl extends Negotiator { 48 49 private static final boolean DEBUG = 50 java.security.AccessController.doPrivileged( 51 new sun.security.action.GetBooleanAction("sun.security.krb5.debug")); 52 53 private GSSContext context; 54 private byte[] oneToken; 55 56 /** 57 * Initialize the object, which includes:<ul> 58 * <li>Find out what GSS mechanism to use from the system property 59 * <code>http.negotiate.mechanism.oid</code>, defaults SPNEGO 60 * <li>Creating the GSSName for the target host, "HTTP/"+hostname 61 * <li>Creating GSSContext 62 * <li>A first call to initSecContext</ul> 63 */ 64 private void init(HttpCallerInfo hci) throws GSSException { 65 final Oid oid; 66 67 if (hci.scheme.equalsIgnoreCase("Kerberos")) { 68 // we can only use Kerberos mech when the scheme is kerberos 69 oid = GSSUtil.GSS_KRB5_MECH_OID; 70 } else { 71 String pref = java.security.AccessController.doPrivileged( 72 new java.security.PrivilegedAction<String>() { 73 public String run() { 74 return System.getProperty( 75 "http.auth.preference", 76 "spnego"); 77 } 78 }); 79 if (pref.equalsIgnoreCase("kerberos")) { 80 oid = GSSUtil.GSS_KRB5_MECH_OID; 81 } else { 82 // currently there is no 3rd mech we can use 83 oid = GSSUtil.GSS_SPNEGO_MECH_OID; 84 } 85 } 86 87 GSSManagerImpl manager = new GSSManagerImpl( 88 new HttpCaller(hci)); 89 90 // RFC 4559 4.1 uses uppercase service name "HTTP". 91 // RFC 4120 6.2.1 demands the host be lowercase 92 String peerName = "HTTP@" + hci.host.toLowerCase(); 93 94 GSSName serverName = manager.createName(peerName, 95 GSSName.NT_HOSTBASED_SERVICE); 96 context = manager.createContext(serverName, 97 oid, 98 null, 99 GSSContext.DEFAULT_LIFETIME); 100 101 // In order to support credential delegation in HTTP/SPNEGO, 102 // we always request it before initSecContext. The current 103 // implementation will check the OK-AS-DELEGATE flag inside 104 // the service ticket of the web server, and only enable 105 // delegation when this flag is set. This check is only 106 // performed when the GSS caller is CALLER_HTTP_NEGOTIATE, 107 // so all other normal GSS-API calls are not affected. 108 109 context.requestCredDeleg(true); 110 oneToken = context.initSecContext(new byte[0], 0, 0); 111 } 112 113 /** 114 * Constructor 115 * @throws java.io.IOException If negotiator cannot be constructed 116 */ 117 public NegotiatorImpl(HttpCallerInfo hci) throws IOException { 118 try { 119 init(hci); 120 } catch (GSSException e) { 121 if (DEBUG) { 122 System.out.println("Negotiate support not initiated, will " + 123 "fallback to other scheme if allowed. Reason:"); 124 e.printStackTrace(); 125 } 126 IOException ioe = new IOException("Negotiate support not initiated"); 127 ioe.initCause(e); 128 throw ioe; 129 } 130 } 131 132 /** 133 * Return the first token of GSS, in SPNEGO, it's called NegTokenInit 134 * @return the first token 135 */ 136 public byte[] firstToken() { 137 return oneToken; 138 } 139 140 /** 141 * Return the rest tokens of GSS, in SPNEGO, it's called NegTokenTarg 142 * @param token the token received from server 143 * @return the next token 144 * @throws java.io.IOException if the token cannot be created successfully 145 */ 146 public byte[] nextToken(byte[] token) throws IOException { 147 try { 148 return context.initSecContext(token, 0, token.length); 149 } catch (GSSException e) { 150 if (DEBUG) { 151 System.out.println("Negotiate support cannot continue. Reason:"); 152 e.printStackTrace(); 153 } 154 IOException ioe = new IOException("Negotiate support cannot continue"); 155 ioe.initCause(e); 156 throw ioe; 157 } 158 } 159 }