1 /* 2 * Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 27 package com.sun.security.auth.module; 28 29 import java.io.*; 30 import java.text.MessageFormat; 31 import java.util.*; 32 33 import javax.security.auth.*; 34 import javax.security.auth.kerberos.KerberosTicket; 35 import javax.security.auth.kerberos.KerberosPrincipal; 36 import javax.security.auth.kerberos.KerberosKey; 37 import javax.security.auth.kerberos.KeyTab; 38 import javax.security.auth.callback.*; 39 import javax.security.auth.login.*; 40 import javax.security.auth.spi.*; 41 42 import sun.security.krb5.*; 43 import sun.security.jgss.krb5.Krb5Util; 44 import sun.security.krb5.Credentials; 45 import sun.security.util.HexDumpEncoder; 46 import static sun.security.util.ResourcesMgr.getAuthResourceString; 47 48 /** 49 * This {@code LoginModule} authenticates users using 50 * Kerberos protocols. 51 * 52 * <p> The configuration entry for {@code Krb5LoginModule} has 53 * several options that control the authentication process and 54 * additions to the {@code Subject}'s private credential 55 * set. Irrespective of these options, the {@code Subject}'s 56 * principal set and private credentials set are updated only when 57 * {@code commit} is called. 58 * When {@code commit} is called, the {@code KerberosPrincipal} 59 * is added to the {@code Subject}'s principal set (unless the 60 * {@code principal} is specified as "*"). If {@code isInitiator} 61 * is true, the {@code KerberosTicket} is 62 * added to the {@code Subject}'s private credentials. 63 * 64 * <p> If the configuration entry for {@code KerberosLoginModule} 65 * has the option {@code storeKey} set to true, then 66 * {@code KerberosKey} or {@code KeyTab} will also be added to the 67 * subject's private credentials. {@code KerberosKey}, the principal's 68 * key(s) will be derived from user's password, and {@code KeyTab} is 69 * the keytab used when {@code useKeyTab} is set to true. The 70 * {@code KeyTab} object is restricted to be used by the specified 71 * principal unless the principal value is "*". 72 * 73 * <p> This {@code LoginModule} recognizes the {@code doNotPrompt} 74 * option. If set to true the user will not be prompted for the password. 75 * 76 * <p> The user can specify the location of the ticket cache by using 77 * the option {@code ticketCache} in the configuration entry. 78 * 79 * <p>The user can specify the keytab location by using 80 * the option {@code keyTab} 81 * in the configuration entry. 82 * 83 * <p> The principal name can be specified in the configuration entry 84 * by using the option {@code principal}. The principal name 85 * can either be a simple user name, a service name such as 86 * {@code host/mission.eng.sun.com}, or "*". The principal can also 87 * be set using the system property {@systemProperty sun.security.krb5.principal}. 88 * This property is checked during login. If this property is not set, then 89 * the principal name from the configuration is used. In the 90 * case where the principal property is not set and the principal 91 * entry also does not exist, the user is prompted for the name. 92 * When this property of entry is set, and {@code useTicketCache} 93 * is set to true, only TGT belonging to this principal is used. 94 * 95 * <p> The following is a list of configuration options supported 96 * for {@code Krb5LoginModule}: 97 * <blockquote><dl> 98 * <dt>{@code refreshKrb5Config}:</dt> 99 * <dd> Set this to true, if you want the configuration 100 * to be refreshed before the {@code login} method is called.</dd> 101 * <dt>{@code useTicketCache}:</dt> 102 * <dd>Set this to true, if you want the 103 * TGT to be obtained from the ticket cache. Set this option 104 * to false if you do not want this module to use the ticket cache. 105 * (Default is False). 106 * This module will search for the ticket 107 * cache in the following locations: On Linux 108 * it will look for the ticket cache in /tmp/krb5cc_{@code uid} 109 * where the uid is numeric user identifier. If the ticket cache is 110 * not available in the above location, or if we are on a 111 * Windows platform, it will look for the cache as 112 * {user.home}{file.separator}krb5cc_{user.name}. 113 * You can override the ticket cache location by using 114 * {@code ticketCache}. 115 * For Windows, if a ticket cannot be retrieved from the file ticket cache, 116 * it will use Local Security Authority (LSA) API to get the TGT. 117 * <dt>{@code ticketCache}:</dt> 118 * <dd>Set this to the name of the ticket 119 * cache that contains user's TGT. 120 * If this is set, {@code useTicketCache} 121 * must also be set to true; Otherwise a configuration error will 122 * be returned.</dd> 123 * <dt>{@code renewTGT}:</dt> 124 * <dd>Set this to true, if you want to renew the TGT when it's more than 125 * half-way expired (the time until expiration is less than the time 126 * since start time). If this is set, {@code useTicketCache} must also be 127 * set to true; otherwise a configuration error will be returned.</dd> 128 * <dt>{@code doNotPrompt}:</dt> 129 * <dd>Set this to true if you do not want to be 130 * prompted for the password 131 * if credentials can not be obtained from the cache, the keytab, 132 * or through shared state.(Default is false) 133 * If set to true, credential must be obtained through cache, keytab, 134 * or shared state. Otherwise, authentication will fail.</dd> 135 * <dt>{@code useKeyTab}:</dt> 136 * <dd>Set this to true if you 137 * want the module to get the principal's key from the 138 * the keytab.(default value is False) 139 * If {@code keytab} is not set then 140 * the module will locate the keytab from the 141 * Kerberos configuration file. 142 * If it is not specified in the Kerberos configuration file 143 * then it will look for the file 144 * {@code {user.home}{file.separator}}krb5.keytab.</dd> 145 * <dt>{@code keyTab}:</dt> 146 * <dd>Set this to the file name of the 147 * keytab to get principal's secret key.</dd> 148 * <dt>{@code storeKey}:</dt> 149 * <dd>Set this to true to if you want the keytab or the 150 * principal's key to be stored in the Subject's private credentials. 151 * For {@code isInitiator} being false, if {@code principal} 152 * is "*", the {@link KeyTab} stored can be used by anyone, otherwise, 153 * it's restricted to be used by the specified principal only.</dd> 154 * <dt>{@code principal}:</dt> 155 * <dd>The name of the principal that should 156 * be used. The principal can be a simple username such as 157 * "{@code testuser}" or a service name such as 158 * "{@code host/testhost.eng.sun.com}". You can use the 159 * {@code principal} option to set the principal when there are 160 * credentials for multiple principals in the 161 * {@code keyTab} or when you want a specific ticket cache only. 162 * The principal can also be set using the system property 163 * {@code sun.security.krb5.principal}. In addition, if this 164 * system property is defined, then it will be used. If this property 165 * is not set, then the principal name from the configuration will be 166 * used. 167 * The principal name can be set to "*" when {@code isInitiator} is false. 168 * In this case, the acceptor is not bound to a single principal. It can 169 * act as any principal an initiator requests if keys for that principal 170 * can be found. When {@code isInitiator} is true, the principal name 171 * cannot be set to "*". 172 * </dd> 173 * <dt>{@code isInitiator}:</dt> 174 * <dd>Set this to true, if initiator. Set this to false, if acceptor only. 175 * (Default is true). 176 * Note: Do not set this value to false for initiators.</dd> 177 * </dl></blockquote> 178 * 179 * <p> This {@code LoginModule} also recognizes the following additional 180 * {@code Configuration} 181 * options that enable you to share username and passwords across different 182 * authentication modules: 183 * <blockquote><dl> 184 * 185 * <dt>{@code useFirstPass}:</dt> 186 * <dd>if, true, this LoginModule retrieves the 187 * username and password from the module's shared state, 188 * using "javax.security.auth.login.name" and 189 * "javax.security.auth.login.password" as the respective 190 * keys. The retrieved values are used for authentication. 191 * If authentication fails, no attempt for a retry 192 * is made, and the failure is reported back to the 193 * calling application.</dd> 194 * 195 * <dt>{@code tryFirstPass}:</dt> 196 * <dd>if, true, this LoginModule retrieves the 197 * the username and password from the module's shared 198 * state using "javax.security.auth.login.name" and 199 * "javax.security.auth.login.password" as the respective 200 * keys. The retrieved values are used for 201 * authentication. 202 * If authentication fails, the module uses the 203 * CallbackHandler to retrieve a new username 204 * and password, and another attempt to authenticate 205 * is made. If the authentication fails, 206 * the failure is reported back to the calling application</dd> 207 * 208 * <dt>{@code storePass}:</dt> 209 * <dd>if, true, this LoginModule stores the username and 210 * password obtained from the CallbackHandler in the 211 * modules shared state, using 212 * "javax.security.auth.login.name" and 213 * "javax.security.auth.login.password" as the respective 214 * keys. This is not performed if existing values already 215 * exist for the username and password in the shared 216 * state, or if authentication fails.</dd> 217 * 218 * <dt>{@code clearPass}:</dt> 219 * <dd>if, true, this LoginModule clears the 220 * username and password stored in the module's shared 221 * state after both phases of authentication 222 * (login and commit) have completed.</dd> 223 * </dl></blockquote> 224 * <p>If the principal system property or key is already provided, the value of 225 * "javax.security.auth.login.name" in the shared state is ignored. 226 * <p>When multiple mechanisms to retrieve a ticket or key is provided, the 227 * preference order is: 228 * <ol> 229 * <li>ticket cache 230 * <li>keytab 231 * <li>shared state 232 * <li>user prompt 233 * </ol> 234 * 235 * <p>Note that if any step fails, it will fallback to the next step. 236 * There's only one exception, if the shared state step fails and 237 * {@code useFirstPass = true}, no user prompt is made. 238 * <p>Examples of some configuration values for Krb5LoginModule in 239 * JAAS config file and the results are: 240 * <blockquote> 241 * <pre>{@code 242 * doNotPrompt = true}</pre> 243 * This is an illegal combination since none of {@code useTicketCache, 244 * useKeyTab, useFirstPass} and {@code tryFirstPass} 245 * is set and the user can not be prompted for the password. 246 * 247 * <pre>{@code 248 * ticketCache = <filename>}</pre> 249 * This is an illegal combination since {@code useTicketCache} 250 * is not set to true and the ticketCache is set. A configuration error 251 * will occur. 252 * 253 * <pre>{@code 254 * renewTGT = true}</pre> 255 * This is an illegal combination since {@code useTicketCache} is 256 * not set to true and renewTGT is set. A configuration error will occur. 257 * 258 * <pre>{@code 259 * storeKey = true useTicketCache = true doNotPrompt = true}</pre> 260 * This is an illegal combination since {@code storeKey} is set to 261 * true but the key can not be obtained either by prompting the user or from 262 * the keytab, or from the shared state. A configuration error will occur. 263 * 264 * <pre>{@code 265 * keyTab = <filename> doNotPrompt = true}</pre> 266 * This is an illegal combination since useKeyTab is not set to true and 267 * the keyTab is set. A configuration error will occur. 268 * 269 * <pre>{@code 270 * debug = true}</pre> 271 * Prompt the user for the principal name and the password. 272 * Use the authentication exchange to get TGT from the KDC and 273 * populate the {@code Subject} with the principal and TGT. 274 * Output debug messages. 275 * 276 * <pre>{@code 277 * useTicketCache = true doNotPrompt = true}</pre> 278 * Check the default cache for TGT and populate the {@code Subject} 279 * with the principal and TGT. If the TGT is not available, 280 * do not prompt the user, instead fail the authentication. 281 * 282 * <pre>{@code 283 * principal = <name> useTicketCache = true doNotPrompt = true}</pre> 284 * Get the TGT from the default cache for the principal and populate the 285 * Subject's principal and private creds set. If ticket cache is 286 * not available or does not contain the principal's TGT 287 * authentication will fail. 288 * 289 * <pre>{@code 290 * useTicketCache = true 291 * ticketCache = <file name> 292 * useKeyTab = true 293 * keyTab = <keytab filename> 294 * principal = <principal name> 295 * doNotPrompt = true}</pre> 296 * Search the cache for the principal's TGT. If it is not available 297 * use the key in the keytab to perform authentication exchange with the 298 * KDC and acquire the TGT. 299 * The Subject will be populated with the principal and the TGT. 300 * If the key is not available or valid then authentication will fail. 301 * 302 * <pre>{@code 303 * useTicketCache = true ticketCache = <filename>}</pre> 304 * The TGT will be obtained from the cache specified. 305 * The Kerberos principal name used will be the principal name in 306 * the Ticket cache. If the TGT is not available in the 307 * ticket cache the user will be prompted for the principal name 308 * and the password. The TGT will be obtained using the authentication 309 * exchange with the KDC. 310 * The Subject will be populated with the TGT. 311 * 312 * <pre>{@code 313 * useKeyTab = true keyTab=<keytab filename> principal = <principal name> storeKey = true}</pre> 314 * The key for the principal will be retrieved from the keytab. 315 * If the key is not available in the keytab the user will be prompted 316 * for the principal's password. The Subject will be populated 317 * with the principal's key either from the keytab or derived from the 318 * password entered. 319 * 320 * <pre>{@code 321 * useKeyTab = true keyTab = <keytabname> storeKey = true doNotPrompt = false}</pre> 322 * The user will be prompted for the service principal name. 323 * If the principal's 324 * longterm key is available in the keytab , it will be added to the 325 * Subject's private credentials. An authentication exchange will be 326 * attempted with the principal name and the key from the Keytab. 327 * If successful the TGT will be added to the 328 * Subject's private credentials set. Otherwise the authentication will fail. 329 * 330 * <pre>{@code 331 * isInitiator = false useKeyTab = true keyTab = <keytabname> storeKey = true principal = *}</pre> 332 * The acceptor will be an unbound acceptor and it can act as any principal 333 * as long that principal has keys in the keytab. 334 * 335 * <pre>{@code 336 * useTicketCache = true 337 * ticketCache = <file name> 338 * useKeyTab = true 339 * keyTab = <file name> 340 * storeKey = true 341 * principal = <principal name>}</pre> 342 * The client's TGT will be retrieved from the ticket cache and added to the 343 * {@code Subject}'s private credentials. If the TGT is not available 344 * in the ticket cache, or the TGT's client name does not match the principal 345 * name, Java will use a secret key to obtain the TGT using the authentication 346 * exchange and added to the Subject's private credentials. 347 * This secret key will be first retrieved from the keytab. If the key 348 * is not available, the user will be prompted for the password. In either 349 * case, the key derived from the password will be added to the 350 * Subject's private credentials set. 351 * 352 * <pre>{@code 353 * isInitiator = false}</pre> 354 * Configured to act as acceptor only, credentials are not acquired 355 * via AS exchange. For acceptors only, set this value to false. 356 * For initiators, do not set this value to false. 357 * 358 * <pre>{@code 359 * isInitiator = true}</pre> 360 * Configured to act as initiator, credentials are acquired 361 * via AS exchange. For initiators, set this value to true, or leave this 362 * option unset, in which case default value (true) will be used. 363 * 364 * </blockquote> 365 * 366 * @author Ram Marti 367 */ 368 369 public class Krb5LoginModule implements LoginModule { 370 371 // initial state 372 private Subject subject; 373 private CallbackHandler callbackHandler; 374 private Map<String, Object> sharedState; 375 private Map<String, ?> options; 376 377 // configurable option 378 private boolean debug = false; 379 private boolean storeKey = false; 380 private boolean doNotPrompt = false; 381 private boolean useTicketCache = false; 382 private boolean useKeyTab = false; 383 private String ticketCacheName = null; 384 private String keyTabName = null; 385 private String princName = null; 386 387 private boolean useFirstPass = false; 388 private boolean tryFirstPass = false; 389 private boolean storePass = false; 390 private boolean clearPass = false; 391 private boolean refreshKrb5Config = false; 392 private boolean renewTGT = false; 393 394 // specify if initiator. 395 // perform authentication exchange if initiator 396 private boolean isInitiator = true; 397 398 // the authentication status 399 private boolean succeeded = false; 400 private boolean commitSucceeded = false; 401 private String username; 402 403 // Encryption keys calculated from password. Assigned when storekey == true 404 // and useKeyTab == false (or true but not found) 405 private EncryptionKey[] encKeys = null; 406 407 KeyTab ktab = null; 408 409 private Credentials cred = null; 410 411 private PrincipalName principal = null; 412 private KerberosPrincipal kerbClientPrinc = null; 413 private KerberosTicket kerbTicket = null; 414 private KerberosKey[] kerbKeys = null; 415 private StringBuffer krb5PrincName = null; 416 private boolean unboundServer = false; 417 private char[] password = null; 418 419 private static final String NAME = "javax.security.auth.login.name"; 420 private static final String PWD = "javax.security.auth.login.password"; 421 422 /** 423 * Initialize this {@code LoginModule}. 424 * 425 * @param subject the {@code Subject} to be authenticated. 426 * 427 * @param callbackHandler a {@code CallbackHandler} for 428 * communication with the end user (prompting for 429 * usernames and passwords, for example). 430 * 431 * @param sharedState shared {@code LoginModule} state. 432 * 433 * @param options options specified in the login 434 * {@code Configuration} for this particular 435 * {@code LoginModule}. 436 */ 437 // Unchecked warning from (Map<String, Object>)sharedState is safe 438 // since javax.security.auth.login.LoginContext passes a raw HashMap. 439 // Unchecked warnings from options.get(String) are safe since we are 440 // passing known keys. 441 @SuppressWarnings("unchecked") 442 public void initialize(Subject subject, 443 CallbackHandler callbackHandler, 444 Map<String, ?> sharedState, 445 Map<String, ?> options) { 446 447 this.subject = subject; 448 this.callbackHandler = callbackHandler; 449 this.sharedState = (Map<String, Object>)sharedState; 450 this.options = options; 451 452 // initialize any configured options 453 454 debug = "true".equalsIgnoreCase((String)options.get("debug")); 455 storeKey = "true".equalsIgnoreCase((String)options.get("storeKey")); 456 doNotPrompt = "true".equalsIgnoreCase((String)options.get 457 ("doNotPrompt")); 458 useTicketCache = "true".equalsIgnoreCase((String)options.get 459 ("useTicketCache")); 460 useKeyTab = "true".equalsIgnoreCase((String)options.get("useKeyTab")); 461 ticketCacheName = (String)options.get("ticketCache"); 462 keyTabName = (String)options.get("keyTab"); 463 if (keyTabName != null) { 464 keyTabName = sun.security.krb5.internal.ktab.KeyTab.normalize( 465 keyTabName); 466 } 467 princName = (String)options.get("principal"); 468 refreshKrb5Config = 469 "true".equalsIgnoreCase((String)options.get("refreshKrb5Config")); 470 renewTGT = 471 "true".equalsIgnoreCase((String)options.get("renewTGT")); 472 473 // check isInitiator value 474 String isInitiatorValue = ((String)options.get("isInitiator")); 475 if (isInitiatorValue == null) { 476 // use default, if value not set 477 } else { 478 isInitiator = "true".equalsIgnoreCase(isInitiatorValue); 479 } 480 481 tryFirstPass = 482 "true".equalsIgnoreCase 483 ((String)options.get("tryFirstPass")); 484 useFirstPass = 485 "true".equalsIgnoreCase 486 ((String)options.get("useFirstPass")); 487 storePass = 488 "true".equalsIgnoreCase((String)options.get("storePass")); 489 clearPass = 490 "true".equalsIgnoreCase((String)options.get("clearPass")); 491 if (debug) { 492 System.out.print("Debug is " + debug 493 + " storeKey " + storeKey 494 + " useTicketCache " + useTicketCache 495 + " useKeyTab " + useKeyTab 496 + " doNotPrompt " + doNotPrompt 497 + " ticketCache is " + ticketCacheName 498 + " isInitiator " + isInitiator 499 + " KeyTab is " + keyTabName 500 + " refreshKrb5Config is " + refreshKrb5Config 501 + " principal is " + princName 502 + " tryFirstPass is " + tryFirstPass 503 + " useFirstPass is " + useFirstPass 504 + " storePass is " + storePass 505 + " clearPass is " + clearPass + "\n"); 506 } 507 } 508 509 510 /** 511 * Authenticate the user 512 * 513 * @return true in all cases since this {@code LoginModule} 514 * should not be ignored. 515 * 516 * @exception FailedLoginException if the authentication fails. 517 * 518 * @exception LoginException if this {@code LoginModule} 519 * is unable to perform the authentication. 520 */ 521 public boolean login() throws LoginException { 522 523 if (refreshKrb5Config) { 524 try { 525 if (debug) { 526 System.out.println("Refreshing Kerberos configuration"); 527 } 528 sun.security.krb5.Config.refresh(); 529 } catch (KrbException ke) { 530 LoginException le = new LoginException(ke.getMessage()); 531 le.initCause(ke); 532 throw le; 533 } 534 } 535 String principalProperty = System.getProperty 536 ("sun.security.krb5.principal"); 537 if (principalProperty != null) { 538 krb5PrincName = new StringBuffer(principalProperty); 539 } else { 540 if (princName != null) { 541 krb5PrincName = new StringBuffer(princName); 542 } 543 } 544 545 validateConfiguration(); 546 547 if (krb5PrincName != null && krb5PrincName.toString().equals("*")) { 548 unboundServer = true; 549 } 550 551 if (tryFirstPass) { 552 try { 553 attemptAuthentication(true); 554 if (debug) 555 System.out.println("\t\t[Krb5LoginModule] " + 556 "authentication succeeded"); 557 succeeded = true; 558 cleanState(); 559 return true; 560 } catch (LoginException le) { 561 // authentication failed -- try again below by prompting 562 cleanState(); 563 if (debug) { 564 System.out.println("\t\t[Krb5LoginModule] " + 565 "tryFirstPass failed with:" + 566 le.getMessage()); 567 } 568 } 569 } else if (useFirstPass) { 570 try { 571 attemptAuthentication(true); 572 succeeded = true; 573 cleanState(); 574 return true; 575 } catch (LoginException e) { 576 // authentication failed -- clean out state 577 if (debug) { 578 System.out.println("\t\t[Krb5LoginModule] " + 579 "authentication failed \n" + 580 e.getMessage()); 581 } 582 succeeded = false; 583 cleanState(); 584 throw e; 585 } 586 } 587 588 // attempt the authentication by getting the username and pwd 589 // by prompting or configuration i.e. not from shared state 590 591 try { 592 attemptAuthentication(false); 593 succeeded = true; 594 cleanState(); 595 return true; 596 } catch (LoginException e) { 597 // authentication failed -- clean out state 598 if (debug) { 599 System.out.println("\t\t[Krb5LoginModule] " + 600 "authentication failed \n" + 601 e.getMessage()); 602 } 603 succeeded = false; 604 cleanState(); 605 throw e; 606 } 607 } 608 /** 609 * process the configuration options 610 * Get the TGT either out of 611 * cache or from the KDC using the password entered 612 * Check the permission before getting the TGT 613 */ 614 615 private void attemptAuthentication(boolean getPasswdFromSharedState) 616 throws LoginException { 617 618 /* 619 * Check the creds cache to see whether 620 * we have TGT for this client principal 621 */ 622 if (krb5PrincName != null) { 623 try { 624 principal = new PrincipalName 625 (krb5PrincName.toString(), 626 PrincipalName.KRB_NT_PRINCIPAL); 627 } catch (KrbException e) { 628 LoginException le = new LoginException(e.getMessage()); 629 le.initCause(e); 630 throw le; 631 } 632 } 633 634 try { 635 if (useTicketCache) { 636 // ticketCacheName == null implies the default cache 637 if (debug) 638 System.out.println("Acquire TGT from Cache"); 639 cred = Credentials.acquireTGTFromCache 640 (principal, ticketCacheName); 641 642 if (cred != null) { 643 if (renewTGT && isOld(cred)) { 644 // renew if ticket is old. 645 Credentials newCred = renewCredentials(cred); 646 if (newCred != null) { 647 newCred.setProxy(cred.getProxy()); 648 cred = newCred; 649 } 650 } 651 if (!isCurrent(cred)) { 652 // credentials have expired 653 cred = null; 654 if (debug) 655 System.out.println("Credentials are" + 656 " no longer valid"); 657 } 658 } 659 660 if (cred != null) { 661 // get the principal name from the ticket cache 662 if (principal == null) { 663 principal = cred.getClient(); 664 } 665 } 666 if (debug) { 667 System.out.println("Principal is " + principal); 668 if (cred == null) { 669 System.out.println 670 ("null credentials from Ticket Cache"); 671 } 672 } 673 } 674 675 // cred = null indicates that we didn't get the creds 676 // from the cache or useTicketCache was false 677 678 if (cred == null) { 679 // We need the principal name whether we use keytab 680 // or AS Exchange 681 if (principal == null) { 682 promptForName(getPasswdFromSharedState); 683 principal = new PrincipalName 684 (krb5PrincName.toString(), 685 PrincipalName.KRB_NT_PRINCIPAL); 686 } 687 688 /* 689 * Before dynamic KeyTab support (6894072), here we check if 690 * the keytab contains keys for the principal. If no, keytab 691 * will not be used and password is prompted for. 692 * 693 * After 6894072, we normally don't check it, and expect the 694 * keys can be populated until a real connection is made. The 695 * check is still done when isInitiator == true, where the keys 696 * will be used right now. 697 * 698 * Probably tricky relations: 699 * 700 * useKeyTab is config flag, but when it's true but the ktab 701 * does not contains keys for principal, we would use password 702 * and keep the flag unchanged (for reuse?). In this method, 703 * we use (ktab != null) to check whether keytab is used. 704 * After this method (and when storeKey == true), we use 705 * (encKeys == null) to check. 706 */ 707 if (useKeyTab) { 708 if (!unboundServer) { 709 KerberosPrincipal kp = 710 new KerberosPrincipal(principal.getName()); 711 ktab = (keyTabName == null) 712 ? KeyTab.getInstance(kp) 713 : KeyTab.getInstance(kp, new File(keyTabName)); 714 } else { 715 ktab = (keyTabName == null) 716 ? KeyTab.getUnboundInstance() 717 : KeyTab.getUnboundInstance(new File(keyTabName)); 718 } 719 if (isInitiator) { 720 if (Krb5Util.keysFromJavaxKeyTab(ktab, principal).length 721 == 0) { 722 ktab = null; 723 if (debug) { 724 System.out.println 725 ("Key for the principal " + 726 principal + 727 " not available in " + 728 ((keyTabName == null) ? 729 "default key tab" : keyTabName)); 730 } 731 } 732 } 733 } 734 735 KrbAsReqBuilder builder; 736 737 if (ktab == null) { 738 promptForPass(getPasswdFromSharedState); 739 builder = new KrbAsReqBuilder(principal, password); 740 if (isInitiator) { 741 // XXX Even if isInitiator=false, it might be 742 // better to do an AS-REQ so that keys can be 743 // updated with PA info 744 cred = builder.action().getCreds(); 745 } 746 if (storeKey) { 747 encKeys = builder.getKeys(isInitiator); 748 // When encKeys is empty, the login actually fails. 749 // For compatibility, exception is thrown in commit(). 750 } 751 } else { 752 builder = new KrbAsReqBuilder(principal, ktab); 753 if (isInitiator) { 754 cred = builder.action().getCreds(); 755 } 756 } 757 builder.destroy(); 758 759 if (debug) { 760 System.out.println("principal is " + principal); 761 HexDumpEncoder hd = new HexDumpEncoder(); 762 if (ktab != null) { 763 System.out.println("Will use keytab"); 764 } else if (storeKey) { 765 for (int i = 0; i < encKeys.length; i++) { 766 System.out.println("EncryptionKey: keyType=" + 767 encKeys[i].getEType() + 768 " keyBytes (hex dump)=" + 769 hd.encodeBuffer(encKeys[i].getBytes())); 770 } 771 } 772 } 773 774 // we should hava a non-null cred 775 if (isInitiator && (cred == null)) { 776 throw new LoginException 777 ("TGT Can not be obtained from the KDC "); 778 } 779 780 } 781 } catch (KrbException e) { 782 LoginException le = new LoginException(e.getMessage()); 783 le.initCause(e); 784 throw le; 785 } catch (IOException ioe) { 786 LoginException ie = new LoginException(ioe.getMessage()); 787 ie.initCause(ioe); 788 throw ie; 789 } 790 } 791 792 private void promptForName(boolean getPasswdFromSharedState) 793 throws LoginException { 794 krb5PrincName = new StringBuffer(""); 795 if (getPasswdFromSharedState) { 796 // use the name saved by the first module in the stack 797 username = (String)sharedState.get(NAME); 798 if (debug) { 799 System.out.println 800 ("username from shared state is " + username + "\n"); 801 } 802 if (username == null) { 803 System.out.println 804 ("username from shared state is null\n"); 805 throw new LoginException 806 ("Username can not be obtained from sharedstate "); 807 } 808 if (debug) { 809 System.out.println 810 ("username from shared state is " + username + "\n"); 811 } 812 if (username != null && username.length() > 0) { 813 krb5PrincName.insert(0, username); 814 return; 815 } 816 } 817 818 if (doNotPrompt) { 819 throw new LoginException 820 ("Unable to obtain Principal Name for authentication "); 821 } else { 822 if (callbackHandler == null) 823 throw new LoginException("No CallbackHandler " 824 + "available " 825 + "to garner authentication " 826 + "information from the user"); 827 try { 828 String defUsername = System.getProperty("user.name"); 829 830 Callback[] callbacks = new Callback[1]; 831 MessageFormat form = new MessageFormat( 832 getAuthResourceString( 833 "Kerberos.username.defUsername.")); 834 Object[] source = {defUsername}; 835 callbacks[0] = new NameCallback(form.format(source)); 836 callbackHandler.handle(callbacks); 837 username = ((NameCallback)callbacks[0]).getName(); 838 if (username == null || username.length() == 0) 839 username = defUsername; 840 krb5PrincName.insert(0, username); 841 842 } catch (java.io.IOException ioe) { 843 throw new LoginException(ioe.getMessage()); 844 } catch (UnsupportedCallbackException uce) { 845 throw new LoginException 846 (uce.getMessage() 847 +" not available to garner " 848 +" authentication information " 849 +" from the user"); 850 } 851 } 852 } 853 854 private void promptForPass(boolean getPasswdFromSharedState) 855 throws LoginException { 856 857 if (getPasswdFromSharedState) { 858 // use the password saved by the first module in the stack 859 password = (char[])sharedState.get(PWD); 860 if (password == null) { 861 if (debug) { 862 System.out.println 863 ("Password from shared state is null"); 864 } 865 throw new LoginException 866 ("Password can not be obtained from sharedstate "); 867 } 868 if (debug) { 869 System.out.println 870 ("password is " + new String(password)); 871 } 872 return; 873 } 874 if (doNotPrompt) { 875 throw new LoginException 876 ("Unable to obtain password from user\n"); 877 } else { 878 if (callbackHandler == null) 879 throw new LoginException("No CallbackHandler " 880 + "available " 881 + "to garner authentication " 882 + "information from the user"); 883 try { 884 Callback[] callbacks = new Callback[1]; 885 String userName = krb5PrincName.toString(); 886 MessageFormat form = new MessageFormat( 887 getAuthResourceString( 888 "Kerberos.password.for.username.")); 889 Object[] source = {userName}; 890 callbacks[0] = new PasswordCallback( 891 form.format(source), 892 false); 893 callbackHandler.handle(callbacks); 894 char[] tmpPassword = ((PasswordCallback) 895 callbacks[0]).getPassword(); 896 if (tmpPassword == null) { 897 throw new LoginException("No password provided"); 898 } 899 password = new char[tmpPassword.length]; 900 System.arraycopy(tmpPassword, 0, 901 password, 0, tmpPassword.length); 902 ((PasswordCallback)callbacks[0]).clearPassword(); 903 904 905 // clear tmpPassword 906 for (int i = 0; i < tmpPassword.length; i++) 907 tmpPassword[i] = ' '; 908 tmpPassword = null; 909 if (debug) { 910 System.out.println("\t\t[Krb5LoginModule] " + 911 "user entered username: " + 912 krb5PrincName); 913 System.out.println(); 914 } 915 } catch (java.io.IOException ioe) { 916 throw new LoginException(ioe.getMessage()); 917 } catch (UnsupportedCallbackException uce) { 918 throw new LoginException(uce.getMessage() 919 +" not available to garner " 920 +" authentication information " 921 + "from the user"); 922 } 923 } 924 } 925 926 private void validateConfiguration() throws LoginException { 927 if (doNotPrompt && !useTicketCache && !useKeyTab 928 && !tryFirstPass && !useFirstPass) 929 throw new LoginException 930 ("Configuration Error" 931 + " - either doNotPrompt should be " 932 + " false or at least one of useTicketCache, " 933 + " useKeyTab, tryFirstPass and useFirstPass" 934 + " should be true"); 935 if (ticketCacheName != null && !useTicketCache) 936 throw new LoginException 937 ("Configuration Error " 938 + " - useTicketCache should be set " 939 + "to true to use the ticket cache" 940 + ticketCacheName); 941 if (keyTabName != null & !useKeyTab) 942 throw new LoginException 943 ("Configuration Error - useKeyTab should be set to true " 944 + "to use the keytab" + keyTabName); 945 if (storeKey && doNotPrompt && !useKeyTab 946 && !tryFirstPass && !useFirstPass) 947 throw new LoginException 948 ("Configuration Error - either doNotPrompt should be set to " 949 + " false or at least one of tryFirstPass, useFirstPass " 950 + "or useKeyTab must be set to true for storeKey option"); 951 if (renewTGT && !useTicketCache) 952 throw new LoginException 953 ("Configuration Error" 954 + " - either useTicketCache should be " 955 + " true or renewTGT should be false"); 956 if (krb5PrincName != null && krb5PrincName.toString().equals("*")) { 957 if (isInitiator) { 958 throw new LoginException 959 ("Configuration Error" 960 + " - principal cannot be * when isInitiator is true"); 961 } 962 } 963 } 964 965 private static boolean isCurrent(Credentials creds) 966 { 967 Date endTime = creds.getEndTime(); 968 if (endTime != null) { 969 return (System.currentTimeMillis() <= endTime.getTime()); 970 } 971 return true; 972 } 973 974 private static boolean isOld(Credentials creds) 975 { 976 Date endTime = creds.getEndTime(); 977 if (endTime != null) { 978 Date authTime = creds.getAuthTime(); 979 long now = System.currentTimeMillis(); 980 if (authTime != null) { 981 // pass the mid between auth and end 982 return now - authTime.getTime() > endTime.getTime() - now; 983 } else { 984 // will expire in less than 2 hours 985 return now <= endTime.getTime() - 1000*3600*2L; 986 } 987 } 988 return false; 989 } 990 991 private Credentials renewCredentials(Credentials creds) 992 { 993 Credentials lcreds; 994 try { 995 if (!creds.isRenewable()) 996 throw new RefreshFailedException("This ticket" + 997 " is not renewable"); 998 if (creds.getRenewTill() == null) { 999 // Renewable ticket without renew-till. Illegal and ignored. 1000 return creds; 1001 } 1002 if (System.currentTimeMillis() > cred.getRenewTill().getTime()) 1003 throw new RefreshFailedException("This ticket is past " 1004 + "its last renewal time."); 1005 lcreds = creds.renew(); 1006 if (debug) 1007 System.out.println("Renewed Kerberos Ticket"); 1008 } catch (Exception e) { 1009 lcreds = null; 1010 if (debug) 1011 System.out.println("Ticket could not be renewed : " 1012 + e.getMessage()); 1013 } 1014 return lcreds; 1015 } 1016 1017 /** 1018 * This method is called if the LoginContext's 1019 * overall authentication succeeded 1020 * (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL 1021 * LoginModules succeeded). 1022 * 1023 * <p> If this LoginModule's own authentication attempt 1024 * succeeded (checked by retrieving the private state saved by the 1025 * {@code login} method), then this method associates a 1026 * {@code Krb5Principal} 1027 * with the {@code Subject} located in the 1028 * {@code LoginModule}. It adds Kerberos Credentials to the 1029 * the Subject's private credentials set. If this LoginModule's own 1030 * authentication attempted failed, then this method removes 1031 * any state that was originally saved. 1032 * 1033 * @exception LoginException if the commit fails. 1034 * 1035 * @return true if this LoginModule's own login and commit 1036 * attempts succeeded, or false otherwise. 1037 */ 1038 1039 public boolean commit() throws LoginException { 1040 1041 /* 1042 * Let us add the Krb5 Creds to the Subject's 1043 * private credentials. The credentials are of type 1044 * KerberosKey or KerberosTicket 1045 */ 1046 if (succeeded == false) { 1047 return false; 1048 } else { 1049 1050 if (isInitiator && (cred == null)) { 1051 succeeded = false; 1052 throw new LoginException("Null Client Credential"); 1053 } 1054 1055 if (subject.isReadOnly()) { 1056 cleanKerberosCred(); 1057 throw new LoginException("Subject is Readonly"); 1058 } 1059 1060 /* 1061 * Add the Principal (authenticated identity) 1062 * to the Subject's principal set and 1063 * add the credentials (TGT or Service key) to the 1064 * Subject's private credentials 1065 */ 1066 1067 Set<Object> privCredSet = subject.getPrivateCredentials(); 1068 Set<java.security.Principal> princSet = subject.getPrincipals(); 1069 kerbClientPrinc = new KerberosPrincipal(principal.getName()); 1070 1071 // create Kerberos Ticket 1072 if (isInitiator) { 1073 kerbTicket = Krb5Util.credsToTicket(cred); 1074 if (cred.getProxy() != null) { 1075 KerberosSecrets.getJavaxSecurityAuthKerberosAccess() 1076 .kerberosTicketSetProxy(kerbTicket,Krb5Util.credsToTicket(cred.getProxy())); 1077 } 1078 } 1079 1080 if (storeKey && encKeys != null) { 1081 if (encKeys.length == 0) { 1082 succeeded = false; 1083 throw new LoginException("Null Server Key "); 1084 } 1085 1086 kerbKeys = new KerberosKey[encKeys.length]; 1087 for (int i = 0; i < encKeys.length; i ++) { 1088 Integer temp = encKeys[i].getKeyVersionNumber(); 1089 kerbKeys[i] = new KerberosKey(kerbClientPrinc, 1090 encKeys[i].getBytes(), 1091 encKeys[i].getEType(), 1092 (temp == null? 1093 0: temp.intValue())); 1094 } 1095 1096 } 1097 // Let us add the kerbClientPrinc,kerbTicket and KeyTab/KerbKey (if 1098 // storeKey is true) 1099 1100 // We won't add "*" as a KerberosPrincipal 1101 if (!unboundServer && 1102 !princSet.contains(kerbClientPrinc)) { 1103 princSet.add(kerbClientPrinc); 1104 } 1105 1106 // add the TGT 1107 if (kerbTicket != null) { 1108 if (!privCredSet.contains(kerbTicket)) 1109 privCredSet.add(kerbTicket); 1110 } 1111 1112 if (storeKey) { 1113 if (encKeys == null) { 1114 if (ktab != null) { 1115 if (!privCredSet.contains(ktab)) { 1116 privCredSet.add(ktab); 1117 } 1118 } else { 1119 succeeded = false; 1120 throw new LoginException("No key to store"); 1121 } 1122 } else { 1123 for (int i = 0; i < kerbKeys.length; i ++) { 1124 if (!privCredSet.contains(kerbKeys[i])) { 1125 privCredSet.add(kerbKeys[i]); 1126 } 1127 encKeys[i].destroy(); 1128 encKeys[i] = null; 1129 if (debug) { 1130 System.out.println("Added server's key" 1131 + kerbKeys[i]); 1132 System.out.println("\t\t[Krb5LoginModule] " + 1133 "added Krb5Principal " + 1134 kerbClientPrinc.toString() 1135 + " to Subject"); 1136 } 1137 } 1138 } 1139 } 1140 } 1141 commitSucceeded = true; 1142 if (debug) 1143 System.out.println("Commit Succeeded \n"); 1144 return true; 1145 } 1146 1147 /** 1148 * This method is called if the LoginContext's 1149 * overall authentication failed. 1150 * (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL 1151 * LoginModules did not succeed). 1152 * 1153 * <p> If this LoginModule's own authentication attempt 1154 * succeeded (checked by retrieving the private state saved by the 1155 * {@code login} and {@code commit} methods), 1156 * then this method cleans up any state that was originally saved. 1157 * 1158 * @exception LoginException if the abort fails. 1159 * 1160 * @return false if this LoginModule's own login and/or commit attempts 1161 * failed, and true otherwise. 1162 */ 1163 1164 public boolean abort() throws LoginException { 1165 if (succeeded == false) { 1166 return false; 1167 } else if (succeeded == true && commitSucceeded == false) { 1168 // login succeeded but overall authentication failed 1169 succeeded = false; 1170 cleanKerberosCred(); 1171 } else { 1172 // overall authentication succeeded and commit succeeded, 1173 // but someone else's commit failed 1174 logout(); 1175 } 1176 return true; 1177 } 1178 1179 /** 1180 * Logout the user. 1181 * 1182 * <p> This method removes the {@code Krb5Principal} 1183 * that was added by the {@code commit} method. 1184 * 1185 * @exception LoginException if the logout fails. 1186 * 1187 * @return true in all cases since this {@code LoginModule} 1188 * should not be ignored. 1189 */ 1190 public boolean logout() throws LoginException { 1191 1192 if (debug) { 1193 System.out.println("\t\t[Krb5LoginModule]: " + 1194 "Entering logout"); 1195 } 1196 1197 if (subject.isReadOnly()) { 1198 cleanKerberosCred(); 1199 throw new LoginException("Subject is Readonly"); 1200 } 1201 1202 subject.getPrincipals().remove(kerbClientPrinc); 1203 // Let us remove all Kerberos credentials stored in the Subject 1204 Iterator<Object> it = subject.getPrivateCredentials().iterator(); 1205 while (it.hasNext()) { 1206 Object o = it.next(); 1207 if (o instanceof KerberosTicket || 1208 o instanceof KerberosKey || 1209 o instanceof KeyTab) { 1210 it.remove(); 1211 } 1212 } 1213 // clean the kerberos ticket and keys 1214 cleanKerberosCred(); 1215 1216 succeeded = false; 1217 commitSucceeded = false; 1218 if (debug) { 1219 System.out.println("\t\t[Krb5LoginModule]: " + 1220 "logged out Subject"); 1221 } 1222 return true; 1223 } 1224 1225 /** 1226 * Clean Kerberos credentials 1227 */ 1228 private void cleanKerberosCred() throws LoginException { 1229 // Clean the ticket and server key 1230 try { 1231 if (kerbTicket != null) 1232 kerbTicket.destroy(); 1233 if (kerbKeys != null) { 1234 for (int i = 0; i < kerbKeys.length; i++) { 1235 kerbKeys[i].destroy(); 1236 } 1237 } 1238 } catch (DestroyFailedException e) { 1239 throw new LoginException 1240 ("Destroy Failed on Kerberos Private Credentials"); 1241 } 1242 kerbTicket = null; 1243 kerbKeys = null; 1244 kerbClientPrinc = null; 1245 } 1246 1247 /** 1248 * Clean out the state 1249 */ 1250 private void cleanState() { 1251 1252 // save input as shared state only if 1253 // authentication succeeded 1254 if (succeeded) { 1255 if (storePass && 1256 !sharedState.containsKey(NAME) && 1257 !sharedState.containsKey(PWD)) { 1258 sharedState.put(NAME, username); 1259 sharedState.put(PWD, password); 1260 } 1261 } else { 1262 // remove temp results for the next try 1263 encKeys = null; 1264 ktab = null; 1265 principal = null; 1266 } 1267 username = null; 1268 password = null; 1269 if (krb5PrincName != null && krb5PrincName.length() != 0) 1270 krb5PrincName.delete(0, krb5PrincName.length()); 1271 krb5PrincName = null; 1272 if (clearPass) { 1273 sharedState.remove(NAME); 1274 sharedState.remove(PWD); 1275 } 1276 } 1277 }