下面列出了怎么用javax.security.auth.kerberos.KerberosTicket的API类实例代码及写法,或者点击链接到github查看源代码。
/**
* Retrieves the ticket corresponding to the client/server principal
* pair from the Subject in the specified AccessControlContext.
* If the ticket can not be found in the Subject, and if
* useSubjectCredsOnly is false, then obtain ticket from
* a LoginContext.
*/
static KerberosTicket getTicket(GSSCaller caller,
String clientPrincipal, String serverPrincipal,
AccessControlContext acc) throws LoginException {
// Try to get ticket from acc's Subject
Subject accSubj = Subject.getSubject(acc);
KerberosTicket ticket =
SubjectComber.find(accSubj, serverPrincipal, clientPrincipal,
KerberosTicket.class);
// Try to get ticket from Subject obtained from GSSUtil
if (ticket == null && !GSSUtil.useSubjectCredsOnly(caller)) {
Subject subject = GSSUtil.login(caller, GSSUtil.GSS_KRB5_MECH_OID);
ticket = SubjectComber.find(subject,
serverPrincipal, clientPrincipal, KerberosTicket.class);
}
return ticket;
}
private static void testDateImmutability(KerberosTicket t, long origTime)
throws Exception {
// test the constructor
System.out.println("Testing constructor...");
checkTime(t, origTime);
// test the getAuth/Start/EndTime() & getRenewTill() methods
System.out.println("Testing getAuth/Start/EndTime() & getRenewTill()...");
t.getAuthTime().setTime(0);
t.getStartTime().setTime(0);
t.getEndTime().setTime(0);
t.getRenewTill().setTime(0);
checkTime(t, origTime);
System.out.println("DateImmutability Test Passed");
}
static Krb5CredElement tryImpersonation(GSSCaller caller,
Krb5InitCredential initiator) throws GSSException {
try {
KerberosTicket proxy = initiator.proxyTicket;
if (proxy != null) {
Credentials proxyCreds = Krb5Util.ticketToCreds(proxy);
return new Krb5ProxyCredential(initiator,
Krb5NameElement.getInstance(proxyCreds.getClient()),
proxyCreds.getTicket());
} else {
return initiator;
}
} catch (KrbException | IOException e) {
throw new GSSException(GSSException.DEFECTIVE_CREDENTIAL, -1,
"Cannot create proxy credential");
}
}
/**
* Retrieves the initial TGT corresponding to the client principal
* from the Subject in the specified AccessControlContext.
* If the ticket can not be found in the Subject, and if
* useSubjectCredsOnly is false, then obtain ticket from
* a LoginContext.
*/
static KerberosTicket getInitialTicket(GSSCaller caller,
String clientPrincipal,
AccessControlContext acc) throws LoginException {
// Try to get ticket from acc's Subject
Subject accSubj = Subject.getSubject(acc);
KerberosTicket ticket =
SubjectComber.find(accSubj, null, clientPrincipal,
KerberosTicket.class);
// Try to get ticket from Subject obtained from GSSUtil
if (ticket == null && !GSSUtil.useSubjectCredsOnly(caller)) {
Subject subject = GSSUtil.login(caller, GSSUtil.GSS_KRB5_MECH_OID);
ticket = SubjectComber.find(subject,
null, clientPrincipal, KerberosTicket.class);
}
return ticket;
}
/**
* Creates an instance of KerberosClientKeyExchange consisting of the
* Kerberos service ticket, authenticator and encrypted premaster secret.
* Called by client handshaker.
*
* @param serverName name of server with which to do handshake;
* this is used to get the Kerberos service ticket
* @param protocolVersion Maximum version supported by client (i.e,
* version it requested in client hello)
* @param rand random number generator to use for generating pre-master
* secret
*/
@Override
public void init(String serverName,
AccessControlContext acc, ProtocolVersion protocolVersion,
SecureRandom rand) throws IOException {
// Get service ticket
KerberosTicket ticket = getServiceTicket(serverName, acc);
encodedTicket = ticket.getEncoded();
// Record the Kerberos principals
peerPrincipal = ticket.getServer();
localPrincipal = ticket.getClient();
// Optional authenticator, encrypted using session key,
// currently ignored
// Generate premaster secret and encrypt it using session key
EncryptionKey sessionKey = new EncryptionKey(
ticket.getSessionKeyType(),
ticket.getSessionKey().getEncoded());
preMaster = new KerberosPreMasterSecret(protocolVersion,
rand, sessionKey);
}
ExchangerImpl(String serverName, AccessControlContext acc,
ProtocolVersion protocolVersion, SecureRandom rand) throws IOException {
// Get service ticket
KerberosTicket ticket = getServiceTicket(serverName, acc);
encodedTicket = ticket.getEncoded();
// Record the Kerberos principals
peerPrincipal = ticket.getServer();
localPrincipal = ticket.getClient();
// Optional authenticator, encrypted using session key,
// currently ignored
// Generate premaster secret and encrypt it using session key
EncryptionKey sessionKey = new EncryptionKey(
ticket.getSessionKeyType(),
ticket.getSessionKey().getEncoded());
preMaster = new KerberosPreMasterSecret(protocolVersion,
rand, sessionKey);
}
public static KerberosTicket credsToTicket(Credentials serviceCreds) {
EncryptionKey sessionKey = serviceCreds.getSessionKey();
return new KerberosTicket(
serviceCreds.getEncoded(),
new KerberosPrincipal(serviceCreds.getClient().getName()),
new KerberosPrincipal(serviceCreds.getServer().getName(),
KerberosPrincipal.KRB_NT_SRV_INST),
sessionKey.getBytes(),
sessionKey.getEType(),
serviceCreds.getFlags(),
serviceCreds.getAuthTime(),
serviceCreds.getStartTime(),
serviceCreds.getEndTime(),
serviceCreds.getRenewTill(),
serviceCreds.getClientAddresses());
}
private synchronized long calculateRenewalTime(KerberosTicket kerberosTicket) {
long start = kerberosTicket.getStartTime().getTime();
long end = kerberosTicket.getEndTime().getTime();
long renewTime = getRenewalTime(start, end);
if (LOG.isDebugEnabled()) {
LOG.trace(
"Ticket: {}, numPrivateCredentials: {}, ticketStartTime: {}, ticketEndTime: {}, now: {}, renewalTime: {}",
System.identityHashCode(kerberosTicket),
getSubject().getPrivateCredentials(KerberosTicket.class).size(),
new Date(start),
new Date(end),
new Date(),
new Date(renewTime)
);
}
return Math.max(1, renewTime - System.currentTimeMillis());
}
public static KerberosTicket credsToTicket(Credentials serviceCreds) {
EncryptionKey sessionKey = serviceCreds.getSessionKey();
return new KerberosTicket(
serviceCreds.getEncoded(),
new KerberosPrincipal(serviceCreds.getClient().getName()),
new KerberosPrincipal(serviceCreds.getServer().getName(),
KerberosPrincipal.KRB_NT_SRV_INST),
sessionKey.getBytes(),
sessionKey.getEType(),
serviceCreds.getFlags(),
serviceCreds.getAuthTime(),
serviceCreds.getStartTime(),
serviceCreds.getEndTime(),
serviceCreds.getRenewTill(),
serviceCreds.getClientAddresses());
}
/**
* Creates an instance of KerberosClientKeyExchange consisting of the
* Kerberos service ticket, authenticator and encrypted premaster secret.
* Called by client handshaker.
*
* @param serverName name of server with which to do handshake;
* this is used to get the Kerberos service ticket
* @param protocolVersion Maximum version supported by client (i.e,
* version it requested in client hello)
* @param rand random number generator to use for generating pre-master
* secret
*/
@Override
public void init(String serverName,
AccessControlContext acc, ProtocolVersion protocolVersion,
SecureRandom rand) throws IOException {
// Get service ticket
KerberosTicket ticket = getServiceTicket(serverName, acc);
encodedTicket = ticket.getEncoded();
// Record the Kerberos principals
peerPrincipal = ticket.getServer();
localPrincipal = ticket.getClient();
// Optional authenticator, encrypted using session key,
// currently ignored
// Generate premaster secret and encrypt it using session key
EncryptionKey sessionKey = new EncryptionKey(
ticket.getSessionKeyType(),
ticket.getSessionKey().getEncoded());
preMaster = new KerberosPreMasterSecret(protocolVersion,
rand, sessionKey);
}
public void traceServiceTickets() {
if (subject == null)
return;
Set<Object> creds = subject.getPrivateCredentials();
if (creds.size() == 0) {
log.debug("[" + getName() + "] No service tickets");
}
synchronized (creds) {
// The Subject's private credentials is a synchronizedSet
// We must manually synchronize when iterating through the set.
for (Object cred : creds) {
if (cred instanceof KerberosTicket) {
KerberosTicket ticket = (KerberosTicket) cred;
log.debug("[" + getName() + "] Service ticket " + "belonging to client principal ["
+ ticket.getClient().getName() + "] for server principal ["
+ ticket.getServer().getName() + "] End time=[" + ticket.getEndTime()
+ "] isCurrent=" + ticket.isCurrent());
}
}
}
}
private static void testDestroy(KerberosTicket t) throws Exception {
t.destroy();
if (!t.isDestroyed()) {
throw new RuntimeException("ticket should have been destroyed");
}
// Although these methods are meaningless, they can be called
for (Method m: KerberosTicket.class.getDeclaredMethods()) {
if (Modifier.isPublic(m.getModifiers())
&& m.getParameterCount() == 0) {
System.out.println("Testing " + m.getName() + "...");
try {
m.invoke(t);
} catch (InvocationTargetException e) {
Throwable cause = e.getCause();
if (cause instanceof RefreshFailedException ||
cause instanceof IllegalStateException) {
// this is OK
} else {
throw e;
}
}
}
}
System.out.println("Destroy Test Passed");
}
/**
* Creates an instance of KerberosClientKeyExchange consisting of the
* Kerberos service ticket, authenticator and encrypted premaster secret.
* Called by client handshaker.
*
* @param serverName name of server with which to do handshake;
* this is used to get the Kerberos service ticket
* @param protocolVersion Maximum version supported by client (i.e,
* version it requested in client hello)
* @param rand random number generator to use for generating pre-master
* secret
*/
@Override
public void init(String serverName,
AccessControlContext acc, ProtocolVersion protocolVersion,
SecureRandom rand) throws IOException {
// Get service ticket
KerberosTicket ticket = getServiceTicket(serverName, acc);
encodedTicket = ticket.getEncoded();
// Record the Kerberos principals
peerPrincipal = ticket.getServer();
localPrincipal = ticket.getClient();
// Optional authenticator, encrypted using session key,
// currently ignored
// Generate premaster secret and encrypt it using session key
EncryptionKey sessionKey = new EncryptionKey(
ticket.getSessionKeyType(),
ticket.getSessionKey().getEncoded());
preMaster = new KerberosPreMasterSecret(protocolVersion,
rand, sessionKey);
}
private static void testDateImmutability(KerberosTicket t, long origTime)
throws Exception {
// test the constructor
System.out.println("Testing constructor...");
checkTime(t, origTime);
// test the getAuth/Start/EndTime() & getRenewTill() methods
System.out.println("Testing getAuth/Start/EndTime() & getRenewTill()...");
t.getAuthTime().setTime(0);
t.getStartTime().setTime(0);
t.getEndTime().setTime(0);
t.getRenewTill().setTime(0);
checkTime(t, origTime);
System.out.println("DateImmutability Test Passed");
}
static Krb5CredElement tryImpersonation(GSSCaller caller,
Krb5InitCredential initiator) throws GSSException {
try {
KerberosTicket proxy = initiator.proxyTicket;
if (proxy != null) {
Credentials proxyCreds = Krb5Util.ticketToCreds(proxy);
return new Krb5ProxyCredential(initiator,
Krb5NameElement.getInstance(proxyCreds.getClient()),
proxyCreds.getTicket());
} else {
return initiator;
}
} catch (KrbException | IOException e) {
throw new GSSException(GSSException.DEFECTIVE_CREDENTIAL, -1,
"Cannot create proxy credential");
}
}
/**
* Retrieves the ticket corresponding to the client/server principal
* pair from the Subject in the specified AccessControlContext.
* If the ticket can not be found in the Subject, and if
* useSubjectCredsOnly is false, then obtain ticket from
* a LoginContext.
*/
static KerberosTicket getTicket(GSSCaller caller,
String clientPrincipal, String serverPrincipal,
AccessControlContext acc) throws LoginException {
// Try to get ticket from acc's Subject
Subject accSubj = Subject.getSubject(acc);
KerberosTicket ticket =
SubjectComber.find(accSubj, serverPrincipal, clientPrincipal,
KerberosTicket.class);
// Try to get ticket from Subject obtained from GSSUtil
if (ticket == null && !GSSUtil.useSubjectCredsOnly(caller)) {
Subject subject = GSSUtil.login(caller, GSSUtil.GSS_KRB5_MECH_OID);
ticket = SubjectComber.find(subject,
serverPrincipal, clientPrincipal, KerberosTicket.class);
}
return ticket;
}
@Test
public void testGetKerberosTicket() {
long now = System.currentTimeMillis();
Date v1 = new Date(now + TimeUnit.DAYS.toMillis(1));
Date v2 = new Date(now + TimeUnit.DAYS.toMillis(12));
Date v3 = new Date(now + TimeUnit.DAYS.toMillis(5));
KerberosTicket ticket = createMockTGT("short", v1, v1);
KerberosTicket ticket2 = createMockTGT("long", v2, v2);
KerberosTicket ticket3 = createMockTGT("medium", v3, v3);
Configuration conf = new Configuration();
SecurityContext context = new SecurityContext(getMockRuntimeInfo(), conf);
context = Mockito.spy(context);
Mockito.doReturn(now).when(context).getTimeNow();
Subject subject = new Subject();
Mockito.doReturn(subject).when(context).getSubject();
subject.getPrivateCredentials().add(ticket);
subject.getPrivateCredentials().add(ticket2);
subject.getPrivateCredentials().add(ticket3);
Assert.assertEquals(ticket2, context.getNewestTGT());
}
/**
* Creates an instance of KerberosClientKeyExchange consisting of the
* Kerberos service ticket, authenticator and encrypted premaster secret.
* Called by client handshaker.
*
* @param serverName name of server with which to do handshake;
* this is used to get the Kerberos service ticket
* @param protocolVersion Maximum version supported by client (i.e,
* version it requested in client hello)
* @param rand random number generator to use for generating pre-master
* secret
*/
@Override
public void init(String serverName,
AccessControlContext acc, ProtocolVersion protocolVersion,
SecureRandom rand) throws IOException {
// Get service ticket
KerberosTicket ticket = getServiceTicket(serverName, acc);
encodedTicket = ticket.getEncoded();
// Record the Kerberos principals
peerPrincipal = ticket.getServer();
localPrincipal = ticket.getClient();
// Optional authenticator, encrypted using session key,
// currently ignored
// Generate premaster secret and encrypt it using session key
EncryptionKey sessionKey = new EncryptionKey(
ticket.getSessionKeyType(),
ticket.getSessionKey().getEncoded());
preMaster = new KerberosPreMasterSecret(protocolVersion,
rand, sessionKey);
}
/**
* Retrieves the ticket corresponding to the client/server principal
* pair from the Subject in the specified AccessControlContext.
* If the ticket can not be found in the Subject, and if
* useSubjectCredsOnly is false, then obtain ticket from
* a LoginContext.
*/
static KerberosTicket getTicket(GSSCaller caller,
String clientPrincipal, String serverPrincipal,
AccessControlContext acc) throws LoginException {
// Try to get ticket from acc's Subject
Subject accSubj = Subject.getSubject(acc);
KerberosTicket ticket =
SubjectComber.find(accSubj, serverPrincipal, clientPrincipal,
KerberosTicket.class);
// Try to get ticket from Subject obtained from GSSUtil
if (ticket == null && !GSSUtil.useSubjectCredsOnly(caller)) {
Subject subject = GSSUtil.login(caller, GSSUtil.GSS_KRB5_MECH_OID);
ticket = SubjectComber.find(subject,
serverPrincipal, clientPrincipal, KerberosTicket.class);
}
return ticket;
}
static void checkLogin(
String s1, // ticket_lifetime in krb5.conf, null if none
String s2, // renew_lifetime in krb5.conf, null if none
int t1, int t2 // expected lifetimes, -1 of unexpected
) throws Exception {
KDC.saveConfig(OneKDC.KRB5_CONF, kdc,
s1 != null ? ("ticket_lifetime = " + s1) : "",
s2 != null ? ("renew_lifetime = " + s2) : "");
Config.refresh();
Context c;
c = Context.fromJAAS("client");
Set<KerberosTicket> tickets =
c.s().getPrivateCredentials(KerberosTicket.class);
if (tickets.size() != 1) {
throw new Exception();
}
KerberosTicket ticket = tickets.iterator().next();
checkRough(ticket.getEndTime(), t1);
checkRough(ticket.getRenewTill(), t2);
}
/**
* Creates an instance of KerberosClientKeyExchange consisting of the
* Kerberos service ticket, authenticator and encrypted premaster secret.
* Called by client handshaker.
*
* @param serverName name of server with which to do handshake;
* this is used to get the Kerberos service ticket
* @param protocolVersion Maximum version supported by client (i.e,
* version it requested in client hello)
* @param rand random number generator to use for generating pre-master
* secret
*/
@Override
public void init(String serverName,
AccessControlContext acc, ProtocolVersion protocolVersion,
SecureRandom rand) throws IOException {
// Get service ticket
KerberosTicket ticket = getServiceTicket(serverName, acc);
encodedTicket = ticket.getEncoded();
// Record the Kerberos principals
peerPrincipal = ticket.getServer();
localPrincipal = ticket.getClient();
// Optional authenticator, encrypted using session key,
// currently ignored
// Generate premaster secret and encrypt it using session key
EncryptionKey sessionKey = new EncryptionKey(
ticket.getSessionKeyType(),
ticket.getSessionKey().getEncoded());
preMaster = new KerberosPreMasterSecret(protocolVersion,
rand, sessionKey);
}
private static void testDateImmutability(KerberosTicket t, long origTime)
throws Exception {
// test the constructor
System.out.println("Testing constructor...");
checkTime(t, origTime);
// test the getAuth/Start/EndTime() & getRenewTill() methods
System.out.println("Testing getAuth/Start/EndTime() & getRenewTill()...");
t.getAuthTime().setTime(0);
t.getStartTime().setTime(0);
t.getEndTime().setTime(0);
t.getRenewTill().setTime(0);
checkTime(t, origTime);
System.out.println("DateImmutability Test Passed");
}
/**
* Retrieves the ticket corresponding to the client/server principal
* pair from the Subject in the specified AccessControlContext.
* If the ticket can not be found in the Subject, and if
* useSubjectCredsOnly is false, then obtain ticket from
* a LoginContext.
*/
static KerberosTicket getTicket(GSSCaller caller,
String clientPrincipal, String serverPrincipal,
AccessControlContext acc) throws LoginException {
// Try to get ticket from acc's Subject
Subject accSubj = Subject.getSubject(acc);
KerberosTicket ticket =
SubjectComber.find(accSubj, serverPrincipal, clientPrincipal,
KerberosTicket.class);
// Try to get ticket from Subject obtained from GSSUtil
if (ticket == null && !GSSUtil.useSubjectCredsOnly(caller)) {
Subject subject = GSSUtil.login(caller, GSSUtil.GSS_KRB5_MECH_OID);
ticket = SubjectComber.find(subject,
serverPrincipal, clientPrincipal, KerberosTicket.class);
}
return ticket;
}
@Override
public void renew(Map<String, String> credentials, Map topologyConf) {
KerberosTicket tgt = getTGT(credentials);
if (tgt != null) {
long refreshTime = getRefreshTime(tgt);
long now = System.currentTimeMillis();
if (now >= refreshTime) {
try {
LOG.info("Renewing TGT for " + tgt.getClient());
tgt.refresh();
saveTGT(tgt, credentials);
} catch (RefreshFailedException e) {
LOG.warn("Failed to refresh TGT", e);
}
}
}
}
public static void main(String[] args) throws Exception {
byte[] asn1Bytes = "asn1".getBytes();
KerberosPrincipal client = new KerberosPrincipal("client");
KerberosPrincipal server = new KerberosPrincipal("server");
byte[] keyBytes = "sessionKey".getBytes();
long originalTime = 12345678L;
Date inDate = new Date(originalTime);
boolean[] flags = new boolean[9];
flags[8] = true; // renewable
KerberosTicket t = new KerberosTicket(asn1Bytes, client, server,
keyBytes, 1 /*keyType*/, flags, inDate /*authTime*/,
inDate /*startTime*/, inDate /*endTime*/,
inDate /*renewTill*/, null /*clientAddresses*/);
inDate.setTime(0); // for testing the constructor
testDateImmutability(t, originalTime);
testS11nCompatibility(t); // S11n: Serialization
testDestroy(t);
}
public static void main(String[] args) throws Exception {
new OneKDC(null).writeJAASConf();
Context c, s;
c = Context.fromJAAS("client");
s = Context.fromJAAS("server");
c.startAsClient(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID);
s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
Context.handshake(c, s);
String expected = OneKDC.SERVER + "@" + OneKDC.REALM;
if (!c.s().getPrivateCredentials(KerberosTicket.class)
.stream()
.anyMatch(t -> t.getServer().toString().equals(expected))) {
c.status();
throw new Exception("no " + expected);
}
}
public static void main(String[] args) throws Exception {
byte[] asn1Bytes = "asn1".getBytes();
KerberosPrincipal client = new KerberosPrincipal("client");
KerberosPrincipal server = new KerberosPrincipal("server");
byte[] keyBytes = "sessionKey".getBytes();
long originalTime = 12345678L;
Date inDate = new Date(originalTime);
boolean[] flags = new boolean[9];
flags[8] = true; // renewable
KerberosTicket t = new KerberosTicket(asn1Bytes, client, server,
keyBytes, 1 /*keyType*/, flags, inDate /*authTime*/,
inDate /*startTime*/, inDate /*endTime*/,
inDate /*renewTill*/, null /*clientAddresses*/);
inDate.setTime(0); // for testing the constructor
testDateImmutability(t, originalTime);
testS11nCompatibility(t); // S11n: Serialization
}
private static void testS11nCompatibility(KerberosTicket t)
throws Exception {
System.out.println("Testing against KerberosTicket from JDK6...");
byte[] serializedBytes =
Base64.getMimeDecoder().decode(serializedKerberosTix);
checkEqualsAndHashCode(serializedBytes, t);
System.out.println("Testing against KerberosTicket from current rel...");
ByteArrayOutputStream baos = new ByteArrayOutputStream();
new ObjectOutputStream(baos).writeObject(t);
checkEqualsAndHashCode(baos.toByteArray(), t);
System.out.println("S11nCompatibility Test Passed");
}
/**
* Get the Kerberos TGT
* @return the user's TGT or null if none was found
*/
private KerberosTicket getTGT() {
Set<KerberosTicket> tickets = subject.getPrivateCredentials(KerberosTicket.class);
for(KerberosTicket ticket: tickets) {
KerberosPrincipal server = ticket.getServer();
if (server.getName().equals("krbtgt/" + server.getRealm() +
"@" + server.getRealm())) {
return ticket;
}
}
return null;
}
private static boolean checkTime(KerberosTicket krbTkt, long startTime) {
long ticketEndTime = krbTkt.getEndTime().getTime();
long roughLifeTime = ticketEndTime - startTime;
System.out.println("start time = " + startTime);
System.out.println("end time = " + ticketEndTime);
System.out.println("rough life time = " + roughLifeTime);
return roughLifeTime >= TICKET_LIFTETIME;
}