idok-commit AT lists.psi.ch
Subject: Commit emails of the iDok project
List archive
[idok-commit] idok commit r196 - in branches/rest: java/ch/idok/service/client/search/rest java/ch/idok/service/server/rest misc/eclipse
Chronological Thread
- From: "AFS account Roman Geus" <geus AT savannah.psi.ch>
- To: idok-commit AT lists.psi.ch
- Subject: [idok-commit] idok commit r196 - in branches/rest: java/ch/idok/service/client/search/rest java/ch/idok/service/server/rest misc/eclipse
- Date: Thu, 28 Aug 2008 15:57:09 +0200
- List-archive: <https://lists.web.psi.ch/pipermail/idok-commit/>
- List-id: Commit emails of the iDok project <idok-commit.lists.psi.ch>
Author: geus
Date: Thu Aug 28 15:57:09 2008
New Revision: 196
Log:
Refactored NegotiateFilter class
Modified:
branches/rest/java/ch/idok/service/client/search/rest/RestSearchIterator.java
branches/rest/java/ch/idok/service/server/rest/NegotiateFilter.java
branches/rest/misc/eclipse/idok_client_rest.launch
Modified:
branches/rest/java/ch/idok/service/client/search/rest/RestSearchIterator.java
==============================================================================
---
branches/rest/java/ch/idok/service/client/search/rest/RestSearchIterator.java
(original)
+++
branches/rest/java/ch/idok/service/client/search/rest/RestSearchIterator.java
Thu Aug 28 15:57:09 2008
@@ -1,11 +1,13 @@
package ch.idok.service.client.search.rest;
+import java.security.PrivilegedExceptionAction;
import java.util.NoSuchElementException;
import java.util.logging.Logger;
import javax.security.auth.Subject;
import javax.ws.rs.core.UriBuilder;
+import org.ietf.jgss.GSSException;
import org.restlet.Client;
import org.restlet.Context;
import org.restlet.data.ChallengeResponse;
@@ -141,33 +143,34 @@
/**
* Build the Request object for the REST call.
+ *
+ * TODO do basic auth if cred.getSubject() == null
*/
private Request buildRequest(DmsCredentials cred, String uri)
throws DmsException {
final Request request = new Request(Method.GET, uri);
- // Add the client authentication to the call
- // final ChallengeScheme scheme1 = ChallengeScheme.HTTP_BASIC;
- // final ChallengeResponse authentication = new
- // ChallengeResponse(scheme,
- // "geus", "xxx");
-
- // authentication
- // .getParameters()
- // .add(
- //
NegotiateFilter.NegotiateAuthenticationHelper.NEGOTIATE_TOKEN_PARAM_NAME,
- // createAuthToken(cred.getSubject()));
-
-
// Use Negotiate authentication
+ NegotiateFilter.register();
final ChallengeScheme scheme = NegotiateFilter.HTTP_NEGOTIATE;
// Place the Negotiate token in the password field
- final ChallengeResponse authentication = new
ChallengeResponse(scheme,
- "", createAuthToken(cred.getSubject()));
-
- request.setChallengeResponse(authentication);
- return request;
+ final String serviceName = System
+ .getProperty("ch.idok.service.server.principal");
+ try {
+ final String token = Subject.doAsPrivileged(cred.getSubject(),
+ new PrivilegedExceptionAction<String>() {
+ public String run() throws Exception {
+ return NegotiateFilter.buildToken64(serviceName);
+ }
+ }, null);
+ request.setChallengeResponse(new ChallengeResponse(scheme,
token));
+ return request;
+
+ } catch (java.security.PrivilegedActionException pae) {
+ throw new DmsException(ErrorType.AUTHENTICATION, null,
+ "Could not generate Negotiate token", "",
pae.getCause());
+ }
}
/**
@@ -270,30 +273,4 @@
throw new UnsupportedOperationException();
}
- /**
- * Create a GSS-API token for the DMS service.
- */
- private String createAuthToken(Subject subject) throws DmsException {
- final String serviceName_ = System
- .getProperty("ch.idok.service.server.principal");
- ServiceTokenAction action = new ServiceTokenAction(serviceName_);
-
- // Push the subject into the current ACC
- try {
- Subject.doAsPrivileged(subject, action, null);
- logger.fine("Successfully created service token for "
- + action.getServiceName() + " as "
- + AuthUtil.principalSetToString(subject.getPrincipals())
- + ".");
- return action.getToken64();
- } catch (java.security.PrivilegedActionException pae) {
- if (pae.getCause() instanceof DmsException)
- throw (DmsException) pae.getCause();
- throw new DmsException(ErrorType.INTERNAL, null,
- "The privileged action threw an unknown exception", "",
pae
- .getCause());
- }
-
- }
-
}
Modified: branches/rest/java/ch/idok/service/server/rest/NegotiateFilter.java
==============================================================================
--- branches/rest/java/ch/idok/service/server/rest/NegotiateFilter.java
(original)
+++ branches/rest/java/ch/idok/service/server/rest/NegotiateFilter.java Thu
Aug 28 15:57:09 2008
@@ -36,11 +36,24 @@
* For the Negotiate authentication scheme, SPNEGO and Kerberos 5 GSSAPI
tokens
* are supported.
*
+ * This class also provides a method to generate Negotiate tokens for a
client's
+ * request.
+ *
* This filter is inspired by Bruno Harbulot's SpnegoFilter
*/
public abstract class NegotiateFilter extends Filter {
/**
+ * OID for Kerberos 5 authentication
+ */
+ static final String GSS_KRB5_MECH_OID = "1.2.840.113554.1.2.2";
+
+ /**
+ * OID for SPNEGO authentication
+ */
+ static final String GSS_SPNEGO_MECH_OID = "1.3.6.1.5.5.2";
+
+ /**
* Name of the request attribute that holds the Subject object
*/
protected static final String subjectAttributeName =
"NegotiateFilter.authenticatedSubject";
@@ -55,7 +68,7 @@
public static class NegotiateAuthenticationHelper extends
AuthenticationHelper {
- public static final String NEGOTIATE_TOKEN_PARAM_NAME =
"negotiate-token";
+ private static final String NEGOTIATE_TOKEN_PARAM_NAME =
"negotiate-token";
public NegotiateAuthenticationHelper() {
super(HTTP_NEGOTIATE, true, true);
@@ -64,12 +77,8 @@
@Override
public void formatCredentials(StringBuilder sb, ChallengeResponse cr,
Request request, Series<Parameter> httpHeaders) {
- String responseString = cr.getParameters().getFirstValue(
- NEGOTIATE_TOKEN_PARAM_NAME);
- if (responseString != null)
- sb.append(responseString);
if (cr.getSecret() != null)
- sb.append(cr.getSecret());
+ sb.append(cr.getCredentials());
}
@Override
@@ -84,6 +93,16 @@
}
/**
+ * Register the Negotiate authentication helper
+ *
+ * Restlet clients need to call this before connecting to REST servers
that
+ * understand Negotiate authentication scheme
+ */
+ public static void register() {
+ // Do nothing, just makes sure the static initializers are executed
+ }
+
+ /**
* The HTTP authentication realm
*/
private final String realm;
@@ -96,8 +115,8 @@
GSSManager gssManager = GSSManager.getInstance();
// Accept both SPNEGO and Kerberos v5 tokens
- Oid[] spnegoOid = new Oid[] { new Oid("1.3.6.1.5.5.2"),
- new Oid("1.2.840.113554.1.2.2") };
+ Oid[] spnegoOid = new Oid[] { new Oid(GSS_SPNEGO_MECH_OID),
+ new Oid(GSS_KRB5_MECH_OID) };
GSSCredential gssServerCreds = gssManager.createCredential(null,
GSSCredential.DEFAULT_LIFETIME, spnegoOid,
@@ -264,4 +283,38 @@
protected abstract Subject checkSecret(Logger logger, Request request,
String identifier, char[] secret);
+ /**
+ * Create a GSSAPI token for Negotiate authentication in a request
+ *
+ * This method must be called from a PrivilegedAction or a
+ * PrivilegedExceptionAction.
+ *
+ * @param serviceName
+ * GSSAPI service name to build the token for
+ * @return Base64 encoded GSSAPI token for Negotiate authentication
+ * @throws GSSException
+ */
+ public static String buildToken64(String serviceName) throws
GSSException {
+ GSSManager manager = GSSManager.getInstance();
+
+ // Here we choose Kerberos 5 token
+ Oid oid = new Oid(GSS_KRB5_MECH_OID);
+
+ // Setup "parameters" for service token
+ GSSName peerName = manager.createName(serviceName, null);
+ GSSContext secContext = manager.createContext(peerName, oid, null,
+ GSSContext.DEFAULT_LIFETIME);
+ secContext.requestMutualAuth(false);
+ secContext.requestCredDeleg(true);
+
+ // Create token
+ byte[] inToken = new byte[0];
+ byte[] outToken = secContext.initSecContext(inToken, 0,
inToken.length);
+
+ // Cleanup
+ secContext.dispose();
+
+ return Base64.encode(outToken, false);
+ }
+
}
Modified: branches/rest/misc/eclipse/idok_client_rest.launch
==============================================================================
--- branches/rest/misc/eclipse/idok_client_rest.launch (original)
+++ branches/rest/misc/eclipse/idok_client_rest.launch Thu Aug 28 15:57:09
2008
@@ -9,5 +9,5 @@
<stringAttribute key="org.eclipse.jdt.launching.MAIN_TYPE"
value="ch.idok.cli.DMS"/>
<stringAttribute key="org.eclipse.jdt.launching.PROGRAM_ARGUMENTS"
value="search foo/bar::geus -m"/>
<stringAttribute key="org.eclipse.jdt.launching.PROJECT_ATTR" value="idok"/>
-<stringAttribute key="org.eclipse.jdt.launching.VM_ARGUMENTS"
value="-Dch.idok.service.server.principal=${ch.idok.service.server.principal}
-Dch.idok.service.client.provider=ch.idok.service.client.rest.RestClientProvider
-Dch.idok.service.common.keypass=P7GXtm6rPr5pT988N4Gm
-Dch.idok.setupClass=ch.psi.idok.common.config.Setup"/>
+<stringAttribute key="org.eclipse.jdt.launching.VM_ARGUMENTS"
value="-Dch.idok.service.server.principal=${ch.idok.service.server.principal}
-Dch.idok.service.client.provider=ch.idok.service.client.rest.RestClientProvider
-Dch.idok.service.client.rest.serverUri=http://mpc1127.psi.ch:8183/v1
-Dch.idok.service.common.keypass=P7GXtm6rPr5pT988N4Gm
-Dch.idok.setupClass=ch.psi.idok.common.config.Setup"/>
</launchConfiguration>
- [idok-commit] idok commit r196 - in branches/rest: java/ch/idok/service/client/search/rest java/ch/idok/service/server/rest misc/eclipse, AFS account Roman Geus, 08/28/2008
Archive powered by MHonArc 2.6.19.