[jcifs] Kerberos over HTTP
Eric
eglass1 at attbi.com
Tue Jan 21 00:19:30 EST 2003
Eric wrote:
> Christopher R. Hertel wrote:
> > I assume folks are aware of this draft:
> >
> > http://meta.cesnet.cz/software/heimdal/draft-brezak-spnego-http-04.txt
> >
> > Would be interesting to extend the jCIFS tools to do Kerberos. ;)
> >
>
> I actually looked at this awhile back; Java 1.4 provides the GSSAPI
> framework in the org.ietf.jgss package. The authentication protocol
> presented in the draft, if I remember correctly, simply encodes the
> token generated by GSSContext.initSecContext() in Base64 and sends that
> to the client; the client produces a reply in similar form, and the
> server Base64-decodes that and applies it as the argument to
> GSSContext.acceptSecContext(). This sequence continues until
> GSSContext.isEstablished() returns true (in which case the session has
> been established).
>
>
I actually had the above a bit mixed up -- the server sends
"WWW-Authenticate Negotiate", and the CLIENT sends the initSecContext()
output -- the server just applies acceptSecContext() and sending until
isEstablished() returns true.
Attached is what I had; I just gave up when I got "Unsupported
Mechanism" errors and realized there was actually a significant effort
involved ;). Assuming my interpretation is correct (a big leap of
faith) this should work with an installed SPNEGO mechanism provider.
Eric
-------------- next part --------------
package jcifs.http;
import java.io.IOException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import jcifs.util.Base64;
public class GSSAuthFilter implements Filter {
static {
// example for testing
System.setProperty("java.security.krb5.realm", "TEST.COM");
System.setProperty("java.security.krb5.kdc", "TEST.TEST.COM:88");
}
public void init(FilterConfig config) throws ServletException { }
public void destroy() { }
public void doFilter(ServletRequest req, ServletResponse resp,
FilterChain chain) throws ServletException, IOException {
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) resp;
HttpSession session = request.getSession();
synchronized (session) {
try {
GSSContext context = (GSSContext) session.getAttribute(
"jcifs.http.GSSContext");
if (context == null) {
context = GSSManager.getInstance().createContext(
(GSSCredential) null);
session.setAttribute("jcifs.http.GSSContext", context);
}
if (context.isEstablished()) {
chain.doFilter(request, response);
return;
}
String authorization = request.getHeader("Authorization");
System.out.println(authorization);
int index = -1;
if (authorization == null ||
(index = authorization.indexOf(' ')) == -1 ||
!authorization.substring(0, index).equals(
"Negotiate")) {
response.reset();
response.setHeader("WWW-Authenticate", "Negotiate");
response.setContentLength(0);
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
response.flushBuffer();
return;
}
byte[] token = Base64.decode(authorization.substring(index +
1));
token = context.acceptSecContext(token, 0, token.length);
boolean established = context.isEstablished();
if (!established) response.reset();
if (token != null) {
response.setHeader("WWW-Authenticate", "Negotiate " +
Base64.encodeBytes(token));
}
if (!established) {
response.setContentLength(0);
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
response.flushBuffer();
}
} catch (GSSException ex) {
System.out.println("Message is " + ex.getMessage());
System.out.println("Major code is " + ex.getMajor());
System.out.println("Major String is " + ex.getMajorString());
System.out.println("Minor code is " + ex.getMinor());
System.out.println("Minor String is " + ex.getMinorString());
ex.printStackTrace();
throw new ServletException(ex);
}
}
}
}
More information about the jcifs
mailing list