in services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/STSKrbAuthenticationProvider.java [158:206]
/**
 * Validates the presented Kerberos service ticket with the configured
 * {@code kerberosTokenValidator} and, when the ticket carries a delegation
 * credential, wires that credential plus the Kerberos settings of this provider
 * into the STS client's properties so the following STS call runs on the
 * user's behalf (credential delegation).
 *
 * @param token the Kerberos token presented by the authenticating user
 * @param sts   the STS client whose properties are populated on success; it is
 *              left untouched on every failure path
 * @return the Kerberos principal reported by the validator, or {@code null}
 *         when no validator is configured, validation throws, or the validated
 *         context has no delegation credential (failures are logged at INFO,
 *         the missing-validator misconfiguration at ERROR)
 */
private Principal validateKerberosToken(
    KerberosServiceRequestToken token,
    IdpSTSClient sts
) {
    // No validator means the ticket cannot be checked at all; refuse rather than pass it through.
    if (kerberosTokenValidator == null) {
        LOG.error("KerberosTokenValidator must be configured to support kerberos "
            + "credential delegation");
        return null;
    }

    final KerberosServiceContext validated;
    try {
        validated = kerberosTokenValidator.validate(token);
    } catch (LoginException | PrivilegedActionException ex) {
        // Both exception types are handled identically: log and reject.
        LOG.info("Failed to authenticate user", ex);
        return null;
    }

    // A ticket that validates but carries no delegable credential cannot be used
    // to call the STS as the user, so it counts as an authentication failure here.
    if (validated == null || validated.getDelegationCredential() == null) {
        LOG.info("Kerberos Validation failure");
        return null;
    }

    // Hand the user's delegated GSS credential to the STS client and switch it
    // into credential-delegation mode for the upcoming token request.
    final GSSCredential forwardedCredential = validated.getDelegationCredential();
    sts.getProperties().put(SecurityConstants.DELEGATED_CREDENTIAL, forwardedCredential);
    sts.getProperties().put(SecurityConstants.KERBEROS_USE_CREDENTIAL_DELEGATION, "true");
    final Principal authenticatedPrincipal = validated.getPrincipal();

    // Optional Kerberos settings are only propagated when actually configured.
    final String jaasContext = kerberosTokenValidator.getContextName();
    if (jaasContext != null) {
        sts.getProperties().put(SecurityConstants.KERBEROS_JAAS_CONTEXT_NAME, jaasContext);
    }
    final String servicePrincipalName = kerberosTokenValidator.getServiceName();
    if (servicePrincipalName != null) {
        sts.getProperties().put(SecurityConstants.KERBEROS_SPN, servicePrincipalName);
    }
    if (kerberosCallbackHandler != null) {
        sts.getProperties().put(SecurityConstants.CALLBACK_HANDLER, kerberosCallbackHandler);
    }
    if (kerberosUsernameServiceNameForm) {
        sts.getProperties().put(SecurityConstants.KERBEROS_IS_USERNAME_IN_SERVICENAME_FORM,
            "true");
    }

    return authenticatedPrincipal;
}