in ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/KerberosTokenValidator.java [131:246]
public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
if (credential == null || credential.getBinarySecurityToken() == null) {
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "noCredential");
}
BinarySecurity binarySecurity = credential.getBinarySecurityToken();
if (!(binarySecurity instanceof KerberosSecurity)) {
return credential;
}
if (LOG.isDebugEnabled()) {
try {
String jaasAuth = System.getProperty("java.security.auth.login.config");
String krbConf = System.getProperty("java.security.krb5.conf");
LOG.debug("KerberosTokenValidator - Using JAAS auth login file: " + jaasAuth);
LOG.debug("KerberosTokenValidator - Using KRB conf file: " + krbConf);
} catch (SecurityException ex) {
LOG.debug(ex.getMessage(), ex);
}
}
// Get a TGT from the KDC using JAAS
LoginContext loginContext = null;
try {
if (callbackHandler != null) {
loginContext = new LoginContext(getContextName(), callbackHandler);
} else if (data.getCallbackHandler() != null) {
loginContext = new LoginContext(getContextName(), data.getCallbackHandler());
} else {
loginContext = new LoginContext(getContextName());
}
loginContext.login();
} catch (LoginException ex) {
LOG.debug(ex.getMessage(), ex);
throw new WSSecurityException(
WSSecurityException.ErrorCode.FAILURE, ex,
"kerberosLoginError",
new Object[] {ex.getMessage()}
);
}
LOG.debug("Successfully authenticated to the TGT");
byte[] token = binarySecurity.getToken();
// Get the service name to use - fall back on the principal
Subject subject = loginContext.getSubject();
String service = serviceName;
if (service == null) {
Set<Principal> principals = subject.getPrincipals();
if (principals.isEmpty()) {
throw new WSSecurityException(
WSSecurityException.ErrorCode.FAILURE,
"kerberosLoginError",
new Object[] {"No Client principals found after login"});
}
service = principals.iterator().next().getName();
}
// Validate the ticket
KerberosServiceExceptionAction action =
new KerberosServiceExceptionAction(token, service,
isUsernameServiceNameForm(), spnego);
KerberosServiceContext krbServiceCtx = null;
try {
krbServiceCtx = Subject.doAs(subject, action);
} catch (PrivilegedActionException e) {
Throwable cause = e.getCause();
if (cause instanceof WSSecurityException) {
throw (WSSecurityException) cause;
} else {
throw new WSSecurityException(
ErrorCode.FAILURE, new Exception(cause), "kerberosTicketValidationError"
);
}
}
credential.setPrincipal(krbServiceCtx.getPrincipal());
credential.setDelegationCredential(krbServiceCtx.getDelegationCredential());
// Check to see if the session key is available in KerberosServiceContext
LOG.debug("Trying to obtain the Session Key from the KerberosServiceContext.");
Key sessionKey = krbServiceCtx.getSessionKey();
if (null != sessionKey) {
LOG.debug("Found session key in the KerberosServiceContext.");
credential.setSecretKey(sessionKey.getEncoded());
} else {
LOG.debug("Session key is not found in the KerberosServiceContext.");
}
// Otherwise, try to extract the session key from the token if a KerberosTokenDecoder implementation is
// available
if (null == credential.getSecretKey() && kerberosTokenDecoder != null) {
LOG.debug("KerberosTokenDecoder is set.Trying to obtain the session key from it.");
kerberosTokenDecoder.clear();
kerberosTokenDecoder.setToken(token);
kerberosTokenDecoder.setSubject(subject);
try {
byte[] key = kerberosTokenDecoder.getSessionKey();
if (null != key) {
LOG.debug("Session key obtained from the KerberosTokenDecoder.");
credential.setSecretKey(key);
} else {
LOG.debug("Session key could not be obtained from the KerberosTokenDecoder.");
}
} catch (KerberosTokenDecoderException e) {
// TODO
throw new WSSecurityException(ErrorCode.FAILURE, e, "Error retrieving session key.");
}
} else {
LOG.debug("KerberosTokenDecoder is not set.");
}
LOG.debug("Successfully validated a ticket");
return credential;
}