KerberosServiceAction xref

View Javadoc

1   /**
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements. See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership. The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License. You may obtain a copy of the License at
9    *
10   * http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing,
13   * software distributed under the License is distributed on an
14   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   * KIND, either express or implied. See the License for the
16   * specific language governing permissions and limitations
17   * under the License.
18   */
19  
20  package org.apache.ws.security.message.token;
21  
22  import java.security.Principal;
23  import java.security.PrivilegedAction;
24  
25  import javax.security.auth.kerberos.KerberosPrincipal;
26  
27  import org.ietf.jgss.GSSContext;
28  import org.ietf.jgss.GSSCredential;
29  import org.ietf.jgss.GSSException;
30  import org.ietf.jgss.GSSManager;
31  import org.ietf.jgss.GSSName;
32  import org.ietf.jgss.Oid;
33  
34  /**
35   * This class represents a PrivilegedAction implementation to validate a received ticket to a KDC.
36   */
37  public class KerberosServiceAction implements PrivilegedAction<Principal> {
38      private static org.apache.commons.logging.Log log =
39          org.apache.commons.logging.LogFactory.getLog(KerberosServiceAction.class);
40      
41      private byte[] ticket;
42      private String serviceName;
43      
44      public KerberosServiceAction(byte[] ticket, String serviceName) {
45          this.ticket = ticket;
46          this.serviceName = serviceName;
47      }
48  
49      public Principal run() {
50          try {
51              GSSManager gssManager = GSSManager.getInstance();
52          
53              Oid kerberos5Oid = new Oid("1.2.840.113554.1.2.2");
54              GSSName gssService = gssManager.createName(serviceName, GSSName.NT_HOSTBASED_SERVICE);
55              GSSCredential credentials = 
56                  gssManager.createCredential(
57                      gssService, GSSCredential.DEFAULT_LIFETIME, kerberos5Oid, GSSCredential.ACCEPT_ONLY
58                  );
59              
60              GSSContext secContext =
61                  gssManager.createContext(credentials);
62              secContext.acceptSecContext(ticket, 0, ticket.length);
63   
64              GSSName clientName = secContext.getSrcName();
65              secContext.dispose();
66              return new KerberosPrincipal(clientName.toString());
67          } catch (GSSException e) {
68              if (log.isDebugEnabled()) {
69                  log.debug("Error in validating a Kerberos token", e);
70              }
71          }
72  
73          return null;
74          
75      }
76      
77  }