1. /*

  2.  * @(#)Krb5LoginModule.java	1.21 03/01/23

  3.  *

  4.  * Copyright 2003 Sun Microsystems, Inc. All rights reserved.

  5.  * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.

  6.  */

  7. 

  8. 

  9. package com.sun.security.auth.module;

  10. 

  11. import java.io.*;

  12. import java.net.*;

  13. import java.text.MessageFormat;

  14. import java.util.*;

  15. 

  16. import javax.security.auth.*;

  17. import javax.security.auth.kerberos.*;

  18. import javax.security.auth.callback.*;

  19. import javax.security.auth.login.*;

  20. import javax.security.auth.spi.*;

  21. 

  22. import sun.security.krb5.*;

  23. import sun.security.krb5.Config;

  24. import sun.security.krb5.RealmException;

  25. import sun.security.util.AuthResources;

  26. 

  27. /**

  28.  * <p> This <code>LoginModule</code> authenticates users using 

  29.  * Kerberos protocols. 

  30.  * <p> Configuration entry for <code>Krb5LoginModule</code> has 

  31.  * several options that control the authentication process and 

  32.  * additions to the <code>Subject</code>'s private credential

  33.  * set.

  34.  * Irrespective of the options, only when <code>commit</code> 

  35.  * is called the Subject's principal set and private credentials 

  36.  * set are updated.

  37.  * When <code>commit</code> is called the <code>KerberosPrincipal</code>

  38.  * is added to the  <code>Subject</code>'s

  39.  * principal set and <code>KerberosTicket</code> will be

  40.  * added to the <code>Subject</code>'s private credentials.

  41.  * 

  42.  * <p> If the configuration entry for

  43.  * KerberosLoginModule has the option <code>storeKey</code> set to true , 

  44.  * then   

  45.  * <code>KerberosKey</code> will also be added to the 

  46.  * subject's private credentials. <code>KerberosKey</code>, the principal's

  47.  * key will be  obtained either from the keytab or

  48.  * derived from user's password

  49.  * 

  50.  * <p> This LoginModule recogonizes the <code>doNotPrompt</code> option.

  51.  * If set to true the user will not be prompted for the password.

  52.  *

  53.  * <p> The user can  specify the location of the ticket cache by using 

  54.  * the option <code>ticketCache</code> in the configuration entry. 

  55.  * 

  56.  * <p>The user can specify the keytab location by using 

  57.  * the option <code>keyTab</code>

  58.  * in the configuraion entry.

  59.  *

  60.  * <p> The principal name can be specified in the configuration entry 

  61.  * by 

  62.  * using the option <code>principal</code> The principal name 

  63.  * can either be a simple 

  64.  * user name or a service name such as

  65.  * <code>host/mission.eng.sun.com</code>

  66.  *

  67.  * <p> The following are the list of configuration options supported 

  68.  * for <code>Krb5LoginModule</code>

  69.  *<p><code>useTicketCache</code>: Set this to true, if you want the 

  70.  * TGT to be obtained

  71.  * from the ticket cache. Set this option 

  72.  * to false if you do not want this module to use the ticket cache.

  73.  * (Default is False).

  74.  * This module will 

  75.  * search for the tickect 

  76.  * cache in the following locations:

  77.  * For Windows 2000, it will use Local Security Authority (LSA) API 

  78.  * to get the TGT. On Solaris and Linux 

  79.  * it will look for the ticket cache in /tmp/krb5cc_<code>uid</code>

  80.  * where the uid is numeric user

  81.  * identifier. If the ticket cache is 

  82.  * not available in either of the above locations, or if we are on a

  83.  * different WIndows platform,  it will look for the cache as 

  84.  * {user.home}{file.separator}krb5cc_{user.name}.

  85.  * You can override the ticket cache location by using

  86.  * <code>ticketCache</code> 

  87.  *

  88.  * <p><code>ticketCache</code>: Set this to the name of the ticket 

  89.  * cache that  contains user's TGT. 

  90.  * If this is set,  <code>useTicketcache</code> 

  91.  * must also be set to true; Otherwise a configuration error will 

  92.  * be returned.

  93.  *   

  94.  * <p> <code>doNotPrompt</code>: Set this to true if you do not want to be

  95.  * prompted for the password 

  96.  * if credentials can 

  97.  * not be obtained from the cache or keytab.(Default is false)  

  98.  * If set to true authentication will fail if credentials can 

  99.  * not be obtained from the cache or keytab. 

  100.  *

  101.  *<p><code>useKeyTab</code>:Set this to true if you 

  102.  * want the module to get the principal's key from the

  103.  * the keytab.(default value is False) 

  104.  * If <code>keyatb</code> 

  105.  * is not set then

  106.  * the module will locate the keytab from the 

  107.  * Kerberos configuration file. 

  108.  * If it is not specifed in the Kerberos configuration file 

  109.  * then it will look for the file

  110.  * <code>{user.home}{file.separator}</code>krb5.keytab.

  111.  *

  112.  * <p><code>keyTab</code>: Set this to the file name of the 

  113.  * keytab to get principal's secret key.

  114.  *

  115.  * <p> <code>storeKey</code>: Set  this to True to if you want the

  116.  * principal's key to be stored in the Subject's private credentials. 

  117.  * 

  118.  * <p> <code>principal</code>: The name of the principal that should 

  119.  * be used. It could be

  120.  * simple username such as <code>"testuser"</code> or a service name 

  121.  * such as

  122.  * <code>"host/testhost.eng.sun.com" </code>. You can use 

  123.  * <code>principal</code>  option to set the principal when there are

  124.  * credentials for multiple principals in the

  125.  * <code>keyTab</code> or when you want a specific ticket cache only.  

  126.  *

  127.  * <p> This LoginModule also recognizes the following additional 

  128.  * <code>Configuration</code>

  129.  * options that enable you to share username and passwords across different 

  130.  * authentication modules:

  131.  * <pre>

  132.  *

  133.  *    useFirstPass   if, true, this LoginModule retrieves the

  134.  *                   username and password from the module's shared state,

  135.  *                   using "javax.security.auth.login.name" and

  136.  *                   "javax.security.auth.login.password" as the respective

  137.  *                   keys. The retrieved values are used for authentication.

  138.  *                   If authentication fails, no attempt for a retry

  139.  *                   is made, and the failure is reported back to the

  140.  *                   calling application.

  141.  *

  142.  *    tryFirstPass   if, true, this LoginModule retrieves the

  143.  *                   the username and password from the module's shared

  144.  *                   state using "javax.security.auth.login.name" and

  145.  *                   "javax.security.auth.login.password" as the respective

  146.  *                   keys.  The retrieved values are used for

  147.  *                   authentication.

  148.  *                   If authentication fails, the module uses the

  149.  *                   CallbackHandler to retrieve a new username

  150.  *                   and password, and another attempt to authenticate

  151.  *                   is made. If the authentication fails, 

  152.  *                   the failure is reported back to the calling application

  153.  *

  154.  *    storePass      if, true, this LoginModule stores the username and

  155.  *                   password obtained from the CallbackHandler in the

  156.  *                   modules shared state, using 

  157.  *                   "javax.security.auth.login.name" and 

  158.  *                   "javax.security.auth.login.password" as the respective

  159.  *                   keys.  This is not performed if existing values already

  160.  *                   exist for the username and password in the shared

  161.  *                   state, or if authentication fails.

  162.  *

  163.  *    clearPass     if, true, this <code>LoginModule</code> clears the

  164.  *                  username and password stored in the module's shared

  165.  *                  state  after both phases of authentication

  166.  *                  (login and commit)  have completed.

  167.  * </pre>

  168.  * <p>Examples of some configuration values for Krb5LoginModule in 

  169.  * JAAS config file and the results are:

  170.  * <ul>

  171.  * <p> <code>doNotPrompt</code>=true;

  172.  * </ul>

  173.  * <p> This is an illegal combination since <code>useTicketCache</code>

  174.  * is not set and the user can not be prompted for the password.

  175.  *<ul>

  176.  * <p> <code>ticketCache</code> = < filename >

  177.  *</ul>

  178.  * <p> This is an illegal combination since useTicketCache is not set to 

  179.  * true and the ticketCache is set. A configuratin error will occur.

  180.  * <ul>

  181.  * <p> <code>storeKey</code>=true

  182.  * <code>useTicketCache</code> = true

  183.  * <code>doNotPrompt</code>=true;;

  184.  *</ul>

  185.  * <p> This is an illegal combination since  <code>storeKey</code> is set to

  186.  * true but the key can not be obtained either by prompting the user or from

  187.  * the keytab.A configuratin error will occur.

  188.  * <ul>

  189.  * <p>  <code>keyTab</code> = < filename > <code>doNotPrompt</code>=true ;

  190.  * </ul>

  191.  * <p>This is an illegal combination since useKeyTab is not set to true and

  192.  * the keyTab is set. A configuration error will occur.

  193.  * <ul>

  194.  * <p> <code>debug=true </code>

  195.  *</ul>

  196.  * <p> Prompt the user for the principal name and the password.

  197.  * Use the authentication exchange to get TGT from the KDC and 

  198.  * populate the <code>Subject</code> with the principal and TGT. 

  199.  * Output debug messages.

  200.  * <ul>

  201.  * <p> <code>useTicketCache</code> = true <code>doNotPrompt</code>=true;

  202.  *</ul>

  203.  * <p>Check the default cache for TGT and populate the <code>Subject</code>

  204.  * with the principal and TGT. If the TGT is not available, 

  205.  * do not prompt the user, instead fail the authentication.

  206.  * <ul>

  207.  * <p><code>principal</code>=< name ><code>useTicketCache</code> = true 

  208.  * <code>doNotPrompt</code>=true;

  209.  *</ul>

  210.  * <p> Get the TGT from the default cache for the principal and populate the

  211.  * Subject's principal and private creds set. If ticket cache is

  212.  * not available or does not contain the principal's TGT 

  213.  * authentication will fail.

  214.  * <ul>

  215.  * <p> <code>useTicketCache</code> = true 

  216.  * <code>ticketCache</code>=< file name ><code>useKeyTab</code> = true 

  217.  * <code> keyTab</code>=< keytab filename >

  218.  * <code>principal</code> = < principal name >

  219.  * <code>doNotPrompt</code>=true;

  220.  *</ul>

  221.  * <p>  Search the cache for the principal's TGT. If it is not available 

  222.  * use the key in the keytab to perform authentication exchange with the 

  223.  * KDC and acquire the TGT.

  224.  * The Subject will be populated with the principal and the TGT.

  225.  * If the key is not available or valid then authentication will fail.

  226.  * <ul>

  227.  * <p><code>useTicketCache</code> = true 

  228.  * <code>ticketCache</code>=< file name >

  229.  *</ul>

  230.  * <p> The TGT will be obtained from the cache specified. 

  231.  * The Kerberos principal name used will be the principal name in

  232.  * the Ticket cache. If the TGT is not available in the

  233.  * ticket cache the user will be prompted for the principal name 

  234.  * and the password. The TGT will be obtained using the authentication 

  235.  * exchange with the KDC.

  236.  * The Subject will be populated with the TGT.

  237.  *<ul>

  238.  * <p> <code>useKeyTab</code> = true 

  239.  * <code>keyTab</code>=< keytab filename >

  240.  * <code>principal</code>= < principal name > 

  241.  * <code>storeKey</code>=true;

  242.  *</ul>

  243.  * <p>  The key for the principal will be retrieved from the keytab.

  244.  * If the key is not available in the keytab the user will be prompted

  245.  * for the principal's password. The Subject will be populated

  246.  * with the principal's key either from the keytab or derived from the

  247.  * password entered.

  248.  * <ul>

  249.  * <p> <code>useKeyTab</code> = true 

  250.  * <code>keyTab</code>=< keytabname >

  251.  * <code>storeKey</code>=true</code>

  252.  * <code>doNotPrompt</code>=true;

  253.  *</ul>

  254.  * <p>The user will be prompted for the service principal name. 

  255.  * If the principal's

  256.  * longterm key is available in the keytab , it will be added to the

  257.  * Subject's private credentials. An authentication exchange will be 

  258.  * attempted with the principal name and the key from the Keytab. 

  259.  * If successful the TGT will be added to the

  260.  * Subject's private credentials set. Otherwise the authentication will

  261.  * fail.

  262.  *<ul>

  263.  * <p><code>useKeyTab</code> = true

  264.  * <code>keyTab</code>=< file name > <code>storeKey</code>=true

  265.  * <code>principal</code>= < principal name > 

  266.  * <code>useTicketCache</code>=true

  267.  * <code>ticketCache</code>=< file name >

  268.  *</ul>

  269.  * <p>The principal's key will be retrieved from the keytab and added

  270.  * to the <code>Subject</code>'s private credentials. If the key 

  271.  * is not available, the

  272.  * user will be prompted for the password; the key derived from the password

  273.  * will be added to the Subject's private credentials set. The

  274.  * client's TGT will be retrieved from the ticket cache and added to the

  275.  * <code>Subject</code>'s private credentials. If the TGT is not available  

  276.  * in the ticket cache, it will be obtained using the authentication

  277.  * exchange and added to the Subject's private credentials.

  278.  *

  279.  *

  280.  * @version 1.18, 01/11/00

  281.  * @author Ram Marti

  282.  */

  283. 

  284. public class Krb5LoginModule implements LoginModule {

  285. 

  286.     // initial state

  287.     private Subject subject;

  288.     private CallbackHandler callbackHandler;

  289.     private Map sharedState;

  290.     private Map options;

  291. 

  292.     // configurable option

  293.     private boolean debug = false;

  294.     private boolean storeKey = false;

  295.     private boolean doNotPrompt = false;

  296.     private boolean useTicketCache = false;

  297.     private boolean useKeyTab = false;

  298.     private String ticketCacheName = null;

  299.     private String keyTabName = null;

  300.     private String princName = null;

  301. 

  302.     private boolean useFirstPass = false;

  303.     private boolean tryFirstPass = false;

  304.     private boolean storePass = false;

  305.     private boolean clearPass = false;

  306.     private boolean refreshKrb5Config = false;

  307. 

  308.     // the authentication status

  309.     private boolean succeeded = false;

  310.     private boolean commitSucceeded = false;

  311.     private String username;

  312.     private EncryptionKey encKey;

  313.     private sun.security.krb5.Credentials cred = null;

  314. 

  315.     private PrincipalName principal = null;

  316.     private KerberosPrincipal kerbClientPrinc = null;

  317.     private KerberosTicket kerbTicket = null;

  318.     private KerberosKey kerbKey = null;

  319.     private StringBuffer krb5PrincName = null;

  320.     private char[] password = null;

  321. 

  322.     private static final String NAME = "javax.security.auth.login.name";

  323.     private static final String PWD = "javax.security.auth.login.password";

  324.     static final java.util.ResourceBundle rb =

  325.         java.util.ResourceBundle.getBundle("sun.security.util.AuthResources");

  326. 

  327.     /**

  328.      * Initialize this <code>LoginModule</code>.

  329.      *

  330.      * <p>

  331.      * @param subject the <code>Subject</code> to be authenticated. <p>

  332.      *

  333.      * @param callbackHandler a <code>CallbackHandler</code> for 

  334.      *                  communication with the end user (prompting for

  335.      *                  usernames and passwords, for example). <p>

  336.      *

  337.      * @param sharedState shared <code>LoginModule</code> state. <p>

  338.      *

  339.      * @param options options specified in the login

  340.      *			<code>Configuration</code> for this particular

  341.      *			<code>LoginModule</code>.

  342.      */

  343. 

  344.     public void initialize(Subject subject, 

  345. 			   CallbackHandler callbackHandler,

  346. 			   Map sharedState, Map options) {

  347.  

  348. 	this.subject = subject;

  349. 	this.callbackHandler = callbackHandler;

  350. 	this.sharedState = sharedState;

  351. 	this.options = options;

  352. 

  353. 	// initialize any configured options

  354. 

  355. 	debug = "true".equalsIgnoreCase((String)options.get("debug"));

  356. 	storeKey = "true".equalsIgnoreCase((String)options.get("storeKey"));

  357. 	doNotPrompt = "true".equalsIgnoreCase((String)options.get

  358. 					      ("doNotPrompt"));

  359. 	useTicketCache = "true".equalsIgnoreCase((String)options.get

  360. 						 ("useTicketCache"));

  361. 	useKeyTab = "true".equalsIgnoreCase((String)options.get("useKeyTab"));

  362. 	ticketCacheName = (String)options.get("ticketCache");

  363. 	keyTabName = (String)options.get("keyTab");

  364. 	princName = (String)options.get("principal");

  365. 	refreshKrb5Config =

  366. 	    "true".equalsIgnoreCase((String)options.get("refreshKrb5Config"));

  367. 	tryFirstPass =

  368. 	    "true".equalsIgnoreCase

  369. 	    ((String)options.get("tryFirstPass"));

  370. 	useFirstPass =

  371. 	    "true".equalsIgnoreCase

  372. 	    ((String)options.get("useFirstPass"));

  373. 	storePass =

  374. 	    "true".equalsIgnoreCase((String)options.get("storePass"));

  375. 	clearPass =

  376. 	    "true".equalsIgnoreCase((String)options.get("clearPass"));

  377. 	if (debug) {

  378. 	    System.out.print("Debug is  " + debug  

  379. 			     + " storeKey " + storeKey 

  380. 			     + " useTicketCache " + useTicketCache

  381. 			     + " useKeyTab " + useKeyTab

  382. 			     + " doNotPrompt " + doNotPrompt

  383. 			     + " ticketCache is " + ticketCacheName

  384. 			     + " KeyTab is " + keyTabName

  385. 			     + " refreshKrb5Config is " + refreshKrb5Config

  386. 		     	     + " principal is " + princName

  387. 			     + " tryFirstPass is " + tryFirstPass 

  388. 			     + " useFirstPass is " + useFirstPass

  389. 			     + " storePass is " + storePass

  390. 			     + " clearPass is " + clearPass + "\n");

  391. 	}

  392.     }

  393.     

  394. 

  395.     /**

  396.      * Authenticate the user 

  397.      *

  398.      * <p>

  399.      *

  400.      * @return true in all cases since this <code>LoginModule</code>

  401.      *		should not be ignored.

  402.      *

  403.      * @exception FailedLoginException if the authentication fails. <p>

  404.      *

  405.      * @exception LoginException if this <code>LoginModule</code>

  406.      *		is unable to perform the authentication.

  407.      */

  408.     public boolean login() throws LoginException {

  409. 

  410. 	int len;	

  411. 	validateConfiguration();

  412. 	if (refreshKrb5Config) {

  413. 	    try {

  414. 		if (debug) {

  415. 		    System.out.println("Refreshing Kerberos configuration");

  416. 		}

  417. 	        sun.security.krb5.Config.refresh();

  418. 	    } catch (KrbException ke) {

  419. 	        LoginException le = new LoginException(ke.getMessage());

  420. 	        le.initCause(ke);

  421. 	        throw le;

  422. 	    }

  423. 	}

  424. 	String principalProperty = System.getProperty

  425. 	    ("sun.security.krb5.principal"); 

  426. 	if (principalProperty != null) {

  427. 	    krb5PrincName = new StringBuffer(principalProperty);

  428. 	} else {

  429. 	    if (princName != null) {

  430. 		krb5PrincName = new StringBuffer(princName);

  431. 	    }

  432.     	}

  433.     

  434. 	if (tryFirstPass) {

  435. 	    try {

  436. 		attemptAuthentication(true);    

  437. 		if (debug)

  438. 		    System.out.println("\t\t[Krb5LoginModule] " +

  439. 				       "authentication succeeded");

  440. 		succeeded = true;

  441. 		cleanState();

  442. 		return true;

  443. 	    } catch (LoginException le) {

  444. 		// authentication failed -- try again below by prompting

  445. 		cleanState();

  446. 		if (debug) {

  447. 		    System.out.println("\t\t[Krb5LoginModule] " +

  448. 				       "tryFirstPass failed with:" +

  449. 				       le.getMessage());

  450. 		}

  451. 	    } 

  452. 	} else if (useFirstPass) {

  453. 	    try {

  454. 		attemptAuthentication(true);

  455. 		succeeded = true;

  456. 		cleanState();

  457. 		return true;

  458. 	    } catch (LoginException e) {

  459. 		// authentication failed -- clean out state

  460. 		if (debug) {

  461. 		    System.out.println("\t\t[Krb5LoginModule] " +

  462. 				       "authentication failed \n" +

  463. 				       e.getMessage());

  464. 		}

  465. 		succeeded = false;

  466. 		cleanState();

  467. 		throw e;

  468. 	    } 

  469. 	}

  470.     

  471. 	// attempt the authentication by getting the username and pwd 

  472. 	// by prompting or configuration i.e. not from shared state

  473. 	

  474. 	try {

  475. 	    attemptAuthentication(false);

  476. 	    succeeded = true;

  477. 	    cleanState();

  478. 	    return true;

  479. 	} catch (LoginException e) {

  480. 	    // authentication failed -- clean out state

  481. 	    if (debug) {

  482. 		System.out.println("\t\t[Krb5LoginModule] " +

  483. 				   "authentication failed \n" +

  484. 				   e.getMessage());

  485. 	    }

  486. 	    succeeded = false;

  487. 	    cleanState();

  488. 	    throw e;

  489. 	}

  490.     }

  491.     /** 

  492.      * process the configuration options

  493.      * Get the TGT either out of

  494.      * cache or from the KDC using the password entered

  495.      * Check the  permission before getting the TGT

  496.      */

  497. 

  498.     private void attemptAuthentication(boolean getPasswdFromSharedState)

  499. 	throws LoginException {

  500. 	

  501. 	/* 

  502. 	 * Check the creds cache to see whether 

  503. 	 * we have TGT for this client principal

  504. 	 */

  505. 	if (krb5PrincName != null) {

  506. 	    try {

  507. 	        principal = new PrincipalName

  508. 		    (krb5PrincName.toString(),

  509. 		     PrincipalName.KRB_NT_PRINCIPAL);

  510. 	    } catch (KrbException e) {

  511. 		LoginException le = new LoginException(e.getMessage());

  512. 		le.initCause(e);

  513. 		throw le;

  514. 	    }

  515. 	}

  516. 	

  517. 	try { 

  518. 	    if (useTicketCache) {

  519. 		// ticketCacheName == null implies the default cache

  520. 		cred  = Credentials.acquireTGTFromCache

  521. 		    (principal, ticketCacheName);

  522. 		if (cred != null) {

  523. 		    // get the principal name from the ticket cache

  524. 		    if (principal == null) { 

  525. 			principal = cred.getClient();

  526. 		    }

  527. 		}

  528. 		if (debug) {

  529. 		    System.out.println("Principal is " + principal);

  530. 		    if (cred ==  null) {

  531. 			System.out.println

  532. 			    ("null credentials from Ticket Cache");

  533. 		    }

  534. 		}

  535. 	    }		     

  536. 

  537. 	    // cred = null indicates that we did n't get the creds

  538. 	    // from the cache or useTicketCache was false

  539. 		

  540. 	    if (cred == null) {

  541. 		// We need the principal name whether we use keytab

  542. 		// or AS Exchange

  543. 		if (principal == null) {

  544. 		    promptForName(getPasswdFromSharedState);

  545. 		    principal = new PrincipalName

  546. 			(krb5PrincName.toString(),

  547. 			 PrincipalName.KRB_NT_PRINCIPAL);

  548. 		}

  549. 		if (useKeyTab) {

  550. 		    encKey = EncryptionKey.acquireSecretKey

  551. 			(principal, keyTabName);

  552. 		    if (debug) {

  553. 			if (encKey != null)

  554. 			    System.out.println

  555. 				("principal's key obtained from the keytab");

  556. 			else

  557. 			    System.out.println

  558. 				("Key for the principal " + 

  559. 				 principal  + 

  560. 				 " not available in " + 

  561. 				 ((keyTabName == null) ? 

  562. 				  "default key tab" : keyTabName));

  563. 		    }

  564. 		    

  565. 		}   

  566. 		// We can't get the key from the keytab so prompt    

  567. 		if (encKey == null) {	

  568. 		    promptForPass(getPasswdFromSharedState);

  569. 		    encKey = new EncryptionKey(

  570. 				     new StringBuffer().append(password),

  571. 				     principal.getSalt());

  572. 		}

  573. 		// Get the TGT using AS Exchange

  574. 		if (debug)

  575. 		    System.out.println("principal is " + principal);

  576. 		cred = Credentials.acquireTGT(principal, encKey);

  577. 

  578. 		// we should hava a  non-null cred 

  579. 		if (cred == null) {

  580. 		    throw new LoginException 

  581. 			("TGT Can not be obtained from the KDC ");

  582. 		}

  583. 	    }

  584. 	} catch (KrbException e) {

  585. 	    LoginException le = new LoginException(e.getMessage());

  586. 	    le.initCause(e);

  587. 	    throw le;

  588. 	} catch (IOException ioe) {

  589. 	    LoginException ie = new LoginException(ioe.getMessage());

  590. 	    ie.initCause(ioe);

  591. 	    throw ie;

  592. 	}

  593.     }

  594.     

  595.     private void promptForName(boolean getPasswdFromSharedState)

  596. 	throws LoginException {

  597. 	krb5PrincName = new StringBuffer("");

  598. 	if (getPasswdFromSharedState) {

  599. 	    // use the name saved by the first module in the stack

  600. 	    username = (String)sharedState.get(NAME);

  601. 	    if (debug) {

  602. 		System.out.println

  603. 		    ("username from shared state is " + username + "\n");

  604. 	    }

  605. 	    if (username == null) {

  606. 		System.out.println

  607. 		    ("username from shared state is null\n");

  608. 		throw new LoginException

  609. 		    ("Username can not be obtained from sharedstate ");

  610. 	    }

  611. 	    if (debug) {

  612. 		System.out.println

  613. 		    ("username from shared state is " + username + "\n");

  614. 	    }

  615. 	    if (username != null && username.length() > 0) {

  616. 		krb5PrincName.insert(0, username);

  617. 		return;

  618. 	    }

  619. 	}

  620.    

  621. 	if (doNotPrompt) {

  622. 	    throw new LoginException

  623. 		("Unable to obtain Princpal Name for authentication ");

  624. 	} else {

  625. 	    if (callbackHandler == null)

  626. 		throw new LoginException("No CallbackHandler "

  627. 					 + "available "

  628. 					 + "to garner authentication " 

  629. 					 + "information from the user");

  630. 	    try {

  631. 		String defUsername = System.getProperty("user.name");

  632. 		

  633. 		Callback[] callbacks = new Callback[1];

  634. 		MessageFormat form = new MessageFormat(

  635. 				       rb.getString(

  636. 				       "Kerberos username [[defUsername]]: "));

  637. 	        Object[] source =  {defUsername};

  638. 		callbacks[0] = new NameCallback(form.format(source));

  639. 		callbackHandler.handle(callbacks);

  640. 		username = ((NameCallback)callbacks[0]).getName();

  641. 		if (username == null || username.length() == 0)

  642. 		    username = defUsername;

  643. 		krb5PrincName.insert(0, username);

  644. 		

  645. 	    } catch (java.io.IOException ioe) {

  646. 		throw new LoginException(ioe.getMessage());

  647. 	    } catch (UnsupportedCallbackException uce) {

  648. 		throw new LoginException

  649. 		    (uce.getMessage()

  650. 		     +" not available to garner " 

  651. 		     +" authentication information " 

  652. 		     +" from the user");

  653. 	    }

  654. 	}

  655.     }

  656.     

  657.     private void promptForPass(boolean getPasswdFromSharedState) 

  658. 	throws LoginException {

  659. 

  660. 	if (getPasswdFromSharedState) {

  661. 	    // use the password saved by the first module in the stack

  662. 	    password = (char[])sharedState.get(PWD);

  663. 	    if (password == null) {

  664. 		if (debug) {

  665. 		    System.out.println

  666. 			("Password from shared state is null");

  667. 		}

  668. 		throw new LoginException

  669. 		    ("Password can not be obtained from sharedstate ");

  670. 	    }

  671. 	    if (debug) {

  672. 		System.out.println

  673. 		    ("password is " + new String(password));

  674. 	    }

  675. 	    return;

  676. 	}

  677. 	if (doNotPrompt) {

  678. 	    throw new LoginException

  679. 		("Unable to obtain password from user\n");

  680. 	} else {

  681. 	    try {

  682. 		Callback[] callbacks = new Callback[1];

  683. 		String userName = krb5PrincName.toString();

  684. 		MessageFormat form = new MessageFormat(

  685. 					 rb.getString(

  686. 					 "Kerberos password for [username]: "));

  687. 	        Object[] source = {userName};

  688. 		callbacks[0] = new PasswordCallback(

  689. 						    form.format(source),

  690. 						    false);

  691. 		callbackHandler.handle(callbacks);

  692. 		char[] tmpPassword = ((PasswordCallback)

  693. 				      callbacks[0]).getPassword();

  694. 		if (tmpPassword == null) {

  695. 		    // treat a NULL password as an empty password

  696. 		    tmpPassword = new char[0];

  697. 		}

  698. 		password = new char[tmpPassword.length];

  699. 		System.arraycopy(tmpPassword, 0,

  700. 				 password, 0, tmpPassword.length);

  701. 		((PasswordCallback)callbacks[0]).clearPassword();

  702. 		

  703. 

  704. 		// clear tmpPassword

  705. 		for (int i = 0; i < tmpPassword.length; i++)

  706. 		    tmpPassword[i] = ' ';

  707. 		tmpPassword = null;

  708. 		if (debug) {

  709. 		    System.out.println("\t\t[Krb5LoginModule] " +

  710. 				       "user entered username: " +

  711. 				       krb5PrincName);

  712. 		    System.out.println();

  713. 		}

  714. 	    } catch (java.io.IOException ioe) {

  715. 		throw new LoginException(ioe.getMessage());

  716. 	    } catch (UnsupportedCallbackException uce) {

  717. 		throw new LoginException(uce.getMessage()

  718. 					 +" not available to garner " 

  719. 					 +" authentication information " 

  720. 					 + "from the user");

  721. 	    }

  722. 	}	

  723.     }

  724. 

  725.     private void validateConfiguration() throws LoginException {

  726. 	if (doNotPrompt && !useTicketCache && !useKeyTab)

  727. 	    throw new LoginException

  728. 		("Configuration Error" 

  729. 		 + " - either doNotPrompt should be "

  730. 		 + " false or useTicketCache/useKeyTab "

  731. 		 + " should be true");

  732. 	if (ticketCacheName != null && !useTicketCache)

  733. 	    throw new LoginException

  734. 		("Configuration Error " 

  735. 		 + " - useTicketCache should be set "

  736. 		 + "to true to use the ticket cache" 

  737. 		 + ticketCacheName);

  738. 	if (keyTabName != null & !useKeyTab)

  739. 	    throw new LoginException

  740. 		("Configuration Error - useKeyTab should be set to true "

  741. 		 + "to use the keytab" + keyTabName);

  742. 	if (storeKey && doNotPrompt && !useKeyTab) 

  743. 	    throw new LoginException

  744. 		("Configuration Error - either doNotPrompt "

  745. 		 + "should be set to false or "

  746. 		 + "useKeyTab must be set to true for storeKey option");

  747.     }

  748.     

  749.     

  750.     /**

  751.      * <p> This method is called if the LoginContext's

  752.      * overall authentication succeeded

  753.      * (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL

  754.      * LoginModules succeeded).

  755.      *

  756.      * <p> If this LoginModule's own authentication attempt

  757.      * succeeded (checked by retrieving the private state saved by the

  758.      * <code>login</code> method), then this method associates a

  759.      * <code>Krb5Principal</code>

  760.      * with the <code>Subject</code> located in the

  761.      * <code>LoginModule</code>. It adds Kerberos Credentials to the

  762.      *  the Subject's private credentials set. If this LoginModule's own

  763.      * authentication attempted failed, then this method removes

  764.      * any state that was originally saved.

  765.      *

  766.      * <p>

  767.      *

  768.      * @exception LoginException if the commit fails.

  769.      *

  770.      * @return true if this LoginModule's own login and commit

  771.      *		attempts succeeded, or false otherwise.

  772.      */

  773. 

  774.     public boolean commit() throws LoginException {

  775. 

  776. 	/*

  777. 	 * Let us add the Krb5 Creds to the Subject's 

  778. 	 * private credentials. The credentials are of type

  779. 	 * KerberosKey or KerberosTicket

  780. 	 */

  781. 	if (succeeded == false) {

  782. 	    return false;

  783. 	} else {

  784. 	    /*

  785. 	     * Add the Principal (authenticated identity)

  786. 	     * to the Subject's principal set and

  787. 	     * add the credentials (TGT or Service key) to the

  788. 	     * Subject's private credentials

  789. 	     */

  790. 

  791. 	    Set privCredSet =  subject.getPrivateCredentials();

  792. 	    Set princSet  = subject.getPrincipals();

  793. 	    kerbClientPrinc = new KerberosPrincipal(principal.getName());

  794. 	    

  795. 	    if (cred == null) {

  796. 		succeeded = false;

  797. 		throw new LoginException("Null Client Credential");

  798. 	    }

  799. 	    EncryptionKey sessionKey = cred.getSessionKey();

  800. 	    kerbTicket  = new KerberosTicket

  801. 		(cred.getEncoded(),

  802. 		 new KerberosPrincipal(cred.getClient().getName()),

  803. 		 new KerberosPrincipal(cred.getServer().getName()),

  804. 		 sessionKey.getBytes(), 

  805. 		 sessionKey.getEType(), 

  806. 		 cred.getFlags(), 

  807. 		 cred.getAuthTime(), 

  808. 		 cred.getStartTime(), 

  809. 		 cred.getEndTime(), 

  810. 		 cred.getRenewTill(), 

  811. 		 cred.getClientAddresses());

  812. 	    

  813. 	    if (storeKey) {

  814. 		if (encKey == null) {

  815. 		    succeeded = false;

  816. 		    throw new LoginException("Null Server Key ");

  817. 		}		

  818. 		Integer temp = encKey.getKeyVersionNumber();

  819. 		kerbKey = new KerberosKey(kerbClientPrinc,

  820. 					  encKey.getBytes(),

  821. 					  encKey.getEType(),

  822. 					  (temp == null?

  823. 					  0: temp.intValue()));

  824. 		

  825. 	    }

  826. 	    // Let us add the kerbClientPrinc,kerbTicket and kerbKey (if

  827. 	    // storeKey is true)

  828. 	    if (!princSet.contains(princSet))

  829. 		princSet.add(kerbClientPrinc);

  830. 	    if (!privCredSet.contains(kerbTicket)) 	

  831. 		privCredSet.add(kerbTicket);

  832. 	    if (storeKey) {

  833. 		if (!privCredSet.contains(kerbKey)) {	

  834. 		    privCredSet.add(kerbKey);

  835. 		}

  836. 		encKey.destroy();

  837. 		encKey = null;

  838. 		if (debug) {

  839. 		    System.out.println("Added server's key"

  840. 					+ kerbKey);		    

  841. 		    System.out.println("\t\t[Krb5LoginModule] " +

  842. 				       "added Krb5Principal  " + 

  843. 				       kerbClientPrinc.toString()

  844. 				       + " to Subject");

  845. 		}			

  846. 	    }

  847. 	}

  848. 	commitSucceeded = true;

  849. 	if (debug)

  850. 	    System.out.println("Commit Succeeded \n");

  851. 	return true;

  852.     }

  853.     

  854.     /**

  855.      * <p> This method is called if the LoginContext's

  856.      * overall authentication failed.

  857.      * (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL 

  858.      * LoginModules did not succeed).

  859.      *

  860.      * <p> If this LoginModule's own authentication attempt

  861.      * succeeded (checked by retrieving the private state saved by the

  862.      * <code>login</code> and <code>commit</code> methods),

  863.      * then this method cleans up any state that was originally saved.

  864.      *

  865.      * <p>

  866.      *

  867.      * @exception LoginException if the abort fails.

  868.      *

  869.      * @return false if this LoginModule's own login and/or commit attempts

  870.      *		failed, and true otherwise.

  871.      */

  872. 

  873.     public boolean abort() throws LoginException {

  874. 	if (succeeded == false) {

  875. 	    return false;

  876. 	} else if (succeeded == true && commitSucceeded == false) {

  877. 	    // login succeeded but overall authentication failed

  878. 	    succeeded = false;

  879. 	    username = null;

  880. 	    try {

  881. 		if (kerbTicket != null)

  882. 		    kerbTicket.destroy();

  883. 		if (kerbKey != null)

  884. 		    kerbKey.destroy();

  885. 	    } catch (DestroyFailedException e) {

  886. 		throw new LoginException

  887. 		    ("Destroy Failed on Kerberos Private Credentials");

  888. 	    }

  889. 	    kerbTicket = null;

  890. 	    kerbKey = null;

  891. 	    kerbClientPrinc = null;

  892. 	} else {

  893. 	    // overall authentication succeeded and commit succeeded,

  894. 	    // but someone else's commit failed

  895. 	    logout();

  896. 	}

  897. 	return true;

  898.     }

  899.     

  900.     /**

  901.      * Logout the user.

  902.      *

  903.      * <p> This method removes the <code>Krb5Principal</code>

  904.      * that was added by the <code>commit</code> method.

  905.      *

  906.      * <p>

  907.      *

  908.      * @exception LoginException if the logout fails.

  909.      *

  910.      * @return true in all cases since this <code>LoginModule</code>

  911.      *          should not be ignored.

  912.      */

  913.     public boolean logout() throws LoginException {

  914. 	

  915. 	subject.getPrincipals().remove(kerbClientPrinc);

  916. 	   // Let us remove all Kerberos credentials stored in the Subject 

  917. 	Iterator it = subject.getPrivateCredentials().iterator();

  918. 	while (it.hasNext()) {

  919. 	   Object o = it.next();

  920. 	   if (o instanceof KerberosTicket ||

  921. 	       o instanceof KerberosKey) {

  922. 	       it.remove();

  923. 	   }

  924. 	}

  925. 	// Clean the slate

  926. 	try {

  927. 	    if (kerbTicket != null)

  928. 		kerbTicket.destroy();

  929. 	    if (kerbKey != null)

  930. 		kerbKey.destroy();

  931. 	} catch (DestroyFailedException e) {

  932. 	    throw new LoginException

  933. 		("Destroy Failed on Kerberos Private Credentials");

  934. 	}

  935. 	kerbTicket = null;

  936. 	kerbKey = null;

  937. 	kerbClientPrinc = null;

  938. 	succeeded = false;

  939. 	commitSucceeded = false;

  940. 	username = null;

  941. 	if (debug) {

  942.             System.out.println("\t\t[Krb5LoginModule]: " +

  943. 			       "logged out Subject");

  944.         }

  945. 	return true;

  946.     }

  947. 

  948.     /**

  949.      * Clean out the state 

  950.      */

  951.     private void cleanState() {

  952.        

  953. 	// save input as shared state only if

  954. 	// authentication succeeded

  955. 	if (succeeded) {

  956. 	    if (storePass &&

  957. 		!sharedState.containsKey(NAME) &&

  958. 		!sharedState.containsKey(PWD)) {

  959. 		sharedState.put(NAME, username);

  960. 		sharedState.put(PWD, password);

  961. 	    }

  962. 	}

  963. 	username = null;

  964. 	password = null;

  965. 	if (krb5PrincName != null && krb5PrincName.length() != 0)

  966. 	    krb5PrincName.delete(0, krb5PrincName.length());

  967. 	krb5PrincName = null;

  968. 	if (clearPass) {

  969. 	    sharedState.remove(NAME);

  970. 	    sharedState.remove(PWD);

  971. 	}

  972.     }

  973. }