java.lang.Object
  org.exoplatform.services.security.sso.spnego.SpnegoHandler

public class SpnegoHandler

Thin Spnego wrapping mechanism for the org.ietf.jgss GSS-API.

Spnego is not supported by Java 5 but is in Java 6; however, Spnego itself is very simple, just a thin wrapper over GSS-API, and this class provides Spnego support on Java 5.

The implementation is generic, which means it works with GSS-API mechanisms other than Kerberos (although Kerberos is the only one that Java 5 JAAS supports anyway).
This class needs two things to work:

- javax.security.auth.useSubjectCredsOnly set to false.
- java.security.auth.login.config pointing to a file with the JAAS login configuration. The login configuration needs to contain this:

```
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule
        required
        storeKey=true
        keyTab="/etc/krb5.keytab"
        doNotPrompt=true
        useKeyTab=true
        realm="SALAD.TAGLAB.COM"
        principal="HTTP/banana.salad.taglab.com@SALAD.TAGLAB.COM"
        debug=true;
};
```
You would need to adjust /etc/krb5.keytab to point to a keytab containing the principal named by principal=. Please note that the service principal must be named HTTP/servername@REALM, where servername MUST be the name typed into the browser's URL bar AND the reverse-lookup name of the IP address that name resolves to.
XXX The class should be updated to use Java 6 Spnego once generally in use.
This implementation was made following: http://msdn2.microsoft.com/en-us/library/ms995330.aspx
| Nested Class Summary | |
|---|---|
| static class | SpnegoHandler.State: State of the SpnegoHandler. |

| Constructor Summary | |
|---|---|
| SpnegoHandler() | Creates a new SpnegoHandler. |

| Method Summary | |
|---|---|
| byte[] | authenticate(byte[] token): Performs the actual authentication against the GSS-API. |
| protected byte[] | constructResponse(boolean isKerberosMicrosoft, byte[] gssApiToken): Constructs the response byte array from the given input. |
| GSSContext | getGSSContext() |
| SpnegoHandler.State | getState() |
| boolean | isComplete(): Tells if negotiation is complete or if more round trips to authenticate() are expected. |
| boolean | isEstablished() |
| boolean | isFailed() |
| void | setUnauthorized(): Sets the state to UNAUTHORIZED. |
| Methods inherited from class java.lang.Object |
|---|
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait |
| Constructor Detail |
|---|

public SpnegoHandler()
                     throws GSSSpnegoException

Throws:
GSSSpnegoException - If we failed to establish the GSS-API context.

| Method Detail |
|---|

public byte[] authenticate(byte[] token)
                    throws SpnegoException

The method unwraps the nested GSS-API token from the Spnego token and passes that into the GSSContext that was established in the constructor.

Parameters:
token - the spnego message.
Throws:
SpnegoException - if an exception is encountered whilst doing the authentication.

protected byte[] constructResponse(boolean isKerberosMicrosoft,
                                   byte[] gssApiToken)

Parameters:
isKerberosMicrosoft - is Kerberos Microsoft.
gssApiToken - input tokens.

public boolean isComplete()

public SpnegoHandler.State getState()

public void setUnauthorized()

public GSSContext getGSSContext()

public boolean isEstablished()

public boolean isFailed()
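The following is an added example, not part of the eXo SpnegoHandler class or its Javadoc. It shows how a caller would set the two system properties listed in the class description and then drive one SpnegoHandler through the HTTP Negotiate round trips that authenticate() and isComplete() describe: a request without a token gets an empty "Negotiate" challenge, a request carrying a token is decoded and passed to authenticate(), and the returned token is sent back as a new challenge until isComplete() reports that negotiation is over. Assumptions: the class name NegotiateRoundTrip and its package are invented for this example; SpnegoException and GSSSpnegoException are assumed to live in the same package as SpnegoHandler; authenticate() is assumed to possibly return null or an empty array when there is nothing to send back; java.util.Base64 requires Java 8+, so on the Java 5/6 runtimes the Javadoc targets a third-party Base64 codec would be substituted. The header names follow the MSDN Negotiate page the Javadoc references.

```java
package org.exoplatform.services.security.sso.spnego.example; // hypothetical package for this added example

import java.util.Base64;                                         // assumption: Java 8+ (swap for another codec on Java 5/6)
import org.ietf.jgss.GSSException;
import org.exoplatform.services.security.sso.spnego.SpnegoHandler;
import org.exoplatform.services.security.sso.spnego.SpnegoException;     // assumed package
import org.exoplatform.services.security.sso.spnego.GSSSpnegoException;  // assumed package

/** Drives one SpnegoHandler through the HTTP Negotiate round trips for a single client session. */
public final class NegotiateRoundTrip {

    /** What the caller should do after processing one request. */
    public enum Outcome { CHALLENGE, ESTABLISHED, REJECTED }

    private static final String SCHEME = "Negotiate ";

    private final SpnegoHandler handler;
    private String challengeToken; // base64 token for the next WWW-Authenticate header; "" means bare "Negotiate"; null means none

    /** Must run once, before the first SpnegoHandler is created, so JAAS picks up the accept entry. */
    public static void configureOnce(String jaasConfigPath) {
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
        System.setProperty("java.security.auth.login.config", jaasConfigPath);
    }

    public NegotiateRoundTrip() throws GSSSpnegoException {
        // The constructor establishes the acceptor GSS-API context from the keytab named in the JAAS config.
        this.handler = new SpnegoHandler();
    }

    /** Processes the Authorization header of one request (null if the client sent none). */
    public Outcome process(String authorizationHeader) {
        if (authorizationHeader == null || !authorizationHeader.startsWith(SCHEME)) {
            // No token yet: answer 401 with a bare "Negotiate" challenge so the browser starts SPNEGO.
            challengeToken = "";
            return Outcome.CHALLENGE;
        }

        byte[] spnegoToken;
        try {
            spnegoToken = Base64.getDecoder().decode(authorizationHeader.substring(SCHEME.length()).trim());
        } catch (IllegalArgumentException badBase64) {
            // Malformed token: mark the handler UNAUTHORIZED rather than feeding garbage to GSS-API.
            handler.setUnauthorized();
            challengeToken = null;
            return Outcome.REJECTED;
        }

        byte[] response;
        try {
            // authenticate() unwraps the GSS-API token from the SPNEGO token and feeds the context.
            response = handler.authenticate(spnegoToken);
        } catch (SpnegoException e) {
            handler.setUnauthorized();
            challengeToken = null;
            return Outcome.REJECTED;
        }

        // Assumption: a null/empty response means there is nothing to send back to the client.
        String encoded = (response == null || response.length == 0)
                ? null : Base64.getEncoder().encodeToString(response);

        if (!handler.isComplete()) {
            // More round trips expected: the response token becomes the next challenge.
            challengeToken = encoded == null ? "" : encoded;
            return Outcome.CHALLENGE;
        }
        if (handler.isEstablished() && !handler.isFailed()) {
            // Context is established; a final token (mutual authentication) may still go back to the client.
            challengeToken = encoded;
            return Outcome.ESTABLISHED;
        }
        handler.setUnauthorized();
        challengeToken = null;
        return Outcome.REJECTED;
    }

    /** Value for the WWW-Authenticate response header, or null when none is due. */
    public String wwwAuthenticateHeader() {
        if (challengeToken == null) return null;
        return challengeToken.isEmpty() ? "Negotiate" : SCHEME + challengeToken;
    }

    /** Authenticated client principal, read from the established GSS-API context. */
    public String principalName() throws GSSException {
        return handler.getGSSContext().getSrcName().toString();
    }
}
```

The one SpnegoHandler instance is kept for the whole session because, as the isComplete() summary says, a negotiation may take several calls to authenticate(); creating a fresh handler per request would discard the partially established GSSContext. Only after process() returns ESTABLISHED should the caller trust principalName() and grant access; on CHALLENGE it sends a 401 with the header from wwwAuthenticateHeader(), and on REJECTED it sends a 401 or 403 without further negotiation.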