server/src/main/java/org/apache/calcite/avatica/server/PropertyBasedSpnegoLoginService.java - calcite-avatica - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one or more
  * contributor license agreements.  See the NOTICE file distributed with
  * this work for additional information regarding copyright ownership.
  * The ASF licenses this file to you under the Apache License, Version 2.0
  * (the "License"); you may not use this file except in compliance with
  * the License.  You may obtain a copy of the License at
  *
  * http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 package org.apache.calcite.avatica.server;

 import org.eclipse.jetty.security.SpnegoUserPrincipal;
 import org.eclipse.jetty.server.UserIdentity;
 import org.eclipse.jetty.util.B64Code;
 import org.ietf.jgss.GSSContext;
 import org.ietf.jgss.GSSCredential;
 import org.ietf.jgss.GSSException;
 import org.ietf.jgss.GSSManager;
 import org.ietf.jgss.GSSName;
 import org.ietf.jgss.Oid;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

 import java.lang.reflect.Field;
 import java.util.Objects;
 import javax.security.auth.Subject;
 import javax.servlet.ServletRequest;

 /**
  * A customization of {@link org.eclipse.jetty.security.SpnegoLoginService} which directly
  * specifies the server's principal instead of requiring a file to exist. Known to work with
  * Jetty-9.2.x, any other version would require testing/inspection to ensure the logic is still
  * sound.
  */
 @SuppressWarnings("deprecation")
 public class PropertyBasedSpnegoLoginService extends org.eclipse.jetty.security.SpnegoLoginService {
   private static final Logger LOG = LoggerFactory.getLogger(PropertyBasedSpnegoLoginService.class);

   private static final String TARGET_NAME_FIELD_NAME = "_targetName";
   private final String serverPrincipal;

   public PropertyBasedSpnegoLoginService(String realm, String serverPrincipal) {
     super(realm);
     this.serverPrincipal = Objects.requireNonNull(serverPrincipal);
   }

   @Override protected void doStart() throws Exception {
     // Override the parent implementation, setting _targetName to be the serverPrincipal
     // without the need for a one-line file to do the same thing.
     //
     // AbstractLifeCycle's doStart() method does nothing, so we aren't missing any extra logic.
     final Field targetNameField = org.eclipse.jetty.security.SpnegoLoginService.class
                                       .getDeclaredField(TARGET_NAME_FIELD_NAME);
     targetNameField.setAccessible(true);
     targetNameField.set(this, serverPrincipal);
   }

   @Override public UserIdentity login(String username, Object credentials,
       ServletRequest request) {
     String encodedAuthToken = (String) credentials;
     byte[] authToken = B64Code.decode(encodedAuthToken);

     GSSManager manager = GSSManager.getInstance();
     try {
       // http://java.sun.com/javase/6/docs/technotes/guides/security/jgss/jgss-features.html
       Oid spnegoOid = new Oid("1.3.6.1.5.5.2");
       Oid krb5Oid = new Oid("1.2.840.113554.1.2.2");
       GSSName gssName = manager.createName(serverPrincipal, null);
       // CALCITE-1922 Providing both OIDs is the bug in Jetty we're working around. By specifying
       // only one, we're requiring that clients *must* provide us the SPNEGO OID to authenticate
       // via Kerberos which is wrong. Best as I can tell, the SPNEGO OID is meant as another
       // layer of indirection (essentially is equivalent to setting the Kerberos OID).
       GSSCredential serverCreds = manager.createCredential(gssName,
           GSSCredential.INDEFINITE_LIFETIME, new Oid[] {krb5Oid, spnegoOid},
           GSSCredential.ACCEPT_ONLY);
       GSSContext gContext = manager.createContext(serverCreds);

       if (gContext == null) {
         LOG.debug("SpnegoUserRealm: failed to establish GSSContext");
       } else {
         while (!gContext.isEstablished()) {
           authToken = gContext.acceptSecContext(authToken, 0, authToken.length);
         }
         if (gContext.isEstablished()) {
           String clientName = gContext.getSrcName().toString();
           String role = clientName.substring(clientName.indexOf('@') + 1);

           LOG.debug("SpnegoUserRealm: established a security context");
           LOG.debug("Client Principal is: {}", gContext.getSrcName());
           LOG.debug("Server Principal is: {}", gContext.getTargName());
           LOG.debug("Client Default Role: {}", role);

           SpnegoUserPrincipal user = new SpnegoUserPrincipal(clientName, authToken);

           Subject subject = new Subject();
           subject.getPrincipals().add(user);

           return _identityService.newUserIdentity(subject, user, new String[]{role});
         }
       }
     } catch (GSSException gsse) {
       LOG.warn("Caught GSSException trying to authenticate the client", gsse);
     }

     return null;
   }
 }

 // End PropertyBasedSpnegoLoginService.java
	/*
	* Licensed to the Apache Software Foundation (ASF) under one or more
	* contributor license agreements. See the NOTICE file distributed with
	* this work for additional information regarding copyright ownership.
	* The ASF licenses this file to you under the Apache License, Version 2.0
	* (the "License"); you may not use this file except in compliance with
	* the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/
	package org.apache.calcite.avatica.server;

	import org.eclipse.jetty.security.SpnegoUserPrincipal;
	import org.eclipse.jetty.server.UserIdentity;
	import org.eclipse.jetty.util.B64Code;
	import org.ietf.jgss.GSSContext;
	import org.ietf.jgss.GSSCredential;
	import org.ietf.jgss.GSSException;
	import org.ietf.jgss.GSSManager;
	import org.ietf.jgss.GSSName;
	import org.ietf.jgss.Oid;
	import org.slf4j.Logger;
	import org.slf4j.LoggerFactory;

	import java.lang.reflect.Field;
	import java.util.Objects;
	import javax.security.auth.Subject;
	import javax.servlet.ServletRequest;

	/**
	* A customization of {@link org.eclipse.jetty.security.SpnegoLoginService} which directly
	* specifies the server's principal instead of requiring a file to exist. Known to work with
	* Jetty-9.2.x, any other version would require testing/inspection to ensure the logic is still
	* sound.
	*/
	@SuppressWarnings("deprecation")
	public class PropertyBasedSpnegoLoginService extends org.eclipse.jetty.security.SpnegoLoginService {
	private static final Logger LOG = LoggerFactory.getLogger(PropertyBasedSpnegoLoginService.class);

	private static final String TARGET_NAME_FIELD_NAME = "_targetName";
	private final String serverPrincipal;

	public PropertyBasedSpnegoLoginService(String realm, String serverPrincipal) {
	super(realm);
	this.serverPrincipal = Objects.requireNonNull(serverPrincipal);
	}

	@Override protected void doStart() throws Exception {
	// Override the parent implementation, setting _targetName to be the serverPrincipal
	// without the need for a one-line file to do the same thing.
	//
	// AbstractLifeCycle's doStart() method does nothing, so we aren't missing any extra logic.
	final Field targetNameField = org.eclipse.jetty.security.SpnegoLoginService.class
	.getDeclaredField(TARGET_NAME_FIELD_NAME);
	targetNameField.setAccessible(true);
	targetNameField.set(this, serverPrincipal);
	}

	@Override public UserIdentity login(String username, Object credentials,
	ServletRequest request) {
	String encodedAuthToken = (String) credentials;
	byte[] authToken = B64Code.decode(encodedAuthToken);

	GSSManager manager = GSSManager.getInstance();
	try {
	// http://java.sun.com/javase/6/docs/technotes/guides/security/jgss/jgss-features.html
	Oid spnegoOid = new Oid("1.3.6.1.5.5.2");
	Oid krb5Oid = new Oid("1.2.840.113554.1.2.2");
	GSSName gssName = manager.createName(serverPrincipal, null);
	// CALCITE-1922 Providing both OIDs is the bug in Jetty we're working around. By specifying
	// only one, we're requiring that clients must provide us the SPNEGO OID to authenticate
	// via Kerberos which is wrong. Best as I can tell, the SPNEGO OID is meant as another
	// layer of indirection (essentially is equivalent to setting the Kerberos OID).
	GSSCredential serverCreds = manager.createCredential(gssName,
	GSSCredential.INDEFINITE_LIFETIME, new Oid[] {krb5Oid, spnegoOid},
	GSSCredential.ACCEPT_ONLY);
	GSSContext gContext = manager.createContext(serverCreds);

	if (gContext == null) {
	LOG.debug("SpnegoUserRealm: failed to establish GSSContext");
	} else {
	while (!gContext.isEstablished()) {
	authToken = gContext.acceptSecContext(authToken, 0, authToken.length);
	}
	if (gContext.isEstablished()) {
	String clientName = gContext.getSrcName().toString();
	String role = clientName.substring(clientName.indexOf('@') + 1);

	LOG.debug("SpnegoUserRealm: established a security context");
	LOG.debug("Client Principal is: {}", gContext.getSrcName());
	LOG.debug("Server Principal is: {}", gContext.getTargName());
	LOG.debug("Client Default Role: {}", role);

	SpnegoUserPrincipal user = new SpnegoUserPrincipal(clientName, authToken);

	Subject subject = new Subject();
	subject.getPrincipals().add(user);

	return _identityService.newUserIdentity(subject, user, new String[]{role});
	}
	}
	} catch (GSSException gsse) {
	LOG.warn("Caught GSSException trying to authenticate the client", gsse);
	}

	return null;
	}
	}

	// End PropertyBasedSpnegoLoginService.java