SPNego Tokens...
Hi all,
I have two simple questions... It really seems that GSS-API is not able to handle SPNego tokens; because of this I have decided to parse the Kerberos token out of it via my own utility.
1) Please, what is the best way of finding the beginning of the Kerberos token that is wrapped inside the SPNego token?
In my opinion the best way is looking for the 0x60 tag and verifying the Kerberos V5 OID...
Kerberos V5 Oid [0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02]
2) Via the previous rule I'm able to extract the Kerberos token without any problems... The Kerberos token seems to be valid...
0x60 0x82 0x6 0x10 0x6 0x9 0x2a 0x86 0x48 0x86 0xf7 0x12 0x1 0x2 0x2 0x1
0x0 0x6e 0x82 0x5 0xff 0x30 0x82 0x5 0xfb 0xa0 0x3 0x2 0x1 0x5 0xa1 0x3
0x2 0x1 0xe 0xa2 0x7 0x3 0x5 0x0 0x20 0x0 0x0 0x0 0xa3 0x82 0x5 0x29
0x61 0x82 0x5 0x25 0x30 0x82 0x5 0x21 0xa0 0x3 0x2 0x1 0x5 0xa1 0xa 0x1b
0x8 0x42 0x45 0x52 0x49 0x54 0x2e 0x43 0x5a 0xa2 0x24 0x30 0x22 0xa0 0x3 0x2
0x1 0x2 0xa1 0x1b 0x30 0x19 0x1b 0x4 0x48 0x54 0x54 0x50 0x1b 0x11 0x73 0x72
0x76 0x2d 0x70 0x32 0x38 0x36 0x2e 0x62 0x65 0x72 0x69 0x74 0x2e 0x63 0x7a 0xa3
The problem is that when I pass this token to the acceptSecContext method, I'm receiving this error message:
GSSException: Failure unspecified at GSS-API level (Mechanism level: Identifier doesn't match expected value (906))
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:734)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:300)
at GSSServer.run(GSSServer.java:126)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:320)
at GSSServer.startServer(GSSServer.java:88)
at GSSServer.main(GSSServer.java:60)
My GSSServer is:
import org.ietf.jgss.*;
import java.io.*;
import java.net.Socket;
import java.net.ServerSocket;
import java.util.*;
import java.security.*;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.Subject;
import com.sun.security.auth.callback.TextCallbackHandler;
public class GSSServer implements java.security.PrivilegedAction {
    // Handles callbacks from the JAAS framework.
    BeanCallbackHandler beanCallbackHandler = null;
    // The main object that handles all JAAS login.
    LoginContext serverLC = null;
    // The context for secure communication with the client.
    GSSContext serverGSSContext = null;
    // Socket and streams used for communication.
    ServerSocket serverSocket = null;
    DataInputStream inStream = null;
    DataOutputStream outStream = null;
    // Name and port of the server.
    String serverName = null;
    int serverPort;
    // Configuration file and the name of the login configuration entry.
    String confFile = null;
    String confName = null;

    public static void main(String[] args)
            throws IOException, GSSException
    {
        GSSServer server = new GSSServer(args[0] /* serverName */,
                                         args[1] /* password */,
                                         Integer.parseInt(args[2]) /* port */,
                                         args[3] /* kerberos realm name */,
                                         args[4] /* kdc address */,
                                         args[5] /* confFile */,
                                         args[6] /* confName */,
                                         args[7] /* KRB5.conf */);
        // Starting the server.
        server.startServer();
    } // main

    // GSSServer constructor
    public GSSServer(String serverName, String password,
                     int serverPort, String kerberosRealm,
                     String kdcAddress, String confFile, String confName, String krb5)
    {
        beanCallbackHandler = new BeanCallbackHandler(serverName, password);
        this.serverName = serverName;
        this.serverPort = serverPort;
        this.confFile = confFile;
        this.confName = confName;
        System.setProperty("java.security.krb5.realm", kerberosRealm);
        System.setProperty("java.security.krb5.kdc", kdcAddress);
        System.setProperty("java.security.auth.login.config", confFile);
        System.setProperty("java.security.krb5.conf", krb5);
    } // GSSServer

    public boolean startServer()
    {
        try {
            serverLC = new LoginContext(confName, beanCallbackHandler);
            serverLC.login();
            // run() executes with the server's Kerberos credentials in the Subject.
            Subject.doAs(serverLC.getSubject(), this);
            return true;
        } catch (Exception e) {
            System.out.println(">>> GSSServer... Secure Context not established..");
            System.out.println(e.getMessage());
            return false;
        } // catch
    } // startServer

    public Object run()
    {
        try {
            serverSocket = new ServerSocket(serverPort);
            GSSManager manager = GSSManager.getInstance();
            Oid kerberos = new Oid("1.2.840.113554.1.2.2");
            System.out.println(">>> GSSServer starts... Waiting for incoming connection");
            GSSName serverGSSName = manager.createName(serverName, null);
            GSSCredential serverGSSCreds = manager.createCredential(serverGSSName,
                    GSSCredential.INDEFINITE_LIFETIME,
                    kerberos,
                    // The server only accepts secure context requests.
                    GSSCredential.ACCEPT_ONLY);
            serverGSSContext = manager.createContext(serverGSSCreds);
            Socket clientSocket = serverSocket.accept();
            inStream = new DataInputStream(clientSocket.getInputStream());
            outStream = new DataOutputStream(clientSocket.getOutputStream());
            while (!serverGSSContext.isEstablished()) {
                serverGSSContext.acceptSecContext(inStream, outStream);
            } // while (!serverGSSContext.isEstablished())
            // getSrcName() is the initiator (client); getTargName() is the acceptor (this server).
            String clientName = serverGSSContext.getSrcName().toString();
            String targetName = serverGSSContext.getTargName().toString();
            // Wrapping the response message.
            String message = ">>> GSSServer Secure Context established between "
                    + "[" + clientName + "] and [" + targetName + "]";
            System.out.println(message);
            // Disposing the context and closing client and server sockets.
            serverGSSContext.dispose();
            clientSocket.close();
            serverSocket.close();
            System.out.println(">>> GSSServer shutdown.... ");
        } // try
        catch (java.lang.Exception e) {
            e.printStackTrace();
        }
        return null;
    } // run
} // GSSServer
The jaas.conf file is:
jaas {
com.sun.security.auth.module.Krb5LoginModule required storeKey=true;
};
com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule
required
debug=true
storeKey=true;
};
Please, could someone explain this error message to me?
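On question 1: scanning for a 0x60 byte is fragile, because 0x60 can occur inside length fields or ticket data, and it does not tell you whether the token is complete or which mechanism it belongs to. The following is an added example, not code from the post above, that walks the DER structure of a SPNEGO NegTokenInit (RFC 4178) down to the mechToken, checks that the first mechType (the one the optimistic mechToken belongs to) is Kerberos, and verifies the inner InitialContextToken header (Kerberos OID, TOK_ID 01 00, AP-REQ tag 0x6e). It also accepts a bare Kerberos token with no SPNEGO wrapper. The SPNEGO and Kerberos OIDs are real; the Microsoft Kerberos OID constant and the NegTokenInit field layout are from the RFCs; the stub AP-REQ and the sample SPNEGO wrapper are constructed here, and the 112 bytes in POSTED_PREFIX are copied from the hex dump in the post, which is why the parser reports them as truncated (the outer length field says 0x610 bytes).

```python
# Walk a SPNEGO NegTokenInit (RFC 4178) down to the Kerberos InitialContextToken
# (RFC 2743 s3.1, RFC 4121 s4.1) with real DER tag/length decoding, not a 0x60 scan.
from typing import Optional, Tuple

SPNEGO_OID = bytes.fromhex("2b0601050502")         # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")     # 1.2.840.113554.1.2.2 (quoted in the post)
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")  # 1.2.840.48018.1.2.2, Microsoft's legacy Kerberos OID
KERBEROS_OIDS = (KRB5_OID, MS_KRB5_OID)
AP_REQ_TOK_ID = b"\x01\x00"                        # TOK_ID of KRB_AP_REQ

def read_tlv(buf: bytes, pos: int) -> Tuple[int, int, int]:
    """DER tag+length at `pos` -> (tag, value_start, value_end); rejects truncation."""
    if pos + 2 > len(buf):
        raise ValueError(f"offset {pos}: truncated, no room for tag and length")
    tag, first, cur = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first                                 # short form
    else:
        n = first & 0x7F                               # long form: n length bytes follow
        if n == 0 or n > 4 or cur + n > len(buf):
            raise ValueError(f"offset {pos}: bad or truncated length field")
        length = int.from_bytes(buf[cur:cur + n], "big")
        cur += n
    if cur + length > len(buf):
        raise ValueError(f"offset {pos}: tag 0x{tag:02x} declares {length} bytes, "
                         f"only {len(buf) - cur} remain (token truncated?)")
    return tag, cur, cur + length

def split_initial_token(buf: bytes) -> Tuple[bytes, int]:
    # InitialContextToken ::= [APPLICATION 0] { mechanism OID, innerContextToken }
    tag, s, e = read_tlv(buf, 0)
    if tag != 0x60 or e != len(buf):
        raise ValueError("not exactly one GSS-API InitialContextToken ([APPLICATION 0])")
    otag, os_, oe = read_tlv(buf, s)
    if otag != 0x06:
        raise ValueError("InitialContextToken must start with the mechanism OID")
    return buf[os_:oe], oe

def validate_kerberos_token(tok: bytes, expected: Optional[bytes] = None) -> bytes:
    # Kerberos innerContextToken = TOK_ID 01 00 followed by a KRB_AP_REQ ([APPLICATION 14]).
    oid, pos = split_initial_token(tok)
    if oid not in KERBEROS_OIDS or (expected is not None and oid != expected):
        raise ValueError(f"mechanism OID {oid.hex()} is not the expected Kerberos OID")
    if tok[pos:pos + 2] != AP_REQ_TOK_ID:
        raise ValueError(f"TOK_ID {tok[pos:pos + 2].hex()} is not KRB_AP_REQ (0100)")
    if read_tlv(tok, pos + 2)[0] != 0x6E:
        raise ValueError("innerContextToken payload is not an AP-REQ")
    return tok

def extract_kerberos_token(token: bytes) -> bytes:
    """Return the Kerberos token inside a SPNEGO NegTokenInit (or `token` if already bare)."""
    oid, pos = split_initial_token(token)
    if oid in KERBEROS_OIDS:
        return validate_kerberos_token(token)          # no SPNEGO wrapper at all
    if oid != SPNEGO_OID:
        raise ValueError(f"unknown mechanism OID {oid.hex()}")
    ntag, ns, _ = read_tlv(token, pos)                 # negotiationToken CHOICE
    if ntag != 0xA0:
        raise ValueError("expected NegTokenInit ([0]); a NegTokenResp ([1]) has no mechToken")
    stag, pos, end = read_tlv(token, ns)               # NegTokenInit ::= SEQUENCE
    if stag != 0x30:
        raise ValueError("NegTokenInit body is not a SEQUENCE")
    mech_types, mech_token = [], None
    while pos < end:
        ftag, fs, fe = read_tlv(token, pos)
        if ftag == 0xA0:                               # [0] mechTypes: SEQUENCE OF OID
            _, p, le = read_tlv(token, fs)
            while p < le:
                t, vs, p = read_tlv(token, p)
                if t != 0x06:
                    raise ValueError("mechTypes entry is not an OID")
                mech_types.append(token[vs:p])
        elif ftag == 0xA2:                             # [2] mechToken: OCTET STRING
            t, vs, ve = read_tlv(token, fs)
            if t != 0x04:
                raise ValueError("mechToken is not an OCTET STRING")
            mech_token = token[vs:ve]
        pos = fe                                       # [1] reqFlags and [3] mechListMIC are skipped
    if mech_token is None:
        raise ValueError("NegTokenInit carries no mechToken")
    if not mech_types or mech_types[0] not in KERBEROS_OIDS:  # RFC 4178: mechToken is for the FIRST mechType
        raise ValueError("optimistic mechanism is not Kerberos, so the mechToken is not a Kerberos token")
    return validate_kerberos_token(mech_token, mech_types[0])

def der(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder, used only to build the constructed sample below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

# Constructed sample: a stub AP-REQ holding only pvno=5 and msg-type=14 (a real one also
# carries ap-options, ticket and authenticator), wrapped the way a client would send it.
STUB_AP_REQ = der(0x6E, der(0x30, der(0xA0, der(0x02, b"\x05")) + der(0xA1, der(0x02, b"\x0E"))))
KRB_TOKEN = der(0x60, der(0x06, KRB5_OID) + AP_REQ_TOK_ID + STUB_AP_REQ)
SPNEGO_TOKEN = der(0x60, der(0x06, SPNEGO_OID) + der(0xA0, der(0x30,
    der(0xA0, der(0x30, der(0x06, KRB5_OID)))          # [0] mechTypes = { KRB5 }
    + der(0xA2, der(0x04, KRB_TOKEN)))))               # [2] mechToken
# First 112 bytes of the token quoted in the post; its outer length field says 0x610 bytes.
POSTED_PREFIX = bytes.fromhex(
    "6082061006092a864886f71201020201006e8205ff308205fba003020105a103"
    "02010ea20703050020000000a38205296182052530820521a003020105a10a1b"
    "0842455249542e435aa2243022a003020102a11b30191b04485454501b117372"
    "762d703238362e62657269742e637aa3")
```

Running `extract_kerberos_token(SPNEGO_TOKEN)` returns the 29-byte KRB_TOKEN; feeding it POSTED_PREFIX raises a ValueError naming the declared versus available length, which is the first thing worth checking when a hand-extracted token is rejected by the acceptor. Note that the function only returns tokens whose inner OID equals the first mechType, so a client that lists the Microsoft Kerberos OID first yields a token carrying that OID rather than 1.2.840.113554.1.2.2.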

