Class SpnegoTokenHelper

java.lang.Object
com.ibm.wsspi.security.token.SpnegoTokenHelper

public class SpnegoTokenHelper extends Object
SpnegoTokenHelper - utilities to build a SPNEGO token, formatted as an HTTP Authorization header value ("Negotiate " followed by the Base64-encoded token), for authenticating outbound requests to a Kerberos-protected service. Every method takes the target ServicePrincipalName (spn), a context lifetime in seconds (lifetime, for example GSSCredential.INDEFINITE_LIFETIME) and a delegate flag. With delegate=true the helper requests credential delegation (the GSS-API delegation flag), so the token carries a forwarded Ticket Granting Ticket and the target service can authenticate onward to other services as the credential owner; keep it false unless the target genuinely needs to act on the caller's behalf. The returned token wraps a single-use Kerberos authenticator: generate one per request and never log or cache the header value.
Since:
1.0
  • Constructor Details

    • SpnegoTokenHelper

      public SpnegoTokenHelper()
  • Method Details

    • buildSpnegoAuthorizationFromCallerSubject

      public static String buildSpnegoAuthorizationFromCallerSubject(String spn, int lifetime, boolean delegate) throws com.ibm.websphere.security.WSSecurityException, GSSException, PrivilegedActionException
      Build a SPNEGO Authorization string using the Kerberos credential held in the current caller's Java Subject (for example, a user who authenticated to this server with SPNEGO). The method uses that credential to request a SPNEGO token for the ServicePrincipalName (SPN) of the target service, so the downstream service sees the original caller's identity rather than this server's process account.
      Parameters:
      spn - ServicePrincipalName of the target service for which the SPNEGO token will be issued.
      lifetime - Lifetime for the context, for example GSSCredential.INDEFINITE_LIFETIME
      delegate - Whether the token includes delegatable GSSCredentials (a forwarded TGT for the target service).
      Returns:
      "Negotiate " followed by the Base64-encoded SPNEGO token, suitable as the value of an HTTP Authorization header.
      Throws:
      com.ibm.websphere.security.WSSecurityException - thrown when no caller Subject exists.
      GSSException - thrown when SPNEGO token generation fails, when the Subject is null, when the Subject does not contain Kerberos credentials, or when the SPN is invalid.
      PrivilegedActionException - unexpected; thrown when Java 2 security is misconfigured.
    • buildSpnegoAuthorizationFromSubject

      public static String buildSpnegoAuthorizationFromSubject(String spn, Subject subject, int lifetime, boolean delegate) throws GSSException, PrivilegedActionException
      Build a SPNEGO Authorization string using the Kerberos credential held in the supplied Java Subject. The method uses that credential to request a SPNEGO token for the ServicePrincipalName (SPN) of the target service.
      Parameters:
      spn - ServicePrincipalName of the target service for which the SPNEGO token will be issued.
      subject - Subject containing Kerberos credentials, typically the result of a JAAS Kerberos login.
      lifetime - Lifetime for the context, for example GSSCredential.INDEFINITE_LIFETIME
      delegate - Whether the token includes delegatable GSSCredentials (a forwarded TGT for the target service).
      Returns:
      "Negotiate " followed by the Base64-encoded SPNEGO token, suitable as the value of an HTTP Authorization header.
      Throws:
      GSSException - thrown when SPNEGO token generation fails, when the Subject is null, when the Subject does not contain Kerberos credentials, or when the SPN is invalid.
      PrivilegedActionException - unexpected; thrown when Java 2 security is misconfigured.
      LoginException - thrown when the Login fails with the supplied SPN. Note that the method signature above does not declare this exception.
    • buildSpnegoAuthorizationFromNativeCreds

      public static String buildSpnegoAuthorizationFromNativeCreds(String spn, int lifetime, boolean delegate) throws GSSException, PrivilegedActionException
      Build a SPNEGO Authorization string using the native Kerberos credentials of the operating system account that the Java process runs as. When the WebSphere Java process runs on a Windows system under a user ID that has Kerberos credentials, the Windows OS maintains a Kerberos Ticket Granting Ticket (TGT) for that user; the method uses that TGT to request a SPNEGO token for the ServicePrincipalName (SPN) of the target service. Because the process account's credentials are used, the downstream service sees that account, not the inbound caller.
      Parameters:
      spn - ServicePrincipalName of the target service for which the SPNEGO token will be issued.
      lifetime - Lifetime for the context, for example GSSCredential.INDEFINITE_LIFETIME
      delegate - Whether the token includes delegatable GSSCredentials (a forwarded TGT for the target service).
      Returns:
      "Negotiate " followed by the Base64-encoded SPNEGO token, suitable as the value of an HTTP Authorization header.
      Throws:
      GSSException - thrown when SPNEGO token generation fails, or when the SPN is invalid.
      PrivilegedActionException - unexpected; thrown when Java 2 security is misconfigured.
    • buildSpnegoAuthorizationFromUpn

      public static String buildSpnegoAuthorizationFromUpn(String spn, String upn, String jaasLoginContextEntry, int lifetime, boolean delegate) throws GSSException, LoginException, PrivilegedActionException
      Build a SPNEGO Authorization string using the credentials of a UserPrincipalName (UPN) taken from the Kerberos credential cache or from the Kerberos keytab file used by the process. On a system where a user has logged in, typically with a tool such as the Java kinit tool, the user's Kerberos tickets are stored in a cache file named krb5cc_userid. Alternatively, a keytab file containing the user's long-term key can be created with tools such as Microsoft's ktpass tool or the Java ktab tool. Either file lets the JAAS login obtain (or reuse) a Ticket Granting Ticket (TGT) for that user; the method then uses that TGT to request a SPNEGO token for the ServicePrincipalName (SPN) of the target service. Protect keytab and cache files with file-system permissions: anyone who can read them can authenticate as that user.
      Parameters:
      spn - ServicePrincipalName of the target service for which the SPNEGO token will be issued.
      upn - UserPrincipalName of the user for which the SPNEGO token will be generated.
      jaasLoginContextEntry - JAAS login context entry to use; it must be configured for a Kerberos login that reads the keytab or credential cache.
      lifetime - Lifetime for the context, for example GSSCredential.INDEFINITE_LIFETIME
      delegate - Whether the token includes delegatable GSSCredentials (a forwarded TGT for the target service).
      Returns:
      "Negotiate " followed by the Base64-encoded SPNEGO token, suitable as the value of an HTTP Authorization header.
      Throws:
      GSSException - thrown when SPNEGO token generation fails, when the UPN is invalid, or when the SPN is invalid.
      LoginException - thrown when the Login fails with the supplied UPN.
      PrivilegedActionException - unexpected; thrown when Java 2 security is misconfigured.
    • buildSpnegoAuthorizationFromUseridPassword

      public static String buildSpnegoAuthorizationFromUseridPassword(String spn, String userid, String password, int lifetime, boolean delegate) throws GSSException, LoginException, PrivilegedActionException
      Build a SPNEGO Authorization string using Kerberos credentials obtained with the supplied userid and password. The method logs in to the Kerberos Key Distribution Center (KDC) with the supplied userid and password to get a Ticket Granting Ticket (TGT), then requests a SPNEGO token with that TGT for the specified ServicePrincipalName. Prefer the Subject-, native- or keytab-based variants where possible, because this one requires application code to hold a cleartext password.
      Parameters:
      spn - ServicePrincipalName of the target service for which the SPNEGO token will be issued.
      userid - Userid for the Login
      password - Password for the Login
      lifetime - Lifetime for the context, for example GSSCredential.INDEFINITE_LIFETIME
      delegate - Whether the token includes delegatable GSSCredentials (a forwarded TGT for the target service).
      Returns:
      "Negotiate " followed by the Base64-encoded SPNEGO token, suitable as the value of an HTTP Authorization header.
      Throws:
      GSSException - thrown when SPNEGO token generation fails, when userid or password is null, or when the SPN is invalid.
      LoginException - thrown when the Login fails with the supplied userid and password.
      PrivilegedActionException - unexpected; thrown when Java 2 security is misconfigured.
    • buildSpnegoAuthorizationFromUseridPassword

      public static String buildSpnegoAuthorizationFromUseridPassword(String spn, String userid, String password, String jaasLoginContextEntry, int lifetime, boolean delegate) throws GSSException, LoginException, PrivilegedActionException
      Build a SPNEGO Authorization string using Kerberos credentials obtained with the supplied userid and password, performing the login through the named JAAS login context entry. The method logs in to the Kerberos Key Distribution Center (KDC) with the supplied userid and password to get a Ticket Granting Ticket (TGT), then requests a SPNEGO token with that TGT for the specified ServicePrincipalName.
      Parameters:
      spn - ServicePrincipalName of the target service for which the SPNEGO token will be issued.
      userid - Userid for the Login
      password - Password for the Login
      jaasLoginContextEntry - JAAS login context entry to use.
      lifetime - Lifetime for the context, for example GSSCredential.INDEFINITE_LIFETIME
      delegate - Whether the token includes delegatable GSSCredentials (a forwarded TGT for the target service).
      Returns:
      "Negotiate " followed by the Base64-encoded SPNEGO token, suitable as the value of an HTTP Authorization header.
      Throws:
      GSSException - thrown when SPNEGO token generation fails, when userid or password is null, or when the SPN is invalid.
      LoginException - thrown when the Login fails with the supplied userid and password.
      PrivilegedActionException - unexpected; thrown when Java 2 security is misconfigured.
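The following is an added example of using this class from application code; it is not part of the IBM API or its documentation. It shows the credential-selection decision the methods above imply: reuse the inbound caller's Kerberos credential when one is present, otherwise fall back to a service-account keytab via buildSpnegoAuthorizationFromUpn, then attach the result as the Authorization header of an outbound HttpURLConnection and interpret a 401 challenge. The SPN HTTP/orders.example.com, the service account svc-orders@EXAMPLE.COM, the JAAS login context entry name keytabLogin (assumed to be configured in server.xml for that account's keytab) and the URL https://orders.example.com/api/orders are all hypothetical placeholders.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URI;
import java.net.URL;
import java.security.PrivilegedActionException;

import javax.security.auth.login.LoginException;

import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;

import com.ibm.websphere.security.WSSecurityException;
import com.ibm.wsspi.security.token.SpnegoTokenHelper;

/**
 * Added example (not IBM code): authenticates an outbound HTTP call from Liberty
 * to a Kerberos-protected service with a SPNEGO token built by SpnegoTokenHelper.
 */
public class SpnegoOutboundClient {

    private static final String TARGET_SPN  = "HTTP/orders.example.com";  // assumed SPN of the target service
    private static final String SERVICE_UPN = "svc-orders@EXAMPLE.COM";   // assumed service account
    private static final String JAAS_ENTRY  = "keytabLogin";              // assumed JAAS login context entry

    /**
     * Returns the value for the Authorization header.
     * 1. Prefer the inbound caller's own Kerberos credential, so the downstream
     *    service sees the real user rather than this server's service account.
     * 2. If there is no caller Subject (a scheduled job, for instance) or the
     *    Subject holds no Kerberos credential, fall back to the service account's
     *    keytab through the JAAS entry. A bad SPN fails again in the fallback
     *    with the same GSSException, which then propagates to the caller.
     * delegate is false in both calls: the target gets a service ticket for
     * itself, not a forwarded TGT it could reuse against other systems.
     */
    static String negotiateHeader()
            throws GSSException, LoginException, PrivilegedActionException {
        try {
            return SpnegoTokenHelper.buildSpnegoAuthorizationFromCallerSubject(
                    TARGET_SPN, GSSCredential.INDEFINITE_LIFETIME, false);
        } catch (WSSecurityException | GSSException noUsableCaller) {
            return SpnegoTokenHelper.buildSpnegoAuthorizationFromUpn(
                    TARGET_SPN, SERVICE_UPN, JAAS_ENTRY,
                    GSSCredential.INDEFINITE_LIFETIME, false);
        }
    }

    /** Sends one authenticated GET and returns the HTTP status code. */
    static int get(URL url)
            throws IOException, GSSException, LoginException, PrivilegedActionException {
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setRequestMethod("GET");
        // The token wraps a Kerberos AP-REQ whose authenticator is single-use:
        // build a fresh header for every request and never log or cache the value.
        conn.setRequestProperty("Authorization", negotiateHeader());
        int status = conn.getResponseCode();
        if (status == HttpURLConnection.HTTP_UNAUTHORIZED) {
            // The challenge separates the failure modes: no "Negotiate" at all means
            // the service is not configured for SPNEGO; "Negotiate" with our token
            // rejected usually points at a wrong SPN, a realm trust problem or clock
            // skew. The challenge itself carries no secret, so it is safe to report.
            String challenge = conn.getHeaderField("WWW-Authenticate");
            throw new IOException("Rejected by " + url.getHost()
                    + "; WWW-Authenticate: " + (challenge == null ? "<none>" : challenge));
        }
        return status;
    }

    public static void main(String[] args) throws Exception {
        URL url = URI.create("https://orders.example.com/api/orders").toURL();  // assumed target URL
        System.out.println("HTTP " + get(url));
    }
}
```

If the target must call a third service as the original user, that is the only case for passing delegate=true, and it hands the target a forwarded TGT; the ordering above deliberately tries the caller's credential before the service account so that a misconfigured inbound login degrades to service-account identity rather than silently impersonating nobody.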