Package com.ibm.wsspi.security.token
Class SpnegoTokenHelper
java.lang.Object
com.ibm.wsspi.security.token.SpnegoTokenHelper
SpnegoTokenHelper
Utilities to help create a SPNEGO token as an Authorization header for outbound authentication purposes.
- Since: 1.0
-
Constructor Summary
-
Method Summary
Modifier and Type / Method / Description
- static String buildSpnegoAuthorizationFromCallerSubject(String spn, int lifetime, boolean delegate)
  Build a SPNEGO Authorization string using a Kerberos credential within the current caller Java Subject.
- static String buildSpnegoAuthorizationFromNativeCreds(String spn, int lifetime, boolean delegate)
  Build a SPNEGO Authorization string using the Native Kerberos credentials of the Operating System account that the Java process is running as.
- static String buildSpnegoAuthorizationFromSubject(String spn, Subject subject, int lifetime, boolean delegate)
  Build a SPNEGO Authorization string using a Kerberos credential within the supplied Java Subject.
- static String buildSpnegoAuthorizationFromUpn(String spn, String upn, String jaasLoginContextEntry, int lifetime, boolean delegate)
  Build a SPNEGO Authorization string using a key for a UserPrincipalName from the Kerberos cache or from a key in the Kerberos keytab file used by the process.
- static String buildSpnegoAuthorizationFromUseridPassword(String spn, String userid, String password, int lifetime, boolean delegate)
  Build a SPNEGO Authorization string using Kerberos credentials for a user based on userid and password provided.
- static String buildSpnegoAuthorizationFromUseridPassword(String spn, String userid, String password, String jaasLoginContextEntry, int lifetime, boolean delegate)
  Build a SPNEGO Authorization string using Kerberos credentials for a user based on userid and password provided.
-
Constructor Details
-
SpnegoTokenHelper
public SpnegoTokenHelper()
-
-
Method Details
-
buildSpnegoAuthorizationFromCallerSubject
public static String buildSpnegoAuthorizationFromCallerSubject(String spn, int lifetime, boolean delegate) throws com.ibm.websphere.security.WSSecurityException, GSSException, PrivilegedActionException
Build a SPNEGO Authorization string using a Kerberos credential within the current caller Java Subject. The method will use that credential to request a SPNEGO token for a ServicePrincipalName (SPN) for the target service system.
- Parameters:
  spn - ServicePrincipalName of system for which SPNEGO token will be targeted.
  lifetime - Lifetime for the context, for example GSSCredential.INDEFINITE_LIFETIME
  delegate - Whether the token includes delegatable GSSCredentials.
- Returns:
  String "Negotiate " + Base64 encoded version of SPNEGO Token
- Throws:
  com.ibm.websphere.security.WSSecurityException - thrown when no caller Subject exists.
  GSSException - thrown when SPNEGO token generation fails, when Subject is null, when the Subject does not contain Kerberos credentials, or when SPN is invalid.
  PrivilegedActionException - unexpected - thrown when Java 2 security is misconfigured.
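Added example (not part of the original Javadoc or IBM's code): one way to attach the string returned by buildSpnegoAuthorizationFromCallerSubject to an outbound HTTPS request and map the documented exceptions. The class name OutboundSpnegoCall, the target URL and the SPN are hypothetical placeholders.

```java
import com.ibm.websphere.security.WSSecurityException;
import com.ibm.wsspi.security.token.SpnegoTokenHelper;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.PrivilegedActionException;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;

public class OutboundSpnegoCall {
    // Hypothetical values: substitute the real target service and its registered SPN.
    private static final String TARGET_URL = "https://backend.example.com/api/status";
    private static final String TARGET_SPN = "HTTP/backend.example.com";

    /** Calls the target service as the current caller and returns the HTTP status code. */
    public static int callBackend() throws IOException {
        String authorization;
        try {
            // delegate=false: the token carries no delegatable credential, so the
            // target service cannot act as the caller towards further systems.
            authorization = SpnegoTokenHelper.buildSpnegoAuthorizationFromCallerSubject(
                    TARGET_SPN, GSSCredential.INDEFINITE_LIFETIME, false);
        } catch (WSSecurityException e) {
            throw new IOException("No caller Subject on this thread", e);
        } catch (GSSException e) {
            // No Kerberos credential in the Subject, invalid SPN, or token generation failure.
            throw new IOException("SPNEGO token generation failed, GSS major code " + e.getMajor(), e);
        } catch (PrivilegedActionException e) {
            throw new IOException("Java 2 security is misconfigured", e);
        }
        // The documented return value is "Negotiate " + Base64 token; fail closed otherwise.
        if (authorization == null || !authorization.startsWith("Negotiate ")) {
            throw new IOException("Unexpected SPNEGO Authorization value");
        }
        HttpURLConnection conn = (HttpURLConnection) new URL(TARGET_URL).openConnection();
        try {
            // Send the header only to TARGET_URL: do not follow redirects automatically.
            conn.setInstanceFollowRedirects(false);
            conn.setRequestMethod("GET");
            // The header value is a credential for the target service; never log it.
            conn.setRequestProperty("Authorization", authorization);
            return conn.getResponseCode();
        } finally {
            conn.disconnect();
        }
    }
}
```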
-
buildSpnegoAuthorizationFromSubject
public static String buildSpnegoAuthorizationFromSubject(String spn, Subject subject, int lifetime, boolean delegate) throws GSSException, PrivilegedActionException
Build a SPNEGO Authorization string using a Kerberos credential within the supplied Java Subject. The method will use that credential to request a SPNEGO token for a ServicePrincipalName (SPN) for the target service system.
- Parameters:
  spn - ServicePrincipalName of system for which SPNEGO token will be targeted.
  subject - Subject containing Kerberos credentials
  lifetime - Lifetime for the context, for example GSSCredential.INDEFINITE_LIFETIME
  delegate - whether the token includes delegatable GSSCredentials.
- Returns:
  String "Negotiate " + Base64 encoded version of SPNEGO Token
- Throws:
  GSSException - thrown when SPNEGO token generation fails, when Subject is null, when the Subject does not contain Kerberos credentials, or when SPN is invalid.
  PrivilegedActionException - unexpected - thrown when Java 2 security is misconfigured.
  LoginException - thrown when the Login fails with the supplied SPN.
-
buildSpnegoAuthorizationFromNativeCreds
public static String buildSpnegoAuthorizationFromNativeCreds(String spn, int lifetime, boolean delegate) throws GSSException, PrivilegedActionException
Build a SPNEGO Authorization string using the Native Kerberos credentials of the Operating System account that the Java process is running as. When the WebSphere Java process is running on a Windows system under a userid which has Kerberos credentials, the Windows OS maintains a Kerberos Ticket Granting Ticket (TGT) for that user. The method will use that TGT to request a SPNEGO token for a ServicePrincipalName (SPN) for the target service system.
- Parameters:
  spn - ServicePrincipalName of system for which SPNEGO token will be targeted.
  lifetime - Lifetime for the context, for example GSSCredential.INDEFINITE_LIFETIME
  delegate - Whether the token includes delegatable GSSCredential credentials.
- Returns:
  String "Negotiate " + Base64 encoded version of SPNEGO Token
- Throws:
  GSSException - thrown when SPNEGO token generation fails, or when SPN is invalid.
  PrivilegedActionException - unexpected - thrown when Java 2 security is misconfigured.
-
buildSpnegoAuthorizationFromUpn
public static String buildSpnegoAuthorizationFromUpn(String spn, String upn, String jaasLoginContextEntry, int lifetime, boolean delegate) throws GSSException, LoginException, PrivilegedActionException
Build a SPNEGO Authorization string using a key for a UserPrincipalName from the Kerberos cache or from a key in the Kerberos keytab file used by the process. On a system where a user has logged in, typically using tools such as the Java kinit tool, the user's Kerberos credentials are stored in a cache file named krb5cc_userid. Alternatively, a keytab file containing a user's key can be created using a number of tools such as Microsoft's ktpass tool, or the Java ktab tool. These files contain a copy of the user's Kerberos key which can be used to get a Ticket Granting Ticket (TGT) for that userid. The method will use that TGT to request a SPNEGO token for a ServicePrincipalName (SPN) for the target service system.
- Parameters:
  spn - ServicePrincipalName of system for which SPNEGO token will be targeted.
  upn - UserPrincipalName of the user for which the SPNEGO token will be generated.
  jaasLoginContextEntry - JAAS login context entry to use.
  lifetime - Lifetime for the context, for example GSSCredential.INDEFINITE_LIFETIME
  delegate - whether the token includes delegatable GSSCredential credentials.
- Returns:
  String "Negotiate " + Base64 encoded version of SPNEGO Token
- Throws:
  GSSException - thrown when SPNEGO token generation fails, when UPN is invalid, or when SPN is invalid.
  LoginException - thrown when the Login fails with the supplied UPN.
  PrivilegedActionException - unexpected - thrown when Java 2 security is misconfigured.
-
buildSpnegoAuthorizationFromUseridPassword
public static String buildSpnegoAuthorizationFromUseridPassword(String spn, String userid, String password, int lifetime, boolean delegate) throws GSSException, LoginException, PrivilegedActionException
Build a SPNEGO Authorization string using Kerberos credentials for a user based on userid and password provided. The method will log in to the Kerberos Key Distribution Center (KDC) with the supplied userid and password to get a Ticket Granting Ticket (TGT), then will request the SPNEGO token with that TGT for the specified ServicePrincipalName.
- Parameters:
  spn - ServicePrincipalName of system for which SPNEGO token will be targeted.
  userid - Userid for the Login
  password - Password for the Login
  lifetime - Lifetime for the context, for example GSSCredential.INDEFINITE_LIFETIME
  delegate - whether the token includes delegatable GSSCredentials.
- Returns:
  String "Negotiate " + Base64 encoded version of SPNEGO Token
- Throws:
  GSSException - thrown when SPNEGO token generation fails, when userid or password is null, or when SPN is invalid.
  LoginException - thrown when the Login fails with the supplied userid and password.
  PrivilegedActionException
-
buildSpnegoAuthorizationFromUseridPassword
public static String buildSpnegoAuthorizationFromUseridPassword(String spn, String userid, String password, String jaasLoginContextEntry, int lifetime, boolean delegate) throws GSSException, LoginException, PrivilegedActionException
Build a SPNEGO Authorization string using Kerberos credentials for a user based on userid and password provided. The method will log in to the Kerberos Key Distribution Center (KDC) with the supplied userid and password to get a Ticket Granting Ticket (TGT), then will request the SPNEGO token with that TGT for the specified ServicePrincipalName.
- Parameters:
  spn - ServicePrincipalName of system for which SPNEGO token will be targeted.
  userid - Userid for the Login
  password - Password for the Login
  jaasLoginContextEntry - JAAS login context entry to use.
  lifetime - Lifetime for the context, for example GSSCredential.INDEFINITE_LIFETIME
  delegate - whether the token includes delegatable GSSCredentials.
- Returns:
  String "Negotiate " + Base64 encoded version of SPNEGO Token
- Throws:
  GSSException - thrown when SPNEGO token generation fails, when userid or password is null, or when SPN is invalid.
  LoginException - thrown when the Login fails with the supplied userid and password.
  PrivilegedActionException - unexpected - thrown when Java 2 security is misconfigured.
-