Class SpnegoHelper

java.lang.Object
com.ibm.websphere.security.s4u2proxy.SpnegoHelper

public class SpnegoHelper extends Object
SpnegoHelper - utilities to help create a SPNEGO Token as Authorization header for outbound authentication purposes using the Kerberos S4U2self and/or S4U2proxy.
Since:
1.0
  • Constructor Details

    • SpnegoHelper

      public SpnegoHelper()
  • Method Details

    • buildS4U2ProxyAuthorizationUsingS4U2Self

      public static String buildS4U2ProxyAuthorizationUsingS4U2Self(String upn, String targetServiceSpn, int lifetime, boolean delegate, String delegateServiceSpn, String jaasLoginContextEntry, String krb5Keytab) throws GSSException, PrivilegedActionException, LoginException
      Build a SPNEGO Authorization string using a Kerberos credential from the delegate service that impersonates the user (S4U2self). The method will use that credential to request a SPNEGO token for a targetServiceSpn (SPN) for the target service system. If the system property java.security.krb5.conf has not been set by the run time, you need to set the java.security.krb5.conf that point to your Kerberos configuration file.
      Parameters:
      upn - - UserPrincipalName of the user for which the SPNEGO token will be generated.
      targetServiceSpn - - ServicePrincipalName of system for which SPNEGO token will be targeted.
      lifetime - - Lifetime for the context, for example GSSCredential.INDEFINITE_LIFETIME
      delegate - - Whether the token includes delegatable GSSCredential credentials.
      delegateServiceSpn - - Delegate servicePrincipalName of system for which the user already authenticated.
      jaasLoginContextEntry - - JAAS login context entry to use.
      krb5Keytab - - Kerberos keytab that contained the firstServiceSpn and its keys.
      Returns:
      - String "Negotiate " + Base64 encoded version of SPNEGO Token
      Throws:
      GSSException - - thrown when SPNEGO token generation fails, when delegate service's subject is null, when the delegate serivce's subject does not contain Kerberos credentials, when firstServiceSpn or targetServiceSpn is invalid.
      PrivilegedActionException - - unexpected - thrown when Java 2 security is misconfigured.
      LoginException - - thrown when the Login fails with the delegate service SPN
    • buildS4U2proxyAuthorization

      public static String buildS4U2proxyAuthorization(String spn, Subject subject, int lifetime, boolean delegate) throws GSSException, PrivilegedActionException
      Build a SPNEGO Authorization string using a Kerberos credential within the supplied Java Subject. The method will use that credential to request a SPNEGO token for a ServicePrincipalName (SPN) for the target service system.
      Parameters:
      spn - - ServicePrincipalName of system for which SPNEGO token will be targeted.
      subject - - Subject containing Kerberos credentials
      lifetime - - Lifetime for the context, for example GSSCredential.INDEFINITE_LIFETIME
      delegate - - Whether the token includes delegatable GSSCredentials.
      Returns:
      - String "Negotiate " + Base64 encoded version of SPNEGO Token
      Throws:
      GSSException - - thrown when SPNEGO token generation fails, when Subject is null, when the Subject does not contain Kerberos credentials, or when SPN is invalid.
      PrivilegedActionException - - unexpected - thrown when Java 2 security is misconfigured.
      LoginException - - thrown when the Login fails with the delegate service SPN
    • setSystemProperty

      public static void setSystemProperty(String propName, String propValue)