com.ibm.websphere.security.s4u2proxy
Class SpnegoHelper
- java.lang.Object
-
- com.ibm.websphere.security.s4u2proxy.SpnegoHelper
-
public class SpnegoHelper extends java.lang.Object
SpnegoHelper - utilities to help create a SPNEGO Token as Authorization header for outbound authentication purposes using the Kerberos S4U2self and/or S4U2proxy.- Since:
- 1.0
- Version:
- 1.0
-
-
Constructor Summary
Constructors Constructor and Description SpnegoHelper()
-
Method Summary
Methods Modifier and Type Method and Description static java.lang.String
buildS4U2proxyAuthorization(java.lang.String spn, javax.security.auth.Subject subject, int lifetime, boolean delegate)
Build a SPNEGO Authorization string using a Kerberos credential within the supplied Java Subject.static java.lang.String
buildS4U2ProxyAuthorizationUsingS4U2Self(java.lang.String upn, java.lang.String targetServiceSpn, int lifetime, boolean delegate, java.lang.String delegateServiceSpn, java.lang.String jaasLoginContextEntry, java.lang.String krb5Keytab)
Build a SPNEGO Authorization string using a Kerberos credential from the delegate service that impersonates the user (S4U2self).
-
-
-
Method Detail
-
buildS4U2ProxyAuthorizationUsingS4U2Self
public static java.lang.String buildS4U2ProxyAuthorizationUsingS4U2Self(java.lang.String upn, java.lang.String targetServiceSpn, int lifetime, boolean delegate, java.lang.String delegateServiceSpn, java.lang.String jaasLoginContextEntry, java.lang.String krb5Keytab) throws org.ietf.jgss.GSSException, java.security.PrivilegedActionException, javax.security.auth.login.LoginException
Build a SPNEGO Authorization string using a Kerberos credential from the delegate service that impersonates the user (S4U2self). The method will use that credential to request a SPNEGO token for a target service principal name for the target service system. If the system property java.security.krb5.conf has not been set by the run time, you need to set the java.security.krb5.conf that point to your Kerberos configuration file.- Parameters:
upn
- ??? User principal name of the user for which the SPNEGO token will be generated.targetServiceSpn
- ??? Service principal name of a system for which SPNEGO token will be targeted.lifetime
- ??? Life time for the context, for example GSSCredential.INDEFINITE_LIFETIME.delegate
- - Whether the token includes delegatable GSSCredential credentials.delegateServiceSpn
- - Delegate service principal name of system for which the user already authenticated.jaasLoginContextEntry
- - JAAS login context entry to use. This parameter is currently not used.krb5Keytab
- - Kerberos keytab file that contained the delegate service principal name and its keys.- Returns:
- - String "Negotiate " + Base64 encoded version of SPNEGO Token.
- Throws:
org.ietf.jgss.GSSException
- - thrown when SPNEGO token generation fails, when delegate service principal is null, when the delegate service principal's subject does not contain Kerberos credentials, when the target service principal is invalid.java.security.PrivilegedActionException
- - unexpected - thrown when Java 2 security is misconfigured.javax.security.auth.login.LoginException
- - thrown when the Login fails with the delegate service SPN
-
buildS4U2proxyAuthorization
public static java.lang.String buildS4U2proxyAuthorization(java.lang.String spn, javax.security.auth.Subject subject, int lifetime, boolean delegate) throws org.ietf.jgss.GSSException, java.security.PrivilegedActionException
Build a SPNEGO Authorization string using a Kerberos credential within the supplied Java Subject. The method will use that credential to request a SPNEGO token for a ServicePrincipalName (SPN) for the target service system.- Parameters:
spn
- - ServicePrincipalName of system for which SPNEGO token will be targeted.subject
- - Subject containing Kerberos credentialslifetime
- - Lifetime for the context, for example GSSCredential.INDEFINITE_LIFETIMEdelegate
- - Whether the token includes delegatable GSSCredentials.- Returns:
- - String "Negotiate " + Base64 encoded version of SPNEGO Token
- Throws:
org.ietf.jgss.GSSException
- - thrown when SPNEGO token generation fails, when Subject is null, when the Subject does not contain Kerberos credentials, or when SPN is invalid.java.security.PrivilegedActionException
- - unexpected - thrown when Java 2 security is misconfigured.javax.security.auth.login.LoginException
- - thrown when the Login fails with the delegate service SPN
-
-