org.keycloak.federation.kerberos.impl.KerberosUsernamePasswordAuthenticator クラス

org.keycloak.federation.kerberos.impl.KerberosUsernamePasswordAuthenticator 連携図

公開メンバ関数
	KerberosUsernamePasswordAuthenticator (CommonKerberosConfig config)
boolean	isUserAvailable (String username)
boolean	validUser (String username, String password)
Subject	authenticateSubject (String username, String password) throws LoginException
void	logoutSubject ()

限定公開メンバ関数
void	checkKerberosServerAvailable (LoginException le)
String	getKerberosPrincipal (String username) throws LoginException
CallbackHandler	createJaasCallbackHandler (final String principal, final String password)
Configuration	createJaasConfiguration ()

限定公開変数類
final CommonKerberosConfig	config

非公開変数類
LoginContext	loginContext

静的非公開変数類
static final Logger	logger = Logger.getLogger(KerberosUsernamePasswordAuthenticator.class)

詳解

著者

Marek Posolda

構築子と解体子

KerberosUsernamePasswordAuthenticator()

org.keycloak.federation.kerberos.impl.KerberosUsernamePasswordAuthenticator.KerberosUsernamePasswordAuthenticator ( CommonKerberosConfig  config )

inline

                                                                              {
        this.config = config;
    }

関数詳解

authenticateSubject()

Subject org.keycloak.federation.kerberos.impl.KerberosUsernamePasswordAuthenticator.authenticateSubject ( String  username, String  password  ) throws LoginException

inline

Returns true if user was successfully authenticated against Kerberos

引数

username	username without Kerberos realm attached
password	kerberos password

戻り値

true if user was successfully authenticated

                                                                                               {
        String principal = getKerberosPrincipal(username);

        logger.debug("Validating password of principal: " + principal);
        loginContext = new LoginContext("does-not-matter", null,
                createJaasCallbackHandler(principal, password),
                createJaasConfiguration());

        loginContext.login();
        logger.debug("Principal " + principal + " authenticated succesfully");
        return loginContext.getSubject();
    }

checkKerberosServerAvailable()

void org.keycloak.federation.kerberos.impl.KerberosUsernamePasswordAuthenticator.checkKerberosServerAvailable ( LoginException  le )

inlineprotected

                                                                   {
        String message = le.getMessage().toUpperCase();
        if (message.contains("PORT UNREACHABLE") ||
            message.contains("CANNOT LOCATE") ||
            message.contains("CANNOT CONTACT") ||
            message.contains("CANNOT FIND") ||
            message.contains("UNKNOWN ERROR")) {
            throw new ModelException("Kerberos unreachable", le);
        }
    }

createJaasCallbackHandler()

CallbackHandler org.keycloak.federation.kerberos.impl.KerberosUsernamePasswordAuthenticator.createJaasCallbackHandler ( final String  principal, final String  password  )

inlineprotected

                                                                                                       {
        return new CallbackHandler() {

            @Override
            public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
                for (Callback callback : callbacks) {
                    if (callback instanceof NameCallback) {
                        NameCallback nameCallback = (NameCallback) callback;
                        nameCallback.setName(principal);
                    } else if (callback instanceof PasswordCallback) {
                        PasswordCallback passwordCallback = (PasswordCallback) callback;
                        passwordCallback.setPassword(password.toCharArray());
                    } else {
                        throw new UnsupportedCallbackException(callback, "Unsupported callback: " + callback.getClass().getCanonicalName());
                    }
                }
            }
        };
    }

createJaasConfiguration()

Configuration org.keycloak.federation.kerberos.impl.KerberosUsernamePasswordAuthenticator.createJaasConfiguration ( )

inlineprotected

                                                      {
        return KerberosJdkProvider.getProvider().createJaasConfigurationForUsernamePasswordLogin(config.isDebug());
    }

getKerberosPrincipal()

String org.keycloak.federation.kerberos.impl.KerberosUsernamePasswordAuthenticator.getKerberosPrincipal ( String  username ) throws LoginException

inlineprotected

                                                                                 {
        if (username.contains("@")) {
            String[] tokens = username.split("@");

            String kerberosRealm = tokens[1];
            if (!kerberosRealm.toUpperCase().equals(config.getKerberosRealm())) {
                logger.warn("Invalid kerberos realm. Expected realm: " + config.getKerberosRealm() + ", username: " + username);
                throw new LoginException("Client not found");
            }

            username = tokens[0];
        }

        return username + "@" + config.getKerberosRealm();
    }

isUserAvailable()

boolean org.keycloak.federation.kerberos.impl.KerberosUsernamePasswordAuthenticator.isUserAvailable ( String  username )

inline

Returns true if user with given username exists in kerberos database

引数

username

username without Kerberos realm attached or with correct realm attached

戻り値

true if user available

                                                    {
        logger.debugf("Checking existence of user: %s", username);
        try {
            String principal = getKerberosPrincipal(username);
            loginContext = new LoginContext("does-not-matter", null,
                    createJaasCallbackHandler(principal, "fake-password-which-nobody-has"),
                    createJaasConfiguration());

            loginContext.login();

            throw new IllegalStateException("Didn't expect to end here");
        } catch (LoginException le) {
            String message = le.getMessage();
            logger.debugf("Message from kerberos: %s", message);

            checkKerberosServerAvailable(le);

            // Bit cumbersome, but seems to work with tested kerberos servers
            boolean exists = (!message.contains("Client not found"));
            return exists;
        }
    }

logoutSubject()

void org.keycloak.federation.kerberos.impl.KerberosUsernamePasswordAuthenticator.logoutSubject ( )

inline

                                {
        if (loginContext != null) {
            try {
                loginContext.logout();
            } catch (LoginException le) {
                logger.error("Failed to logout kerberos subject", le);
            }
        }
    }

validUser()

boolean org.keycloak.federation.kerberos.impl.KerberosUsernamePasswordAuthenticator.validUser ( String  username, String  password  )

inline

Returns true if user was successfully authenticated against Kerberos

引数

username	username without Kerberos realm attached or with correct realm attached
password	kerberos password

戻り値

true if user was successfully authenticated

                                                               {
        try {
            authenticateSubject(username, password);
            logoutSubject();
            return true;
        } catch (LoginException le) {
            checkKerberosServerAvailable(le);

            logger.debug("Failed to authenticate user " + username, le);
            return false;
        }
    }

メンバ詳解

config

final CommonKerberosConfig org.keycloak.federation.kerberos.impl.KerberosUsernamePasswordAuthenticator.config

protected

logger

final Logger org.keycloak.federation.kerberos.impl.KerberosUsernamePasswordAuthenticator.logger = Logger.getLogger(KerberosUsernamePasswordAuthenticator.class)

staticprivate

loginContext

LoginContext org.keycloak.federation.kerberos.impl.KerberosUsernamePasswordAuthenticator.loginContext

private

---

このクラス詳解は次のファイルから抽出されました:

• D:/AppData/doxygen/keycloak/src/keycloak/src/main/java/org/keycloak/federation/kerberos/impl/KerberosUsernamePasswordAuthenticator.java