Package net.shibboleth.idp.authn.impl

Class KerberosCredentialValidator

java.lang.Object
net.shibboleth.utilities.java.support.component.AbstractInitializableComponent
net.shibboleth.utilities.java.support.component.AbstractIdentifiedInitializableComponent
net.shibboleth.idp.authn.AbstractCredentialValidator
net.shibboleth.idp.authn.AbstractUsernamePasswordCredentialValidator
net.shibboleth.idp.authn.impl.KerberosCredentialValidator
All Implemented Interfaces:
CredentialValidator, PrincipalSupportingComponent, Component, DestructableComponent, IdentifiableComponent, IdentifiedComponent, InitializableComponent
@ThreadSafeAfterInit public class KerberosCredentialValidator extends AbstractUsernamePasswordCredentialValidator
A password validator that authenticates against Kerberos natively, with optional service ticket verification.
Since:
4.0.0

  • Field Details

    • log

      @Nonnull private final org.slf4j.Logger log
      Class logger.

    • loginModuleClassName

      @NonnullAfterInit @NotEmpty private String loginModuleClassName
      Class name of JAAS LoginModule to acquire Kerberos credentials.

    • refreshKrb5Config

      private boolean refreshKrb5Config
      Refresh the Kerberos config before running?

    • preserveTicket

      private boolean preserveTicket
      Save the TGT in the resulting Subject?

    • servicePrincipal

      private String servicePrincipal
      Service principal to acquire a ticket for to verify KDC.

    • keytabPath

      private String keytabPath
      Path to keytab for service principal.

    • clientOptions

      @NonnullAfterInit private Map<String,String> clientOptions
      JAAS options for client login.

    • serverOptions

      @NonnullAfterInit private Map<String,String> serverOptions
      JAAS options for server login.

  • Constructor Details

    • KerberosCredentialValidator

      public KerberosCredentialValidator()
      Constructor.

  • Method Details

    • setLoginModuleClassName

      public void setLoginModuleClassName(@Nonnull String name)
      Set the name of the JAAS LoginModule to use to acquire Kerberos credentials.
      Parameters:
      name - name of login module class

    • setRefreshKrb5Config

      public void setRefreshKrb5Config(boolean flag)
      Set whether to refresh the Kerberos configuration before running.
      Parameters:
      flag - flag to set

    • setPreserveTicket

      public void setPreserveTicket(boolean flag)
      Set whether to save the TGT in the Subject.
      Parameters:
      flag - flag to set

    • setServicePrincipal

      public void setServicePrincipal(@Nullable String name)
      Set the name of a service principal to use to verify the KDC.

      If non-null, a keytab resource must also be set.

      Parameters:
      name - name of service principal

    • setKeytabPath

      public void setKeytabPath(@Nullable String path)
      Provides a keytab for the service principal to use to verify the KDC.
      Parameters:
      path - path to file containing a keytab

    • doInitialize

      protected void doInitialize() throws ComponentInitializationException
      Overrides:
      doInitialize in class AbstractIdentifiedInitializableComponent
      Throws:
      ComponentInitializationException

    • doValidate

      protected Subject doValidate(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext, @Nonnull UsernamePasswordContext usernamePasswordContext, @Nullable CredentialValidator.WarningHandler warningHandler, @Nullable CredentialValidator.ErrorHandler errorHandler) throws Exception
      Override method for subclasses to use to perform the actual validation.

      Any configured transforms will have been applied to populate the context with a transformed username prior to this method call.

      Specified by:
      doValidate in class AbstractUsernamePasswordCredentialValidator
      Parameters:
      profileRequestContext - profile request context
      authenticationContext - authentication context
      usernamePasswordContext - the username/password to validate
      warningHandler - optional warning handler interface
      errorHandler - optional error handler interface
      Returns:
      the validated result, or null if inapplicable
      Throws:
      Exception - if an error occurs

    • populateSubject

      @Nonnull protected Subject populateSubject(@Nonnull Subject subject, @Nonnull UsernamePasswordContext usernamePasswordContext)
      Decorate the subject with "standard" content from the validation and clean up as instructed.
      Overrides:
      populateSubject in class AbstractUsernamePasswordCredentialValidator
      Parameters:
      subject - the subject being returned
      usernamePasswordContext - the username/password validated
      Returns:
      the decorated subject

    • verifyKDC

      private void verifyKDC(@Nonnull Subject subject) throws Exception
      Use credentials to acquire and verify a service ticket.
      Parameters:
      subject - client identity
      Throws:
      Exception - if an error occurs