com.ibm.websphere.security.s4u2proxy

Class SpnegoHelper

  • java.lang.Object
    • com.ibm.websphere.security.s4u2proxy.SpnegoHelper


  • public class SpnegoHelper
    extends java.lang.Object
    SpnegoHelper - utilities to help create a SPNEGO Token as Authorization header for outbound authentication purposes using the Kerberos S4U2self and/or S4U2proxy.
    Since:
    1.0
    • Constructor Summary

      Constructors 
      Constructor and Description
      SpnegoHelper() 
    • Method Summary

      Methods 
      Modifier and Type Method and Description
      static java.lang.String buildS4U2proxyAuthorization(java.lang.String spn, javax.security.auth.Subject subject, int lifetime, boolean delegate)
      Build a SPNEGO Authorization string using a Kerberos credential within the supplied Java Subject.
      static java.lang.String buildS4U2ProxyAuthorizationUsingS4U2Self(java.lang.String upn, java.lang.String targetServiceSpn, int lifetime, boolean delegate, java.lang.String delegateServiceSpn, java.lang.String jaasLoginContextEntry, java.lang.String krb5Keytab)
      Build a SPNEGO Authorization string using a Kerberos credential from the delegate service that impersonates the user (S4U2self).
      • Methods inherited from class java.lang.Object

        equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Constructor Detail

      • SpnegoHelper

        public SpnegoHelper()
    • Method Detail

      • buildS4U2ProxyAuthorizationUsingS4U2Self

        public static java.lang.String buildS4U2ProxyAuthorizationUsingS4U2Self(java.lang.String upn,
                                                                java.lang.String targetServiceSpn,
                                                                int lifetime,
                                                                boolean delegate,
                                                                java.lang.String delegateServiceSpn,
                                                                java.lang.String jaasLoginContextEntry,
                                                                java.lang.String krb5Keytab)
                                                                         throws org.ietf.jgss.GSSException,
                                                                                java.security.PrivilegedActionException,
                                                                                javax.security.auth.login.LoginException
        Build a SPNEGO Authorization string using a Kerberos credential from the delegate service that impersonates the user (S4U2self). The method will use that credential to request a SPNEGO token for a targetServiceSpn (SPN) for the target service system. If the system property java.security.krb5.conf has not been set by the run time, you need to set the java.security.krb5.conf that point to your Kerberos configuration file.
        Parameters:
        upn - - UserPrincipalName of the user for which the SPNEGO token will be generated.
        targetServiceSpn - - ServicePrincipalName of system for which SPNEGO token will be targeted.
        lifetime - - Lifetime for the context, for example GSSCredential.INDEFINITE_LIFETIME
        delegate - - Whether the token includes delegatable GSSCredential credentials.
        delegateServiceSpn - - Delegate servicePrincipalName of system for which the user already authenticated.
        jaasLoginContextEntry - - JAAS login context entry to use.
        krb5Keytab - - Kerberos keytab that contained the firstServiceSpn and its keys.
        Returns:
        - String "Negotiate " + Base64 encoded version of SPNEGO Token
        Throws:
        org.ietf.jgss.GSSException - - thrown when SPNEGO token generation fails, when delegate service's subject is null, when the delegate serivce's subject does not contain Kerberos credentials, when firstServiceSpn or targetServiceSpn is invalid.
        java.security.PrivilegedActionException - - unexpected - thrown when Java 2 security is misconfigured.
        javax.security.auth.login.LoginException - - thrown when the Login fails with the delegate service SPN
      • buildS4U2proxyAuthorization

        public static java.lang.String buildS4U2proxyAuthorization(java.lang.String spn,
                                                   javax.security.auth.Subject subject,
                                                   int lifetime,
                                                   boolean delegate)
                                                            throws org.ietf.jgss.GSSException,
                                                                   java.security.PrivilegedActionException
        Build a SPNEGO Authorization string using a Kerberos credential within the supplied Java Subject. The method will use that credential to request a SPNEGO token for a ServicePrincipalName (SPN) for the target service system.
        Parameters:
        spn - - ServicePrincipalName of system for which SPNEGO token will be targeted.
        subject - - Subject containing Kerberos credentials
        lifetime - - Lifetime for the context, for example GSSCredential.INDEFINITE_LIFETIME
        delegate - - Whether the token includes delegatable GSSCredentials.
        Returns:
        - String "Negotiate " + Base64 encoded version of SPNEGO Token
        Throws:
        org.ietf.jgss.GSSException - - thrown when SPNEGO token generation fails, when Subject is null, when the Subject does not contain Kerberos credentials, or when SPN is invalid.
        java.security.PrivilegedActionException - - unexpected - thrown when Java 2 security is misconfigured.
        javax.security.auth.login.LoginException - - thrown when the Login fails with the delegate service SPN