com.ibm.websphere.security.s4u2proxy

Class SpnegoHelper

  • java.lang.Object
    • com.ibm.websphere.security.s4u2proxy.SpnegoHelper

  • public class SpnegoHelper
extends java.lang.Object
    SpnegoHelper - utilities to help create a SPNEGO Token as Authorization header for outbound authentication purposes using the Kerberos S4U2self and/or S4U2proxy.
    Since:
    1.0
    Version:
    1.0

    • Constructor Summary

      Constructors 
      Constructor and Description
      SpnegoHelper() 

    • Method Summary

      Methods 
      Modifier and Type Method and Description
      static java.lang.String buildS4U2proxyAuthorization(java.lang.String spn, javax.security.auth.Subject subject, int lifetime, boolean delegate)
      Build a SPNEGO Authorization string using a Kerberos credential within the supplied Java Subject.
      static java.lang.String buildS4U2ProxyAuthorizationUsingS4U2Self(java.lang.String upn, java.lang.String targetServiceSpn, int lifetime, boolean delegate, java.lang.String delegateServiceSpn, java.lang.String jaasLoginContextEntry, java.lang.String krb5Keytab)
      Build a SPNEGO Authorization string using a Kerberos credential from the delegate service that impersonates the user (S4U2self).

      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

    • Constructor Detail

      • SpnegoHelper

        public SpnegoHelper()

    • Method Detail

      • buildS4U2ProxyAuthorizationUsingS4U2Self

        public static java.lang.String buildS4U2ProxyAuthorizationUsingS4U2Self(java.lang.String upn,
                                                        java.lang.String targetServiceSpn,
                                                        int lifetime,
                                                        boolean delegate,
                                                        java.lang.String delegateServiceSpn,
                                                        java.lang.String jaasLoginContextEntry,
                                                        java.lang.String krb5Keytab)
                                                                 throws org.ietf.jgss.GSSException,
                                                                        java.security.PrivilegedActionException,
                                                                        javax.security.auth.login.LoginException
        Build a SPNEGO Authorization string using a Kerberos credential from the delegate service that impersonates the user (S4U2self). The method will use that credential to request a SPNEGO token for a target service principal name for the target service system. If the system property java.security.krb5.conf has not been set by the run time, you need to set the java.security.krb5.conf that point to your Kerberos configuration file.
        Parameters:
        upn - ??? User principal name of the user for which the SPNEGO token will be generated.
        targetServiceSpn - ??? Service principal name of a system for which SPNEGO token will be targeted.
        lifetime - ??? Life time for the context, for example GSSCredential.INDEFINITE_LIFETIME.
        delegate - - Whether the token includes delegatable GSSCredential credentials.
        delegateServiceSpn - - Delegate service principal name of system for which the user already authenticated.
        jaasLoginContextEntry - - JAAS login context entry to use. This parameter is currently not used.
        krb5Keytab - - Kerberos keytab file that contained the delegate service principal name and its keys.
        Returns:
        - String "Negotiate " + Base64 encoded version of SPNEGO Token.
        Throws:
        org.ietf.jgss.GSSException - - thrown when SPNEGO token generation fails, when delegate service principal is null, when the delegate service principal's subject does not contain Kerberos credentials, when the target service principal is invalid.
        java.security.PrivilegedActionException - - unexpected - thrown when Java 2 security is misconfigured.
        javax.security.auth.login.LoginException - - thrown when the Login fails with the delegate service SPN

      • buildS4U2proxyAuthorization

        public static java.lang.String buildS4U2proxyAuthorization(java.lang.String spn,
                                           javax.security.auth.Subject subject,
                                           int lifetime,
                                           boolean delegate)
                                                    throws org.ietf.jgss.GSSException,
                                                           java.security.PrivilegedActionException
        Build a SPNEGO Authorization string using a Kerberos credential within the supplied Java Subject. The method will use that credential to request a SPNEGO token for a ServicePrincipalName (SPN) for the target service system.
        Parameters:
        spn - - ServicePrincipalName of system for which SPNEGO token will be targeted.
        subject - - Subject containing Kerberos credentials
        lifetime - - Lifetime for the context, for example GSSCredential.INDEFINITE_LIFETIME
        delegate - - Whether the token includes delegatable GSSCredentials.
        Returns:
        - String "Negotiate " + Base64 encoded version of SPNEGO Token
        Throws:
        org.ietf.jgss.GSSException - - thrown when SPNEGO token generation fails, when Subject is null, when the Subject does not contain Kerberos credentials, or when SPN is invalid.
        java.security.PrivilegedActionException - - unexpected - thrown when Java 2 security is misconfigured.
        javax.security.auth.login.LoginException - - thrown when the Login fails with the delegate service SPN
IBM WebSphere Application ServerTM
Release 9.0
  • Prev Class
  • Next Class