Re: Transferring a secure context

Olfmatic olfmatic at web.de
Thu Sep 7 09:26:11 EDT 2006


Problem solved. Sorry for being that stupid. ;-)
Sun's Kerberos implementation doesn't support exporting GSSContexts.
The call of context.isTransferable() always returns false and the
call context.export() always returns null.


-----Original Message-----
From: Olfmatic [mailto:olfmatic at web.de]
Sent: Tuesday, 5 September 2006 18:58
To: kerberos at mit.edu
Subject: Transferring a secure context


Hello,

I am trying to transfer a secure GSSContext after I established it so I can use it later to encrypt a session ID. But when I want to do this with the recreated GSSContext, I get an exception that says that the mechanism context wasn't set yet. What am I doing wrong?

This is how I do it:

Method 1 establishes the context and saves it as byte array into a HashMap:

    LoginContext tLoginContext = new LoginContext("Krb5Login");
    tLoginContext.login();
    Subject tSubject = tLoginContext.getSubject();

    Object tObject = Subject.doAs(tSubject, new PrivilegedExceptionAction()
    {
        public Object run() throws Exception
        {
            try
            {
                GSSManager tGSSManager = GSSManager.getInstance();
                GSSName tServerName = tGSSManager.createName(tServiceUrl, GSSName.NT_USER_NAME);
                GSSCredential tServerCredential = tGSSManager.createCredential(tServerName,
                        GSSCredential.INDEFINITE_LIFETIME, new Krb5MechFactory().getMechanismOid(),
                        GSSCredential.ACCEPT_ONLY);
                GSSContext tSecureContext = tGSSManager.createContext(tServerCredential);
                byte [] tInToken = aToken;
                byte [] tOutToken = tSecureContext.acceptSecContext(tInToken, 0, tInToken.length);
                byte [] tSerializedSecureContext = tSecureContext.export();
                String tUserName = StringHelper.getBeforeDivider(tSecureContext.getSrcName().toString(), "@");

                AISessionManager.getInstance().addSecureContext(tUserName, tSerializedSecureContext);

                return tOutToken;
            }
            catch (GSSException aException)
            {
                String tMessage = aException.getMessage();
                cCat.error(tMessage);
                cCat.debug(tMessage, aException);
                throw aException;
            }
        }
    });

Method 2 tries to get it from the Map:

    String tSessionID = OIDFactory.getInstance().createOID("ClientUserSessionID");
    byte [] tContextToken = AISessionManager.getInstance().getAndRemoveSecureContext(aUserKey);
    GSSContext tSecureContext = GSSManager.getInstance().createContext(tContextToken);
    byte [] tSessionIDBytes = tSessionID.getBytes();
    byte[] tEncryptedSessionID = tSecureContext.wrap(tSessionIDBytes, 0, tSessionIDBytes.length,
            new MessageProp(0, true));
    tSecureContext.dispose();

But as soon as I call wrap() I get the following exception:

GSSException: No mechanism context yet!
        at sun.security.jgss.GSSContextImpl.wrap(GSSContextImpl.java:344)
        at de.sepp.workserver.user.SessionFacadeBean.requestEncryptedSessionID(SessionFacadeBean.java:825)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:324)
        at org.jboss.ejb.StatelessSessionContainer$ContainerInterceptor.invoke(StatelessSessionContainer.java:629)
        at org.jboss.resource.connectionmanager.CachedConnectionInterceptor.invoke(CachedConnectionInterceptor.java:186)
        at org.jboss.ejb.plugins.StatelessSessionInstanceInterceptor.invoke(StatelessSessionInstanceInterceptor.java:72)
        at org.jboss.ejb.plugins.AbstractTxInterceptor.invokeNext(AbstractTxInterceptor.java:84)
        at org.jboss.ejb.plugins.TxInterceptorCMT.runWithTransactions(TxInterceptorCMT.java:273)
        at org.jboss.ejb.plugins.TxInterceptorCMT.invoke(TxInterceptorCMT.java:104)
        at org.jboss.ejb.plugins.SecurityInterceptor.invoke(SecurityInterceptor.java:117)
        at org.jboss.ejb.plugins.LogInterceptor.invoke(LogInterceptor.java:191)
        at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invoke(ProxyFactoryFinderInterceptor.java:122)
        at org.jboss.ejb.plugins.AbstractInterceptor.invoke(AbstractInterceptor.java:94)

Do I have to perform another Kerberos-Login in method 2 and execute the code seen above in a Subject.doAs()?

Thank you for any help.

Florian
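
Added example, not part of the original posts and not Sun's or MIT's code: one way to act on the finding in the reply is to check isTransferable() before calling export(), and otherwise keep the established GSSContext object itself for the later wrap(). The class SecureContextStore and its method names are hypothetical, and the fallback assumes both calls run in the same JVM.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.MessageProp;

/** Hypothetical store (not from the post): keeps an established context usable for one later wrap(). */
public final class SecureContextStore {
    // Inter-process tokens, for mechanisms that really support export().
    private final Map<String, byte[]> exported = new ConcurrentHashMap<>();
    // Live context objects, for mechanisms where isTransferable() is false.
    private final Map<String, GSSContext> live = new ConcurrentHashMap<>();

    public void save(String userKey, GSSContext ctx) throws GSSException {
        if (!ctx.isEstablished()) {
            throw new IllegalStateException("context not established; more tokens are needed");
        }
        if (ctx.isTransferable()) {
            byte[] token = ctx.export();          // export() deactivates ctx; only the token is valid now
            if (token == null) {
                throw new GSSException(GSSException.UNAVAILABLE);
            }
            exported.put(userKey, token);
        } else {
            live.put(userKey, ctx);               // same-JVM fallback: keep the object, never a null token
        }
    }

    /** Wraps (encrypts) plain with the stored context, then disposes of the context. */
    public byte[] wrapOnce(String userKey, byte[] plain) throws GSSException {
        GSSContext ctx = live.remove(userKey);
        if (ctx == null) {
            byte[] token = exported.remove(userKey);
            if (token == null) {
                throw new IllegalStateException("no stored context for " + userKey);
            }
            ctx = GSSManager.getInstance().createContext(token);  // import the exported context
        }
        try {
            return ctx.wrap(plain, 0, plain.length, new MessageProp(0, true));
        } finally {
            ctx.dispose();                        // release key material as soon as it is no longer needed
        }
    }
}
```

Storing the result of export() without these checks is what puts a null token into the map in Method 1. The live-object fallback does not survive a restart or a request routed to another server instance, and entries that are never consumed should be disposed of when the session expires.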



