# Should credentials be delegated to webservers when using

# SPNEGO authentication

#kerberos.spnego.delegate_cred=false

/*

 * Licensed to the Apache Software Foundation (ASF) under one or more

 * contributor license agreements.  See the NOTICE file distributed with

 * this work for additional information regarding copyright ownership.

 * The ASF licenses this file to You under the Apache License, Version 2.0

 * (the "License"); you may not use this file except in compliance with

 * the License.  You may obtain a copy of the License at

 *

 *   http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 *

 */

package org.apache.jmeter.protocol.http.control;

import org.apache.http.auth.Credentials;

import org.apache.http.auth.KerberosCredentials;

import org.apache.http.impl.auth.KerberosScheme;

import org.ietf.jgss.GSSContext;

import org.ietf.jgss.GSSCredential;

import org.ietf.jgss.GSSException;

import org.ietf.jgss.GSSManager;

import org.ietf.jgss.GSSName;

import org.ietf.jgss.Oid;

public class DelegatingKerberosScheme extends KerberosScheme {

    public DelegatingKerberosScheme(final boolean stripPort, final boolean useCanonicalHostName) {

        super(stripPort, useCanonicalHostName);

    }

    @Override

    protected byte[] generateGSSToken(

            final byte[] input, final Oid oid, final String authServer,

            final Credentials credentials) throws GSSException {

        final GSSManager manager = getManager();

        final GSSName serverName = manager.createName("HTTP@" + authServer, GSSName.NT_HOSTBASED_SERVICE);

        final GSSCredential gssCredential;

        if (credentials instanceof KerberosCredentials) {

            gssCredential = ((KerberosCredentials) credentials).getGSSCredential();

        } else {

            gssCredential = null;

        }

        final GSSContext gssContext = createDelegatingGSSContext(manager, oid, serverName, gssCredential);

        if (input != null) {

            return gssContext.initSecContext(input, 0, input.length);

        } else {

            return gssContext.initSecContext(new byte[] {}, 0, 0);

        }

    }

    GSSContext createDelegatingGSSContext(final GSSManager manager, final Oid oid, final GSSName serverName,

            final GSSCredential gssCredential) throws GSSException {

        final GSSContext gssContext = manager.createContext(serverName.canonicalize(oid), oid, gssCredential,

                GSSContext.DEFAULT_LIFETIME);

        gssContext.requestMutualAuth(true);

        gssContext.requestCredDeleg(true);

        return gssContext;

    }

}

/*

 * Licensed to the Apache Software Foundation (ASF) under one or more

 * contributor license agreements.  See the NOTICE file distributed with

 * this work for additional information regarding copyright ownership.

 * The ASF licenses this file to You under the Apache License, Version 2.0

 * (the "License"); you may not use this file except in compliance with

 * the License.  You may obtain a copy of the License at

 *

 *   http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 *

 */

package org.apache.jmeter.protocol.http.control;

import org.apache.http.auth.Credentials;

import org.apache.http.auth.KerberosCredentials;

import org.apache.http.impl.auth.SPNegoScheme;

import org.ietf.jgss.GSSContext;

import org.ietf.jgss.GSSCredential;

import org.ietf.jgss.GSSException;

import org.ietf.jgss.GSSManager;

import org.ietf.jgss.GSSName;

import org.ietf.jgss.Oid;

public class DelegatingSPNegoScheme extends SPNegoScheme {

    public DelegatingSPNegoScheme(final boolean stripPort, final boolean useCanonicalHostName) {

        super(stripPort, useCanonicalHostName);

    }

    @Override

    protected byte[] generateGSSToken(

            final byte[] input, final Oid oid, final String authServer,

            final Credentials credentials) throws GSSException {

        final GSSManager manager = getManager();

        final GSSName serverName = manager.createName("HTTP@" + authServer, GSSName.NT_HOSTBASED_SERVICE);

        final GSSCredential gssCredential;

        if (credentials instanceof KerberosCredentials) {

            gssCredential = ((KerberosCredentials) credentials).getGSSCredential();

        } else {

            gssCredential = null;

        }

        final GSSContext gssContext = createDelegatingGSSContext(manager, oid, serverName, gssCredential);

        if (input != null) {

            return gssContext.initSecContext(input, 0, input.length);

        } else {

            return gssContext.initSecContext(new byte[] {}, 0, 0);

        }

    }

    GSSContext createDelegatingGSSContext(final GSSManager manager, final Oid oid, final GSSName serverName,

            final GSSCredential gssCredential) throws GSSException {

        final GSSContext gssContext = manager.createContext(serverName.canonicalize(oid), oid, gssCredential,

                GSSContext.DEFAULT_LIFETIME);

        gssContext.requestMutualAuth(true);

        gssContext.requestCredDeleg(true);

        return gssContext;

    }

}

import org.apache.jmeter.util.JMeterUtils;

import org.slf4j.Logger;

import org.slf4j.LoggerFactory;

    static final String CONTEXT_ATTRIBUTE_DELEGATE_CRED = "__jmeter.K_DT__";

    static final boolean DELEGATE_CRED = JMeterUtils.getPropDefault("kerberos.spnego.delegate_cred", false);

    private static final Logger log = LoggerFactory.getLogger(DynamicKerberosSchemeFactory.class);

    private boolean isEnabled(Object contextAttribute, boolean defaultValue) {

        if (contextAttribute instanceof Boolean) {

            return ((Boolean) contextAttribute).booleanValue();

        }

        return defaultValue;

    }

/*

 * Licensed to the Apache Software Foundation (ASF) under one or more

 * contributor license agreements.  See the NOTICE file distributed with

 * this work for additional information regarding copyright ownership.

 * The ASF licenses this file to You under the Apache License, Version 2.0

 * (the "License"); you may not use this file except in compliance with

 * the License.  You may obtain a copy of the License at

 *

 *   http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 *

 */

package org.apache.jmeter.protocol.http.control;

import org.apache.http.auth.AuthScheme;

import org.apache.http.impl.auth.SPNegoScheme;

import org.apache.http.impl.auth.SPNegoSchemeFactory;

import org.apache.http.protocol.HttpContext;

import org.apache.jmeter.util.JMeterUtils;

import org.slf4j.Logger;

import org.slf4j.LoggerFactory;

/**

 * Extends {@link SPNegoSchemeFactory} to provide ability to customize stripPort

 * setting in {@link SPNegoScheme} based on {@link HttpContext}

 * @since 4.1

 */

public class DynamicSPNegoSchemeFactory extends SPNegoSchemeFactory {

    static final String CONTEXT_ATTRIBUTE_STRIP_PORT = "__jmeter.K_SP__";

    static final String CONTEXT_ATTRIBUTE_DELEGATE_CRED = "__jmeter.K_DT__";

    static final boolean DELEGATE_CRED = JMeterUtils.getPropDefault("kerberos.spnego.delegate_cred", false);

    private static final Logger log = LoggerFactory.getLogger(DynamicSPNegoSchemeFactory.class);

    /**

     * Constructor for DynamicSPNegoSchemeFactory

     * @param stripPort flag, whether port should be stripped from SPN

     * @param useCanonicalHostname flag, whether SPN should use the canonical hostname

     * @since 4.0

     */

    public DynamicSPNegoSchemeFactory(final boolean stripPort, final boolean useCanonicalHostname) {

        super(stripPort, useCanonicalHostname);

    }

    @Override

    public AuthScheme create(final HttpContext context) {

        boolean stripPort = isEnabled(context.getAttribute(CONTEXT_ATTRIBUTE_STRIP_PORT), isStripPort());

        if (isEnabled(context.getAttribute(CONTEXT_ATTRIBUTE_DELEGATE_CRED), DELEGATE_CRED)) {

            log.debug("Use DelegatingSPNegoScheme");

            return new DelegatingSPNegoScheme(stripPort, isStripPort());

        }

        log.debug("Use SPNegoScheme");

        return new SPNegoScheme(stripPort, isUseCanonicalHostname());

    }

    private boolean isEnabled(Object contextAttribute, boolean defaultValue) {

        if (contextAttribute instanceof Boolean) {

            return ((Boolean) contextAttribute).booleanValue();

        }

        return defaultValue;

    }

}

import org.apache.jmeter.protocol.http.control.DynamicSPNegoSchemeFactory;

Delegation of credentials is disabled by default for SPNEGO. If you want to enable it, you can do so by setting the property <code>kerberos.spnego.delegate_cred</code> to <code>true</code>.

</p>

<p>

<property name="kerberos.spnego.delegate_cred">

    Should SPNEGO authentication should use delegation of credentials.

    Defaults to: <code>false</code>

</property>