Posted to commits@ws.apache.org by co...@apache.org on 2011/07/22 17:36:34 UTC
svn commit: r1149634 - in /webservices/wss4j/trunk/src:
main/java/org/apache/ws/security/
main/java/org/apache/ws/security/message/token/
main/java/org/apache/ws/security/validate/
main/resources/org/apache/ws/security/ test/java/org/apache/ws/security...
Author: coheigea
Date: Fri Jul 22 15:36:33 2011
New Revision: 1149634
URL: http://svn.apache.org/viewvc?rev=1149634&view=rev
Log:
[WSS-251] - Added support to create and authenticate Kerberos tickets to WSS4J. Added an @Ignore'd test, with some instructions on how to set up a KDC to run the test.
Added:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/KerberosTokenPrincipal.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/KerberosClientAction.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/KerberosServiceAction.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/KerberosTokenValidator.java
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/token/KerberosTest.java
webservices/wss4j/trunk/src/test/resources/kerberos.jaas
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/KerberosSecurity.java
webservices/wss4j/trunk/src/main/resources/org/apache/ws/security/errors.properties
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/token/BSTKerberosTest.java
Added: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/KerberosTokenPrincipal.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/KerberosTokenPrincipal.java?rev=1149634&view=auto
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/KerberosTokenPrincipal.java (added)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/KerberosTokenPrincipal.java Fri Jul 22 15:36:33 2011
@@ -0,0 +1,41 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ws.security;
+
+import java.io.Serializable;
+import java.security.Principal;
+
+/**
+ * A principal representing an authenticated Kerberos Token.
+ *
+ */
+public class KerberosTokenPrincipal implements Principal, Serializable {
+
+ private String name;
+
+ public KerberosTokenPrincipal(String name) {
+ this.name = name;
+ }
+
+ public String getName() {
+ return this.name;
+ }
+
+}
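Review bot: KerberosTokenPrincipal implements Principal and Serializable without overriding equals, hashCode or toString, so two principals carrying the same Kerberos name compare by identity; the Principal contract asks for all three, and it matters as soon as the principal is placed in a Subject's principal Set or compared by authorization code. A Serializable class without a serialVersionUID also gets a compiler-derived one that changes with any edit to the class. The constructor accepts a null name, which only surfaces later as an NPE in whichever consumer reads it. The sketch below keeps getName() as is and rejects null up front.
```java
public class KerberosTokenPrincipal implements Principal, Serializable {

    private static final long serialVersionUID = 1L;

    private final String name;

    public KerberosTokenPrincipal(String name) {
        if (name == null) {
            throw new IllegalArgumentException("Kerberos principal name must not be null");
        }
        this.name = name;
    }

    // … unchanged: getName() …

    @Override
    public boolean equals(Object other) {
        if (this == other) {
            return true;
        }
        if (!(other instanceof KerberosTokenPrincipal)) {
            return false;
        }
        return name.equals(((KerberosTokenPrincipal) other).name);
    }

    @Override
    public int hashCode() {
        return name.hashCode();
    }

    @Override
    public String toString() {
        return "KerberosTokenPrincipal[" + name + "]";
    }
}
```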
Added: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/KerberosClientAction.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/KerberosClientAction.java?rev=1149634&view=auto
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/KerberosClientAction.java (added)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/KerberosClientAction.java Fri Jul 22 15:36:33 2011
@@ -0,0 +1,79 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ws.security.message.token;
+
+import java.security.Principal;
+import java.security.PrivilegedAction;
+
+import org.ietf.jgss.GSSContext;
+import org.ietf.jgss.GSSCredential;
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.GSSManager;
+import org.ietf.jgss.GSSName;
+import org.ietf.jgss.Oid;
+
+/**
+ * This class represents a PrivilegedAction implementation to obtain a service ticket from a Kerberos
+ * Key Distribution Center.
+ */
+public class KerberosClientAction implements PrivilegedAction<byte[]> {
+ private static org.apache.commons.logging.Log log =
+ org.apache.commons.logging.LogFactory.getLog(KerberosClientAction.class);
+
+ private Principal clientPrincipal;
+ private String serviceName;
+
+ public KerberosClientAction(Principal clientPrincipal, String serviceName) {
+ this.clientPrincipal = clientPrincipal;
+ this.serviceName = serviceName;
+ }
+
+ public byte[] run() {
+ try {
+ GSSManager gssManager = GSSManager.getInstance();
+
+ Oid kerberos5Oid = new Oid("1.2.840.113554.1.2.2");
+ GSSName gssClient = gssManager.createName(clientPrincipal.getName(), GSSName.NT_USER_NAME);
+ GSSCredential credentials =
+ gssManager.createCredential(
+ gssClient, GSSCredential.DEFAULT_LIFETIME, kerberos5Oid, GSSCredential.INITIATE_ONLY
+ );
+
+ GSSName gssService = gssManager.createName(serviceName, GSSName.NT_HOSTBASED_SERVICE);
+ GSSContext secContext =
+ gssManager.createContext(
+ gssService, kerberos5Oid, credentials, GSSContext.DEFAULT_LIFETIME
+ );
+
+ byte[] token = new byte[0];
+ byte[] returnedToken = secContext.initSecContext(token, 0, token.length);
+ secContext.dispose();
+ return returnedToken;
+ } catch (GSSException e) {
+ if (log.isDebugEnabled()) {
+ log.debug("Error in obtaining a Kerberos token", e);
+ }
+ }
+
+ return null;
+
+ }
+
+}
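Review bot: `secContext.dispose()` runs only on the success path and the initiator credential returned by createCredential is never disposed, so a GSSException from createContext or initSecContext leaks both objects; both should be released in a finally regardless of outcome. The failure is then only visible when debug logging is on and is reduced to a null return, so the kerberosServiceTicketError the caller raises carries none of the GSS diagnostic — if propagating the cause is preferred, a PrivilegedExceptionAction would let the caller wrap the GSSException directly. The rewrite below keeps the existing logging and adds the cleanup.
```java
    public byte[] run() {
        GSSCredential credentials = null;
        GSSContext secContext = null;
        try {
            // … unchanged: GSSManager, kerberos5Oid and gssClient/gssService creation …
            credentials = gssManager.createCredential(
                gssClient, GSSCredential.DEFAULT_LIFETIME, kerberos5Oid, GSSCredential.INITIATE_ONLY
            );
            secContext = gssManager.createContext(
                gssService, kerberos5Oid, credentials, GSSContext.DEFAULT_LIFETIME
            );
            byte[] token = new byte[0];
            return secContext.initSecContext(token, 0, token.length);
        } catch (GSSException e) {
            // … unchanged: debug logging of the failure …
            return null;
        } finally {
            // dispose() declares GSSException; cleanup is best-effort
            try {
                if (secContext != null) {
                    secContext.dispose();
                }
            } catch (GSSException e) {
                log.debug("Error disposing of the GSS context", e);
            }
            try {
                if (credentials != null) {
                    credentials.dispose();
                }
            } catch (GSSException e) {
                log.debug("Error disposing of the GSS credential", e);
            }
        }
    }
```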
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/KerberosSecurity.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/KerberosSecurity.java?rev=1149634&r1=1149633&r2=1149634&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/KerberosSecurity.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/KerberosSecurity.java Fri Jul 22 15:36:33 2011
@@ -19,6 +19,14 @@
package org.apache.ws.security.message.token;
+import java.security.Principal;
+import java.util.Set;
+
+import javax.security.auth.Subject;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.login.LoginContext;
+import javax.security.auth.login.LoginException;
+
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityException;
import org.w3c.dom.Document;
@@ -29,6 +37,9 @@ import org.w3c.dom.Element;
*/
public class KerberosSecurity extends BinarySecurity {
+ private static org.apache.commons.logging.Log log =
+ org.apache.commons.logging.LogFactory.getLog(KerberosSecurity.class);
+
/**
* This constructor creates a new Kerberos token object and initializes
* it from the data contained in the element.
@@ -87,4 +98,71 @@ public class KerberosSecurity extends Bi
return false;
}
+ /**
+ * Retrieve a service ticket from a KDC using the Kerberos JAAS module, and set it in this
+ * BinarySecurityToken.
+ * @param jaasLoginModuleName the JAAS Login Module name to use
+ * @param callbackHandler a CallbackHandler instance to retrieve a password (optional)
+ * @param serviceName the desired Kerberized service
+ * @throws WSSecurityException
+ */
+ public void retrieveServiceTicket(
+ String jaasLoginModuleName,
+ CallbackHandler callbackHandler,
+ String serviceName
+ ) throws WSSecurityException {
+ // Get a TGT from the KDC using JAAS
+ LoginContext loginContext = null;
+ try {
+ if (callbackHandler == null) {
+ loginContext = new LoginContext(jaasLoginModuleName);
+ } else {
+ loginContext = new LoginContext(jaasLoginModuleName, callbackHandler);
+ }
+ loginContext.login();
+ } catch (LoginException ex) {
+ if (log.isDebugEnabled()) {
+ log.debug(ex.getMessage(), ex);
+ }
+ throw new WSSecurityException(
+ WSSecurityException.FAILURE,
+ "kerberosLoginError",
+ new Object[] {ex.getMessage()}
+ );
+ }
+ if (log.isDebugEnabled()) {
+ log.debug("Successfully authenticated to the TGT");
+ }
+
+ Subject clientSubject = loginContext.getSubject();
+ Set<Principal> clientPrincipals = clientSubject.getPrincipals();
+ if (clientPrincipals.isEmpty()) {
+ throw new WSSecurityException(
+ WSSecurityException.FAILURE,
+ "kerberosLoginError",
+ new Object[] {"No Client principals found after login"}
+ );
+ }
+
+ // Get the service ticket
+ KerberosClientAction action =
+ new KerberosClientAction(clientPrincipals.iterator().next(), serviceName);
+ byte[] ticket = Subject.doAs(clientSubject, action);
+ if (ticket == null) {
+ throw new WSSecurityException(
+ WSSecurityException.FAILURE, "kerberosServiceTicketError"
+ );
+ }
+ if (log.isDebugEnabled()) {
+ log.debug("Successfully retrieved a service ticket");
+ }
+
+ setToken(ticket);
+
+ if ("".equals(getValueType())) {
+ setValueType(WSConstants.WSS_GSS_KRB_V5_AP_REQ);
+ }
+ }
+
+
}
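Review bot: `loginContext.logout()` is never called in retrieveServiceTicket, so the Subject populated by login() — with Krb5LoginModule that includes the client's TGT in its private credentials — stays alive after the service ticket has been obtained; the doAs should be wrapped in a finally that logs the Subject out once the ticket is set. `clientPrincipals.iterator().next()` also takes whichever principal the Set yields first, which is only the Kerberos principal if the JAAS entry stacks no other login module; `clientSubject.getPrincipals(KerberosPrincipal.class)` (javax.security.auth.kerberos) selects it explicitly. The sketch below needs that import; the login and its error handling are unchanged.
```java
        Subject clientSubject = loginContext.getSubject();
        try {
            Set<KerberosPrincipal> clientPrincipals =
                clientSubject.getPrincipals(KerberosPrincipal.class);
            // … unchanged: empty-principals check, KerberosClientAction / Subject.doAs, null-ticket check …
            setToken(ticket);
            if ("".equals(getValueType())) {
                setValueType(WSConstants.WSS_GSS_KRB_V5_AP_REQ);
            }
        } finally {
            try {
                loginContext.logout();
            } catch (LoginException ex) {
                if (log.isDebugEnabled()) {
                    log.debug("Error logging out of the Kerberos login context", ex);
                }
            }
        }
```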
Added: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/KerberosServiceAction.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/KerberosServiceAction.java?rev=1149634&view=auto
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/KerberosServiceAction.java (added)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/KerberosServiceAction.java Fri Jul 22 15:36:33 2011
@@ -0,0 +1,77 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ws.security.message.token;
+
+import java.security.Principal;
+import java.security.PrivilegedAction;
+
+import org.apache.ws.security.KerberosTokenPrincipal;
+import org.ietf.jgss.GSSContext;
+import org.ietf.jgss.GSSCredential;
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.GSSManager;
+import org.ietf.jgss.GSSName;
+import org.ietf.jgss.Oid;
+
+/**
+ * This class represents a PrivilegedAction implementation to validate a received ticket to a KDC.
+ */
+public class KerberosServiceAction implements PrivilegedAction<Principal> {
+ private static org.apache.commons.logging.Log log =
+ org.apache.commons.logging.LogFactory.getLog(KerberosServiceAction.class);
+
+ private byte[] ticket;
+ private String serviceName;
+
+ public KerberosServiceAction(byte[] ticket, String serviceName) {
+ this.ticket = ticket;
+ this.serviceName = serviceName;
+ }
+
+ public Principal run() {
+ try {
+ GSSManager gssManager = GSSManager.getInstance();
+
+ Oid kerberos5Oid = new Oid("1.2.840.113554.1.2.2");
+ GSSName gssService = gssManager.createName(serviceName, GSSName.NT_HOSTBASED_SERVICE);
+ GSSCredential credentials =
+ gssManager.createCredential(
+ gssService, GSSCredential.DEFAULT_LIFETIME, kerberos5Oid, GSSCredential.ACCEPT_ONLY
+ );
+
+ GSSContext secContext =
+ gssManager.createContext(credentials);
+ secContext.acceptSecContext(ticket, 0, ticket.length);
+
+ GSSName clientName = secContext.getSrcName();
+ Principal principal = new KerberosTokenPrincipal(clientName.toString());
+ secContext.dispose();
+ return principal;
+ } catch (GSSException e) {
+ if (log.isDebugEnabled()) {
+ log.debug("Error in validating a Kerberos token", e);
+ }
+ }
+
+ return null;
+
+ }
+
+}
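Review bot: A rejected ticket — acceptSecContext is where a forged, expired or replayed AP-REQ fails — is logged only when debug is enabled and then collapsed into a null return, so failed authentications leave no trace in a production log; the GSSException message should be logged at warn, with the stack trace staying at debug. On that same error path neither the acceptor credential nor the context is disposed, and on the success path getSrcName() is read without confirming `secContext.isEstablished()`, the cheap guard against a token the mechanism accepted only as an intermediate step. The rewrite below adds those three points and leaves name creation unchanged.
```java
    public Principal run() {
        GSSCredential credentials = null;
        GSSContext secContext = null;
        try {
            // … unchanged: GSSManager, kerberos5Oid and gssService creation …
            credentials = gssManager.createCredential(
                gssService, GSSCredential.DEFAULT_LIFETIME, kerberos5Oid, GSSCredential.ACCEPT_ONLY
            );
            secContext = gssManager.createContext(credentials);
            secContext.acceptSecContext(ticket, 0, ticket.length);
            if (!secContext.isEstablished()) {
                log.warn("Kerberos context not established after accepting the ticket");
                return null;
            }
            return new KerberosTokenPrincipal(secContext.getSrcName().toString());
        } catch (GSSException e) {
            // A failed authentication is security-relevant: keep it visible above debug
            log.warn("Error in validating a Kerberos token: " + e.getMessage());
            if (log.isDebugEnabled()) {
                log.debug("Error in validating a Kerberos token", e);
            }
            return null;
        } finally {
            // dispose() declares GSSException; cleanup is best-effort
            try {
                if (secContext != null) {
                    secContext.dispose();
                }
            } catch (GSSException e) {
                log.debug("Error disposing of the GSS context", e);
            }
            try {
                if (credentials != null) {
                    credentials.dispose();
                }
            } catch (GSSException e) {
                log.debug("Error disposing of the GSS credential", e);
            }
        }
    }
```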
Added: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/KerberosTokenValidator.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/KerberosTokenValidator.java?rev=1149634&view=auto
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/KerberosTokenValidator.java (added)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/KerberosTokenValidator.java Fri Jul 22 15:36:33 2011
@@ -0,0 +1,166 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ws.security.validate;
+
+import java.security.Principal;
+import java.util.Set;
+
+import javax.security.auth.Subject;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.login.LoginContext;
+import javax.security.auth.login.LoginException;
+
+import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.handler.RequestData;
+import org.apache.ws.security.message.token.BinarySecurity;
+import org.apache.ws.security.message.token.KerberosServiceAction;
+
+/**
+ */
+public class KerberosTokenValidator implements Validator {
+
+ private static org.apache.commons.logging.Log log =
+ org.apache.commons.logging.LogFactory.getLog(KerberosTokenValidator.class);
+
+ private String serviceName;
+ private CallbackHandler callbackHandler;
+ private String jaasLoginModuleName;
+
+ /**
+ * Get the JAAS Login module name to use.
+ * @return the JAAS Login module name to use
+ */
+ public String getJaasLoginModuleName() {
+ return jaasLoginModuleName;
+ }
+
+ /**
+ * Set the JAAS Login module name to use.
+ * @param jaasLoginModuleName the JAAS Login module name to use
+ */
+ public void setJaasLoginModuleName(String jaasLoginModuleName) {
+ this.jaasLoginModuleName = jaasLoginModuleName;
+ }
+
+ /**
+ * Get the CallbackHandler to use with the LoginContext
+ * @return the CallbackHandler to use with the LoginContext
+ */
+ public CallbackHandler getCallbackHandler() {
+ return callbackHandler;
+ }
+
+ /**
+ * Set the CallbackHandler to use with the LoginContext. It can be null.
+ * @param callbackHandler the CallbackHandler to use with the LoginContext
+ */
+ public void setCallbackHandler(CallbackHandler callbackHandler) {
+ this.callbackHandler = callbackHandler;
+ }
+
+ /**
+ * The name of the service to use when contacting the KDC. This value can be null, in which
+ * case it defaults to the current principal name.
+ * @param serviceName the name of the service to use when contacting the KDC
+ */
+ public void setServiceName(String serviceName) {
+ this.serviceName = serviceName;
+ }
+
+ /**
+ * Get the name of the service to use when contacting the KDC. This value can be null, in which
+ * case it defaults to the current principal name.
+ * @return the name of the service to use when contacting the KDC
+ */
+ public String getServiceName() {
+ return serviceName;
+ }
+
+ /**
+ * Validate the credential argument. It must contain a non-null BinarySecurityToken.
+ *
+ * @param credential the Credential to be validated
+ * @param data the RequestData associated with the request
+ * @throws WSSecurityException on a failed validation
+ */
+ public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
+ if (credential == null || credential.getBinarySecurityToken() == null) {
+ throw new WSSecurityException(WSSecurityException.FAILURE, "noCredential");
+ }
+
+ // Get a TGT from the KDC using JAAS
+ LoginContext loginContext = null;
+ try {
+ if (callbackHandler == null) {
+ loginContext = new LoginContext(jaasLoginModuleName);
+ } else {
+ loginContext = new LoginContext(jaasLoginModuleName, callbackHandler);
+ }
+ loginContext.login();
+ } catch (LoginException ex) {
+ if (log.isDebugEnabled()) {
+ log.debug(ex.getMessage(), ex);
+ }
+ throw new WSSecurityException(
+ WSSecurityException.FAILURE,
+ "kerberosLoginError",
+ new Object[] {ex.getMessage()}
+ );
+ }
+ if (log.isDebugEnabled()) {
+ log.debug("Successfully authenticated to the TGT");
+ }
+
+ BinarySecurity binarySecurity = credential.getBinarySecurityToken();
+ byte[] token = binarySecurity.getToken();
+
+ // Get the service name to use - fall back on the principal
+ Subject subject = loginContext.getSubject();
+ String service = serviceName;
+ if (service == null) {
+ Set<Principal> principals = subject.getPrincipals();
+ if (principals.isEmpty()) {
+ throw new WSSecurityException(
+ WSSecurityException.FAILURE,
+ "kerberosLoginError",
+ new Object[] {"No Client principals found after login"}
+ );
+ }
+ service = principals.iterator().next().getName();
+ }
+
+ // Validate the ticket
+ KerberosServiceAction action = new KerberosServiceAction(token, service);
+ Principal principal = Subject.doAs(subject, action);
+ if (principal == null) {
+ throw new WSSecurityException(
+ WSSecurityException.FAILURE, "kerberosTicketValidationError"
+ );
+ }
+ credential.setPrincipal(principal);
+
+ if (log.isDebugEnabled()) {
+ log.debug("Successfully validated a ticket");
+ }
+
+ return credential;
+ }
+
+}
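Review bot: validate() performs a full JAAS login (keytab read and, with the kerberos.jaas entry as written, a KDC round trip) for every incoming message and never calls `loginContext.logout()`, so each request leaves behind a Subject holding the service's long-term key; at minimum the login should be logged out in a finally, and caching the acceptor Subject across requests is worth considering. The validator also hands every BinarySecurityToken it receives to acceptSecContext without checking its ValueType, so when it is registered for WSSecurityEngine.BINARY_TOKEN as the test does, an X.509 BST would be reported as a failed Kerberos ticket; an up-front check — `binarySecurity instanceof KerberosSecurity` if the BST processor instantiates that class for the Kerberos ValueTypes (I cannot tell from here), otherwise a comparison of getValueType() against WSConstants.WSS_GSS_KRB_V5_AP_REQ — keeps non-Kerberos tokens away from GSS and should run before the KDC is contacted. Separately, the serviceName fallback passes the login principal's name (of the form `bob/service@REALM`) to a GSSName created with NT_HOSTBASED_SERVICE, which expects `service@host`; if that fallback is meant to work, passing a null name to createCredential (accept as any principal in the Subject) looks like the safer default, worth confirming against a KDC.
```java
        BinarySecurity binarySecurity = credential.getBinarySecurityToken();
        if (!(binarySecurity instanceof KerberosSecurity)) {
            // Not a Kerberos BST: do not feed arbitrary bytes to acceptSecContext
            return credential;
        }
        byte[] token = binarySecurity.getToken();

        // … unchanged: JAAS login and its error handling …

        Subject subject = loginContext.getSubject();
        try {
            // … unchanged: service-name fallback, KerberosServiceAction / Subject.doAs, null-principal check …
            credential.setPrincipal(principal);
        } finally {
            try {
                loginContext.logout();
            } catch (LoginException ex) {
                if (log.isDebugEnabled()) {
                    log.debug("Error logging out of the Kerberos login context", ex);
                }
            }
        }
        return credential;
```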
Modified: webservices/wss4j/trunk/src/main/resources/org/apache/ws/security/errors.properties
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/resources/org/apache/ws/security/errors.properties?rev=1149634&r1=1149633&r2=1149634&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/resources/org/apache/ws/security/errors.properties (original)
+++ webservices/wss4j/trunk/src/main/resources/org/apache/ws/security/errors.properties Fri Jul 22 15:36:33 2011
@@ -98,4 +98,8 @@ noSignResult=No SIGN result in WSS4J res
requiredElementNotSigned=Element {0} is not included in the signature
requiredElementNotProtected=Element {0} is not protected
-invalidKeySize=Invalid keysize
\ No newline at end of file
+invalidKeySize=Invalid keysize
+
+kerberosLoginError=An error occurred in trying to obtain a TGT: {0}
+kerberosServiceTicketError=An error occurred in trying to obtain a service ticket
+kerberosTicketValidationError=An error occured in trying to validate a ticket
\ No newline at end of file
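Review bot: `kerberosTicketValidationError` misspells "occurred" while the two new keys above it spell it correctly: `kerberosTicketValidationError=An error occurred in trying to validate a ticket`. The new entries are otherwise consistent with the existing message style.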
Modified: webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/token/BSTKerberosTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/token/BSTKerberosTest.java?rev=1149634&r1=1149633&r2=1149634&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/token/BSTKerberosTest.java (original)
+++ webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/token/BSTKerberosTest.java Fri Jul 22 15:36:33 2011
@@ -196,7 +196,7 @@ public class BSTKerberosTest extends org
WSSecurityUtil.fetchActionResult(results, WSConstants.BST);
BinarySecurity token =
(BinarySecurity)actionResult.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
- assert token != null;
+ assertTrue(token != null);
assertTrue(AP_REQ.equals(token.getValueType()));
assertTrue(BASE64_NS.equals(token.getEncodingType()));
Added: webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/token/KerberosTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/token/KerberosTest.java?rev=1149634&view=auto
==============================================================================
--- webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/token/KerberosTest.java (added)
+++ webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/token/KerberosTest.java Fri Jul 22 15:36:33 2011
@@ -0,0 +1,128 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ws.security.message.token;
+
+import org.apache.ws.security.KerberosTokenPrincipal;
+import org.apache.ws.security.WSSConfig;
+import org.apache.ws.security.WSSecurityEngine;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.common.SOAPUtil;
+import org.apache.ws.security.message.WSSecHeader;
+import org.apache.ws.security.util.WSSecurityUtil;
+import org.apache.ws.security.validate.KerberosTokenValidator;
+import org.w3c.dom.Document;
+
+import java.security.Principal;
+import java.util.List;
+
+/**
+ * This is a test for a WSS4J client retrieving a service ticket from a KDC, and inserting
+ * it into the security header of a request, to be processed by WSS4J. The tests are @Ignored by
+ * default, as a KDC is needed. To replicate the test scenario, set up a KDC with user principal
+ * "alice" (keytab in "/etc/alice.keytab"), and host service "bob@service" (keytab in "/etc/bob.keytab").
+ * The test can be run with:
+ *
+ * mvn -Djava.security.auth.login.config=src/test/resources/kerberos.jaas -Dtest=KerberosTest
+ *
+ * To see the Kerberos stuff add "-Dsun.security.krb5.debug=true".
+ */
+public class KerberosTest extends org.junit.Assert {
+ private static final org.apache.commons.logging.Log LOG =
+ org.apache.commons.logging.LogFactory.getLog(KerberosTest.class);
+
+ public KerberosTest() throws Exception {
+ WSSConfig.init();
+ }
+
+ /**
+ * Test using the KerberosSecurity class to retrieve a service ticket from a KDC, wrap it
+ * in a BinarySecurityToken, and process it.
+ */
+ @org.junit.Test
+ @org.junit.Ignore
+ public void testKerberosCreationAndProcessing() throws Exception {
+ Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+
+ WSSecHeader secHeader = new WSSecHeader();
+ secHeader.insertSecurityHeader(doc);
+
+ KerberosSecurity bst = new KerberosSecurity(doc);
+ bst.retrieveServiceTicket("alice", null, "bob@service");
+ WSSecurityUtil.prependChildElement(secHeader.getSecurityHeader(), bst.getElement());
+
+ if (LOG.isDebugEnabled()) {
+ String outputString =
+ org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(doc);
+ LOG.debug(outputString);
+ }
+
+ // Configure the Validator
+ WSSConfig wssConfig = WSSConfig.getNewInstance();
+ KerberosTokenValidator validator = new KerberosTokenValidator();
+ validator.setJaasLoginModuleName("bob");
+ validator.setServiceName("bob@service");
+ wssConfig.setValidator(WSSecurityEngine.BINARY_TOKEN, validator);
+ WSSecurityEngine secEngine = new WSSecurityEngine();
+ secEngine.setWssConfig(wssConfig);
+
+ List<WSSecurityEngineResult> results =
+ secEngine.processSecurityHeader(doc, null, null, null);
+ WSSecurityEngineResult actionResult =
+ WSSecurityUtil.fetchActionResult(results, WSConstants.BST);
+ BinarySecurity token =
+ (BinarySecurity)actionResult.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
+ assertTrue(token != null);
+
+ Principal principal = (Principal)actionResult.get(WSSecurityEngineResult.TAG_PRINCIPAL);
+ assertTrue(principal instanceof KerberosTokenPrincipal);
+ assertTrue(principal.getName().contains("alice"));
+ }
+
+ /**
+ * Various unit tests for a kerberos client
+ */
+ @org.junit.Test
+ @org.junit.Ignore
+ public void testKerberosClient() throws Exception {
+ Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+
+ try {
+ KerberosSecurity bst = new KerberosSecurity(doc);
+ bst.retrieveServiceTicket("alice2", null, "bob@service");
+ fail("Failure expected on an unknown user");
+ } catch (WSSecurityException ex) {
+ // expected
+ }
+
+
+ try {
+ KerberosSecurity bst = new KerberosSecurity(doc);
+ bst.retrieveServiceTicket("alice", null, "bob2@service");
+ fail("Failure expected on an unknown user");
+ } catch (WSSecurityException ex) {
+ // expected
+ }
+
+ }
+
+
+}
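Review bot: The second case in testKerberosClient requests a ticket for an unknown service (`bob2@service`) with a known user, yet its failure message is a copy of the first case's: `fail("Failure expected on an unknown service");`. The class-level Javadoc documents the KDC setup well; it would help to add that the `bob` JAAS entry's keytab must hold the key for `bob/service`, since that is the principal the validator authenticates as in testKerberosCreationAndProcessing. `assertTrue(token != null)` reads better as `assertNotNull(token)`.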
Added: webservices/wss4j/trunk/src/test/resources/kerberos.jaas
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/resources/kerberos.jaas?rev=1149634&view=auto
==============================================================================
--- webservices/wss4j/trunk/src/test/resources/kerberos.jaas (added)
+++ webservices/wss4j/trunk/src/test/resources/kerberos.jaas Fri Jul 22 15:36:33 2011
@@ -0,0 +1,8 @@
+
+alice {
+ com.sun.security.auth.module.Krb5LoginModule required refreshKrb5Config=true useKeyTab=true keyTab="/etc/alice.keytab" principal="alice";
+};
+
+bob {
+ com.sun.security.auth.module.Krb5LoginModule required refreshKrb5Config=true useKeyTab=true storeKey=true keyTab="/etc/bob.keytab" principal="bob/service";
+};
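Review bot: The `bob` entry is used only as a GSS acceptor (by KerberosTokenValidator), yet without `isInitiator=false` the JDK Krb5LoginModule also acquires a TGT for `bob/service` on every login, which with the validator logging in per message means a KDC round trip per request; `isInitiator=false` (a Java 6+ Krb5LoginModule option, worth confirming for the targeted JDK) keeps the acceptor-side login local to the keytab, e.g. `com.sun.security.auth.module.Krb5LoginModule required refreshKrb5Config=true useKeyTab=true storeKey=true keyTab="/etc/bob.keytab" principal="bob/service" isInitiator=false;`. A one-line comment at the top of the file stating that the keytab paths are placeholders for the @Ignore'd KerberosTest, and that `alice` is the initiator and `bob` the acceptor, would save the next reader a trip to the test's Javadoc.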