Posted to commits@directory.apache.org by co...@apache.org on 2015/04/30 12:46:08 UTC
directory-kerby git commit: [DIRKRB-232] - Adding in service
validation
Repository: directory-kerby
Updated Branches:
refs/heads/master 916591dc9 -> 588153ebd
[DIRKRB-232] - Adding in service validation
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/588153eb
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/588153eb
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/588153eb
Branch: refs/heads/master
Commit: 588153ebd7bdc894d13edca8f65889c575734bf0
Parents: 916591d
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Thu Apr 30 11:45:49 2015 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Thu Apr 30 11:45:49 2015 +0100
----------------------------------------------------------------------
.../kerberos/kerb/server/GSSInteropTest.java | 69 ++++++++++++++++++++
.../src/test/resources/kerberos.jaas | 3 +
2 files changed, 72 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/588153eb/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/GSSInteropTest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/GSSInteropTest.java b/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/GSSInteropTest.java
index 8071cfe..47a5368 100644
--- a/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/GSSInteropTest.java
+++ b/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/GSSInteropTest.java
@@ -66,6 +66,13 @@ public class GSSInteropTest extends KdcTest {
serverPrincipal = "test-service/localhost@" + kdcRealm;
}
+ @Override
+ protected void createPrincipals() {
+ kdcServer.createTgsPrincipal();
+ kdcServer.createPrincipal(serverPrincipal, TEST_PASSWORD);
+ kdcServer.createPrincipal(clientPrincipal, TEST_PASSWORD);
+ }
+
@Before
@Override
public void setUp() throws Exception {
@@ -126,6 +133,28 @@ public class GSSInteropTest extends KdcTest {
byte[] kerberosToken = (byte[]) Subject.doAs(clientSubject, action);
Assert.assertNotNull(kerberosToken);
+
+ loginContext.logout();
+
+ validateServiceTicket(kerberosToken);
+
+ kdcServer.stop();
+ }
+
+ private void validateServiceTicket(byte[] ticket) throws Exception {
+ // Get the TGT for the service
+ LoginContext loginContext = new LoginContext("test-service", new KerberosCallbackHandler());
+ loginContext.login();
+
+ Subject serviceSubject = loginContext.getSubject();
+ Set<Principal> servicePrincipals = serviceSubject.getPrincipals();
+ Assert.assertFalse(servicePrincipals.isEmpty());
+
+ // Handle the service ticket
+ KerberosServiceExceptionAction serviceAction =
+ new KerberosServiceExceptionAction(ticket, "test-service@TEST.COM");
+
+ Subject.doAs(serviceSubject, serviceAction);
}
private static class KerberosCallbackHandler implements CallbackHandler {
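Review bot: Cleanup in the new code only runs on the success path. `kdcServer.stop()` is skipped if `validateServiceTicket` or an earlier assertion throws, and the service `LoginContext` created in `validateServiceTicket` is never logged out, so the service Subject keeps its credentials after the test. I would wrap the call as `try { Subject.doAs(serviceSubject, serviceAction); } finally { loginContext.logout(); }` and move the KDC shutdown into a teardown method or a `finally`, if the base class does not already provide one. Separately, `"test-service@TEST.COM"` is later passed to `createName(..., GSSName.NT_HOSTBASED_SERVICE)`, where the part after `@` is read as a host rather than a realm. It is worth confirming that this resolves to `serverPrincipal` (`test-service/localhost@` + kdcRealm); `"test-service@localhost"` looks like the intended value. The test method this hunk extends begins outside the hunk.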
@@ -138,6 +167,9 @@ public class GSSInteropTest extends KdcTest {
if (pc.getPrompt().contains("drankye")) {
pc.setPassword(TEST_PASSWORD.toCharArray());
break;
+ } else if (pc.getPrompt().contains("test-service")) {
+ pc.setPassword(TEST_PASSWORD.toCharArray());
+ break;
}
}
}
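Review bot: The added `else if` branch repeats the body of the `drankye` branch, and both choose the password by substring-matching the prompt text, which comes from the login module rather than from this test. Reading the prompt once with `String prompt = pc.getPrompt();` and testing `if (prompt.contains("drankye") || prompt.contains("test-service"))` would remove the duplication. A one-line comment such as `// all test principals share TEST_PASSWORD` would explain why the two cases are handled identically. The handler method starts outside the hunk.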
@@ -189,4 +221,41 @@ public class GSSInteropTest extends KdcTest {
}
}
}
+
+ private static class KerberosServiceExceptionAction implements PrivilegedExceptionAction<byte[]> {
+
+ private static final String JGSS_KERBEROS_TICKET_OID = "1.2.840.113554.1.2.2";
+
+ private byte[] ticket;
+ private String serviceName;
+
+ public KerberosServiceExceptionAction(byte[] ticket, String serviceName) {
+ this.ticket = ticket;
+ this.serviceName = serviceName;
+ }
+
+ public byte[] run() throws GSSException {
+
+ GSSManager gssManager = GSSManager.getInstance();
+
+ GSSContext secContext = null;
+ GSSName gssService = gssManager.createName(serviceName, GSSName.NT_HOSTBASED_SERVICE);
+
+ Oid oid = new Oid(JGSS_KERBEROS_TICKET_OID);
+ GSSCredential credentials =
+ gssManager.createCredential(
+ gssService, GSSCredential.DEFAULT_LIFETIME, oid, GSSCredential.ACCEPT_ONLY
+ );
+ secContext = gssManager.createContext(credentials);
+
+ try {
+ return secContext.acceptSecContext(ticket, 0, ticket.length);
+ } finally {
+ if (null != secContext) {
+ secContext.dispose();
+ }
+ }
+ }
+
+ }
}
\ No newline at end of file
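Review bot: `run()` returns whatever `acceptSecContext` produces and disposes the context without checking what was accepted, so the test only proves the call did not throw. Before the `finally`, I would assert `secContext.isEstablished()` and compare `secContext.getSrcName()` with the expected client principal, passed in through the constructor. Otherwise a ticket issued to a different initiator would pass this "validation" just as well. The `GSSCredential` from `createCredential` is never released, so a `credentials.dispose()` in the same `finally` would match the handling of the context. Smaller points: `ticket` and `serviceName` can be `final`, and the `null != secContext` guard is always true because the `try` starts after the assignment.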
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/588153eb/kerby-kerb/kerb-kdc-test/src/test/resources/kerberos.jaas
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-kdc-test/src/test/resources/kerberos.jaas b/kerby-kerb/kerb-kdc-test/src/test/resources/kerberos.jaas
index e7ebb83..9bcdd0c 100644
--- a/kerby-kerb/kerb-kdc-test/src/test/resources/kerberos.jaas
+++ b/kerby-kerb/kerb-kdc-test/src/test/resources/kerberos.jaas
@@ -3,3 +3,6 @@ drankye {
com.sun.security.auth.module.Krb5LoginModule required refreshKrb5Config=true useKeyTab=false principal="drankye";
};
+test-service {
+ com.sun.security.auth.module.Krb5LoginModule required refreshKrb5Config=true useKeyTab=false storeKey=true principal="test-service/localhost";
+};