Posted to commits@ws.apache.org by co...@apache.org on 2011/11/25 16:18:40 UTC

svn commit: r1206208 - in /webservices/wss4j/trunk/src: main/java/org/apache/ws/security/spnego/ main/resources/org/apache/ws/security/ test/java/org/apache/ws/security/message/token/

Author: coheigea
Date: Fri Nov 25 15:18:39 2011
New Revision: 1206208

URL: http://svn.apache.org/viewvc?rev=1206208&view=rev
Log:
Added initial support for SPNEGO

Added:
    webservices/wss4j/trunk/src/main/java/org/apache/ws/security/spnego/
    webservices/wss4j/trunk/src/main/java/org/apache/ws/security/spnego/SpnegoClientAction.java
    webservices/wss4j/trunk/src/main/java/org/apache/ws/security/spnego/SpnegoToken.java
Modified:
    webservices/wss4j/trunk/src/main/resources/org/apache/ws/security/errors.properties
    webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/token/KerberosTest.java

Added: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/spnego/SpnegoClientAction.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/spnego/SpnegoClientAction.java?rev=1206208&view=auto
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/spnego/SpnegoClientAction.java (added)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/spnego/SpnegoClientAction.java Fri Nov 25 15:18:39 2011
@@ -0,0 +1,73 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ws.security.spnego;
+
+import java.security.PrivilegedAction;
+
+import org.ietf.jgss.GSSContext;
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.GSSManager;
+import org.ietf.jgss.GSSName;
+import org.ietf.jgss.Oid;
+
+/**
+ * This class represents a PrivilegedAction implementation to obtain a (SPNEGO) service ticket from a 
+ * Kerberos Key Distribution Center.
+ */
+public class SpnegoClientAction implements PrivilegedAction<byte[]> {
+    private static org.apache.commons.logging.Log log =
+        org.apache.commons.logging.LogFactory.getLog(SpnegoClientAction.class);
+    
+    private String serviceName;
+    private GSSContext secContext;
+    
+    public SpnegoClientAction(String serviceName) {
+        this.serviceName = serviceName;
+    }
+    
+    public byte[] run() {
+        try {
+            if (secContext == null) {
+                GSSManager gssManager = GSSManager.getInstance();
+                Oid oid = new Oid("1.3.6.1.5.5.2");
+                
+                GSSName gssService = gssManager.createName(serviceName, GSSName.NT_HOSTBASED_SERVICE);
+                secContext = gssManager.createContext(gssService, oid, null, GSSContext.DEFAULT_LIFETIME);
+                
+                secContext.requestMutualAuth(Boolean.FALSE);
+                secContext.requestCredDeleg(Boolean.FALSE);
+            }
+        
+            byte[] token = new byte[0];
+            return secContext.initSecContext(token, 0, token.length);
+        } catch (GSSException e) {
+            if (log.isDebugEnabled()) {
+                log.debug("Error in obtaining a Kerberos token", e);
+            }
+        }
+
+        return null;
+    }
+    
+    public GSSContext getContext() {
+        return secContext;
+    }
+    
+}
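Review bot: `run()` discards the `GSSException` at L87–L91 — it is logged only at debug level and `null` is returned, so the caller cannot distinguish a missing TGT, an unresolvable service principal or clock skew, and has no cause to attach to the exception it raises. Since `PrivilegedAction.run()` cannot throw a checked exception, keep the failure in a field and expose it (or switch to `PrivilegedExceptionAction<byte[]>` and catch `PrivilegedActionException` around `Subject.doAs`). Separately, `secContext.requestMutualAuth(Boolean.FALSE)` at L81 means the initiator never authenticates the acceptor; if that is deliberate for a one-shot token carried in a BinarySecurityToken, say so where it is set, e.g. `// deliberately one-way: the initiator does not authenticate the acceptor, so a single initSecContext leg establishes the context`, so a later reader does not "fix" it and break the single-leg flow. The `new byte[0]` input token is fine for the first leg, but nothing stops `run()` being invoked a second time on an already established context; a `secContext.isEstablished()` guard would make the intended single-call use explicit.
```java
public class SpnegoClientAction implements PrivilegedAction<byte[]> {
    // … unchanged: log, serviceName, secContext, constructor …
    /** Set when run() returns null because the GSS-API exchange failed. */
    private GSSException failure;

    public byte[] run() {
        try {
            // … unchanged: context creation, requestMutualAuth/requestCredDeleg, initSecContext …
        } catch (GSSException e) {
            failure = e;
            if (log.isDebugEnabled()) {
                log.debug("Error in obtaining a Kerberos token", e);
            }
        }
        return null;
    }

    /** The GSSException that made run() return null, or null if it succeeded. */
    public GSSException getFailure() {
        return failure;
    }
    // … unchanged: getContext …
}
```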

Added: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/spnego/SpnegoToken.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/spnego/SpnegoToken.java?rev=1206208&view=auto
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/spnego/SpnegoToken.java (added)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/spnego/SpnegoToken.java Fri Nov 25 15:18:39 2011
@@ -0,0 +1,143 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ws.security.spnego;
+
+import java.security.Principal;
+import java.util.Set;
+
+import javax.security.auth.Subject;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.login.LoginContext;
+import javax.security.auth.login.LoginException;
+
+import org.apache.ws.security.WSSecurityException;
+import org.ietf.jgss.GSSContext;
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.MessageProp;
+
+/**
+ * SPNEGO Token.
+ */
+public class SpnegoToken {
+    
+    private static final org.apache.commons.logging.Log LOG = 
+        org.apache.commons.logging.LogFactory.getLog(SpnegoToken.class);
+    
+    private GSSContext secContext;
+    private byte[] token;
+
+    /**
+     * Retrieve a service ticket from a KDC using the Kerberos JAAS module, and set it in this
+     * BinarySecurityToken.
+     * @param jaasLoginModuleName the JAAS Login Module name to use
+     * @param callbackHandler a CallbackHandler instance to retrieve a password (optional)
+     * @param serviceName the desired Kerberized service
+     * @throws WSSecurityException
+     */
+    public void retrieveServiceTicket(
+        String jaasLoginModuleName, 
+        CallbackHandler callbackHandler,
+        String serviceName
+    ) throws WSSecurityException {
+        // Get a TGT from the KDC using JAAS
+        LoginContext loginContext = null;
+        try {
+            if (callbackHandler == null) {
+                loginContext = new LoginContext(jaasLoginModuleName);
+            } else {
+                loginContext = new LoginContext(jaasLoginModuleName, callbackHandler);
+            }
+            loginContext.login();
+        } catch (LoginException ex) {
+            if (LOG.isDebugEnabled()) {
+                LOG.debug(ex.getMessage(), ex);
+            }
+            throw new WSSecurityException(
+                WSSecurityException.FAILURE,
+                "kerberosLoginError", 
+                new Object[] {ex.getMessage()}
+            );
+        }
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("Successfully authenticated to the TGT");
+        }
+        
+        Subject clientSubject = loginContext.getSubject();
+        Set<Principal> clientPrincipals = clientSubject.getPrincipals();
+        if (clientPrincipals.isEmpty()) {
+            throw new WSSecurityException(
+                WSSecurityException.FAILURE, 
+                "kerberosLoginError", 
+                new Object[] {"No Client principals found after login"}
+            );
+        }
+        
+        // Get the service ticket
+        SpnegoClientAction action = new SpnegoClientAction(serviceName);
+        token = (byte[])Subject.doAs(clientSubject, action);
+        if (token == null) {
+            throw new WSSecurityException(
+                WSSecurityException.FAILURE, "kerberosServiceTicketError"
+            );
+        }
+        
+        secContext = action.getContext();
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("Successfully retrieved a service ticket");
+        }
+        
+    }
+    
+    /**
+     * Get the SPNEGO token that was created in retrieveServiceTicket().
+     */
+    public byte[] getToken() {
+        return token;
+    }
+    
+    /**
+     * Unwrap a key
+     */
+    public byte[] unwrapKey(byte[] secret) throws WSSecurityException {
+        MessageProp mProp = new MessageProp(0, true);
+        try {
+            return secContext.unwrap(secret, 0, secret.length, mProp);
+        } catch (GSSException e) {
+            if (LOG.isDebugEnabled()) {
+                LOG.debug("Error in cleaning up a GSS context", e);
+            }
+            throw new WSSecurityException(
+                WSSecurityException.FAILURE, "spnegoKeyError"
+            );
+        }
+    }
+    
+    public void clear() {
+        token = null;
+        try {
+            secContext.dispose();
+        } catch (GSSException e) {
+            if (LOG.isDebugEnabled()) {
+                LOG.debug("Error in cleaning up a GSS context", e);
+            }
+        }
+    }
+    
+}
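Review bot: `unwrapKey` never verifies that confidentiality was actually applied to `secret` — `new MessageProp(0, true)` at L226 only seeds the object, and on return from `unwrap` the `MessageProp` reports what the peer really did, so a key that arrived integrity-protected but in cleartext is accepted silently; check `mProp.getPrivacy()` after the unwrap and reject otherwise. The catch at L229–L236 logs a copy-pasted message (`"Error in cleaning up a GSS context"`) and the thrown `WSSecurityException` drops the `GSSException` cause, which makes KDC/GSS failures very hard to diagnose from the caller's side. Both `unwrapKey` and `clear()` dereference `secContext` without a null check, so calling either before `retrieveServiceTicket()` is an NPE; `clear()` can guard with `if (secContext != null) { secContext.dispose(); }`. The Javadoc at L154–L155 also says the ticket is set "in this BinarySecurityToken", which this class is not; `and keep the resulting token and GSSContext in this SpnegoToken` matches what the code does.
```java
    public byte[] unwrapKey(byte[] secret) throws WSSecurityException {
        // the context is only usable once the single initSecContext leg has completed
        if (secContext == null || !secContext.isEstablished()) {
            throw new WSSecurityException(WSSecurityException.FAILURE, "spnegoKeyError");
        }
        MessageProp mProp = new MessageProp(0, true);
        try {
            byte[] key = secContext.unwrap(secret, 0, secret.length, mProp);
            // mProp is an OUT parameter here: refuse a key the peer sent without confidentiality
            if (!mProp.getPrivacy()) {
                throw new WSSecurityException(WSSecurityException.FAILURE, "spnegoKeyError");
            }
            return key;
        } catch (GSSException e) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Error in unwrapping a SPNEGO key", e);
            }
            throw new WSSecurityException(
                WSSecurityException.FAILURE, "spnegoKeyError", null, e
            );
        }
    }
```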

Modified: webservices/wss4j/trunk/src/main/resources/org/apache/ws/security/errors.properties
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/resources/org/apache/ws/security/errors.properties?rev=1206208&r1=1206207&r2=1206208&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/resources/org/apache/ws/security/errors.properties (original)
+++ webservices/wss4j/trunk/src/main/resources/org/apache/ws/security/errors.properties Fri Nov 25 15:18:39 2011
@@ -102,4 +102,5 @@ invalidKeySize=Invalid keysize
 
 kerberosLoginError=An error occurred in trying to obtain a TGT: {0}
 kerberosServiceTicketError=An error occurred in trying to obtain a service ticket
-kerberosTicketValidationError=An error occured in trying to validate a ticket
\ No newline at end of file
+kerberosTicketValidationError=An error occurred in trying to validate a ticket
+spnegoKeyError=An error occurred in trying to unwrap a SPNEGO key
\ No newline at end of file

Modified: webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/token/KerberosTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/token/KerberosTest.java?rev=1206208&r1=1206207&r2=1206208&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/token/KerberosTest.java (original)
+++ webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/token/KerberosTest.java Fri Nov 25 15:18:39 2011
@@ -28,6 +28,7 @@ import org.apache.ws.security.common.SOA
 import org.apache.ws.security.message.WSSecEncrypt;
 import org.apache.ws.security.message.WSSecHeader;
 import org.apache.ws.security.message.WSSecSignature;
+import org.apache.ws.security.spnego.SpnegoToken;
 import org.apache.ws.security.util.Base64;
 import org.apache.ws.security.util.WSSecurityUtil;
 // import org.apache.ws.security.validate.KerberosTokenDecoderImpl;
@@ -106,6 +107,22 @@ public class KerberosTest extends org.ju
     }
     
     /**
+     * Get a SPNEGO token.
+     */
+    @org.junit.Test
+    @org.junit.Ignore
+    public void testSpnego() throws Exception {
+        Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+
+        WSSecHeader secHeader = new WSSecHeader();
+        secHeader.insertSecurityHeader(doc);
+        
+        SpnegoToken spnegoToken = new SpnegoToken();
+        spnegoToken.retrieveServiceTicket("alice", null, "bob@service.ws.apache.org");
+        assertNotNull(spnegoToken.getToken());
+    }
+    
+    /**
      * Various unit tests for a kerberos client
      */
     @org.junit.Test
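Review bot: `doc` and `secHeader` in `testSpnego` (L289–L292) are built and never used — the SPNEGO token is never inserted into the security header — so the test only proves that `retrieveServiceTicket` returns a non-null token; either drop the two statements or finish the test by adding the token to the header and asserting on the result. `@org.junit.Ignore` at L287 gives no reason; presumably the test needs a live KDC with a JAAS entry named `alice` and a `bob@service.ws.apache.org` principal, so `@org.junit.Ignore("requires a running KDC with the alice/bob principals")` would tell the next person why it is skipped rather than looking like a forgotten toggle. The JAAS module name and service principal are hard-coded in the call; if the surrounding Kerberos tests (outside this hunk) share such constants, reuse them so a KDC setup change is made in one place.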