Posted to commits@cxf.apache.org by se...@apache.org on 2012/07/22 23:42:11 UTC
svn commit: r1364437 - in /cxf/trunk:
rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/
rt/transports/http/src/main/java/org/apache/cxf/transport/http/auth/
systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/
Author: sergeyb
Date: Sun Jul 22 21:42:11 2012
New Revision: 1364437
URL: http://svn.apache.org/viewvc?rev=1364437&view=rev
Log:
Minor updates for Kerberos filters to work with keytabs
Modified:
cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/KerberosAuthenticationFilter.java
cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/http/auth/AbstractSpnegoAuthSupplier.java
cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/BookKerberosServer.java
cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/JAXRSKerberosBookTest.java
cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/kerberos.cfg
Modified: cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/KerberosAuthenticationFilter.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/KerberosAuthenticationFilter.java?rev=1364437&r1=1364436&r2=1364437&view=diff
==============================================================================
--- cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/KerberosAuthenticationFilter.java (original)
+++ cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/KerberosAuthenticationFilter.java Sun Jul 22 21:42:11 2012
@@ -144,16 +144,13 @@ public class KerberosAuthenticationFilte
// The login without a callback can work if
// - Kerberos keytabs are used with a principal name set in the JAAS config
- // - TGT cache is available and either a principalName is set in the JAAS config
- // or Kerberos is integrated into the OS logon process
+ // - Kerberos is integrated into the OS logon process
// meaning that a process which runs this code has the
// user identity
LoginContext lc = null;
- if (callbackHandler != null || loginConfig != null) {
+ if (!StringUtils.isEmpty(loginContextName) || loginConfig != null) {
lc = new LoginContext(loginContextName, null, callbackHandler, loginConfig);
- } else if (!StringUtils.isEmpty(loginContextName)) {
- lc = new LoginContext(loginContextName);
} else {
LOG.fine("LoginContext can not be initialized");
throw new LoginException();
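Review bot: The `else` branch at the end of this hunk throws `new LoginException()` with no message and logs only at FINE, and with the new condition it is also reached when a callbackHandler is set but neither loginContextName nor loginConfig is. A filter configured that way used to get as far as the LoginContext constructor and now fails without a diagnostic. I would give the exception a message, e.g. `throw new LoginException("No JAAS login context name or Configuration is set");`, and log it at WARNING so an authentication misconfiguration shows up in the default logs. When only loginConfig is set, loginContextName can still be null or empty when it reaches the constructor on the `+` line, which is worth confirming as intended. The enclosing method starts and ends outside the hunk.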
Modified: cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/http/auth/AbstractSpnegoAuthSupplier.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/http/auth/AbstractSpnegoAuthSupplier.java?rev=1364437&r1=1364436&r2=1364437&view=diff
==============================================================================
--- cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/http/auth/AbstractSpnegoAuthSupplier.java (original)
+++ cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/http/auth/AbstractSpnegoAuthSupplier.java Sun Jul 22 21:42:11 2012
@@ -96,15 +96,20 @@ public abstract class AbstractSpnegoAuth
private byte[] getToken(AuthorizationPolicy authPolicy,
final GSSContext context) throws GSSException,
LoginException {
- final byte[] token = new byte[0];
-
- if (authPolicy == null || StringUtils.isEmpty(authPolicy.getUserName())) {
- return context.initSecContext(token, 0, token.length);
- }
+
String contextName = authPolicy.getAuthorization();
if (contextName == null) {
contextName = "";
}
+
+ final byte[] token = new byte[0];
+
+ if (authPolicy == null
+ || (StringUtils.isEmpty(authPolicy.getUserName())
+ && StringUtils.isEmpty(contextName) && loginConfig == null)) {
+ return context.initSecContext(token, 0, token.length);
+ }
+
CallbackHandler callbackHandler = getUsernamePasswordHandler(
authPolicy.getUserName(), authPolicy.getPassword());
LoginContext lc = new LoginContext(contextName, null, callbackHandler, loginConfig);
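Review bot: `authPolicy.getAuthorization()` is now called before the `authPolicy == null` test, so a null policy throws a NullPointerException at the `String contextName` line and the null half of the new condition can never be true. Before this change the null check ran first and fell through to `context.initSecContext(...)`. Reading the context name null-safely keeps the old behaviour: `String contextName = authPolicy == null ? null : authPolicy.getAuthorization();`. The rest of getToken lies outside the hunk.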
@@ -193,7 +198,11 @@ public abstract class AbstractSpnegoAuth
}
public CallbackHandler getUsernamePasswordHandler(final String username, final String password) {
- return new NamePasswordCallbackHandler(username, password);
+ if (StringUtils.isEmpty(username)) {
+ return null;
+ } else {
+ return new NamePasswordCallbackHandler(username, password);
+ }
}
public void setCredDelegation(boolean delegation) {
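Review bot: getUsernamePasswordHandler is public and can now return null, but nothing on the method says so. Subclasses that override it, or callers other than getToken, have no way to know that null means "no handler, rely on the JAAS configuration". I would add a Javadoc line such as `@return a handler for the given credentials, or null when no user name is set, in which case the login relies on the JAAS configuration alone (for example a keytab)`. The `else` after `return null;` is also redundant.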
Modified: cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/BookKerberosServer.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/BookKerberosServer.java?rev=1364437&r1=1364436&r2=1364437&view=diff
==============================================================================
--- cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/BookKerberosServer.java (original)
+++ cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/BookKerberosServer.java Sun Jul 22 21:42:11 2012
@@ -42,6 +42,8 @@ public class BookKerberosServer extends
KerberosAuthenticationFilter filter = new KerberosAuthenticationFilter();
filter.setLoginContextName("KerberosServer");
filter.setCallbackHandler(getCallbackHandler("HTTP/localhost", "http"));
+ //filter.setLoginContextName("KerberosServerKeyTab");
+ //filter.setServicePrincipalName("HTTP/ktab");
sf.setProvider(filter);
sf.setAddress("http://localhost:" + PORT + "/");
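Review bot: The two added lines are commented-out code with no explanation of when to enable them. If they are meant as a manual switch to the keytab configuration, say so above them, e.g. `// To test with a keytab, use the KerberosServerKeyTab entry from kerberos.cfg instead:`. Otherwise a later reader cannot tell whether this is dead code or a supported alternative setup.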
Modified: cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/JAXRSKerberosBookTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/JAXRSKerberosBookTest.java?rev=1364437&r1=1364436&r2=1364437&view=diff
==============================================================================
--- cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/JAXRSKerberosBookTest.java (original)
+++ cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/JAXRSKerberosBookTest.java Sun Jul 22 21:42:11 2012
@@ -90,4 +90,48 @@ public class JAXRSKerberosBookTest exten
Book b = wc.get(Book.class);
assertEquals(b.getId(), 123);
}
+
+ @Test
+ @Ignore
+ public void testGetBookWithInterceptorAndKeyTab() throws Exception {
+ WebClient wc = WebClient.create("http://localhost:" + PORT + "/bookstore/books/123");
+
+ KerberosAuthOutInterceptor kbInterceptor = new KerberosAuthOutInterceptor();
+
+ AuthorizationPolicy policy = new AuthorizationPolicy();
+ policy.setAuthorizationType(HttpAuthHeader.AUTH_TYPE_NEGOTIATE);
+ policy.setAuthorization("KerberosClientKeyTab");
+
+ kbInterceptor.setPolicy(policy);
+ kbInterceptor.setCredDelegation(true);
+
+ WebClient.getConfig(wc).getOutInterceptors().add(new LoggingOutInterceptor());
+ WebClient.getConfig(wc).getOutInterceptors().add(kbInterceptor);
+
+ Book b = wc.get(Book.class);
+ assertEquals(b.getId(), 123);
+ }
+
+ @Test
+ @Ignore
+ public void testGetBookWithInterceptorServiceKeyTab() throws Exception {
+ WebClient wc = WebClient.create("http://localhost:" + PORT + "/bookstore/books/123");
+
+ KerberosAuthOutInterceptor kbInterceptor = new KerberosAuthOutInterceptor();
+
+ AuthorizationPolicy policy = new AuthorizationPolicy();
+ policy.setAuthorizationType(HttpAuthHeader.AUTH_TYPE_NEGOTIATE);
+ policy.setAuthorization("KerberosClient");
+ policy.setUserName("alice");
+ policy.setPassword("alice");
+
+ kbInterceptor.setPolicy(policy);
+ kbInterceptor.setServicePrincipalName("HTTP/ktab");
+
+ WebClient.getConfig(wc).getOutInterceptors().add(new LoggingOutInterceptor());
+ WebClient.getConfig(wc).getOutInterceptors().add(kbInterceptor);
+
+ Book b = wc.get(Book.class);
+ assertEquals(b.getId(), 123);
+ }
}
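Review bot: Both new tests are annotated with a bare `@Ignore`, so the test report gives no reason why they are skipped or what is needed to run them. Judging by the kerberos.cfg change in this commit, they appear to need a reachable KDC and keytab files on the local machine. State that in the annotation, e.g. `@Ignore("Requires a KDC and the keytabs referenced in kerberos.cfg")`. The `assertEquals(b.getId(), 123)` calls also pass the actual value first, so a failure message would swap expected and actual; `assertEquals(123, b.getId())` reads correctly.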
Modified: cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/kerberos.cfg
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/kerberos.cfg?rev=1364437&r1=1364436&r2=1364437&view=diff
==============================================================================
--- cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/kerberos.cfg (original)
+++ cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/kerberos.cfg Sun Jul 22 21:42:11 2012
@@ -1,6 +1,22 @@
KerberosClient {
com.sun.security.auth.module.Krb5LoginModule required client=TRUE;
};
+KerberosClientKeyTab {
+ com.sun.security.auth.module.Krb5LoginModule required
+ client=TRUE
+ refreshKrb5Config=true
+ useKeyTab=true
+ keyTab="/etc/bob.keytab"
+ principal="bob";
+};
KerberosServer {
com.sun.security.auth.module.Krb5LoginModule required storeKey=true;
};
+KerberosServerKeyTab {
+ com.sun.security.auth.module.Krb5LoginModule required
+ storeKey=true
+ refreshKrb5Config=true
+ useKeyTab=true
+ keyTab="/etc/http.keytab"
+ principal="HTTP/ktab";
+};
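Review bot: The new KerberosClientKeyTab and KerberosServerKeyTab entries hard-code absolute keytab paths (`/etc/bob.keytab`, `/etc/http.keytab`), so they only work on a machine where those files were placed by hand. A keytab holds a principal's long-term key, so anyone copying this entry should keep the file readable only by the account running the process. I would add a comment above each entry saying the keytab must be created separately and is not part of the source tree. Adding `doNotPrompt=true` would also make a missing keytab fail at once instead of falling back to a callback prompt.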