cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From serg...@apache.org
Subject svn commit: r1364437 - in /cxf/trunk: rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/ rt/transports/http/src/main/java/org/apache/cxf/transport/http/auth/ systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/
Date Sun, 22 Jul 2012 21:42:11 GMT
Author: sergeyb
Date: Sun Jul 22 21:42:11 2012
New Revision: 1364437

URL: http://svn.apache.org/viewvc?rev=1364437&view=rev
Log:
Minor to updates for Kerberos filters to work with keytabs

Modified:
    cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/KerberosAuthenticationFilter.java
    cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/http/auth/AbstractSpnegoAuthSupplier.java
    cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/BookKerberosServer.java
    cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/JAXRSKerberosBookTest.java
    cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/kerberos.cfg

Modified: cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/KerberosAuthenticationFilter.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/KerberosAuthenticationFilter.java?rev=1364437&r1=1364436&r2=1364437&view=diff
==============================================================================
--- cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/KerberosAuthenticationFilter.java
(original)
+++ cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/KerberosAuthenticationFilter.java
Sun Jul 22 21:42:11 2012
@@ -144,16 +144,13 @@ public class KerberosAuthenticationFilte
         
         // The login without a callback can work if
         // - Kerberos keytabs are used with a principal name set in the JAAS config
-        // - TGT cache is available and either a principalName is set in the JAAS config
-        //   or Kerberos is integrated into the OS logon process
+        // - Kerberos is integrated into the OS logon process
         //   meaning that a process which runs this code has the
         //   user identity  
         
         LoginContext lc = null;
-        if (callbackHandler != null || loginConfig != null) {
+        if (!StringUtils.isEmpty(loginContextName) || loginConfig != null) {
             lc = new LoginContext(loginContextName, null, callbackHandler, loginConfig);
-        } else if (!StringUtils.isEmpty(loginContextName)) {
-            lc = new LoginContext(loginContextName);
         } else {
             LOG.fine("LoginContext can not be initialized");
             throw new LoginException();

Modified: cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/http/auth/AbstractSpnegoAuthSupplier.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/http/auth/AbstractSpnegoAuthSupplier.java?rev=1364437&r1=1364436&r2=1364437&view=diff
==============================================================================
--- cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/http/auth/AbstractSpnegoAuthSupplier.java
(original)
+++ cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/http/auth/AbstractSpnegoAuthSupplier.java
Sun Jul 22 21:42:11 2012
@@ -96,15 +96,20 @@ public abstract class AbstractSpnegoAuth
     private byte[] getToken(AuthorizationPolicy authPolicy,
                             final GSSContext context) throws GSSException,
         LoginException {
-        final byte[] token = new byte[0];
-
-        if (authPolicy == null || StringUtils.isEmpty(authPolicy.getUserName())) {
-            return context.initSecContext(token, 0, token.length);
-        }
+        
         String contextName = authPolicy.getAuthorization();
         if (contextName == null) {
             contextName = "";
         }
+        
+        final byte[] token = new byte[0];
+
+        if (authPolicy == null 
+            || (StringUtils.isEmpty(authPolicy.getUserName())
+                && StringUtils.isEmpty(contextName) && loginConfig == null))
{
+            return context.initSecContext(token, 0, token.length);
+        }
+        
         CallbackHandler callbackHandler = getUsernamePasswordHandler(
             authPolicy.getUserName(), authPolicy.getPassword());
         LoginContext lc = new LoginContext(contextName, null, callbackHandler, loginConfig);
@@ -193,7 +198,11 @@ public abstract class AbstractSpnegoAuth
     }
     
     public CallbackHandler getUsernamePasswordHandler(final String username, final String
password) {
-        return new NamePasswordCallbackHandler(username, password);
+        if (StringUtils.isEmpty(username)) {
+            return null;
+        } else {
+            return new NamePasswordCallbackHandler(username, password);
+        }
     }
 
     public void setCredDelegation(boolean delegation) {

Modified: cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/BookKerberosServer.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/BookKerberosServer.java?rev=1364437&r1=1364436&r2=1364437&view=diff
==============================================================================
--- cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/BookKerberosServer.java
(original)
+++ cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/BookKerberosServer.java
Sun Jul 22 21:42:11 2012
@@ -42,6 +42,8 @@ public class BookKerberosServer extends 
         KerberosAuthenticationFilter filter = new KerberosAuthenticationFilter();
         filter.setLoginContextName("KerberosServer");
         filter.setCallbackHandler(getCallbackHandler("HTTP/localhost", "http"));
+        //filter.setLoginContextName("KerberosServerKeyTab");
+        //filter.setServicePrincipalName("HTTP/ktab");
         sf.setProvider(filter);
         sf.setAddress("http://localhost:" + PORT + "/");
       

Modified: cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/JAXRSKerberosBookTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/JAXRSKerberosBookTest.java?rev=1364437&r1=1364436&r2=1364437&view=diff
==============================================================================
--- cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/JAXRSKerberosBookTest.java
(original)
+++ cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/JAXRSKerberosBookTest.java
Sun Jul 22 21:42:11 2012
@@ -90,4 +90,48 @@ public class JAXRSKerberosBookTest exten
         Book b = wc.get(Book.class);
         assertEquals(b.getId(), 123);
     }
+    
+    @Test
+    @Ignore
+    public void testGetBookWithInterceptorAndKeyTab() throws Exception {
+        WebClient wc = WebClient.create("http://localhost:" + PORT + "/bookstore/books/123");
+        
+        KerberosAuthOutInterceptor kbInterceptor = new KerberosAuthOutInterceptor();
+        
+        AuthorizationPolicy policy = new AuthorizationPolicy();
+        policy.setAuthorizationType(HttpAuthHeader.AUTH_TYPE_NEGOTIATE);
+        policy.setAuthorization("KerberosClientKeyTab");
+        
+        kbInterceptor.setPolicy(policy);
+        kbInterceptor.setCredDelegation(true);
+        
+        WebClient.getConfig(wc).getOutInterceptors().add(new LoggingOutInterceptor());
+        WebClient.getConfig(wc).getOutInterceptors().add(kbInterceptor);
+        
+        Book b = wc.get(Book.class);
+        assertEquals(b.getId(), 123);
+    }
+    
+    @Test
+    @Ignore
+    public void testGetBookWithInterceptorServiceKeyTab() throws Exception {
+        WebClient wc = WebClient.create("http://localhost:" + PORT + "/bookstore/books/123");
+        
+        KerberosAuthOutInterceptor kbInterceptor = new KerberosAuthOutInterceptor();
+        
+        AuthorizationPolicy policy = new AuthorizationPolicy();
+        policy.setAuthorizationType(HttpAuthHeader.AUTH_TYPE_NEGOTIATE);
+        policy.setAuthorization("KerberosClient");
+        policy.setUserName("alice");
+        policy.setPassword("alice");
+        
+        kbInterceptor.setPolicy(policy);
+        kbInterceptor.setServicePrincipalName("HTTP/ktab");
+        
+        WebClient.getConfig(wc).getOutInterceptors().add(new LoggingOutInterceptor());
+        WebClient.getConfig(wc).getOutInterceptors().add(kbInterceptor);
+        
+        Book b = wc.get(Book.class);
+        assertEquals(b.getId(), 123);
+    }
 }

Modified: cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/kerberos.cfg
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/kerberos.cfg?rev=1364437&r1=1364436&r2=1364437&view=diff
==============================================================================
--- cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/kerberos.cfg
(original)
+++ cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/kerberos.cfg
Sun Jul 22 21:42:11 2012
@@ -1,6 +1,22 @@
 KerberosClient {
     com.sun.security.auth.module.Krb5LoginModule required client=TRUE;
 };
+KerberosClientKeyTab {
+    com.sun.security.auth.module.Krb5LoginModule required
+    client=TRUE
+    refreshKrb5Config=true
+    useKeyTab=true
+    keyTab="/etc/bob.keytab"
+    principal="bob";
+};
 KerberosServer {
     com.sun.security.auth.module.Krb5LoginModule required storeKey=true;
 };
+KerberosServerKeyTab {
+    com.sun.security.auth.module.Krb5LoginModule required
+    storeKey=true
+    refreshKrb5Config=true
+    useKeyTab=true
+    keyTab="/etc/http.keytab"
+    principal="HTTP/ktab";
+};



Mime
View raw message