From cohei...@apache.org
Subject [1/2] cxf-fediz git commit: Adding a new systests module for kerberos testing using an Apache DS KDC
Date Mon, 09 Mar 2015 15:06:14 GMT
Repository: cxf-fediz
Updated Branches:
  refs/heads/master 31101469a -> e3931b19e


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/e3931b19/systests/tomcat7/src/test/java/org/apache/cxf/fediz/integrationtests/KerberosTest.java
----------------------------------------------------------------------
diff --git a/systests/tomcat7/src/test/java/org/apache/cxf/fediz/integrationtests/KerberosTest.java
b/systests/tomcat7/src/test/java/org/apache/cxf/fediz/integrationtests/KerberosTest.java
deleted file mode 100644
index 46e2149..0000000
--- a/systests/tomcat7/src/test/java/org/apache/cxf/fediz/integrationtests/KerberosTest.java
+++ /dev/null
@@ -1,344 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.fediz.integrationtests;
-
-
-import java.io.File;
-
-
-
-
-
-
-
-import java.security.PrivilegedExceptionAction;
-
-import javax.security.auth.Subject;
-import javax.security.auth.login.LoginContext;
-
-import com.gargoylesoftware.htmlunit.WebClient;
-import com.gargoylesoftware.htmlunit.html.HtmlForm;
-import com.gargoylesoftware.htmlunit.html.HtmlPage;
-import com.gargoylesoftware.htmlunit.html.HtmlSubmitInput;
-
-import org.apache.catalina.Context;
-import org.apache.catalina.LifecycleState;
-import org.apache.catalina.connector.Connector;
-import org.apache.catalina.startup.Tomcat;
-import org.apache.cxf.fediz.core.ClaimTypes;
-import org.apache.cxf.fediz.tomcat.FederationAuthenticator;
-import org.apache.xml.security.utils.Base64;
-import org.ietf.jgss.GSSContext;
-import org.ietf.jgss.GSSException;
-import org.ietf.jgss.GSSManager;
-import org.ietf.jgss.GSSName;
-import org.ietf.jgss.Oid;
-import org.junit.AfterClass;
-import org.junit.Assert;
-import org.junit.BeforeClass;
-
-/**
- * A test that sends a Kerberos ticket to the IdP for authentication. The IdP must be configured
- * to validate the Kerberos ticket, and in turn get a delegation token to authenticate to
the
- * STS + retrieve claims etc.
- */
-@org.junit.Ignore
-public class KerberosTest {
-
-    static String idpHttpsPort;
-    static String rpHttpsPort;
-    
-    private static Tomcat idpServer;
-    private static Tomcat rpServer;
-    
-    @BeforeClass
-    public static void init() {
-        System.setProperty("org.apache.commons.logging.Log", "org.apache.commons.logging.impl.SimpleLog");
-        System.setProperty("org.apache.commons.logging.simplelog.showdatetime", "true");
-        System.setProperty("org.apache.commons.logging.simplelog.log.httpclient.wire", "info");
-        System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.commons.httpclient",
"info");
-        System.setProperty("org.apache.commons.logging.simplelog.log.org.springframework.webflow",
"info");
-        System.setProperty("org.apache.commons.logging.simplelog.log.org.springframework.security.web",
"info");
-        System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.cxf.fediz",
"info");
-        System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.cxf", "info");
 
-        
-        idpHttpsPort = System.getProperty("idp.https.port");
-        Assert.assertNotNull("Property 'idp.https.port' null", idpHttpsPort);
-        rpHttpsPort = System.getProperty("rp.https.port");
-        Assert.assertNotNull("Property 'rp.https.port' null", rpHttpsPort);
-
-        initIdp();
-        initRp();
-    }
-    
-    private static void initIdp() {
-        try {
-            idpServer = new Tomcat();
-            idpServer.setPort(0);
-            String currentDir = new File(".").getCanonicalPath();
-            idpServer.setBaseDir(currentDir + File.separator + "target");
-            
-            idpServer.getHost().setAppBase("tomcat/idp/webapps");
-            idpServer.getHost().setAutoDeploy(true);
-            idpServer.getHost().setDeployOnStartup(true);
-            
-            Connector httpsConnector = new Connector();
-            httpsConnector.setPort(Integer.parseInt(idpHttpsPort));
-            httpsConnector.setSecure(true);
-            httpsConnector.setScheme("https");
-            //httpsConnector.setAttribute("keyAlias", keyAlias);
-            httpsConnector.setAttribute("keystorePass", "tompass");
-            httpsConnector.setAttribute("keystoreFile", "test-classes/server.jks");
-            httpsConnector.setAttribute("truststorePass", "tompass");
-            httpsConnector.setAttribute("truststoreFile", "test-classes/server.jks");
-            httpsConnector.setAttribute("clientAuth", "want");
-            // httpsConnector.setAttribute("clientAuth", "false");
-            httpsConnector.setAttribute("sslProtocol", "TLS");
-            httpsConnector.setAttribute("SSLEnabled", true);
-
-            idpServer.getService().addConnector(httpsConnector);
-            
-            idpServer.addWebapp("/fediz-idp-sts", "fediz-idp-sts");
-            idpServer.addWebapp("/fediz-idp", "fediz-idp");
-            
-            idpServer.start();
-        } catch (Exception e) {
-            e.printStackTrace();
-        }
-    }
-    
-    private static void initRp() {
-        try {
-            rpServer = new Tomcat();
-            rpServer.setPort(0);
-            String currentDir = new File(".").getCanonicalPath();
-            rpServer.setBaseDir(currentDir + File.separator + "target");
-            
-            rpServer.getHost().setAppBase("tomcat/rp/webapps");
-            rpServer.getHost().setAutoDeploy(true);
-            rpServer.getHost().setDeployOnStartup(true);
-            
-            Connector httpsConnector = new Connector();
-            httpsConnector.setPort(Integer.parseInt(rpHttpsPort));
-            httpsConnector.setSecure(true);
-            httpsConnector.setScheme("https");
-            //httpsConnector.setAttribute("keyAlias", keyAlias);
-            httpsConnector.setAttribute("keystorePass", "tompass");
-            httpsConnector.setAttribute("keystoreFile", "test-classes/server.jks");
-            httpsConnector.setAttribute("truststorePass", "tompass");
-            httpsConnector.setAttribute("truststoreFile", "test-classes/server.jks");
-            // httpsConnector.setAttribute("clientAuth", "false");
-            httpsConnector.setAttribute("clientAuth", "want");
-            httpsConnector.setAttribute("sslProtocol", "TLS");
-            httpsConnector.setAttribute("SSLEnabled", true);
-
-            rpServer.getService().addConnector(httpsConnector);
-            
-            //Context ctx =
-            Context cxt = rpServer.addWebapp("/fedizhelloworld", "simpleWebapp");
-            FederationAuthenticator fa = new FederationAuthenticator();
-            fa.setConfigFile(currentDir + File.separator + "target" + File.separator
-                             + "test-classes" + File.separator + "fediz_config.xml");
-            cxt.getPipeline().addValve(fa);
-            
-            
-            rpServer.start();
-        } catch (Exception e) {
-            e.printStackTrace();
-        }
-    }
-    
-    @AfterClass
-    public static void cleanup() {
-        try {
-            if (idpServer.getServer() != null
-                && idpServer.getServer().getState() != LifecycleState.DESTROYED)
{
-                if (idpServer.getServer().getState() != LifecycleState.STOPPED) {
-                    idpServer.stop();
-                }
-                idpServer.destroy();
-            }
-        } catch (Exception e) {
-            e.printStackTrace();
-        }
-
-        try {
-            if (rpServer.getServer() != null
-                && rpServer.getServer().getState() != LifecycleState.DESTROYED) {
-                if (rpServer.getServer().getState() != LifecycleState.STOPPED) {
-                    rpServer.stop();
-                }
-                rpServer.destroy();
-            }
-        } catch (Exception e) {
-            e.printStackTrace();
-        }
-    }
-
-    public String getIdpHttpsPort() {
-        return idpHttpsPort;
-    }
-
-    public String getRpHttpsPort() {
-        return rpHttpsPort;
-    }
-    
-    public String getServletContextName() {
-        return "fedizhelloworld";
-    }
-    
-    @org.junit.Test
-    public void testKerberos() throws Exception {
-        String url = "https://localhost:" + getRpHttpsPort() + "/fedizhelloworld/secure/fedservlet";
-        // Get a Kerberos Ticket +  Base64 encode it
-        String ticket = getEncodedKerberosTicket(false);
-        
-        final WebClient webClient = new WebClient();
-        webClient.getOptions().setUseInsecureSSL(true);
-        webClient.getOptions().setSSLClientCertificate(
-            this.getClass().getClassLoader().getResource("client.jks"), "clientpass", "jks");
-        
-        webClient.getOptions().setJavaScriptEnabled(false);
-        webClient.addRequestHeader("Authorization", "Negotiate " + ticket);
-        final HtmlPage idpPage = webClient.getPage(url);
-        webClient.getOptions().setJavaScriptEnabled(true);
-        Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());
-
-        final HtmlForm form = idpPage.getFormByName("signinresponseform");
-        final HtmlSubmitInput button = form.getInputByName("_eventId_submit");
-
-        final HtmlPage rpPage = button.click();
-        Assert.assertEquals("WS Federation Systests Examples", rpPage.getTitleText());
-
-        final String bodyTextContent = rpPage.getBody().getTextContent();
-        String user = "alice";
-        Assert.assertTrue("Principal not " + user,
-                          bodyTextContent.contains("userPrincipal=" + user));
-        Assert.assertTrue("User " + user + " does not have role Admin",
-                          bodyTextContent.contains("role:Admin=false"));
-        Assert.assertTrue("User " + user + " does not have role Manager",
-                          bodyTextContent.contains("role:Manager=false"));
-        Assert.assertTrue("User " + user + " must have role User",
-                          bodyTextContent.contains("role:User=true"));
-        
-        String claim = ClaimTypes.FIRSTNAME.toString();
-        Assert.assertTrue("User " + user + " claim " + claim + " is not 'Alice'",
-                          bodyTextContent.contains(claim + "=Alice"));
-        claim = ClaimTypes.LASTNAME.toString();
-        Assert.assertTrue("User " + user + " claim " + claim + " is not 'Smith'",
-                          bodyTextContent.contains(claim + "=Smith"));
-        claim = ClaimTypes.EMAILADDRESS.toString();
-        Assert.assertTrue("User " + user + " claim " + claim + " is not 'alice@realma.org'",
-                          bodyTextContent.contains(claim + "=alice@realma.org"));
-    }
-    
-    @org.junit.Test
-    @org.junit.Ignore
-    public void testSpnego() throws Exception {
-        String url = "https://localhost:" + getRpHttpsPort() + "/fedizhelloworld/secure/fedservlet";
-        // Get a Kerberos Ticket +  Base64 encode it
-        String ticket = getEncodedKerberosTicket(true);
-        
-        final WebClient webClient = new WebClient();
-        webClient.getOptions().setUseInsecureSSL(true);
-        webClient.getOptions().setSSLClientCertificate(
-            this.getClass().getClassLoader().getResource("client.jks"), "clientpass", "jks");
-        
-        webClient.getOptions().setJavaScriptEnabled(false);
-        webClient.addRequestHeader("Authorization", "Negotiate " + ticket);
-        final HtmlPage idpPage = webClient.getPage(url);
-        webClient.getOptions().setJavaScriptEnabled(true);
-        Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());
-
-        final HtmlForm form = idpPage.getFormByName("signinresponseform");
-        final HtmlSubmitInput button = form.getInputByName("_eventId_submit");
-
-        final HtmlPage rpPage = button.click();
-        Assert.assertEquals("WS Federation Systests Examples", rpPage.getTitleText());
-
-        final String bodyTextContent = rpPage.getBody().getTextContent();
-        String user = "alice";
-        Assert.assertTrue("Principal not " + user,
-                          bodyTextContent.contains("userPrincipal=" + user));
-        Assert.assertTrue("User " + user + " does not have role Admin",
-                          bodyTextContent.contains("role:Admin=false"));
-        Assert.assertTrue("User " + user + " does not have role Manager",
-                          bodyTextContent.contains("role:Manager=false"));
-        Assert.assertTrue("User " + user + " must have role User",
-                          bodyTextContent.contains("role:User=true"));
-        
-        String claim = ClaimTypes.FIRSTNAME.toString();
-        Assert.assertTrue("User " + user + " claim " + claim + " is not 'Alice'",
-                          bodyTextContent.contains(claim + "=Alice"));
-        claim = ClaimTypes.LASTNAME.toString();
-        Assert.assertTrue("User " + user + " claim " + claim + " is not 'Smith'",
-                          bodyTextContent.contains(claim + "=Smith"));
-        claim = ClaimTypes.EMAILADDRESS.toString();
-        Assert.assertTrue("User " + user + " claim " + claim + " is not 'alice@realma.org'",
-                          bodyTextContent.contains(claim + "=alice@realma.org"));
-    }
-    
-    private String getEncodedKerberosTicket(boolean spnego) throws Exception {
-        
-        System.setProperty("java.security.auth.login.config", "src/test/resources/kerberos.jaas");
-        System.setProperty("org.apache.xml.security.ignoreLineBreaks", "true");
-        
-        Oid kerberos5Oid = null;
-        if (spnego) {
-            kerberos5Oid = new Oid("1.3.6.1.5.5.2");
-        } else {
-            kerberos5Oid = new Oid("1.2.840.113554.1.2.2");
-        }
-        
-        GSSManager manager = GSSManager.getInstance();
-        GSSName serverName = manager.createName("bob@service.ws.apache.org", 
-                                                GSSName.NT_HOSTBASED_SERVICE);
-
-        GSSContext context = manager
-                .createContext(serverName.canonicalize(kerberos5Oid), kerberos5Oid, 
-                               null, GSSContext.DEFAULT_LIFETIME);
-        
-        context.requestCredDeleg(true);
-        
-        final byte[] token = new byte[0];
-
-        String contextName = "alice";
-        LoginContext lc = new LoginContext(contextName);
-        lc.login();
-        
-        byte[] ticket = (byte[])Subject.doAs(lc.getSubject(), new CreateServiceTicketAction(context,
token));
-        return Base64.encode(ticket);
-    }
-    
-    private final class CreateServiceTicketAction implements PrivilegedExceptionAction<byte[]>
{
-        private final GSSContext context;
-        private final byte[] token;
-
-        private CreateServiceTicketAction(GSSContext context, byte[] token) {
-            this.context = context;
-            this.token = token;
-        }
-
-        public byte[] run() throws GSSException {
-            return context.initSecContext(token, 0, token.length);
-        }
-    }
-    
-}

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/e3931b19/systests/tomcat7/src/test/resources/kerberos.jaas
----------------------------------------------------------------------
diff --git a/systests/tomcat7/src/test/resources/kerberos.jaas b/systests/tomcat7/src/test/resources/kerberos.jaas
deleted file mode 100644
index b773cf6..0000000
--- a/systests/tomcat7/src/test/resources/kerberos.jaas
+++ /dev/null
@@ -1,8 +0,0 @@
-
-alice {
-    com.sun.security.auth.module.Krb5LoginModule required refreshKrb5Config=true useKeyTab=true
keyTab="/etc/alice.keytab" principal="alice";
-};
-
-bob {
-    com.sun.security.auth.module.Krb5LoginModule required refreshKrb5Config=true useKeyTab=true
storeKey=true keyTab="/etc/bob.keytab" principal="bob/service.ws.apache.org";
-};

