ws-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1149634 - in /webservices/wss4j/trunk/src: main/java/org/apache/ws/security/ main/java/org/apache/ws/security/message/token/ main/java/org/apache/ws/security/validate/ main/resources/org/apache/ws/security/ test/java/org/apache/ws/security...
Date Fri, 22 Jul 2011 15:36:34 GMT
Author: coheigea
Date: Fri Jul 22 15:36:33 2011
New Revision: 1149634

URL: http://svn.apache.org/viewvc?rev=1149634&view=rev
Log:
[WSS-251] - Added support to create and authenticate Kerberos tickets to WSS4J. Added a @Ignore'd
test, with some instructions how to set up a KDC to run the test.

Added:
    webservices/wss4j/trunk/src/main/java/org/apache/ws/security/KerberosTokenPrincipal.java
    webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/KerberosClientAction.java
    webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/KerberosServiceAction.java
    webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/KerberosTokenValidator.java
    webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/token/KerberosTest.java
    webservices/wss4j/trunk/src/test/resources/kerberos.jaas
Modified:
    webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/KerberosSecurity.java
    webservices/wss4j/trunk/src/main/resources/org/apache/ws/security/errors.properties
    webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/token/BSTKerberosTest.java

Added: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/KerberosTokenPrincipal.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/KerberosTokenPrincipal.java?rev=1149634&view=auto
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/KerberosTokenPrincipal.java
(added)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/KerberosTokenPrincipal.java
Fri Jul 22 15:36:33 2011
@@ -0,0 +1,41 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ws.security;
+
+import java.io.Serializable;
+import java.security.Principal;
+
+/**
+ * A principal representing an authenticated Kerberos Token.
+ *
+ */
+public class KerberosTokenPrincipal implements Principal, Serializable {
+
+    private String name;
+    
+    public KerberosTokenPrincipal(String name) {
+        this.name = name;
+    }
+    
+    public String getName() {
+        return this.name;
+    }
+
+}

Added: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/KerberosClientAction.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/KerberosClientAction.java?rev=1149634&view=auto
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/KerberosClientAction.java
(added)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/KerberosClientAction.java
Fri Jul 22 15:36:33 2011
@@ -0,0 +1,79 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ws.security.message.token;
+
+import java.security.Principal;
+import java.security.PrivilegedAction;
+
+import org.ietf.jgss.GSSContext;
+import org.ietf.jgss.GSSCredential;
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.GSSManager;
+import org.ietf.jgss.GSSName;
+import org.ietf.jgss.Oid;
+
+/**
+ * This class represents a PrivilegedAction implementation to obtain a service ticket from
a Kerberos
+ * Key Distribution Center.
+ */
+public class KerberosClientAction implements PrivilegedAction<byte[]> {
+    private static org.apache.commons.logging.Log log =
+        org.apache.commons.logging.LogFactory.getLog(KerberosClientAction.class);
+    
+    private Principal clientPrincipal;
+    private String serviceName;
+    
+    public KerberosClientAction(Principal clientPrincipal, String serviceName) {
+        this.clientPrincipal = clientPrincipal;
+        this.serviceName = serviceName;
+    }
+
+    public byte[] run() {
+        try {
+            GSSManager gssManager = GSSManager.getInstance();
+        
+            Oid kerberos5Oid = new Oid("1.2.840.113554.1.2.2");
+            GSSName gssClient = gssManager.createName(clientPrincipal.getName(), GSSName.NT_USER_NAME);
+            GSSCredential credentials = 
+                gssManager.createCredential(
+                    gssClient, GSSCredential.DEFAULT_LIFETIME, kerberos5Oid, GSSCredential.INITIATE_ONLY
+                );
+            
+            GSSName gssService = gssManager.createName(serviceName, GSSName.NT_HOSTBASED_SERVICE);
+            GSSContext secContext =
+                gssManager.createContext(
+                    gssService, kerberos5Oid, credentials, GSSContext.DEFAULT_LIFETIME
+                );
+ 
+            byte[] token = new byte[0];
+            byte[] returnedToken = secContext.initSecContext(token, 0, token.length);
+            secContext.dispose();
+            return returnedToken;
+        } catch (GSSException e) {
+            if (log.isDebugEnabled()) {
+                log.debug("Error in obtaining a Kerberos token", e);
+            }
+        }
+
+        return null;
+        
+    }
+    
+}

Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/KerberosSecurity.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/KerberosSecurity.java?rev=1149634&r1=1149633&r2=1149634&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/KerberosSecurity.java
(original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/KerberosSecurity.java
Fri Jul 22 15:36:33 2011
@@ -19,6 +19,14 @@
 
 package org.apache.ws.security.message.token;
 
+import java.security.Principal;
+import java.util.Set;
+
+import javax.security.auth.Subject;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.login.LoginContext;
+import javax.security.auth.login.LoginException;
+
 import org.apache.ws.security.WSConstants;
 import org.apache.ws.security.WSSecurityException;
 import org.w3c.dom.Document;
@@ -29,6 +37,9 @@ import org.w3c.dom.Element;
  */
 public class KerberosSecurity extends BinarySecurity {
     
+    private static org.apache.commons.logging.Log log =
+        org.apache.commons.logging.LogFactory.getLog(KerberosSecurity.class);
+    
     /**
      * This constructor creates a new Kerberos token object and initializes
      * it from the data contained in the element.
@@ -87,4 +98,71 @@ public class KerberosSecurity extends Bi
         return false;
     }
 
+    /**
+     * Retrieve a service ticket from a KDC using the Kerberos JAAS module, and set it in
this
+     * BinarySecurityToken.
+     * @param jaasLoginModuleName the JAAS Login Module name to use
+     * @param callbackHandler a CallbackHandler instance to retrieve a password (optional)
+     * @param serviceName the desired Kerberized service
+     * @throws WSSecurityException
+     */
+    public void retrieveServiceTicket(
+        String jaasLoginModuleName, 
+        CallbackHandler callbackHandler,
+        String serviceName
+    ) throws WSSecurityException {
+        // Get a TGT from the KDC using JAAS
+        LoginContext loginContext = null;
+        try {
+            if (callbackHandler == null) {
+                loginContext = new LoginContext(jaasLoginModuleName);
+            } else {
+                loginContext = new LoginContext(jaasLoginModuleName, callbackHandler);
+            }
+            loginContext.login();
+        } catch (LoginException ex) {
+            if (log.isDebugEnabled()) {
+                log.debug(ex.getMessage(), ex);
+            }
+            throw new WSSecurityException(
+                WSSecurityException.FAILURE,
+                "kerberosLoginError", 
+                new Object[] {ex.getMessage()}
+            );
+        }
+        if (log.isDebugEnabled()) {
+            log.debug("Successfully authenticated to the TGT");
+        }
+        
+        Subject clientSubject = loginContext.getSubject();
+        Set<Principal> clientPrincipals = clientSubject.getPrincipals();
+        if (clientPrincipals.isEmpty()) {
+            throw new WSSecurityException(
+                WSSecurityException.FAILURE, 
+                "kerberosLoginError", 
+                new Object[] {"No Client principals found after login"}
+            );
+        }
+        
+        // Get the service ticket
+        KerberosClientAction action = 
+            new KerberosClientAction(clientPrincipals.iterator().next(), serviceName);
+        byte[] ticket = Subject.doAs(clientSubject, action);
+        if (ticket == null) {
+            throw new WSSecurityException(
+                WSSecurityException.FAILURE, "kerberosServiceTicketError"
+            );
+        }
+        if (log.isDebugEnabled()) {
+            log.debug("Successfully retrieved a service ticket");
+        }
+        
+        setToken(ticket);
+        
+        if ("".equals(getValueType())) {
+            setValueType(WSConstants.WSS_GSS_KRB_V5_AP_REQ);
+        }
+    }
+    
+    
 }

Added: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/KerberosServiceAction.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/KerberosServiceAction.java?rev=1149634&view=auto
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/KerberosServiceAction.java
(added)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/KerberosServiceAction.java
Fri Jul 22 15:36:33 2011
@@ -0,0 +1,77 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ws.security.message.token;
+
+import java.security.Principal;
+import java.security.PrivilegedAction;
+
+import org.apache.ws.security.KerberosTokenPrincipal;
+import org.ietf.jgss.GSSContext;
+import org.ietf.jgss.GSSCredential;
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.GSSManager;
+import org.ietf.jgss.GSSName;
+import org.ietf.jgss.Oid;
+
+/**
+ * This class represents a PrivilegedAction implementation to validate a received ticket
to a KDC.
+ */
+public class KerberosServiceAction implements PrivilegedAction<Principal> {
+    private static org.apache.commons.logging.Log log =
+        org.apache.commons.logging.LogFactory.getLog(KerberosServiceAction.class);
+    
+    private byte[] ticket;
+    private String serviceName;
+    
+    public KerberosServiceAction(byte[] ticket, String serviceName) {
+        this.ticket = ticket;
+        this.serviceName = serviceName;
+    }
+
+    public Principal run() {
+        try {
+            GSSManager gssManager = GSSManager.getInstance();
+        
+            Oid kerberos5Oid = new Oid("1.2.840.113554.1.2.2");
+            GSSName gssService = gssManager.createName(serviceName, GSSName.NT_HOSTBASED_SERVICE);
+            GSSCredential credentials = 
+                gssManager.createCredential(
+                    gssService, GSSCredential.DEFAULT_LIFETIME, kerberos5Oid, GSSCredential.ACCEPT_ONLY
+                );
+            
+            GSSContext secContext =
+                gssManager.createContext(credentials);
+            secContext.acceptSecContext(ticket, 0, ticket.length);
+ 
+            GSSName clientName = secContext.getSrcName();
+            Principal principal = new KerberosTokenPrincipal(clientName.toString());
+            secContext.dispose();
+            return principal;
+        } catch (GSSException e) {
+            if (log.isDebugEnabled()) {
+                log.debug("Error in validating a Kerberos token", e);
+            }
+        }
+
+        return null;
+        
+    }
+    
+}

Added: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/KerberosTokenValidator.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/KerberosTokenValidator.java?rev=1149634&view=auto
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/KerberosTokenValidator.java
(added)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/KerberosTokenValidator.java
Fri Jul 22 15:36:33 2011
@@ -0,0 +1,166 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ws.security.validate;
+
+import java.security.Principal;
+import java.util.Set;
+
+import javax.security.auth.Subject;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.login.LoginContext;
+import javax.security.auth.login.LoginException;
+
+import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.handler.RequestData;
+import org.apache.ws.security.message.token.BinarySecurity;
+import org.apache.ws.security.message.token.KerberosServiceAction;
+
+/**
+ */
+public class KerberosTokenValidator implements Validator {
+    
+    private static org.apache.commons.logging.Log log =
+        org.apache.commons.logging.LogFactory.getLog(KerberosTokenValidator.class);
+    
+    private String serviceName;
+    private CallbackHandler callbackHandler;
+    private String jaasLoginModuleName;
+    
+    /**
+     * Get the JAAS Login module name to use.
+     * @return the JAAS Login module name to use
+     */
+    public String getJaasLoginModuleName() {
+        return jaasLoginModuleName;
+    }
+
+    /**
+     * Set the JAAS Login module name to use.
+     * @param jaasLoginModuleName the JAAS Login module name to use
+     */
+    public void setJaasLoginModuleName(String jaasLoginModuleName) {
+        this.jaasLoginModuleName = jaasLoginModuleName;
+    }
+
+    /**
+     * Get the CallbackHandler to use with the LoginContext
+     * @return the CallbackHandler to use with the LoginContext
+     */
+    public CallbackHandler getCallbackHandler() {
+        return callbackHandler;
+    }
+
+    /**
+     * Set the CallbackHandler to use with the LoginContext. It can be null.
+     * @param callbackHandler the CallbackHandler to use with the LoginContext
+     */
+    public void setCallbackHandler(CallbackHandler callbackHandler) {
+        this.callbackHandler = callbackHandler;
+    }
+
+    /**
+     * The name of the service to use when contacting the KDC. This value can be null, in
which
+     * case it defaults to the current principal name.
+     * @param serviceName the name of the service to use when contacting the KDC
+     */
+    public void setServiceName(String serviceName) {
+        this.serviceName = serviceName;
+    }
+    
+    /**
+     * Get the name of the service to use when contacting the KDC. This value can be null,
in which
+     * case it defaults to the current principal name.
+     * @return the name of the service to use when contacting the KDC
+     */
+    public String getServiceName() {
+        return serviceName;
+    }
+    
+    /**
+     * Validate the credential argument. It must contain a non-null BinarySecurityToken.

+     * 
+     * @param credential the Credential to be validated
+     * @param data the RequestData associated with the request
+     * @throws WSSecurityException on a failed validation
+     */
+    public Credential validate(Credential credential, RequestData data) throws WSSecurityException
{
+        if (credential == null || credential.getBinarySecurityToken() == null) {
+            throw new WSSecurityException(WSSecurityException.FAILURE, "noCredential");
+        }
+        
+        // Get a TGT from the KDC using JAAS
+        LoginContext loginContext = null;
+        try {
+            if (callbackHandler == null) {
+                loginContext = new LoginContext(jaasLoginModuleName);
+            } else {
+                loginContext = new LoginContext(jaasLoginModuleName, callbackHandler);
+            }
+            loginContext.login();
+        } catch (LoginException ex) {
+            if (log.isDebugEnabled()) {
+                log.debug(ex.getMessage(), ex);
+            }
+            throw new WSSecurityException(
+                WSSecurityException.FAILURE,
+                "kerberosLoginError", 
+                new Object[] {ex.getMessage()}
+            );
+        }
+        if (log.isDebugEnabled()) {
+            log.debug("Successfully authenticated to the TGT");
+        }
+        
+        BinarySecurity binarySecurity = credential.getBinarySecurityToken();
+        byte[] token = binarySecurity.getToken();
+        
+        // Get the service name to use - fall back on the principal
+        Subject subject = loginContext.getSubject();
+        String service = serviceName;
+        if (service == null) {
+            Set<Principal> principals = subject.getPrincipals();
+            if (principals.isEmpty()) {
+                throw new WSSecurityException(
+                    WSSecurityException.FAILURE, 
+                    "kerberosLoginError", 
+                    new Object[] {"No Client principals found after login"}
+                );
+            }
+            service = principals.iterator().next().getName();
+        }
+        
+        // Validate the ticket
+        KerberosServiceAction action = new KerberosServiceAction(token, service);
+        Principal principal = Subject.doAs(subject, action);
+        if (principal == null) {
+            throw new WSSecurityException(
+                WSSecurityException.FAILURE, "kerberosTicketValidationError"
+            );
+        }
+        credential.setPrincipal(principal);
+        
+        if (log.isDebugEnabled()) {
+            log.debug("Successfully validated a ticket");
+        }
+        
+        return credential;
+    }
+    
+}

Modified: webservices/wss4j/trunk/src/main/resources/org/apache/ws/security/errors.properties
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/resources/org/apache/ws/security/errors.properties?rev=1149634&r1=1149633&r2=1149634&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/resources/org/apache/ws/security/errors.properties (original)
+++ webservices/wss4j/trunk/src/main/resources/org/apache/ws/security/errors.properties Fri
Jul 22 15:36:33 2011
@@ -98,4 +98,8 @@ noSignResult=No SIGN result in WSS4J res
 requiredElementNotSigned=Element {0} is not included in the signature
 requiredElementNotProtected=Element {0} is not protected
 
-invalidKeySize=Invalid keysize
\ No newline at end of file
+invalidKeySize=Invalid keysize
+
+kerberosLoginError=An error occurred in trying to obtain a TGT: {0}
+kerberosServiceTicketError=An error occurred in trying to obtain a service ticket
+kerberosTicketValidationError=An error occured in trying to validate a ticket
\ No newline at end of file

Modified: webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/token/BSTKerberosTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/token/BSTKerberosTest.java?rev=1149634&r1=1149633&r2=1149634&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/token/BSTKerberosTest.java
(original)
+++ webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/token/BSTKerberosTest.java
Fri Jul 22 15:36:33 2011
@@ -196,7 +196,7 @@ public class BSTKerberosTest extends org
             WSSecurityUtil.fetchActionResult(results, WSConstants.BST);
         BinarySecurity token =
             (BinarySecurity)actionResult.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
-        assert token != null;
+        assertTrue(token != null);
         
         assertTrue(AP_REQ.equals(token.getValueType()));
         assertTrue(BASE64_NS.equals(token.getEncodingType()));

Added: webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/token/KerberosTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/token/KerberosTest.java?rev=1149634&view=auto
==============================================================================
--- webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/token/KerberosTest.java
(added)
+++ webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/token/KerberosTest.java
Fri Jul 22 15:36:33 2011
@@ -0,0 +1,128 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ws.security.message.token;
+
+import org.apache.ws.security.KerberosTokenPrincipal;
+import org.apache.ws.security.WSSConfig;
+import org.apache.ws.security.WSSecurityEngine;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.common.SOAPUtil;
+import org.apache.ws.security.message.WSSecHeader;
+import org.apache.ws.security.util.WSSecurityUtil;
+import org.apache.ws.security.validate.KerberosTokenValidator;
+import org.w3c.dom.Document;
+
+import java.security.Principal;
+import java.util.List;
+
+/**
+ * This is a test for a WSS4J client retrieving a service ticket from a KDC, and inserting
+ * it into the security header of a request, to be processed by WSS4J. The tests are @Ignored
by
+ * default, as a KDC is needed. To replicate the test scenario, set up a KDC with user principal
+ * "alice" (keytab in "/etc/alice.keytab"), and host service "bob@service" (keytab in "/etc/bob.keytab").
+ * The test can be run with:
+ * 
+ * mvn -Djava.security.auth.login.config=src/test/resources/kerberos.jaas -Dtest=KerberosTest
+ * 
+ * To see the Kerberos stuff add "-Dsun.security.krb5.debug=true".
+ */
+public class KerberosTest extends org.junit.Assert {
+    private static final org.apache.commons.logging.Log LOG = 
+        org.apache.commons.logging.LogFactory.getLog(KerberosTest.class);
+    
+    public KerberosTest() throws Exception {
+        WSSConfig.init();
+    }
+
+    /**
+     * Test using the KerberosSecurity class to retrieve a service ticket from a KDC, wrap
it
+     * in a BinarySecurityToken, and process it.
+     */
+    @org.junit.Test
+    @org.junit.Ignore
+    public void testKerberosCreationAndProcessing() throws Exception {
+        Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+
+        WSSecHeader secHeader = new WSSecHeader();
+        secHeader.insertSecurityHeader(doc);
+        
+        KerberosSecurity bst = new KerberosSecurity(doc);
+        bst.retrieveServiceTicket("alice", null, "bob@service");
+        WSSecurityUtil.prependChildElement(secHeader.getSecurityHeader(), bst.getElement());
+        
+        if (LOG.isDebugEnabled()) {
+            String outputString = 
+                org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(doc);
+            LOG.debug(outputString);
+        }
+        
+        // Configure the Validator
+        WSSConfig wssConfig = WSSConfig.getNewInstance();
+        KerberosTokenValidator validator = new KerberosTokenValidator();
+        validator.setJaasLoginModuleName("bob");
+        validator.setServiceName("bob@service");
+        wssConfig.setValidator(WSSecurityEngine.BINARY_TOKEN, validator);
+        WSSecurityEngine secEngine = new WSSecurityEngine();
+        secEngine.setWssConfig(wssConfig);
+        
+        List<WSSecurityEngineResult> results = 
+            secEngine.processSecurityHeader(doc, null, null, null);
+        WSSecurityEngineResult actionResult =
+            WSSecurityUtil.fetchActionResult(results, WSConstants.BST);
+        BinarySecurity token =
+            (BinarySecurity)actionResult.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
+        assertTrue(token != null);
+        
+        Principal principal = (Principal)actionResult.get(WSSecurityEngineResult.TAG_PRINCIPAL);
+        assertTrue(principal instanceof KerberosTokenPrincipal);
+        assertTrue(principal.getName().contains("alice"));
+    }
+    
+    /**
+     * Various unit tests for a kerberos client
+     */
+    @org.junit.Test
+    @org.junit.Ignore
+    public void testKerberosClient() throws Exception {
+        Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+        
+        try {
+            KerberosSecurity bst = new KerberosSecurity(doc);
+            bst.retrieveServiceTicket("alice2", null, "bob@service");
+            fail("Failure expected on an unknown user");
+        } catch (WSSecurityException ex) {
+            // expected
+        }
+        
+        
+        try {
+            KerberosSecurity bst = new KerberosSecurity(doc);
+            bst.retrieveServiceTicket("alice", null, "bob2@service");
+            fail("Failure expected on an unknown user");
+        } catch (WSSecurityException ex) {
+            // expected
+        }
+        
+    }
+    
+    
+}

Added: webservices/wss4j/trunk/src/test/resources/kerberos.jaas
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/resources/kerberos.jaas?rev=1149634&view=auto
==============================================================================
--- webservices/wss4j/trunk/src/test/resources/kerberos.jaas (added)
+++ webservices/wss4j/trunk/src/test/resources/kerberos.jaas Fri Jul 22 15:36:33 2011
@@ -0,0 +1,8 @@
+
+alice {
+    com.sun.security.auth.module.Krb5LoginModule required refreshKrb5Config=true useKeyTab=true
keyTab="/etc/alice.keytab" principal="alice";
+};
+
+bob {
+    com.sun.security.auth.module.Krb5LoginModule required refreshKrb5Config=true useKeyTab=true
storeKey=true keyTab="/etc/bob.keytab" principal="bob/service";
+};



Mime
View raw message