Adding a JAX-RS kerberos credential delegation test

Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/c8eef714
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/c8eef714
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/c8eef714

Branch: refs/heads/2.7.x-fixes
Commit: c8eef714b4b949f64ab79e34233920fab5a513fc
Parents: d4cba8c
Author: Colm O hEigeartaigh <[email protected]>
Authored: Thu Aug 7 11:55:33 2014 +0100
Committer: Colm O hEigeartaigh <[email protected]>
Committed: Thu Aug 7 12:20:18 2014 +0100

----------------------------------------------------------------------
 .../kerberos/JAXRSIntermediaryPortTypeImpl.java | 77 ++++++++++++++++++++
 .../kerberos/KerberosDelegationTokenTest.java   | 27 +++++++
 .../kerberos/cxf-intermediary-jaxrs-client.xml  | 43 +++++++++++
 .../systest/sts/kerberos/cxf-intermediary.xml   | 12 ++-
 .../apache/cxf/systest/sts/kerberos/jaxrs.xml   | 26 +++++++
 5 files changed, 184 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/c8eef714/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/JAXRSIntermediaryPortTypeImpl.java
----------------------------------------------------------------------
diff --git 
a/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/JAXRSIntermediaryPortTypeImpl.java
 
b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/JAXRSIntermediaryPortTypeImpl.java
new file mode 100644
index 0000000..639e8c7
--- /dev/null
+++ 
b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/JAXRSIntermediaryPortTypeImpl.java
@@ -0,0 +1,77 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.systest.sts.kerberos;
+
+import java.net.URL;
+import java.util.Map;
+
+import javax.jws.WebService;
+import javax.xml.namespace.QName;
+import javax.xml.ws.BindingProvider;
+import javax.xml.ws.Service;
+
+import org.apache.cxf.feature.Features;
+import 
org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter.KerberosSecurityContext;
+import org.apache.cxf.phase.PhaseInterceptorChain;
+import org.apache.cxf.security.SecurityContext;
+import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
+import org.apache.cxf.ws.security.SecurityConstants;
+import org.example.contract.doubleit.DoubleItPortType;
+import org.ietf.jgss.GSSCredential;
+import org.ietf.jgss.GSSException;
+
+@WebService(targetNamespace = "http://www.example.org/contract/DoubleIt";, 
+            serviceName = "DoubleItService", 
+            endpointInterface = 
"org.example.contract.doubleit.DoubleItPortType")
+@Features(features = "org.apache.cxf.feature.LoggingFeature")              
+public class JAXRSIntermediaryPortTypeImpl extends 
AbstractBusClientServerTestBase implements DoubleItPortType {
+    
+    private static final String NAMESPACE = 
"http://www.example.org/contract/DoubleIt";;
+    private static final QName SERVICE_QNAME = new QName(NAMESPACE, 
"DoubleItService");
+    
+    public int doubleIt(int numberToDouble) {
+        URL wsdl = 
JAXRSIntermediaryPortTypeImpl.class.getResource("DoubleIt.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItTransportSAML2Port");
+        DoubleItPortType transportPort = 
+            service.getPort(portQName, DoubleItPortType.class);
+        try {
+            updateAddressPort(transportPort, KerberosDelegationTokenTest.PORT);
+        } catch (Exception ex) {
+            ex.printStackTrace();
+        }
+        
+        // Retrieve delegated credential + set it on the outbound message
+        SecurityContext securityContext = 
+            
PhaseInterceptorChain.getCurrentMessage().get(SecurityContext.class);
+        if (securityContext instanceof KerberosSecurityContext) {
+            KerberosSecurityContext ksc = 
(KerberosSecurityContext)securityContext;
+            try {
+                GSSCredential delegatedCredential = 
ksc.getGSSContext().getDelegCred();
+                Map<String, Object> context = 
((BindingProvider)transportPort).getRequestContext();
+                context.put(SecurityConstants.DELEGATED_CREDENTIAL, 
delegatedCredential);
+            } catch (GSSException e) {
+                e.printStackTrace();
+            }
+        }
+        
+        return transportPort.doubleIt(numberToDouble);
+    }
+    
+}
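Review bot: In `doubleIt`, both failure paths around the delegated credential are silent: a `GSSException` is only printed, and a security context that is not a `KerberosSecurityContext` skips the block, so the outbound call is still made with no `SecurityConstants.DELEGATED_CREDENTIAL` set. `getDelegCred()` can also return null when the initiator delegated nothing, and that value is put into the request context unchecked. If the outbound client can authenticate some other way (its configuration is not visible in this hunk), the delegation test would pass without any delegation taking place. I would fail closed by throwing an unchecked exception in each of these cases, as sketched below. The swallowed exception around `updateAddressPort` deserves the same treatment.

```java
        // … unchanged: service/port creation and updateAddressPort …

        // Retrieve delegated credential + set it on the outbound message
        SecurityContext securityContext =
            PhaseInterceptorChain.getCurrentMessage().get(SecurityContext.class);
        if (!(securityContext instanceof KerberosSecurityContext)) {
            throw new IllegalStateException("No KerberosSecurityContext on the inbound message");
        }
        try {
            GSSCredential delegatedCredential =
                ((KerberosSecurityContext)securityContext).getGSSContext().getDelegCred();
            if (delegatedCredential == null) {
                throw new IllegalStateException("The client did not delegate a credential");
            }
            ((BindingProvider)transportPort).getRequestContext()
                .put(SecurityConstants.DELEGATED_CREDENTIAL, delegatedCredential);
        } catch (GSSException e) {
            throw new IllegalStateException("Could not obtain the delegated credential", e);
        }

        return transportPort.doubleIt(numberToDouble);
```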

http://git-wip-us.apache.org/repos/asf/cxf/blob/c8eef714/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/KerberosDelegationTokenTest.java
----------------------------------------------------------------------
diff --git 
a/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/KerberosDelegationTokenTest.java
 
b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/KerberosDelegationTokenTest.java
index ac6428f..aa495ab 100644
--- 
a/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/KerberosDelegationTokenTest.java
+++ 
b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/KerberosDelegationTokenTest.java
@@ -19,16 +19,20 @@
 package org.apache.cxf.systest.sts.kerberos;
 
 import java.net.URL;
+import java.util.Map;
 
 import javax.xml.namespace.QName;
 import javax.xml.ws.Service;
 
 import org.apache.cxf.Bus;
 import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.jaxrs.client.WebClient;
 import org.apache.cxf.systest.sts.common.SecurityTestUtil;
 import org.apache.cxf.systest.sts.deployment.STSServer;
 import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
+import org.apache.cxf.transport.http.auth.SpnegoAuthSupplier;
 import org.example.contract.doubleit.DoubleItPortType;
+import org.ietf.jgss.GSSName;
 import org.junit.BeforeClass;
 
 /**
@@ -102,6 +106,29 @@ public class KerberosDelegationTokenTest extends 
AbstractBusClientServerTestBase
         bus.shutdown(true);
     }
     
+    @org.junit.Test
+    public void testKerberosTokenJAXRS() throws Exception {
+        
+        final String configLocation = 
"org/apache/cxf/systest/sts/kerberos/cxf-intermediary-jaxrs-client.xml";
+        final String address = "https://localhost:"; + INTERMEDIARY_PORT + 
"/doubleit/services/doubleit-rs";
+        final int numToDouble = 35;  
+
+        WebClient client = WebClient.create(address, configLocation);
+        client.type("text/plain").accept("text/plain");
+        
+        Map<String, Object> requestContext = 
WebClient.getConfig(client).getRequestContext();
+        requestContext.put("auth.spnego.useKerberosOid", "true");
+        requestContext.put("auth.spnego.requireCredDelegation", "true");
+        
+        SpnegoAuthSupplier authSupplier = new SpnegoAuthSupplier();
+        authSupplier.setServicePrincipalName("[email protected]");
+        authSupplier.setServiceNameType(GSSName.NT_HOSTBASED_SERVICE);
+        
WebClient.getConfig(client).getHttpConduit().setAuthSupplier(authSupplier);
+        
+        int resp = client.post(numToDouble, Integer.class);
+        org.junit.Assert.assertEquals(2 * numToDouble, resp);
+    }
+    
     private static void doubleIt(DoubleItPortType port, int numToDouble) {
         int resp = port.doubleIt(numToDouble);
         assertEquals(numToDouble * 2 , resp);
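Review bot: `testKerberosTokenJAXRS` asserts only that the response equals `2 * numToDouble`, which shows the call chain answered but not that the forwarded credential was the one used. A negative counterpart would pin that down: the same request with `requestContext.put("auth.spnego.requireCredDelegation", "false");` and the `client.post(numToDouble, Integer.class)` call expected to throw. That presumably holds only if the intermediary rejects a request that carries no delegated credential. As a smaller style point, `org.junit.Assert.assertEquals(...)` is spelled out here while the `doubleIt` helper below uses the bare `assertEquals(...)`. The helper's body continues outside the hunk.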

http://git-wip-us.apache.org/repos/asf/cxf/blob/c8eef714/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/kerberos/cxf-intermediary-jaxrs-client.xml
----------------------------------------------------------------------
diff --git 
a/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/kerberos/cxf-intermediary-jaxrs-client.xml
 
b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/kerberos/cxf-intermediary-jaxrs-client.xml
new file mode 100644
index 0000000..f992249
--- /dev/null
+++ 
b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/kerberos/cxf-intermediary-jaxrs-client.xml
@@ -0,0 +1,43 @@
+<?xml version="1.0"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+ 
+ http://www.apache.org/licenses/LICENSE-2.0
+ 
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"; 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; 
xmlns:jaxws="http://cxf.apache.org/jaxws"; 
xmlns:cxf="http://cxf.apache.org/core"; 
xmlns:http="http://cxf.apache.org/transports/http/configuration"; 
xmlns:sec="http://cxf.apache.org/configuration/security"; xsi:schemaLocation=" 
http://www.springframework.org/schema/beans 
http://www.springframework.org/schema/beans/spring-beans-2.0.xsd 
http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd 
http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd 
http://cxf.apache.org/transports/http/configuration 
http://cxf.apache.org/schemas/configuration/http-conf.xsd 
http://cxf.apache.org/configuration/security 
http://cxf.apache.org/schemas/configuration/security.xsd";>
+    <bean 
class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
+    <cxf:bus>
+        <cxf:features>
+            <cxf:logging/>
+        </cxf:features>
+    </cxf:bus>
+    
+    <http:conduit name="https://localhost:.*";>
+        <http:tlsClientParameters disableCNCheck="true">
+            <sec:trustManagers>
+                <sec:keyStore type="jks" password="sspass" 
resource="servicestore.jks"/>
+            </sec:trustManagers>
+            <sec:keyManagers keyPassword="skpass">
+                <sec:keyStore type="jks" password="sspass" 
resource="servicestore.jks"/>
+            </sec:keyManagers>
+        </http:tlsClientParameters>
+        <http:authorization>
+            <sec:AuthorizationType>Negotiate</sec:AuthorizationType>
+            <sec:Authorization>alice</sec:Authorization>
+        </http:authorization>
+    </http:conduit>
+    
+</beans>
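Review bot: The `http:conduit` sets `disableCNCheck="true"`, so the client sends its Negotiate token, with credential delegation requested by the test, to a server whose hostname is never checked against its certificate. That is tolerable against `localhost` in a system test, but the file gives no hint that the setting is test-only. I would add a comment above `<http:tlsClientParameters>` such as `<!-- Test only: hostname verification is disabled; never combine this with credential delegation outside the test suite -->`. The `<cxf:logging/>` feature may also write the `Authorization: Negotiate` header to the test log; a one-line comment there would help anyone reusing this configuration.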

http://git-wip-us.apache.org/repos/asf/cxf/blob/c8eef714/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/kerberos/cxf-intermediary.xml
----------------------------------------------------------------------
diff --git 
a/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/kerberos/cxf-intermediary.xml
 
b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/kerberos/cxf-intermediary.xml
index fbfc7b8..fa48d8b 100644
--- 
a/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/kerberos/cxf-intermediary.xml
+++ 
b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/kerberos/cxf-intermediary.xml
@@ -17,7 +17,7 @@
  specific language governing permissions and limitations
  under the License.
 -->
-<beans xmlns="http://www.springframework.org/schema/beans"; 
xmlns:cxf="http://cxf.apache.org/core"; 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; 
xmlns:sec="http://cxf.apache.org/configuration/security"; 
xmlns:http="http://cxf.apache.org/transports/http/configuration"; 
xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration"; 
xmlns:jaxws="http://cxf.apache.org/jaxws"; xsi:schemaLocation="             
http://cxf.apache.org/core             http://cxf.apache.org/schemas/core.xsd   
          http://cxf.apache.org/configuration/security             
http://cxf.apache.org/schemas/configuration/security.xsd             
http://cxf.apache.org/jaxws             http://cxf.apache.org/schemas/jaxws.xsd 
            http://cxf.apache.org/transports/http/configuration             
http://cxf.apache.org/schemas/configuration/http-conf.xsd             
http://cxf.apache.org/transports/http-jetty/configuration             
http://cxf.apache.org/schemas/configuration/http-jetty.xsd      
        http://www.springframework.org/schema/beans             
http://www.springframework.org/schema/beans/spring-beans.xsd";>
+<beans xmlns="http://www.springframework.org/schema/beans"; 
xmlns:cxf="http://cxf.apache.org/core"; 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; 
xmlns:sec="http://cxf.apache.org/configuration/security"; 
xmlns:http="http://cxf.apache.org/transports/http/configuration"; 
xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration"; 
xmlns:jaxws="http://cxf.apache.org/jaxws"; 
xmlns:jaxrs="http://cxf.apache.org/jaxrs"; xsi:schemaLocation="             
http://cxf.apache.org/core             http://cxf.apache.org/schemas/core.xsd   
          http://cxf.apache.org/configuration/security             
http://cxf.apache.org/schemas/configuration/security.xsd             
http://cxf.apache.org/jaxws             http://cxf.apache.org/schemas/jaxws.xsd 
    http://cxf.apache.org/jaxrs             
http://cxf.apache.org/schemas/jaxrs.xsd        
http://cxf.apache.org/transports/http/configuration             
http://cxf.apache.org/schemas/configuration/http-conf.xsd             
http://cxf.ap
 ache.org/transports/http-jetty/configuration             
http://cxf.apache.org/schemas/configuration/http-jetty.xsd             
http://www.springframework.org/schema/beans             
http://www.springframework.org/schema/beans/spring-beans.xsd";>
     <bean 
class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
     <cxf:bus>
         <cxf:features>
@@ -36,6 +36,16 @@
         </jaxws:properties>
     </jaxws:endpoint>
     
+    <bean id="kerberosFilter" 
class="org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter">
+       <property name="loginContextName" value="bob"/>
+    </bean>
+
+    <jaxrs:server 
modelRef="classpath:org/apache/cxf/systest/sts/kerberos/jaxrs.xml" 
depends-on="ClientAuthHttpsSettings" 
address="https://localhost:${testutil.ports.Intermediary}/doubleit/services/doubleit-rs";>
+        <jaxrs:providers>
+            <ref bean="kerberosFilter" />
+        </jaxrs:providers>
+    </jaxrs:server>
+    
     <bean class="org.apache.cxf.ws.security.kerberos.KerberosClient" 
id="kerberosClient">
         <constructor-arg ref="cxf"/>
         <property name="contextName" value="bob"/>
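Review bot: The new `kerberosFilter` bean and `jaxrs:server` are added without a comment explaining their role in the delegation flow. The link to `JAXRSIntermediaryPortTypeImpl`, which reads the `KerberosSecurityContext` this filter class defines, is visible only by opening the Java source. I would add above the bean something like `<!-- Accepts the client's SPNEGO token using JAAS login context "bob"; the resource reads the delegated credential from the resulting KerberosSecurityContext -->`. It is also worth stating that the `kerberosClient` bean below uses the same `bob` context name, so a reader can tell the sharing is intentional. The `kerberosClient` bean continues outside the hunk.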

http://git-wip-us.apache.org/repos/asf/cxf/blob/c8eef714/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/kerberos/jaxrs.xml
----------------------------------------------------------------------
diff --git 
a/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/kerberos/jaxrs.xml
 
b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/kerberos/jaxrs.xml
new file mode 100644
index 0000000..fbc256d
--- /dev/null
+++ 
b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/kerberos/jaxrs.xml
@@ -0,0 +1,26 @@
+<?xml version="1.0"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+ 
+ http://www.apache.org/licenses/LICENSE-2.0
+ 
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<model xmlns="http://cxf.apache.org/jaxrs";>
+    <resource 
name="org.apache.cxf.systest.sts.kerberos.JAXRSIntermediaryPortTypeImpl" 
path="/">
+        <operation name="doubleIt" verb="POST" path="/" consumes="text/plain" 
produces="text/plain">
+            <param name="numberToDouble" type="REQUEST_BODY"/>
+        </operation>
+    </resource>
+</model>
