Author: coheigea
Date: Mon Dec 9 16:26:11 2013
New Revision: 1549607
URL: http://svn.apache.org/r1549607
Log:
Run Kerberos DOM + StAX tests together to avoid the penalty of starting the KDC
twice
Added:
webservices/wss4j/trunk/integration/src/test/java/org/apache/wss4j/integration/test/kerberos/
webservices/wss4j/trunk/integration/src/test/java/org/apache/wss4j/integration/test/kerberos/KerberosTest.java
- copied, changed from r1549603,
webservices/wss4j/trunk/integration/src/test/java/org/apache/wss4j/integration/test/stax/KerberosTest.java
Removed:
webservices/wss4j/trunk/integration/src/test/java/org/apache/wss4j/integration/test/dom/KerberosTest.java
webservices/wss4j/trunk/integration/src/test/java/org/apache/wss4j/integration/test/stax/KerberosTest.java
Copied:
webservices/wss4j/trunk/integration/src/test/java/org/apache/wss4j/integration/test/kerberos/KerberosTest.java
(from r1549603,
webservices/wss4j/trunk/integration/src/test/java/org/apache/wss4j/integration/test/stax/KerberosTest.java)
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/integration/src/test/java/org/apache/wss4j/integration/test/kerberos/KerberosTest.java?p2=webservices/wss4j/trunk/integration/src/test/java/org/apache/wss4j/integration/test/kerberos/KerberosTest.java&p1=webservices/wss4j/trunk/integration/src/test/java/org/apache/wss4j/integration/test/stax/KerberosTest.java&r1=1549603&r2=1549607&rev=1549607&view=diff
==============================================================================
---
webservices/wss4j/trunk/integration/src/test/java/org/apache/wss4j/integration/test/stax/KerberosTest.java
(original)
+++
webservices/wss4j/trunk/integration/src/test/java/org/apache/wss4j/integration/test/kerberos/KerberosTest.java
Mon Dec 9 16:26:11 2013
@@ -16,9 +16,12 @@
* specific language governing permissions and limitations
* under the License.
*/
-package org.apache.wss4j.integration.test.stax;
+package org.apache.wss4j.integration.test.kerberos;
+import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.kerberos.KerberosContextAndServiceNameCallback;
+import org.apache.wss4j.common.spnego.SpnegoTokenContext;
+import org.apache.wss4j.common.util.XMLUtils;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.WSSConfig;
import org.apache.wss4j.dom.WSSecurityEngine;
@@ -71,6 +74,9 @@ import java.util.ArrayList;
import java.util.List;
public class KerberosTest extends AbstractTestBase {
+
+ private static final org.slf4j.Logger LOG =
+ org.slf4j.LoggerFactory.getLogger(KerberosTest.class);
private static boolean kerberosServerStarted = false;
@@ -101,6 +107,525 @@ public class KerberosTest extends Abstra
}
SecurityTestUtil.cleanup();
}
+
+ //
+ // DOM tests
+ //
+
+ /**
+ * Test using the KerberosSecurity class to retrieve a service ticket from
a KDC, wrap it
+ * in a BinarySecurityToken, and process it.
+ */
+ @Test
+ public void testKerberosCreationAndProcessing() throws Exception {
+ if (!kerberosServerStarted) {
+ System.out.println("Skipping test because kerberos server could
not be started");
+ return;
+ }
+
+ Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+
+ WSSecHeader secHeader = new WSSecHeader();
+ secHeader.insertSecurityHeader(doc);
+
+ KerberosSecurity bst = new KerberosSecurity(doc);
+ CallbackHandler callbackHandler = new CallbackHandler() {
+ @Override
+ public void handle(Callback[] callbacks) throws IOException,
UnsupportedCallbackException {
+ PasswordCallback passwordCallback =
(PasswordCallback)callbacks[0];
+ if (passwordCallback.getPrompt().contains("alice")) {
+ passwordCallback.setPassword("alice".toCharArray());
+ } else if (passwordCallback.getPrompt().contains("bob")) {
+ passwordCallback.setPassword("bob".toCharArray());
+ }
+ }
+ };
+ bst.retrieveServiceTicket("alice", callbackHandler,
"[email protected]");
+ WSSecurityUtil.prependChildElement(secHeader.getSecurityHeader(),
bst.getElement());
+
+ if (LOG.isDebugEnabled()) {
+ String outputString =
+ XMLUtils.PrettyDocumentToString(doc);
+ LOG.debug(outputString);
+ }
+
+ // Configure the Validator
+ WSSConfig wssConfig = WSSConfig.getNewInstance();
+ KerberosTokenValidator validator = new KerberosTokenValidator();
+ validator.setContextName("bob");
+ validator.setServiceName("[email protected]");
+ wssConfig.setValidator(WSSecurityEngine.BINARY_TOKEN, validator);
+ WSSecurityEngine secEngine = new WSSecurityEngine();
+ secEngine.setWssConfig(wssConfig);
+
+ List<WSSecurityEngineResult> results =
+ secEngine.processSecurityHeader(doc, null, callbackHandler, null);
+ WSSecurityEngineResult actionResult =
+ WSSecurityUtil.fetchActionResult(results, WSConstants.BST);
+ BinarySecurity token =
+
(BinarySecurity)actionResult.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
+ Assert.assertTrue(token != null);
+
+ Principal principal =
(Principal)actionResult.get(WSSecurityEngineResult.TAG_PRINCIPAL);
+ Assert.assertTrue(principal instanceof KerberosPrincipal);
+ Assert.assertTrue(principal.getName().contains("alice"));
+ }
+
+ /**
+ * Get and validate a SPNEGO token.
+ */
+ @Test
+ public void testSpnego() throws Exception {
+ if (!kerberosServerStarted) {
+ System.out.println("Skipping test because kerberos server could
not be started");
+ return;
+ }
+
+ Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+
+ WSSecHeader secHeader = new WSSecHeader();
+ secHeader.insertSecurityHeader(doc);
+
+ SpnegoTokenContext spnegoToken = new SpnegoTokenContext();
+ CallbackHandler callbackHandler = new CallbackHandler() {
+ @Override
+ public void handle(Callback[] callbacks) throws IOException,
UnsupportedCallbackException {
+ PasswordCallback passwordCallback =
(PasswordCallback)callbacks[0];
+ if (passwordCallback.getPrompt().contains("alice")) {
+ passwordCallback.setPassword("alice".toCharArray());
+ } else if (passwordCallback.getPrompt().contains("bob")) {
+ passwordCallback.setPassword("bob".toCharArray());
+ }
+ }
+ };
+ spnegoToken.retrieveServiceTicket("alice", callbackHandler,
"[email protected]");
+
+ byte[] token = spnegoToken.getToken();
+ Assert.assertNotNull(token);
+
+ spnegoToken = new SpnegoTokenContext();
+ spnegoToken.validateServiceTicket("bob", callbackHandler,
"[email protected]", token);
+ Assert.assertTrue(spnegoToken.isEstablished());
+ }
+
+ /**
+ * Various unit tests for a kerberos client
+ */
+ @Test
+ public void testKerberosClient() throws Exception {
+ if (!kerberosServerStarted) {
+ System.out.println("Skipping test because kerberos server could
not be started");
+ return;
+ }
+
+ Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+
+ CallbackHandler callbackHandler = new CallbackHandler() {
+ @Override
+ public void handle(Callback[] callbacks) throws IOException,
UnsupportedCallbackException {
+ PasswordCallback passwordCallback =
(PasswordCallback)callbacks[0];
+ if (passwordCallback.getPrompt().contains("alice")) {
+ passwordCallback.setPassword("alice".toCharArray());
+ } else if (passwordCallback.getPrompt().contains("bob")) {
+ passwordCallback.setPassword("bob".toCharArray());
+ }
+ }
+ };
+
+ try {
+ KerberosSecurity bst = new KerberosSecurity(doc);
+ bst.retrieveServiceTicket("alice2", callbackHandler,
"bob@service");
+ Assert.fail("Failure expected on an unknown user");
+ } catch (WSSecurityException ex) {
+ Assert.assertEquals(ex.getMessage(), "An error occurred in trying
to obtain a TGT: No LoginModules configured for alice2");
+ }
+
+
+ try {
+ KerberosSecurity bst = new KerberosSecurity(doc);
+ bst.retrieveServiceTicket("alice", callbackHandler,
"bob2@service");
+ Assert.fail("Failure expected on an unknown user");
+ } catch (WSSecurityException ex) {
+ Assert.assertEquals(ex.getMessage(), "An error occurred in trying
to obtain a service ticket");
+ }
+
+ }
+
+ /**
+ * Test using the KerberosSecurity class to retrieve a service ticket from
a KDC, wrap it
+ * in a BinarySecurityToken, and use the session key to sign the SOAP Body.
+ */
+ @Test
+ public void testKerberosSignature() throws Exception {
+ if (!kerberosServerStarted) {
+ System.out.println("Skipping test because kerberos server could
not be started");
+ return;
+ }
+
+ Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+
+ WSSecHeader secHeader = new WSSecHeader();
+ secHeader.insertSecurityHeader(doc);
+
+ KerberosSecurity bst = new KerberosSecurity(doc);
+ CallbackHandler callbackHandler = new CallbackHandler() {
+ @Override
+ public void handle(Callback[] callbacks) throws IOException,
UnsupportedCallbackException {
+ if (callbacks[0] instanceof PasswordCallback) {
+ PasswordCallback passwordCallback =
(PasswordCallback)callbacks[0];
+ if (passwordCallback.getPrompt().contains("alice")) {
+ passwordCallback.setPassword("alice".toCharArray());
+ } else if (passwordCallback.getPrompt().contains("bob")) {
+ passwordCallback.setPassword("bob".toCharArray());
+ }
+ }
+ }
+ };
+ bst.retrieveServiceTicket("alice", callbackHandler,
"[email protected]");
+ bst.setID("Id-" + bst.hashCode());
+ WSSecurityUtil.prependChildElement(secHeader.getSecurityHeader(),
bst.getElement());
+
+ WSSecSignature sign = new WSSecSignature();
+ sign.setSignatureAlgorithm(SignatureMethod.HMAC_SHA1);
+ sign.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
+ sign.setCustomTokenId(bst.getID());
+ sign.setCustomTokenValueType(WSConstants.WSS_GSS_KRB_V5_AP_REQ);
+
+ SecretKey secretKey = bst.getSecretKey();
+ sign.setSecretKey(secretKey.getEncoded());
+
+ Document signedDoc = sign.build(doc, null, secHeader);
+
+ if (LOG.isDebugEnabled()) {
+ String outputString =
+ XMLUtils.PrettyDocumentToString(signedDoc);
+ LOG.debug(outputString);
+ }
+
+ // Configure the Validator
+ WSSConfig wssConfig = WSSConfig.getNewInstance();
+ KerberosTokenValidator validator = new KerberosTokenValidator();
+ validator.setContextName("bob");
+ validator.setServiceName("[email protected]");
+ wssConfig.setValidator(WSSecurityEngine.BINARY_TOKEN, validator);
+ WSSecurityEngine secEngine = new WSSecurityEngine();
+ secEngine.setWssConfig(wssConfig);
+
+ List<WSSecurityEngineResult> results =
+ secEngine.processSecurityHeader(doc, null, callbackHandler, null);
+ WSSecurityEngineResult actionResult =
+ WSSecurityUtil.fetchActionResult(results, WSConstants.BST);
+ BinarySecurity token =
+
(BinarySecurity)actionResult.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
+ Assert.assertTrue(token != null);
+
+ Principal principal =
(Principal)actionResult.get(WSSecurityEngineResult.TAG_PRINCIPAL);
+ Assert.assertTrue(principal instanceof KerberosPrincipal);
+ Assert.assertTrue(principal.getName().contains("alice"));
+ }
+
+
+ /**
+ * Test using the KerberosSecurity class to retrieve a service ticket from
a KDC, wrap it
+ * in a BinarySecurityToken, and use the session key to sign the SOAP Body.
+ */
+ @Test
+ public void testKerberosSignatureKI() throws Exception {
+ if (!kerberosServerStarted) {
+ System.out.println("Skipping test because kerberos server could
not be started");
+ return;
+ }
+
+ Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+
+ WSSecHeader secHeader = new WSSecHeader();
+ secHeader.insertSecurityHeader(doc);
+
+ KerberosSecurity bst = new KerberosSecurity(doc);
+ CallbackHandler callbackHandler = new CallbackHandler() {
+ @Override
+ public void handle(Callback[] callbacks) throws IOException,
UnsupportedCallbackException {
+ if (callbacks[0] instanceof PasswordCallback) {
+ PasswordCallback passwordCallback =
(PasswordCallback)callbacks[0];
+ if (passwordCallback.getPrompt().contains("alice")) {
+ passwordCallback.setPassword("alice".toCharArray());
+ } else if (passwordCallback.getPrompt().contains("bob")) {
+ passwordCallback.setPassword("bob".toCharArray());
+ }
+ }
+ }
+ };
+ bst.retrieveServiceTicket("alice", callbackHandler,
"[email protected]");
+ bst.setID("Id-" + bst.hashCode());
+
+ WSSecSignature sign = new WSSecSignature();
+ sign.setSignatureAlgorithm(SignatureMethod.HMAC_SHA1);
+ sign.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
+ sign.setCustomTokenValueType(WSConstants.WSS_KRB_KI_VALUE_TYPE);
+
+ SecretKey secretKey = bst.getSecretKey();
+ byte[] keyData = secretKey.getEncoded();
+ sign.setSecretKey(keyData);
+
+ byte[] digestBytes = WSSecurityUtil.generateDigest(bst.getToken());
+ sign.setCustomTokenId(Base64.encode(digestBytes));
+
+ Document signedDoc = sign.build(doc, null, secHeader);
+
+ WSSecurityUtil.prependChildElement(secHeader.getSecurityHeader(),
bst.getElement());
+
+ if (LOG.isDebugEnabled()) {
+ String outputString =
+ XMLUtils.PrettyDocumentToString(signedDoc);
+ LOG.debug(outputString);
+ }
+
+ // Configure the Validator
+ WSSConfig wssConfig = WSSConfig.getNewInstance();
+ KerberosTokenValidator validator = new KerberosTokenValidator();
+ validator.setContextName("bob");
+ validator.setServiceName("[email protected]");
+ wssConfig.setValidator(WSSecurityEngine.BINARY_TOKEN, validator);
+ WSSecurityEngine secEngine = new WSSecurityEngine();
+ secEngine.setWssConfig(wssConfig);
+
+ List<WSSecurityEngineResult> results =
+ secEngine.processSecurityHeader(doc, null, callbackHandler, null);
+ WSSecurityEngineResult actionResult =
+ WSSecurityUtil.fetchActionResult(results, WSConstants.BST);
+ BinarySecurity token =
+
(BinarySecurity)actionResult.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
+ Assert.assertTrue(token != null);
+
+ Principal principal =
(Principal)actionResult.get(WSSecurityEngineResult.TAG_PRINCIPAL);
+ Assert.assertTrue(principal instanceof KerberosPrincipal);
+ Assert.assertTrue(principal.getName().contains("alice"));
+ }
+
+
+ /**
+ * Test using the KerberosSecurity class to retrieve a service ticket from
a KDC, wrap it
+ * in a BinarySecurityToken, and use the session key to encrypt the SOAP
Body.
+ */
+ @Test
+ public void testKerberosEncryption() throws Exception {
+ if (!kerberosServerStarted) {
+ System.out.println("Skipping test because kerberos server could
not be started");
+ return;
+ }
+
+ Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+
+ WSSecHeader secHeader = new WSSecHeader();
+ secHeader.insertSecurityHeader(doc);
+
+ KerberosSecurity bst = new KerberosSecurity(doc);
+ CallbackHandler callbackHandler = new CallbackHandler() {
+ @Override
+ public void handle(Callback[] callbacks) throws IOException,
UnsupportedCallbackException {
+ if (callbacks[0] instanceof PasswordCallback) {
+ PasswordCallback passwordCallback =
(PasswordCallback)callbacks[0];
+ if (passwordCallback.getPrompt().contains("alice")) {
+ passwordCallback.setPassword("alice".toCharArray());
+ } else if (passwordCallback.getPrompt().contains("bob")) {
+ passwordCallback.setPassword("bob".toCharArray());
+ }
+ }
+ }
+ };
+ bst.retrieveServiceTicket("alice", callbackHandler,
"[email protected]");
+ bst.setID("Id-" + bst.hashCode());
+ WSSecurityUtil.prependChildElement(secHeader.getSecurityHeader(),
bst.getElement());
+
+ WSSecEncrypt builder = new WSSecEncrypt();
+ builder.setSymmetricEncAlgorithm(WSConstants.AES_128);
+ SecretKey secretKey = bst.getSecretKey();
+ builder.setSymmetricKey(secretKey);
+ builder.setEncryptSymmKey(false);
+ builder.setCustomReferenceValue(WSConstants.WSS_GSS_KRB_V5_AP_REQ);
+ builder.setEncKeyId(bst.getID());
+
+ Document encryptedDoc = builder.build(doc, null, secHeader);
+
+ if (LOG.isDebugEnabled()) {
+ String outputString =
+ XMLUtils.PrettyDocumentToString(encryptedDoc);
+ LOG.debug(outputString);
+ }
+
+ // Configure the Validator
+ WSSConfig wssConfig = WSSConfig.getNewInstance();
+ KerberosTokenValidator validator = new KerberosTokenValidator();
+ validator.setContextName("bob");
+ validator.setServiceName("[email protected]");
+ wssConfig.setValidator(WSSecurityEngine.BINARY_TOKEN, validator);
+ WSSecurityEngine secEngine = new WSSecurityEngine();
+ secEngine.setWssConfig(wssConfig);
+
+ List<WSSecurityEngineResult> results =
+ secEngine.processSecurityHeader(encryptedDoc, null,
callbackHandler, null);
+ WSSecurityEngineResult actionResult =
+ WSSecurityUtil.fetchActionResult(results, WSConstants.BST);
+ BinarySecurity token =
+
(BinarySecurity)actionResult.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
+ Assert.assertTrue(token != null);
+
+ Principal principal =
(Principal)actionResult.get(WSSecurityEngineResult.TAG_PRINCIPAL);
+ Assert.assertTrue(principal instanceof KerberosPrincipal);
+ Assert.assertTrue(principal.getName().contains("alice"));
+ }
+
+ /**
+ * Test using the KerberosSecurity class to retrieve a service ticket from
a KDC, wrap it
+ * in a BinarySecurityToken, and use the session key to encrypt the SOAP
Body.
+ */
+ @Test
+ public void testKerberosEncryptionBSTFirst() throws Exception {
+ if (!kerberosServerStarted) {
+ System.out.println("Skipping test because kerberos server could
not be started");
+ return;
+ }
+
+ Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+
+ WSSecHeader secHeader = new WSSecHeader();
+ secHeader.insertSecurityHeader(doc);
+
+ KerberosSecurity bst = new KerberosSecurity(doc);
+ CallbackHandler callbackHandler = new CallbackHandler() {
+ @Override
+ public void handle(Callback[] callbacks) throws IOException,
UnsupportedCallbackException {
+ if (callbacks[0] instanceof PasswordCallback) {
+ PasswordCallback passwordCallback =
(PasswordCallback)callbacks[0];
+ if (passwordCallback.getPrompt().contains("alice")) {
+ passwordCallback.setPassword("alice".toCharArray());
+ } else if (passwordCallback.getPrompt().contains("bob")) {
+ passwordCallback.setPassword("bob".toCharArray());
+ }
+ }
+ }
+ };
+ bst.retrieveServiceTicket("alice", callbackHandler,
"[email protected]");
+ bst.setID("Id-" + bst.hashCode());
+
+ WSSecEncrypt builder = new WSSecEncrypt();
+ builder.setSymmetricEncAlgorithm(WSConstants.AES_128);
+ SecretKey secretKey = bst.getSecretKey();
+ builder.setSymmetricKey(secretKey);
+ builder.setEncryptSymmKey(false);
+ builder.setCustomReferenceValue(WSConstants.WSS_GSS_KRB_V5_AP_REQ);
+ builder.setEncKeyId(bst.getID());
+
+ Document encryptedDoc = builder.build(doc, null, secHeader);
+
+ WSSecurityUtil.prependChildElement(secHeader.getSecurityHeader(),
bst.getElement());
+
+ if (LOG.isDebugEnabled()) {
+ String outputString =
+ XMLUtils.PrettyDocumentToString(encryptedDoc);
+ LOG.debug(outputString);
+ }
+
+ // Configure the Validator
+ WSSConfig wssConfig = WSSConfig.getNewInstance();
+ KerberosTokenValidator validator = new KerberosTokenValidator();
+ validator.setContextName("bob");
+ validator.setServiceName("[email protected]");
+ wssConfig.setValidator(WSSecurityEngine.BINARY_TOKEN, validator);
+ WSSecurityEngine secEngine = new WSSecurityEngine();
+ secEngine.setWssConfig(wssConfig);
+
+ List<WSSecurityEngineResult> results =
+ secEngine.processSecurityHeader(encryptedDoc, null,
callbackHandler, null);
+ WSSecurityEngineResult actionResult =
+ WSSecurityUtil.fetchActionResult(results, WSConstants.BST);
+ BinarySecurity token =
+
(BinarySecurity)actionResult.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
+ Assert.assertTrue(token != null);
+
+ Principal principal =
(Principal)actionResult.get(WSSecurityEngineResult.TAG_PRINCIPAL);
+ Assert.assertTrue(principal instanceof KerberosPrincipal);
+ Assert.assertTrue(principal.getName().contains("alice"));
+ }
+
+ /**
+ * Test using the KerberosSecurity class to retrieve a service ticket from
a KDC, wrap it
+ * in a BinarySecurityToken, and use the session key to encrypt the SOAP
Body.
+ */
+ @Test
+ public void testKerberosEncryptionKI() throws Exception {
+ if (!kerberosServerStarted) {
+ System.out.println("Skipping test because kerberos server could
not be started");
+ return;
+ }
+
+ Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+
+ WSSecHeader secHeader = new WSSecHeader();
+ secHeader.insertSecurityHeader(doc);
+
+ KerberosSecurity bst = new KerberosSecurity(doc);
+ CallbackHandler callbackHandler = new CallbackHandler() {
+ @Override
+ public void handle(Callback[] callbacks) throws IOException,
UnsupportedCallbackException {
+ if (callbacks[0] instanceof PasswordCallback) {
+ PasswordCallback passwordCallback =
(PasswordCallback)callbacks[0];
+ if (passwordCallback.getPrompt().contains("alice")) {
+ passwordCallback.setPassword("alice".toCharArray());
+ } else if (passwordCallback.getPrompt().contains("bob")) {
+ passwordCallback.setPassword("bob".toCharArray());
+ }
+ }
+ }
+ };
+ bst.retrieveServiceTicket("alice", callbackHandler,
"[email protected]");
+ bst.setID("Id-" + bst.hashCode());
+
+ WSSecEncrypt builder = new WSSecEncrypt();
+ builder.setSymmetricEncAlgorithm(WSConstants.AES_128);
+ SecretKey secretKey = bst.getSecretKey();
+ builder.setSymmetricKey(secretKey);
+ builder.setEncryptSymmKey(false);
+ builder.setCustomReferenceValue(WSConstants.WSS_KRB_KI_VALUE_TYPE);
+
+ byte[] digestBytes = WSSecurityUtil.generateDigest(bst.getToken());
+ builder.setEncKeyId(Base64.encode(digestBytes));
+
+ Document encryptedDoc = builder.build(doc, null, secHeader);
+
+ WSSecurityUtil.prependChildElement(secHeader.getSecurityHeader(),
bst.getElement());
+
+ if (LOG.isDebugEnabled()) {
+ String outputString =
+ XMLUtils.PrettyDocumentToString(encryptedDoc);
+ LOG.debug(outputString);
+ }
+
+ // Configure the Validator
+ WSSConfig wssConfig = WSSConfig.getNewInstance();
+ KerberosTokenValidator validator = new KerberosTokenValidator();
+ validator.setContextName("bob");
+ validator.setServiceName("[email protected]");
+ wssConfig.setValidator(WSSecurityEngine.BINARY_TOKEN, validator);
+ WSSecurityEngine secEngine = new WSSecurityEngine();
+ secEngine.setWssConfig(wssConfig);
+
+ List<WSSecurityEngineResult> results =
+ secEngine.processSecurityHeader(encryptedDoc, null,
callbackHandler, null);
+ WSSecurityEngineResult actionResult =
+ WSSecurityUtil.fetchActionResult(results, WSConstants.BST);
+ BinarySecurity token =
+
(BinarySecurity)actionResult.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
+ Assert.assertTrue(token != null);
+
+ Principal principal =
(Principal)actionResult.get(WSSecurityEngineResult.TAG_PRINCIPAL);
+ Assert.assertTrue(principal instanceof KerberosPrincipal);
+ Assert.assertTrue(principal.getName().contains("alice"));
+ }
+
+ //
+ // Streaming tests
+ //
@Test
public void testKerberosSignatureOutbound() throws Exception {
