More tests for PR #4

This commit is contained in:
Janne Valkealahti
2015-03-02 09:18:57 +00:00
parent 6777601072
commit 19f6f70aeb
2 changed files with 157 additions and 0 deletions

View File

@@ -19,6 +19,7 @@ import static org.hamcrest.CoreMatchers.is;
import static org.junit.Assert.assertThat;
import java.io.File;
import java.io.IOException;
import java.lang.annotation.Documented;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
@@ -46,12 +47,16 @@ import org.springframework.context.ConfigurableApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.http.client.ClientHttpResponse;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.security.extensions.kerberos.test.KerberosSecurityTestcase;
import org.springframework.security.extensions.kerberos.test.MiniKdc;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.client.DefaultResponseErrorHandler;
import org.springframework.web.client.RestTemplate;
public class KerberosRestTemplateTests extends KerberosSecurityTestcase {
@@ -96,6 +101,42 @@ public class KerberosRestTemplateTests extends KerberosSecurityTestcase {
assertThat(response, is("home"));
}
@Test
public void testSpnegoWithForward() throws Exception {
MiniKdc kdc = getKdc();
File workDir = getWorkDir();
String host = InetAddress.getLocalHost().getCanonicalHostName();
String serverPrincipal = "HTTP/" + host;
File serverKeytab = new File(workDir, "server.keytab");
kdc.createPrincipal(serverKeytab, serverPrincipal);
context = SpringApplication.run(new Object[] { WebSecurityConfigSpnegoForward.class, VanillaWebConfiguration.class,
WebConfiguration.class }, new String[] { "--security.basic.enabled=true",
"--security.user.name=username", "--security.user.password=password",
"--serverPrincipal=" + serverPrincipal, "--serverKeytab=" + serverKeytab.getAbsolutePath() });
PortInitListener portInitListener = context.getBean(PortInitListener.class);
assertThat(portInitListener.latch.await(10, TimeUnit.SECONDS), is(true));
int port = portInitListener.port;
// TODO: should tweak minikdc so that we can use kerberos principals
// which are not valid, for now just use plain RestTemplate
// just checking that we get 401 which we skip and
// get login page content
RestTemplate restTemplate = new RestTemplate(new HttpComponentsClientHttpRequestFactory());
restTemplate.setErrorHandler(new DefaultResponseErrorHandler() {
@Override
public void handleError(ClientHttpResponse response) throws IOException {
}
});
String response = restTemplate.getForObject("http://" + host + ":" + port + "/hello", String.class);
assertThat(response, is("login"));
}
protected static class PortInitListener implements ApplicationListener<EmbeddedServletContainerInitializedEvent> {
public int port;
@@ -136,6 +177,12 @@ public class KerberosRestTemplateTests extends KerberosSecurityTestcase {
return "home";
}
@RequestMapping(method = RequestMethod.GET, value = "/login")
@ResponseBody
public String login() {
return "login";
}
}
@Configuration

View File

@@ -0,0 +1,110 @@
/*
* Copyright 2015 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.extensions.kerberos.client;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.FileSystemResource;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider;
import org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator;
import org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter;
import org.springframework.security.extensions.kerberos.web.SpnegoEntryPoint;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
@Configuration
@EnableWebMvcSecurity
public class WebSecurityConfigSpnegoForward extends WebSecurityConfigurerAdapter {
@Value("${serverPrincipal}")
private String serverPrincipal;
@Value("${serverKeytab}")
private String serverKeytab;
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.exceptionHandling().authenticationEntryPoint(spnegoEntryPoint()).and()
.authorizeRequests()
.antMatchers("/", "/home", "/login").permitAll()
.antMatchers("/hello").access("hasRole('ROLE_USER')")
.anyRequest().authenticated()
.and()
.addFilterBefore(spnegoAuthenticationProcessingFilter(authenticationManagerBean()), BasicAuthenticationFilter.class);
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(kerberosServiceAuthenticationProvider());
}
@Bean
public SpnegoEntryPoint spnegoEntryPoint() {
return new SpnegoEntryPoint("/login");
}
@Bean
public SpnegoAuthenticationProcessingFilter spnegoAuthenticationProcessingFilter(
AuthenticationManager authenticationManager) {
SpnegoAuthenticationProcessingFilter filter = new SpnegoAuthenticationProcessingFilter();
filter.setAuthenticationManager(authenticationManager);
return filter;
}
@Bean
public KerberosServiceAuthenticationProvider kerberosServiceAuthenticationProvider() {
KerberosServiceAuthenticationProvider provider = new KerberosServiceAuthenticationProvider();
provider.setTicketValidator(sunJaasKerberosTicketValidator());
provider.setUserDetailsService(dummyUserDetailsService());
return provider;
}
@Bean
public SunJaasKerberosTicketValidator sunJaasKerberosTicketValidator() {
SunJaasKerberosTicketValidator ticketValidator = new SunJaasKerberosTicketValidator();
ticketValidator.setServicePrincipal(serverPrincipal);
ticketValidator.setKeyTabLocation(new FileSystemResource(serverKeytab));
ticketValidator.setDebug(true);
return ticketValidator;
}
@Bean
public DummyUserDetailsService dummyUserDetailsService() {
return new DummyUserDetailsService();
}
static class DummyUserDetailsService implements UserDetailsService {
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
return new User(username, "notUsed", true, true, true, true,
AuthorityUtils.createAuthorityList("ROLE_USER"));
}
}
}