Tabs -> Spaces
This commit is contained in:
@@ -31,18 +31,18 @@ import org.springframework.util.Assert;
|
||||
|
||||
|
||||
/**
|
||||
* <p>Authentication Provider which validates Kerberos Service Tickets
|
||||
* <p>Authentication Provider which validates Kerberos Service Tickets
|
||||
* or SPNEGO Tokens (which includes Kerberos Service Tickets).</p>
|
||||
*
|
||||
*
|
||||
* <p>It needs a <code>KerberosTicketValidator</code>, which contains the
|
||||
* code to validate the ticket, as this code is different between
|
||||
* SUN and IBM JRE.<br>
|
||||
* It also needs an <code>UserDetailsService</code> to load the user properties
|
||||
* and the <code>GrantedAuthorities</code>, as we only get back the username
|
||||
* from Kerbeos</p>
|
||||
*
|
||||
*
|
||||
* You can see an example configuration in <code>SpnegoAuthenticationProcessingFilter</code>.
|
||||
*
|
||||
*
|
||||
* @author Mike Wiesner
|
||||
* @since 1.0
|
||||
* @version $Id$
|
||||
@@ -51,76 +51,76 @@ import org.springframework.util.Assert;
|
||||
* @see SpnegoAuthenticationProcessingFilter
|
||||
*/
|
||||
public class KerberosServiceAuthenticationProvider implements
|
||||
AuthenticationProvider, InitializingBean {
|
||||
|
||||
private static final Log LOG = LogFactory.getLog(KerberosServiceAuthenticationProvider.class);
|
||||
|
||||
private KerberosTicketValidator ticketValidator;
|
||||
private UserDetailsService userDetailsService;
|
||||
private UserDetailsChecker userDetailsChecker = new AccountStatusUserDetailsChecker();
|
||||
|
||||
|
||||
/** The <code>UserDetailsService</code> to use, for loading the user properties
|
||||
* and the <code>GrantedAuthorities</code>.
|
||||
*/
|
||||
public void setUserDetailsService(UserDetailsService userDetailsService) {
|
||||
this.userDetailsService = userDetailsService;
|
||||
}
|
||||
AuthenticationProvider, InitializingBean {
|
||||
|
||||
/** The <code>KerberosTicketValidator</code> to use, for validating
|
||||
* the Kerberos/SPNEGO tickets.
|
||||
*/
|
||||
public void setTicketValidator(KerberosTicketValidator ticketValidator) {
|
||||
this.ticketValidator = ticketValidator;
|
||||
}
|
||||
private static final Log LOG = LogFactory.getLog(KerberosServiceAuthenticationProvider.class);
|
||||
|
||||
/* (non-Javadoc)
|
||||
* @see org.springframework.security.authentication.AuthenticationProvider#authenticate(org.springframework.security.core.Authentication)
|
||||
*/
|
||||
@Override
|
||||
public Authentication authenticate(Authentication authentication)
|
||||
throws AuthenticationException {
|
||||
KerberosServiceRequestToken auth = (KerberosServiceRequestToken) authentication;
|
||||
byte[] token = auth.getToken();
|
||||
LOG.debug("Try to validate Kerberos Token");
|
||||
String username = this.ticketValidator.validateTicket(token);
|
||||
LOG.debug("Succesfully validated " + username);
|
||||
UserDetails userDetails = this.userDetailsService.loadUserByUsername(username);
|
||||
userDetailsChecker.check(userDetails);
|
||||
additionalAuthenticationChecks(userDetails, auth);
|
||||
return new KerberosServiceRequestToken(userDetails, userDetails.getAuthorities(), token);
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Allows subclasses to perform any additional checks of a returned <code>UserDetails</code>
|
||||
* for a given authentication request.
|
||||
*
|
||||
* @param userDetails as retrieved from the {@link UserDetailsService}
|
||||
* @param authentication validated {@link KerberosServiceRequestToken}
|
||||
* @throws AuthenticationException AuthenticationException if the credentials could not be validated (generally a
|
||||
* <code>BadCredentialsException</code>, an <code>AuthenticationServiceException</code>)
|
||||
*/
|
||||
protected void additionalAuthenticationChecks(UserDetails userDetails, KerberosServiceRequestToken authentication)
|
||||
throws AuthenticationException {
|
||||
|
||||
private KerberosTicketValidator ticketValidator;
|
||||
private UserDetailsService userDetailsService;
|
||||
private UserDetailsChecker userDetailsChecker = new AccountStatusUserDetailsChecker();
|
||||
|
||||
|
||||
/** The <code>UserDetailsService</code> to use, for loading the user properties
|
||||
* and the <code>GrantedAuthorities</code>.
|
||||
*/
|
||||
public void setUserDetailsService(UserDetailsService userDetailsService) {
|
||||
this.userDetailsService = userDetailsService;
|
||||
}
|
||||
|
||||
/* (non-Javadoc)
|
||||
* @see org.springframework.security.authentication.AuthenticationProvider#supports(java.lang.Class)
|
||||
*/
|
||||
@Override
|
||||
public boolean supports(Class<? extends Object> auth) {
|
||||
return KerberosServiceRequestToken.class.isAssignableFrom(auth);
|
||||
}
|
||||
/** The <code>KerberosTicketValidator</code> to use, for validating
|
||||
* the Kerberos/SPNEGO tickets.
|
||||
*/
|
||||
public void setTicketValidator(KerberosTicketValidator ticketValidator) {
|
||||
this.ticketValidator = ticketValidator;
|
||||
}
|
||||
|
||||
/* (non-Javadoc)
|
||||
* @see org.springframework.beans.factory.InitializingBean#afterPropertiesSet()
|
||||
*/
|
||||
@Override
|
||||
public void afterPropertiesSet() throws Exception {
|
||||
Assert.notNull(this.ticketValidator, "ticketValidator must be specified");
|
||||
Assert.notNull(this.userDetailsService, "userDetailsService must be specified");
|
||||
}
|
||||
/* (non-Javadoc)
|
||||
* @see org.springframework.security.authentication.AuthenticationProvider#authenticate(org.springframework.security.core.Authentication)
|
||||
*/
|
||||
@Override
|
||||
public Authentication authenticate(Authentication authentication)
|
||||
throws AuthenticationException {
|
||||
KerberosServiceRequestToken auth = (KerberosServiceRequestToken) authentication;
|
||||
byte[] token = auth.getToken();
|
||||
LOG.debug("Try to validate Kerberos Token");
|
||||
String username = this.ticketValidator.validateTicket(token);
|
||||
LOG.debug("Succesfully validated " + username);
|
||||
UserDetails userDetails = this.userDetailsService.loadUserByUsername(username);
|
||||
userDetailsChecker.check(userDetails);
|
||||
additionalAuthenticationChecks(userDetails, auth);
|
||||
return new KerberosServiceRequestToken(userDetails, userDetails.getAuthorities(), token);
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Allows subclasses to perform any additional checks of a returned <code>UserDetails</code>
|
||||
* for a given authentication request.
|
||||
*
|
||||
* @param userDetails as retrieved from the {@link UserDetailsService}
|
||||
* @param authentication validated {@link KerberosServiceRequestToken}
|
||||
* @throws AuthenticationException AuthenticationException if the credentials could not be validated (generally a
|
||||
* <code>BadCredentialsException</code>, an <code>AuthenticationServiceException</code>)
|
||||
*/
|
||||
protected void additionalAuthenticationChecks(UserDetails userDetails, KerberosServiceRequestToken authentication)
|
||||
throws AuthenticationException {
|
||||
|
||||
}
|
||||
|
||||
/* (non-Javadoc)
|
||||
* @see org.springframework.security.authentication.AuthenticationProvider#supports(java.lang.Class)
|
||||
*/
|
||||
@Override
|
||||
public boolean supports(Class<? extends Object> auth) {
|
||||
return KerberosServiceRequestToken.class.isAssignableFrom(auth);
|
||||
}
|
||||
|
||||
/* (non-Javadoc)
|
||||
* @see org.springframework.beans.factory.InitializingBean#afterPropertiesSet()
|
||||
*/
|
||||
@Override
|
||||
public void afterPropertiesSet() throws Exception {
|
||||
Assert.notNull(this.ticketValidator, "ticketValidator must be specified");
|
||||
Assert.notNull(this.userDetailsService, "userDetailsService must be specified");
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@@ -27,11 +27,11 @@ import org.springframework.security.extensions.kerberos.web.SpnegoAuthentication
|
||||
/**
|
||||
* Holds the Kerberos/SPNEGO token for requesting a kerberized service
|
||||
* and is also the output of <code>KerberosServiceAuthenticationProvider</code>.<br>
|
||||
* Will mostly be created in <code>SpnegoAuthenticationProcessingFilter</code>
|
||||
* Will mostly be created in <code>SpnegoAuthenticationProcessingFilter</code>
|
||||
* and authenticated in <code>KerberosServiceAuthenticationProvider</code>.
|
||||
*
|
||||
*
|
||||
* This token cannot be re-authenticated, as you will get a Kerberos Reply error.
|
||||
*
|
||||
*
|
||||
* @author Mike Wiesner
|
||||
* @since 1.0
|
||||
* @version $Id$
|
||||
@@ -41,84 +41,84 @@ import org.springframework.security.extensions.kerberos.web.SpnegoAuthentication
|
||||
|
||||
public class KerberosServiceRequestToken extends AbstractAuthenticationToken {
|
||||
|
||||
private static final long serialVersionUID = 395488921064775014L;
|
||||
private final byte[] token;
|
||||
private final Object principal;
|
||||
|
||||
/** Creates an authenticated token, normally used as an output of an authentication provider.
|
||||
* @param principal the user principal (mostly of instance <code>UserDetails</code>
|
||||
* @param authorities the authorities which are granted to the user
|
||||
* @param token the Kerberos/SPNEGO token
|
||||
* @see UserDetails
|
||||
*/
|
||||
public KerberosServiceRequestToken(Object principal, List<GrantedAuthority> authorities, byte[] token) {
|
||||
super(authorities);
|
||||
this.token = token;
|
||||
this.principal = principal;
|
||||
super.setAuthenticated(true);
|
||||
}
|
||||
private static final long serialVersionUID = 395488921064775014L;
|
||||
private final byte[] token;
|
||||
private final Object principal;
|
||||
|
||||
/**
|
||||
* Creates an unauthenticated instance which should then be authenticated by
|
||||
* <code>KerberosServiceAuthenticationProvider/code>
|
||||
*
|
||||
* @param token Kerberos/SPNEGO token
|
||||
* @see KerberosServiceAuthenticationProvider
|
||||
*/
|
||||
public KerberosServiceRequestToken(byte[] token) {
|
||||
super(null);
|
||||
this.token = token;
|
||||
this.principal = null;
|
||||
}
|
||||
/** Creates an authenticated token, normally used as an output of an authentication provider.
|
||||
* @param principal the user principal (mostly of instance <code>UserDetails</code>
|
||||
* @param authorities the authorities which are granted to the user
|
||||
* @param token the Kerberos/SPNEGO token
|
||||
* @see UserDetails
|
||||
*/
|
||||
public KerberosServiceRequestToken(Object principal, List<GrantedAuthority> authorities, byte[] token) {
|
||||
super(authorities);
|
||||
this.token = token;
|
||||
this.principal = principal;
|
||||
super.setAuthenticated(true);
|
||||
}
|
||||
|
||||
/**
|
||||
* Calculates hashcode based on the Kerberos token
|
||||
*/
|
||||
@Override
|
||||
public int hashCode() {
|
||||
final int prime = 31;
|
||||
int result = super.hashCode();
|
||||
result = prime * result + Arrays.hashCode(token);
|
||||
return result;
|
||||
}
|
||||
/**
|
||||
* Creates an unauthenticated instance which should then be authenticated by
|
||||
* <code>KerberosServiceAuthenticationProvider/code>
|
||||
*
|
||||
* @param token Kerberos/SPNEGO token
|
||||
* @see KerberosServiceAuthenticationProvider
|
||||
*/
|
||||
public KerberosServiceRequestToken(byte[] token) {
|
||||
super(null);
|
||||
this.token = token;
|
||||
this.principal = null;
|
||||
}
|
||||
|
||||
/**
|
||||
* equals() is based only on the Kerberos token
|
||||
*/
|
||||
@Override
|
||||
public boolean equals(Object obj) {
|
||||
if (this == obj)
|
||||
return true;
|
||||
if (!super.equals(obj))
|
||||
return false;
|
||||
if (getClass() != obj.getClass())
|
||||
return false;
|
||||
KerberosServiceRequestToken other = (KerberosServiceRequestToken) obj;
|
||||
if (!Arrays.equals(token, other.token))
|
||||
return false;
|
||||
return true;
|
||||
}
|
||||
/**
|
||||
* Calculates hashcode based on the Kerberos token
|
||||
*/
|
||||
@Override
|
||||
public int hashCode() {
|
||||
final int prime = 31;
|
||||
int result = super.hashCode();
|
||||
result = prime * result + Arrays.hashCode(token);
|
||||
return result;
|
||||
}
|
||||
|
||||
/* (non-Javadoc)
|
||||
* @see org.springframework.security.core.Authentication#getCredentials()
|
||||
*/
|
||||
@Override
|
||||
public Object getCredentials() {
|
||||
return null;
|
||||
}
|
||||
/**
|
||||
* equals() is based only on the Kerberos token
|
||||
*/
|
||||
@Override
|
||||
public boolean equals(Object obj) {
|
||||
if (this == obj)
|
||||
return true;
|
||||
if (!super.equals(obj))
|
||||
return false;
|
||||
if (getClass() != obj.getClass())
|
||||
return false;
|
||||
KerberosServiceRequestToken other = (KerberosServiceRequestToken) obj;
|
||||
if (!Arrays.equals(token, other.token))
|
||||
return false;
|
||||
return true;
|
||||
}
|
||||
|
||||
/* (non-Javadoc)
|
||||
* @see org.springframework.security.core.Authentication#getPrincipal()
|
||||
*/
|
||||
@Override
|
||||
public Object getPrincipal() {
|
||||
return this.principal;
|
||||
}
|
||||
/* (non-Javadoc)
|
||||
* @see org.springframework.security.core.Authentication#getCredentials()
|
||||
*/
|
||||
@Override
|
||||
public Object getCredentials() {
|
||||
return null;
|
||||
}
|
||||
|
||||
/** Returns the Kerberos token
|
||||
*/
|
||||
public byte[] getToken() {
|
||||
return this.token;
|
||||
}
|
||||
/* (non-Javadoc)
|
||||
* @see org.springframework.security.core.Authentication#getPrincipal()
|
||||
*/
|
||||
@Override
|
||||
public Object getPrincipal() {
|
||||
return this.principal;
|
||||
}
|
||||
|
||||
/** Returns the Kerberos token
|
||||
*/
|
||||
public byte[] getToken() {
|
||||
return this.token;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@@ -21,7 +21,7 @@ import org.springframework.security.authentication.BadCredentialsException;
|
||||
/**
|
||||
* Implementations of this interface are used in
|
||||
* {@link KerberosServiceAuthenticationProvider} to validate a Kerberos/SPNEGO Ticket.
|
||||
*
|
||||
*
|
||||
* @author Mike Wiesner
|
||||
* @since 1.0
|
||||
* @version $Id$
|
||||
@@ -29,11 +29,11 @@ import org.springframework.security.authentication.BadCredentialsException;
|
||||
*/
|
||||
public interface KerberosTicketValidator {
|
||||
|
||||
/** Validates a Kerberos/SPNEGO ticket.
|
||||
* @param token Kerbeos/SPNEGO ticket
|
||||
* @return authenticated kerberos principal
|
||||
* @throws BadCredentialsException if the ticket is not valid
|
||||
*/
|
||||
public String validateTicket(byte[] token) throws BadCredentialsException;
|
||||
/** Validates a Kerberos/SPNEGO ticket.
|
||||
* @param token Kerbeos/SPNEGO ticket
|
||||
* @return authenticated kerberos principal
|
||||
* @throws BadCredentialsException if the ticket is not valid
|
||||
*/
|
||||
public String validateTicket(byte[] token) throws BadCredentialsException;
|
||||
|
||||
}
|
||||
@@ -39,142 +39,142 @@ import org.springframework.util.Assert;
|
||||
|
||||
/**
|
||||
* Implementation of {@link KerberosTicketValidator} which uses the SUN JAAS
|
||||
* login module, which is included in the SUN JRE, it will not work with an IBM JRE.
|
||||
* login module, which is included in the SUN JRE, it will not work with an IBM JRE.
|
||||
* The whole configuration is done in this class, no additional JAAS configuration
|
||||
* is needed.
|
||||
*
|
||||
*
|
||||
* @author Mike Wiesner
|
||||
* @since 1.0
|
||||
* @version $Id$
|
||||
*/
|
||||
public class SunJaasKerberosTicketValidator implements KerberosTicketValidator, InitializingBean {
|
||||
|
||||
private String servicePrincipal;
|
||||
private Resource keyTabLocation;
|
||||
private Subject serviceSubject;
|
||||
private boolean debug = false;
|
||||
private String servicePrincipal;
|
||||
private Resource keyTabLocation;
|
||||
private Subject serviceSubject;
|
||||
private boolean debug = false;
|
||||
|
||||
/* (non-Javadoc)
|
||||
* @see org.springframework.security.extensions.kerberos.KerberosTicketValidator#validateTicket(byte[])
|
||||
*/
|
||||
public String validateTicket(byte[] token) {
|
||||
String username = null;
|
||||
try {
|
||||
username = Subject.doAs(this.serviceSubject, new KerberosValidateAction(token));
|
||||
} catch (PrivilegedActionException e) {
|
||||
throw new BadCredentialsException("Kerberos validation not succesfull", e);
|
||||
}
|
||||
return username;
|
||||
}
|
||||
/* (non-Javadoc)
|
||||
* @see org.springframework.security.extensions.kerberos.KerberosTicketValidator#validateTicket(byte[])
|
||||
*/
|
||||
public String validateTicket(byte[] token) {
|
||||
String username = null;
|
||||
try {
|
||||
username = Subject.doAs(this.serviceSubject, new KerberosValidateAction(token));
|
||||
} catch (PrivilegedActionException e) {
|
||||
throw new BadCredentialsException("Kerberos validation not succesfull", e);
|
||||
}
|
||||
return username;
|
||||
}
|
||||
|
||||
/** The service principal of the application.
|
||||
* For web apps this is <code>HTTP/full-qualified-domain-name@DOMAIN</code>.
|
||||
* The keytab must contain the key for this principal.
|
||||
*
|
||||
* @param servicePrincipal service principal to use
|
||||
* @see #setKeyTabLocation(Resource)
|
||||
*/
|
||||
public void setServicePrincipal(String servicePrincipal) {
|
||||
this.servicePrincipal = servicePrincipal;
|
||||
}
|
||||
/** The service principal of the application.
|
||||
* For web apps this is <code>HTTP/full-qualified-domain-name@DOMAIN</code>.
|
||||
* The keytab must contain the key for this principal.
|
||||
*
|
||||
* @param servicePrincipal service principal to use
|
||||
* @see #setKeyTabLocation(Resource)
|
||||
*/
|
||||
public void setServicePrincipal(String servicePrincipal) {
|
||||
this.servicePrincipal = servicePrincipal;
|
||||
}
|
||||
|
||||
/**
|
||||
* The location of the keytab. You can use the normale Spring Resource
|
||||
* prefixes like <code>file:</code> or <code>classpath:</code>, but as the
|
||||
* file is later on read by JAAS, we cannot guarantee that <code>classpath</code>
|
||||
* works in every environment, esp. not in Java EE application servers. You
|
||||
* should use <code>file:</code> there.
|
||||
*
|
||||
* @param keyTabLocation The location where the keytab resides
|
||||
*/
|
||||
public void setKeyTabLocation(Resource keyTabLocation) {
|
||||
this.keyTabLocation = keyTabLocation;
|
||||
}
|
||||
|
||||
/** Enables the debug mode of the JAAS Kerberos login module
|
||||
* @param debug default is false
|
||||
*/
|
||||
public void setDebug(boolean debug) {
|
||||
this.debug = debug;
|
||||
}
|
||||
/**
|
||||
* The location of the keytab. You can use the normale Spring Resource
|
||||
* prefixes like <code>file:</code> or <code>classpath:</code>, but as the
|
||||
* file is later on read by JAAS, we cannot guarantee that <code>classpath</code>
|
||||
* works in every environment, esp. not in Java EE application servers. You
|
||||
* should use <code>file:</code> there.
|
||||
*
|
||||
* @param keyTabLocation The location where the keytab resides
|
||||
*/
|
||||
public void setKeyTabLocation(Resource keyTabLocation) {
|
||||
this.keyTabLocation = keyTabLocation;
|
||||
}
|
||||
|
||||
/* (non-Javadoc)
|
||||
* @see org.springframework.beans.factory.InitializingBean#afterPropertiesSet()
|
||||
*/
|
||||
@Override
|
||||
public void afterPropertiesSet() throws Exception {
|
||||
Assert.notNull(this.servicePrincipal, "servicePrincipal must be specified");
|
||||
Assert.notNull(this.keyTabLocation, "keyTab must be specified");
|
||||
LoginConfig loginConfig = new LoginConfig(this.keyTabLocation.getURL().toExternalForm(), this.servicePrincipal,
|
||||
this.debug);
|
||||
Set<Principal> princ = new HashSet<Principal>(1);
|
||||
princ.add(new KerberosPrincipal(this.servicePrincipal));
|
||||
Subject sub = new Subject(false, princ, new HashSet<Object>(), new HashSet<Object>());
|
||||
LoginContext lc = new LoginContext("", sub, null, loginConfig);
|
||||
lc.login();
|
||||
this.serviceSubject = lc.getSubject();
|
||||
}
|
||||
/** Enables the debug mode of the JAAS Kerberos login module
|
||||
* @param debug default is false
|
||||
*/
|
||||
public void setDebug(boolean debug) {
|
||||
this.debug = debug;
|
||||
}
|
||||
|
||||
/**
|
||||
* This class is needed, because the validation must run with previously generated JAAS subject
|
||||
* which belongs to the service principal and was loaded out of the keytab during startup.
|
||||
*
|
||||
* @author Mike Wiesner
|
||||
* @since 1.0
|
||||
*/
|
||||
private static class KerberosValidateAction implements PrivilegedExceptionAction<String> {
|
||||
byte[] kerberosTicket;
|
||||
/* (non-Javadoc)
|
||||
* @see org.springframework.beans.factory.InitializingBean#afterPropertiesSet()
|
||||
*/
|
||||
@Override
|
||||
public void afterPropertiesSet() throws Exception {
|
||||
Assert.notNull(this.servicePrincipal, "servicePrincipal must be specified");
|
||||
Assert.notNull(this.keyTabLocation, "keyTab must be specified");
|
||||
LoginConfig loginConfig = new LoginConfig(this.keyTabLocation.getURL().toExternalForm(), this.servicePrincipal,
|
||||
this.debug);
|
||||
Set<Principal> princ = new HashSet<Principal>(1);
|
||||
princ.add(new KerberosPrincipal(this.servicePrincipal));
|
||||
Subject sub = new Subject(false, princ, new HashSet<Object>(), new HashSet<Object>());
|
||||
LoginContext lc = new LoginContext("", sub, null, loginConfig);
|
||||
lc.login();
|
||||
this.serviceSubject = lc.getSubject();
|
||||
}
|
||||
|
||||
public KerberosValidateAction(byte[] kerberosTicket) {
|
||||
this.kerberosTicket = kerberosTicket;
|
||||
}
|
||||
/**
|
||||
* This class is needed, because the validation must run with previously generated JAAS subject
|
||||
* which belongs to the service principal and was loaded out of the keytab during startup.
|
||||
*
|
||||
* @author Mike Wiesner
|
||||
* @since 1.0
|
||||
*/
|
||||
private static class KerberosValidateAction implements PrivilegedExceptionAction<String> {
|
||||
byte[] kerberosTicket;
|
||||
|
||||
@Override
|
||||
public String run() throws Exception {
|
||||
GSSContext context = GSSManager.getInstance().createContext((GSSCredential) null);
|
||||
context.acceptSecContext(kerberosTicket, 0, kerberosTicket.length);
|
||||
String user = context.getSrcName().toString();
|
||||
context.dispose();
|
||||
return user;
|
||||
}
|
||||
public KerberosValidateAction(byte[] kerberosTicket) {
|
||||
this.kerberosTicket = kerberosTicket;
|
||||
}
|
||||
|
||||
}
|
||||
@Override
|
||||
public String run() throws Exception {
|
||||
GSSContext context = GSSManager.getInstance().createContext((GSSCredential) null);
|
||||
context.acceptSecContext(kerberosTicket, 0, kerberosTicket.length);
|
||||
String user = context.getSrcName().toString();
|
||||
context.dispose();
|
||||
return user;
|
||||
}
|
||||
|
||||
/**
|
||||
* Normally you need a JAAS config file in order to use the JAAS Kerberos Login Module,
|
||||
* with this class it is not needed and you can have different configurations in one JVM.
|
||||
*
|
||||
* @author Mike Wiesner
|
||||
* @since 1.0
|
||||
*/
|
||||
private static class LoginConfig extends Configuration {
|
||||
private String keyTabLocation;
|
||||
private String servicePrincipalName;
|
||||
private boolean debug;
|
||||
}
|
||||
|
||||
public LoginConfig(String keyTabLocation, String servicePrincipalName, boolean debug) {
|
||||
this.keyTabLocation = keyTabLocation;
|
||||
this.servicePrincipalName = servicePrincipalName;
|
||||
this.debug = debug;
|
||||
}
|
||||
/**
|
||||
* Normally you need a JAAS config file in order to use the JAAS Kerberos Login Module,
|
||||
* with this class it is not needed and you can have different configurations in one JVM.
|
||||
*
|
||||
* @author Mike Wiesner
|
||||
* @since 1.0
|
||||
*/
|
||||
private static class LoginConfig extends Configuration {
|
||||
private String keyTabLocation;
|
||||
private String servicePrincipalName;
|
||||
private boolean debug;
|
||||
|
||||
@Override
|
||||
public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
|
||||
HashMap<String, String> options = new HashMap<String, String>();
|
||||
options.put("useKeyTab", "true");
|
||||
options.put("keyTab", this.keyTabLocation);
|
||||
options.put("principal", this.servicePrincipalName);
|
||||
options.put("storeKey", "true");
|
||||
options.put("doNotPrompt", "true");
|
||||
if (this.debug) {
|
||||
options.put("debug", "true");
|
||||
}
|
||||
options.put("isInitiator", "false");
|
||||
public LoginConfig(String keyTabLocation, String servicePrincipalName, boolean debug) {
|
||||
this.keyTabLocation = keyTabLocation;
|
||||
this.servicePrincipalName = servicePrincipalName;
|
||||
this.debug = debug;
|
||||
}
|
||||
|
||||
return new AppConfigurationEntry[] { new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
|
||||
AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options), };
|
||||
}
|
||||
@Override
|
||||
public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
|
||||
HashMap<String, String> options = new HashMap<String, String>();
|
||||
options.put("useKeyTab", "true");
|
||||
options.put("keyTab", this.keyTabLocation);
|
||||
options.put("principal", this.servicePrincipalName);
|
||||
options.put("storeKey", "true");
|
||||
options.put("doNotPrompt", "true");
|
||||
if (this.debug) {
|
||||
options.put("debug", "true");
|
||||
}
|
||||
options.put("isInitiator", "false");
|
||||
|
||||
}
|
||||
return new AppConfigurationEntry[] { new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
|
||||
AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options), };
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@@ -39,7 +39,7 @@ import org.springframework.web.filter.GenericFilterBean;
|
||||
* Parses the SPNEGO authentication Header, which was generated by the browser
|
||||
* and creates a {@link KerberosServiceRequestToken} out if it. It will then call the
|
||||
* {@link AuthenticationManager}.
|
||||
*
|
||||
*
|
||||
* <p>A typical Spring Security configuration might look like this:</p>
|
||||
* <pre>
|
||||
* <beans xmlns="http://www.springframework.org/schema/beans"
|
||||
@@ -73,7 +73,7 @@ import org.springframework.web.filter.GenericFilterBean;
|
||||
* </property>
|
||||
* <property name="userDetailsService" ref="inMemoryUserDetailsService" />
|
||||
* </bean>
|
||||
*
|
||||
*
|
||||
* <bean id="inMemoryUserDetailsService"
|
||||
* class="org.springframework.security.core.userdetails.memory.InMemoryDaoImpl">
|
||||
* <property name="userProperties">
|
||||
@@ -84,7 +84,7 @@ import org.springframework.web.filter.GenericFilterBean;
|
||||
* </bean>
|
||||
* </beans>
|
||||
* </pre>
|
||||
*
|
||||
*
|
||||
* @author Mike Wiesner
|
||||
* @since 1.0
|
||||
* @version $Id$
|
||||
@@ -93,62 +93,62 @@ import org.springframework.web.filter.GenericFilterBean;
|
||||
*/
|
||||
public class SpnegoAuthenticationProcessingFilter extends GenericFilterBean {
|
||||
|
||||
private AuthenticationManager authenticationManager;
|
||||
private AuthenticationManager authenticationManager;
|
||||
|
||||
@Override
|
||||
public void doFilter(ServletRequest req, ServletResponse res,
|
||||
FilterChain chain) throws IOException, ServletException {
|
||||
HttpServletRequest request = (HttpServletRequest) req;
|
||||
HttpServletResponse response = (HttpServletResponse) res;
|
||||
@Override
|
||||
public void doFilter(ServletRequest req, ServletResponse res,
|
||||
FilterChain chain) throws IOException, ServletException {
|
||||
HttpServletRequest request = (HttpServletRequest) req;
|
||||
HttpServletResponse response = (HttpServletResponse) res;
|
||||
|
||||
String header = request.getHeader("Authorization");
|
||||
String header = request.getHeader("Authorization");
|
||||
|
||||
|
||||
if ((header != null) && header.startsWith("Negotiate ")) {
|
||||
if (logger.isDebugEnabled()) {
|
||||
logger.debug("Received Negotiate Header for request "+ request.getRequestURL()+ ": " + header);
|
||||
}
|
||||
String base64Token = header.substring(10);
|
||||
byte[] kerberosTicket = Base64.decodeBase64(base64Token.trim()
|
||||
.getBytes());
|
||||
KerberosServiceRequestToken authenticationRequest = new KerberosServiceRequestToken(
|
||||
kerberosTicket);
|
||||
Authentication authentication;
|
||||
try {
|
||||
authentication = authenticationManager
|
||||
.authenticate(authenticationRequest);
|
||||
} catch (AuthenticationException e) {
|
||||
// That shouldn't happen, as it is most likely a wrong configuration on the server side
|
||||
logger.warn("Negotiate Header was invalid: "+header, e);
|
||||
SecurityContextHolder.clearContext();
|
||||
response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
|
||||
response.flushBuffer();
|
||||
return;
|
||||
}
|
||||
SecurityContextHolder.getContext()
|
||||
.setAuthentication(authentication);
|
||||
}
|
||||
if ((header != null) && header.startsWith("Negotiate ")) {
|
||||
if (logger.isDebugEnabled()) {
|
||||
logger.debug("Received Negotiate Header for request "+ request.getRequestURL()+ ": " + header);
|
||||
}
|
||||
String base64Token = header.substring(10);
|
||||
byte[] kerberosTicket = Base64.decodeBase64(base64Token.trim()
|
||||
.getBytes());
|
||||
KerberosServiceRequestToken authenticationRequest = new KerberosServiceRequestToken(
|
||||
kerberosTicket);
|
||||
Authentication authentication;
|
||||
try {
|
||||
authentication = authenticationManager
|
||||
.authenticate(authenticationRequest);
|
||||
} catch (AuthenticationException e) {
|
||||
// That shouldn't happen, as it is most likely a wrong configuration on the server side
|
||||
logger.warn("Negotiate Header was invalid: "+header, e);
|
||||
SecurityContextHolder.clearContext();
|
||||
response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
|
||||
response.flushBuffer();
|
||||
return;
|
||||
}
|
||||
SecurityContextHolder.getContext()
|
||||
.setAuthentication(authentication);
|
||||
}
|
||||
|
||||
chain.doFilter(request, response);
|
||||
chain.doFilter(request, response);
|
||||
|
||||
}
|
||||
|
||||
/**
|
||||
* The authentication manager for validating the ticket.
|
||||
*
|
||||
* @param authenticationManager
|
||||
*/
|
||||
public void setAuthenticationManager(AuthenticationManager authenticationManager) {
|
||||
this.authenticationManager = authenticationManager;
|
||||
}
|
||||
|
||||
/* (non-Javadoc)
|
||||
* @see org.springframework.web.filter.GenericFilterBean#afterPropertiesSet()
|
||||
*/
|
||||
@Override
|
||||
public void afterPropertiesSet() throws ServletException {
|
||||
super.afterPropertiesSet();
|
||||
Assert.notNull(this.authenticationManager, "authenticationManager must be specified");
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* The authentication manager for validating the ticket.
|
||||
*
|
||||
* @param authenticationManager
|
||||
*/
|
||||
public void setAuthenticationManager(AuthenticationManager authenticationManager) {
|
||||
this.authenticationManager = authenticationManager;
|
||||
}
|
||||
|
||||
/* (non-Javadoc)
|
||||
* @see org.springframework.web.filter.GenericFilterBean#afterPropertiesSet()
|
||||
*/
|
||||
@Override
|
||||
public void afterPropertiesSet() throws ServletException {
|
||||
super.afterPropertiesSet();
|
||||
Assert.notNull(this.authenticationManager, "authenticationManager must be specified");
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@@ -30,29 +30,29 @@ import org.springframework.security.web.AuthenticationEntryPoint;
|
||||
|
||||
/**
|
||||
* Sends back a request for a Negotiate Authentication to the browser.
|
||||
*
|
||||
*
|
||||
* @author Mike Wiesner
|
||||
* @since 1.0
|
||||
* @version $Id$
|
||||
* @see SpnegoAuthenticationProcessingFilter
|
||||
*/
|
||||
public class SpnegoEntryPoint implements AuthenticationEntryPoint {
|
||||
|
||||
private static final Log LOG = LogFactory.getLog(SpnegoEntryPoint.class);
|
||||
|
||||
/* (non-Javadoc)
|
||||
* @see org.springframework.security.web.AuthenticationEntryPoint#commence(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, org.springframework.security.core.AuthenticationException)
|
||||
*/
|
||||
@Override
|
||||
public void commence(HttpServletRequest request, HttpServletResponse response,
|
||||
AuthenticationException ex) throws IOException, ServletException {
|
||||
private static final Log LOG = LogFactory.getLog(SpnegoEntryPoint.class);
|
||||
|
||||
/* (non-Javadoc)
|
||||
* @see org.springframework.security.web.AuthenticationEntryPoint#commence(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, org.springframework.security.core.AuthenticationException)
|
||||
*/
|
||||
@Override
|
||||
public void commence(HttpServletRequest request, HttpServletResponse response,
|
||||
AuthenticationException ex) throws IOException, ServletException {
|
||||
if (LOG.isDebugEnabled()) {
|
||||
LOG.debug("Sending back Negotiate Header for request: "+request.getRequestURL());
|
||||
LOG.debug("Sending back Negotiate Header for request: "+request.getRequestURL());
|
||||
}
|
||||
response.addHeader("WWW-Authenticate", "Negotiate");
|
||||
response.addHeader("WWW-Authenticate", "Negotiate");
|
||||
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
|
||||
response.flushBuffer();
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@@ -38,94 +38,94 @@ import org.springframework.security.core.userdetails.UsernameNotFoundException;
|
||||
|
||||
/**
|
||||
* Test class for {@link KerberosServiceAuthenticationProvider}
|
||||
*
|
||||
*
|
||||
* @author Mike Wiesner
|
||||
* @since 1.0
|
||||
* @version $Id$
|
||||
*/
|
||||
public class KerberosServiceAuthenticationProviderTest {
|
||||
|
||||
private KerberosServiceAuthenticationProvider provider;
|
||||
private KerberosTicketValidator ticketValidator;
|
||||
private UserDetailsService userDetailsService;
|
||||
|
||||
// data
|
||||
private static final byte[] TEST_TOKEN = "TestToken".getBytes();
|
||||
private static final String TEST_USER = "Testuser@SPRINGSOURCE.ORG";
|
||||
private static final List<GrantedAuthority> AUTHORITY_LIST = AuthorityUtils.createAuthorityList("ROLE_ADMIN");
|
||||
private static final UserDetails USER_DETAILS = new User(TEST_USER, "empty", true, true, true,true, AUTHORITY_LIST);
|
||||
private static final KerberosServiceRequestToken INPUT_TOKEN = new KerberosServiceRequestToken(TEST_TOKEN);
|
||||
|
||||
@Before
|
||||
public void before() {
|
||||
// mocking
|
||||
this.ticketValidator = mock(KerberosTicketValidator.class);
|
||||
this.userDetailsService = mock(UserDetailsService.class);
|
||||
this.provider = new KerberosServiceAuthenticationProvider();
|
||||
this.provider.setTicketValidator(this.ticketValidator);
|
||||
this.provider.setUserDetailsService(this.userDetailsService);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testEverythingWorks() throws Exception {
|
||||
Authentication output = callProviderAndReturnUser(USER_DETAILS);
|
||||
assertNotNull(output);
|
||||
assertEquals(TEST_USER, output.getName());
|
||||
assertEquals(AUTHORITY_LIST, output.getAuthorities());
|
||||
assertEquals(USER_DETAILS, output.getPrincipal());
|
||||
}
|
||||
|
||||
@Test(expected=DisabledException.class)
|
||||
public void testUserIsDisabled() throws Exception {
|
||||
User disabledUser = new User(TEST_USER, "empty", false, true, true,true, AUTHORITY_LIST);
|
||||
callProviderAndReturnUser(disabledUser);
|
||||
}
|
||||
|
||||
@Test(expected=AccountExpiredException.class)
|
||||
public void testUserAccountIsExpired() throws Exception {
|
||||
User expiredUser = new User(TEST_USER, "empty", true, false, true,true, AUTHORITY_LIST);
|
||||
callProviderAndReturnUser(expiredUser);
|
||||
}
|
||||
|
||||
@Test(expected=CredentialsExpiredException.class)
|
||||
public void testUserCredentialsExpired() throws Exception {
|
||||
User credExpiredUser = new User(TEST_USER, "empty", true, true, false ,true, AUTHORITY_LIST);
|
||||
callProviderAndReturnUser(credExpiredUser);
|
||||
}
|
||||
|
||||
@Test(expected=LockedException.class)
|
||||
public void testUserAccountLockedCredentialsExpired() throws Exception {
|
||||
User lockedUser = new User(TEST_USER, "empty", true, true, true ,false, AUTHORITY_LIST);
|
||||
callProviderAndReturnUser(lockedUser);
|
||||
}
|
||||
|
||||
@Test(expected=UsernameNotFoundException.class)
|
||||
public void testUsernameNotFound() throws Exception {
|
||||
// stubbing
|
||||
when(ticketValidator.validateTicket(TEST_TOKEN)).thenReturn(TEST_USER);
|
||||
when(userDetailsService.loadUserByUsername(TEST_USER)).thenThrow(new UsernameNotFoundException(""));
|
||||
|
||||
// testing
|
||||
provider.authenticate(INPUT_TOKEN);
|
||||
}
|
||||
|
||||
|
||||
@Test(expected=BadCredentialsException.class)
|
||||
public void testTicketValidationWrong() throws Exception {
|
||||
// stubbing
|
||||
when(ticketValidator.validateTicket(TEST_TOKEN)).thenThrow(new BadCredentialsException(""));
|
||||
|
||||
// testing
|
||||
provider.authenticate(INPUT_TOKEN);
|
||||
}
|
||||
|
||||
private Authentication callProviderAndReturnUser(UserDetails disabledUser) {
|
||||
// stubbing
|
||||
when(ticketValidator.validateTicket(TEST_TOKEN)).thenReturn(TEST_USER);
|
||||
when(userDetailsService.loadUserByUsername(TEST_USER)).thenReturn(disabledUser);
|
||||
|
||||
// testing
|
||||
return provider.authenticate(INPUT_TOKEN);
|
||||
}
|
||||
private KerberosServiceAuthenticationProvider provider;
|
||||
private KerberosTicketValidator ticketValidator;
|
||||
private UserDetailsService userDetailsService;
|
||||
|
||||
// data
|
||||
private static final byte[] TEST_TOKEN = "TestToken".getBytes();
|
||||
private static final String TEST_USER = "Testuser@SPRINGSOURCE.ORG";
|
||||
private static final List<GrantedAuthority> AUTHORITY_LIST = AuthorityUtils.createAuthorityList("ROLE_ADMIN");
|
||||
private static final UserDetails USER_DETAILS = new User(TEST_USER, "empty", true, true, true,true, AUTHORITY_LIST);
|
||||
private static final KerberosServiceRequestToken INPUT_TOKEN = new KerberosServiceRequestToken(TEST_TOKEN);
|
||||
|
||||
@Before
|
||||
public void before() {
|
||||
// mocking
|
||||
this.ticketValidator = mock(KerberosTicketValidator.class);
|
||||
this.userDetailsService = mock(UserDetailsService.class);
|
||||
this.provider = new KerberosServiceAuthenticationProvider();
|
||||
this.provider.setTicketValidator(this.ticketValidator);
|
||||
this.provider.setUserDetailsService(this.userDetailsService);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testEverythingWorks() throws Exception {
|
||||
Authentication output = callProviderAndReturnUser(USER_DETAILS);
|
||||
assertNotNull(output);
|
||||
assertEquals(TEST_USER, output.getName());
|
||||
assertEquals(AUTHORITY_LIST, output.getAuthorities());
|
||||
assertEquals(USER_DETAILS, output.getPrincipal());
|
||||
}
|
||||
|
||||
@Test(expected=DisabledException.class)
|
||||
public void testUserIsDisabled() throws Exception {
|
||||
User disabledUser = new User(TEST_USER, "empty", false, true, true,true, AUTHORITY_LIST);
|
||||
callProviderAndReturnUser(disabledUser);
|
||||
}
|
||||
|
||||
@Test(expected=AccountExpiredException.class)
|
||||
public void testUserAccountIsExpired() throws Exception {
|
||||
User expiredUser = new User(TEST_USER, "empty", true, false, true,true, AUTHORITY_LIST);
|
||||
callProviderAndReturnUser(expiredUser);
|
||||
}
|
||||
|
||||
@Test(expected=CredentialsExpiredException.class)
|
||||
public void testUserCredentialsExpired() throws Exception {
|
||||
User credExpiredUser = new User(TEST_USER, "empty", true, true, false ,true, AUTHORITY_LIST);
|
||||
callProviderAndReturnUser(credExpiredUser);
|
||||
}
|
||||
|
||||
@Test(expected=LockedException.class)
|
||||
public void testUserAccountLockedCredentialsExpired() throws Exception {
|
||||
User lockedUser = new User(TEST_USER, "empty", true, true, true ,false, AUTHORITY_LIST);
|
||||
callProviderAndReturnUser(lockedUser);
|
||||
}
|
||||
|
||||
@Test(expected=UsernameNotFoundException.class)
|
||||
public void testUsernameNotFound() throws Exception {
|
||||
// stubbing
|
||||
when(ticketValidator.validateTicket(TEST_TOKEN)).thenReturn(TEST_USER);
|
||||
when(userDetailsService.loadUserByUsername(TEST_USER)).thenThrow(new UsernameNotFoundException(""));
|
||||
|
||||
// testing
|
||||
provider.authenticate(INPUT_TOKEN);
|
||||
}
|
||||
|
||||
|
||||
@Test(expected=BadCredentialsException.class)
|
||||
public void testTicketValidationWrong() throws Exception {
|
||||
// stubbing
|
||||
when(ticketValidator.validateTicket(TEST_TOKEN)).thenThrow(new BadCredentialsException(""));
|
||||
|
||||
// testing
|
||||
provider.authenticate(INPUT_TOKEN);
|
||||
}
|
||||
|
||||
private Authentication callProviderAndReturnUser(UserDetails disabledUser) {
|
||||
// stubbing
|
||||
when(ticketValidator.validateTicket(TEST_TOKEN)).thenReturn(TEST_USER);
|
||||
when(userDetailsService.loadUserByUsername(TEST_USER)).thenReturn(disabledUser);
|
||||
|
||||
// testing
|
||||
return provider.authenticate(INPUT_TOKEN);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@@ -36,7 +36,7 @@ import org.springframework.security.extensions.kerberos.KerberosServiceRequestTo
|
||||
|
||||
/**
|
||||
* Test class for {@link SpnegoAuthenticationProcessingFilter}
|
||||
*
|
||||
*
|
||||
* @author Mike Wiesner
|
||||
* @since 1.0
|
||||
* @version $Id$
|
||||
@@ -45,72 +45,72 @@ public class SpnegoAuthenticationProcessingFilterTest {
|
||||
|
||||
|
||||
|
||||
private SpnegoAuthenticationProcessingFilter filter;
|
||||
private AuthenticationManager authenticationManager;
|
||||
private HttpServletRequest request;
|
||||
private HttpServletResponse response;
|
||||
private FilterChain chain;
|
||||
|
||||
// data
|
||||
private static final byte[] TEST_TOKEN = "TestToken".getBytes();
|
||||
private static final String TEST_TOKEN_BASE64 = "VGVzdFRva2Vu";
|
||||
private static final Authentication AUTHENTICATION = new KerberosServiceRequestToken("test",
|
||||
AuthorityUtils.createAuthorityList("ROLE_ADMIN"), TEST_TOKEN);
|
||||
private static final String HEADER = "Authorization";
|
||||
private static final String TOKEN_PREFIX = "Negotiate ";
|
||||
|
||||
private SpnegoAuthenticationProcessingFilter filter;
|
||||
private AuthenticationManager authenticationManager;
|
||||
private HttpServletRequest request;
|
||||
private HttpServletResponse response;
|
||||
private FilterChain chain;
|
||||
|
||||
@Before
|
||||
public void before() {
|
||||
// mocking
|
||||
authenticationManager = mock(AuthenticationManager.class);
|
||||
filter = new SpnegoAuthenticationProcessingFilter();
|
||||
filter.setAuthenticationManager(authenticationManager);
|
||||
request = mock(HttpServletRequest.class);
|
||||
response = mock(HttpServletResponse.class);
|
||||
chain = mock(FilterChain.class);
|
||||
}
|
||||
// data
|
||||
private static final byte[] TEST_TOKEN = "TestToken".getBytes();
|
||||
private static final String TEST_TOKEN_BASE64 = "VGVzdFRva2Vu";
|
||||
private static final Authentication AUTHENTICATION = new KerberosServiceRequestToken("test",
|
||||
AuthorityUtils.createAuthorityList("ROLE_ADMIN"), TEST_TOKEN);
|
||||
private static final String HEADER = "Authorization";
|
||||
private static final String TOKEN_PREFIX = "Negotiate ";
|
||||
|
||||
|
||||
@Before
|
||||
public void before() {
|
||||
// mocking
|
||||
authenticationManager = mock(AuthenticationManager.class);
|
||||
filter = new SpnegoAuthenticationProcessingFilter();
|
||||
filter.setAuthenticationManager(authenticationManager);
|
||||
request = mock(HttpServletRequest.class);
|
||||
response = mock(HttpServletResponse.class);
|
||||
chain = mock(FilterChain.class);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testEverythingWorks() throws Exception {
|
||||
// stubbing
|
||||
when(request.getHeader(HEADER)).thenReturn(TOKEN_PREFIX+TEST_TOKEN_BASE64);
|
||||
when(authenticationManager.authenticate(new KerberosServiceRequestToken(TEST_TOKEN))).thenReturn(AUTHENTICATION);
|
||||
|
||||
// testing
|
||||
filter.doFilter(request, response, chain);
|
||||
verify(chain).doFilter(request, response);
|
||||
assertEquals(AUTHENTICATION, SecurityContextHolder.getContext().getAuthentication());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testNoHeader() throws Exception {
|
||||
filter.doFilter(request, response, chain);
|
||||
// If the header is not present, the filter is not allowed to call authenticate()
|
||||
verify(authenticationManager, never()).authenticate(any(Authentication.class));
|
||||
// chain should go on
|
||||
verify(chain).doFilter(request, response);
|
||||
assertEquals(null, SecurityContextHolder.getContext().getAuthentication());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testAuthenticationFails() throws Exception {
|
||||
// stubbing
|
||||
when(request.getHeader(HEADER)).thenReturn(TOKEN_PREFIX+TEST_TOKEN_BASE64);
|
||||
when(authenticationManager.authenticate(any(Authentication.class))).thenThrow(new BadCredentialsException(""));
|
||||
|
||||
// testing
|
||||
filter.doFilter(request, response, chain);
|
||||
// chain should stop here and it should send back a 500
|
||||
// future version should call some error handler
|
||||
verify(chain, never()).doFilter(any(ServletRequest.class), any(ServletResponse.class));
|
||||
verify(response).setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
|
||||
}
|
||||
|
||||
@After
|
||||
public void after() {
|
||||
SecurityContextHolder.clearContext();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testEverythingWorks() throws Exception {
|
||||
// stubbing
|
||||
when(request.getHeader(HEADER)).thenReturn(TOKEN_PREFIX+TEST_TOKEN_BASE64);
|
||||
when(authenticationManager.authenticate(new KerberosServiceRequestToken(TEST_TOKEN))).thenReturn(AUTHENTICATION);
|
||||
|
||||
// testing
|
||||
filter.doFilter(request, response, chain);
|
||||
verify(chain).doFilter(request, response);
|
||||
assertEquals(AUTHENTICATION, SecurityContextHolder.getContext().getAuthentication());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testNoHeader() throws Exception {
|
||||
filter.doFilter(request, response, chain);
|
||||
// If the header is not present, the filter is not allowed to call authenticate()
|
||||
verify(authenticationManager, never()).authenticate(any(Authentication.class));
|
||||
// chain should go on
|
||||
verify(chain).doFilter(request, response);
|
||||
assertEquals(null, SecurityContextHolder.getContext().getAuthentication());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testAuthenticationFails() throws Exception {
|
||||
// stubbing
|
||||
when(request.getHeader(HEADER)).thenReturn(TOKEN_PREFIX+TEST_TOKEN_BASE64);
|
||||
when(authenticationManager.authenticate(any(Authentication.class))).thenThrow(new BadCredentialsException(""));
|
||||
|
||||
// testing
|
||||
filter.doFilter(request, response, chain);
|
||||
// chain should stop here and it should send back a 500
|
||||
// future version should call some error handler
|
||||
verify(chain, never()).doFilter(any(ServletRequest.class), any(ServletResponse.class));
|
||||
verify(response).setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
|
||||
}
|
||||
|
||||
@After
|
||||
public void after() {
|
||||
SecurityContextHolder.clearContext();
|
||||
}
|
||||
|
||||
|
||||
}
|
||||
|
||||
@@ -23,23 +23,23 @@ import org.junit.Test;
|
||||
|
||||
/**
|
||||
* Test class for {@link SpnegoEntryPoint}
|
||||
*
|
||||
*
|
||||
* @author Mike Wiesner
|
||||
* @since 1.0
|
||||
* @version $Id$
|
||||
*/
|
||||
public class SpnegoEntryPointTest {
|
||||
|
||||
private SpnegoEntryPoint entryPoint = new SpnegoEntryPoint();
|
||||
|
||||
@Test
|
||||
public void testEntryPointOk() throws Exception {
|
||||
HttpServletResponse response = mock(HttpServletResponse.class);
|
||||
|
||||
entryPoint.commence(null, response, null);
|
||||
|
||||
verify(response).addHeader("WWW-Authenticate", "Negotiate");
|
||||
verify(response).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
|
||||
}
|
||||
|
||||
private SpnegoEntryPoint entryPoint = new SpnegoEntryPoint();
|
||||
|
||||
@Test
|
||||
public void testEntryPointOk() throws Exception {
|
||||
HttpServletResponse response = mock(HttpServletResponse.class);
|
||||
|
||||
entryPoint.commence(null, response, null);
|
||||
|
||||
verify(response).addHeader("WWW-Authenticate", "Negotiate");
|
||||
verify(response).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user