Java tutorial
/* * JBoss, Home of Professional Open Source. * Copyright 2014 Red Hat, Inc., and individual contributors * as indicated by the @author tags. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package io.undertow.server.security; import io.undertow.security.api.AuthenticationMechanism; import io.undertow.security.api.GSSAPIServerSubjectFactory; import io.undertow.security.api.SecurityNotification.EventType; import io.undertow.security.impl.GSSAPIAuthenticationMechanism; import io.undertow.testutils.AjpIgnore; import io.undertow.testutils.DefaultServer; import io.undertow.testutils.HttpClientUtils; import io.undertow.testutils.TestHttpClient; import io.undertow.util.FlexBase64; import io.undertow.util.StatusCodes; import org.apache.commons.lang.ArrayUtils; import org.apache.http.Header; import org.apache.http.HttpResponse; import org.apache.http.client.methods.HttpGet; import org.ietf.jgss.GSSContext; import org.ietf.jgss.GSSManager; import org.ietf.jgss.GSSName; import org.ietf.jgss.Oid; import org.junit.AfterClass; import org.junit.BeforeClass; import org.junit.Test; import org.junit.runner.RunWith; import java.nio.charset.StandardCharsets; import java.security.GeneralSecurityException; import java.security.PrivilegedExceptionAction; import java.util.Base64; import java.util.Collections; import java.util.List; import javax.security.auth.Subject; import static io.undertow.server.security.KerberosKDCUtil.login; import static io.undertow.util.Headers.AUTHORIZATION; import static io.undertow.util.Headers.NEGOTIATE; import static io.undertow.util.Headers.WWW_AUTHENTICATE; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertTrue; import static org.junit.Assert.fail; /** * A test case to test the SPNEGO authentication mechanism. * * @author <a href="mailto:darran.lofthouse@jboss.com">Darran Lofthouse</a> */ @RunWith(DefaultServer.class) @AjpIgnore(apacheOnly = true, value = "SPNEGO requires a single connection to the server, and apache cannot guarantee that") public class SpnegoAuthenticationTestCase extends AuthenticationTestBase { private static Oid SPNEGO; @Override protected List<AuthenticationMechanism> getTestMechanisms() { AuthenticationMechanism mechanism = new GSSAPIAuthenticationMechanism(new SubjectFactory()); return Collections.singletonList(mechanism); } @BeforeClass public static void startServers() throws Exception { KerberosKDCUtil.startServer(); SPNEGO = new Oid("1.3.6.1.5.5.2"); } @AfterClass public static void stopServers() { } @Test public void testSpnegoSuccess() throws Exception { final TestHttpClient client = new TestHttpClient(); HttpGet get = new HttpGet(DefaultServer.getDefaultServerURL()); HttpResponse result = client.execute(get); assertEquals(StatusCodes.UNAUTHORIZED, result.getStatusLine().getStatusCode()); Header[] values = result.getHeaders(WWW_AUTHENTICATE.toString()); String header = getAuthHeader(NEGOTIATE, values); assertEquals(NEGOTIATE.toString(), header); HttpClientUtils.readResponse(result); Subject clientSubject = login("jduke", "theduke".toCharArray()); Subject.doAs(clientSubject, new PrivilegedExceptionAction<Void>() { @Override public Void run() throws Exception { GSSManager gssManager = GSSManager.getInstance(); GSSName serverName = gssManager .createName("HTTP/" + DefaultServer.getDefaultServerAddress().getHostString(), null); GSSContext context = gssManager.createContext(serverName, SPNEGO, null, GSSContext.DEFAULT_LIFETIME); byte[] token = new byte[0]; boolean gotOur200 = false; while (!context.isEstablished()) { token = context.initSecContext(token, 0, token.length); if (token != null && token.length > 0) { HttpGet get = new HttpGet(DefaultServer.getDefaultServerURL()); get.addHeader(AUTHORIZATION.toString(), NEGOTIATE + " " + FlexBase64.encodeString(token, false)); HttpResponse result = client.execute(get); Header[] headers = result.getHeaders(WWW_AUTHENTICATE.toString()); if (headers.length > 0) { String header = getAuthHeader(NEGOTIATE, headers); byte[] headerBytes = header.getBytes(StandardCharsets.US_ASCII); // FlexBase64.decode() returns byte buffer, which can contain backend array of greater size. // when on such ByteBuffer is called array(), it returns the underlying byte array including the 0 bytes // at the end, which makes the token invalid. => using Base64 mime decoder, which returnes directly properly sized byte[]. token = Base64.getMimeDecoder().decode(ArrayUtils.subarray(headerBytes, NEGOTIATE.toString().length() + 1, headerBytes.length)); } if (result.getStatusLine().getStatusCode() == StatusCodes.OK) { Header[] values = result.getHeaders("ProcessedBy"); assertEquals(1, values.length); assertEquals("ResponseHandler", values[0].getValue()); HttpClientUtils.readResponse(result); assertSingleNotificationType(EventType.AUTHENTICATED); gotOur200 = true; } else if (result.getStatusLine().getStatusCode() == StatusCodes.UNAUTHORIZED) { assertTrue("We did get a header.", headers.length > 0); HttpClientUtils.readResponse(result); } else { fail(String.format("Unexpected status code %d", result.getStatusLine().getStatusCode())); } } } assertTrue(gotOur200); assertTrue(context.isEstablished()); return null; } }); } private class SubjectFactory implements GSSAPIServerSubjectFactory { @Override public Subject getSubjectForHost(String hostName) throws GeneralSecurityException { return login("HTTP/" + hostName, "servicepwd".toCharArray()); } } }