/*
 * JBoss, Home of Professional Open Source.
 * Copyright 2014, Red Hat, Inc., and individual contributors
 * as indicated by the @author tags. See the copyright.txt file in the
 * distribution for a full listing of individual contributors.
 *
 * This is free software; you can redistribute it and/or modify it
 * under the terms of the GNU Lesser General Public License as
 * published by the Free Software Foundation; either version 2.1 of
 * the License, or (at your option) any later version.
 *
 * This software is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this software; if not, write to the Free
 * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
 * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
 */
package org.jboss.as.test.integration.security.common;

import java.io.ByteArrayOutputStream;
import java.io.DataOutputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.apache.commons.io.FileUtils;
import org.apache.commons.io.IOUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang.text.StrSubstitutor;
import org.apache.directory.server.kerberos.shared.crypto.encryption.KerberosKeyFactory;
import org.apache.directory.server.kerberos.shared.keytab.Keytab;
import org.apache.directory.shared.kerberos.KerberosTime;
import org.apache.directory.shared.kerberos.codec.types.EncryptionType;
import org.apache.directory.shared.kerberos.components.EncryptionKey;
import org.apache.log4j.Logger;
import org.jboss.as.arquillian.api.ServerSetupTask;
import org.jboss.as.arquillian.container.ManagementClient;
import org.jboss.as.network.NetworkUtils;

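/**
 * Server setup task that prepares a throw-away Kerberos client configuration for a test run: it (re)creates the
 * {@link #WORK_DIR} working directory, renders a {@code krb5.conf} from the class-path template of the same name and
 * generates keytab files for the HTTP service principal and for every user returned by {@link #kerberosUsers()}.
 * <p>
 * The task also sets the following system properties (their previous values are restored in {@link #tearDown}):
 * <ul>
 * <li>{@code java.security.krb5.conf} - absolute path of the generated krb5.conf</li>
 * <li>{@code sun.security.krb5.debug} - {@code true} (Kerberos debugging for Oracle Java)</li>
 * <li>{@code com.ibm.security.jgss.debug} - {@code all} (JGSS debugging for IBM Java)</li>
 * <li>{@code com.ibm.security.krb5.Krb5Debug} - {@code all} (Kerberos debugging for IBM Java)</li>
 * </ul>
 * Everything generated here is test material: the passwords are fixed in code and the keytabs are written with the
 * platform's default file permissions, so the work directory is only meaningful for the duration of the test.
 *
 * @author Josef Cacek
 */
public abstract class AbstractKrb5ConfServerSetupTask implements ServerSetupTask {

    private static final Logger LOGGER = Logger.getLogger(AbstractKrb5ConfServerSetupTask.class);

    /** Working directory (relative to the current directory) holding krb5.conf and all generated keytabs. */
    protected static final File WORK_DIR = new File("SPNEGO-workdir");
    /** Name of both the class-path template (next to this class) and the generated configuration file. */
    private static final String KRB5_CONF = "krb5.conf";
    private static final File KRB5_CONF_FILE = new File(WORK_DIR, KRB5_CONF);
    /** Encoding used both for reading the template and for writing the generated krb5.conf. */
    private static final String ENCODING = "UTF-8";
    /**
     * Encryption types written into krb5.conf on non-IBM JDKs.
     * NOTE(review): des-cbc-md5 is a single-DES type; current JDKs only use it when krb5.conf sets
     * allow_weak_crypto=true - presumably the template does, verify before changing the list.
     */
    private static final String DEFAULT_ENC_TYPES = "des-cbc-md5,des3-cbc-sha1-kd";

    /** Keytab holding the key of the HTTP service principal created by {@link #createServerKeytab(String)}. */
    public static final File HTTP_KEYTAB_FILE = new File(WORK_DIR, "http.keytab");

    // previous values of the system properties changed in setup(); restored by tearDown()
    private String origKrb5Conf;
    private String origKrbDebug;
    private String origIbmJGSSDebug;
    private String origIbmKrbDebug;

    // Public methods --------------------------------------------------------

    /**
     * Recreates the working directory, renders krb5.conf, generates the keytabs and switches the JVM to the generated
     * Kerberos configuration.
     *
     * @param managementClient used only to resolve the canonical host name of the server
     * @param containerId unused
     * @throws Exception if the working directory cannot be created, the krb5.conf template is missing, or a keytab
     *         cannot be written
     * @see org.jboss.as.arquillian.api.ServerSetupTask#setup(org.jboss.as.arquillian.container.ManagementClient,
     *      java.lang.String)
     */
    public void setup(ManagementClient managementClient, String containerId) throws Exception {
        LOGGER.trace("(Re)Creating workdir: " + WORK_DIR.getAbsolutePath());
        FileUtils.deleteDirectory(WORK_DIR);
        // mkdirs() also returns false when the directory already exists, so only a still-missing directory is an error
        if (!WORK_DIR.mkdirs() && !WORK_DIR.isDirectory()) {
            throw new IOException("Unable to create working directory " + WORK_DIR.getAbsolutePath());
        }
        final String cannonicalHost = NetworkUtils
                .formatPossibleIpv6Address(Utils.getCannonicalHost(managementClient));
        // variables substituted into the krb5.conf template
        final Map<String, String> map = new HashMap<String, String>();
        map.put("hostname", cannonicalHost);
        final String supportedEncTypes = Utils.IBM_JDK ? getSupportedEncTypes() : DEFAULT_ENC_TYPES;
        map.put("enctypes", supportedEncTypes);
        LOGGER.trace("Supported enctypes in krb5.conf: " + supportedEncTypes);
        FileUtils.write(KRB5_CONF_FILE, StrSubstitutor.replace(readKrb5ConfTemplate(), map), ENCODING);
        createServerKeytab(cannonicalHost);
        final List<UserForKeyTab> kerberosUsers = kerberosUsers();
        if (kerberosUsers != null) {
            for (UserForKeyTab userForKeyTab : kerberosUsers) {
                createKeytab(userForKeyTab.getUser(), userForKeyTab.getPassword(),
                        userForKeyTab.getKeyTabFileName());
            }
        }
        LOGGER.trace("Setting Kerberos configuration: " + KRB5_CONF_FILE);
        // keep the previous values so tearDown() can put them back
        origKrb5Conf = Utils.setSystemProperty("java.security.krb5.conf", KRB5_CONF_FILE.getAbsolutePath());
        origKrbDebug = Utils.setSystemProperty("sun.security.krb5.debug", "true");
        origIbmJGSSDebug = Utils.setSystemProperty("com.ibm.security.jgss.debug", "all");
        origIbmKrbDebug = Utils.setSystemProperty("com.ibm.security.krb5.Krb5Debug", "all");
    }

    /**
     * Removes the working directory with all generated Kerberos files and restores the system properties changed by
     * {@link #setup}.
     *
     * @param managementClient unused
     * @param containerId unused
     * @throws Exception if the working directory cannot be deleted
     * @see org.jboss.as.arquillian.api.ServerSetupTask#tearDown(org.jboss.as.arquillian.container.ManagementClient,
     *      java.lang.String)
     */
    public void tearDown(ManagementClient managementClient, String containerId) throws Exception {
        FileUtils.deleteDirectory(WORK_DIR);
        Utils.setSystemProperty("java.security.krb5.conf", origKrb5Conf);
        Utils.setSystemProperty("sun.security.krb5.debug", origKrbDebug);
        Utils.setSystemProperty("com.ibm.security.jgss.debug", origIbmJGSSDebug);
        Utils.setSystemProperty("com.ibm.security.krb5.Krb5Debug", origIbmKrbDebug);
    }

    /**
     * Returns the absolute path of the generated krb5.conf file.
     *
     * @return absolute path (the file only exists between {@link #setup} and {@link #tearDown})
     */
    public static final String getKrb5ConfFullPath() {
        return KRB5_CONF_FILE.getAbsolutePath();
    }

    /**
     * Returns the absolute path of the keytab with the JBoss AS service credentials (HTTP/host@JBOSS.ORG).
     *
     * @return absolute path (the file only exists between {@link #setup} and {@link #tearDown})
     */
    public static final String getKeyTabFullPath() {
        return HTTP_KEYTAB_FILE.getAbsolutePath();
    }

    /**
     * Creates the default "HTTP/{host}@JBOSS.ORG" server keytab in {@link #HTTP_KEYTAB_FILE}. Override it to use
     * another SPN, password or keytab location.
     *
     * @param host canonical host name used as the service principal instance
     * @throws IOException if the keytab cannot be written
     */
    protected void createServerKeytab(String host) throws IOException {
        createKeytab("HTTP/" + host + "@JBOSS.ORG", "httppwd", HTTP_KEYTAB_FILE);
    }

    // Private methods -------------------------------------------------------

    /**
     * Returns a comma-separated list of the encryption type names this JDK's {@link KerberosKeyFactory} produces, for
     * use in krb5.conf. The keys are derived for a throw-away principal only to learn which types are supported.
     *
     * @return comma-separated encryption type names, e.g. "aes128-cts-hmac-sha1-96,des3-cbc-sha1-kd"
     */
    private String getSupportedEncTypes() {
        final List<String> enctypesList = new ArrayList<String>();
        for (EncryptionType encType : KerberosKeyFactory.getKerberosKeys("dummy@JBOSS.ORG", "dummy").keySet()) {
            enctypesList.add(encType.getName());
        }
        return StringUtils.join(enctypesList, ',');
    }

    /**
     * Reads the krb5.conf template from the class path (the resource named {@link #KRB5_CONF} next to this class).
     *
     * @return template content, still containing the placeholders substituted by {@link #setup}
     * @throws IOException if the template resource is missing or cannot be read
     */
    private static String readKrb5ConfTemplate() throws IOException {
        final InputStream is = AbstractKrb5ConfServerSetupTask.class.getResourceAsStream(KRB5_CONF);
        if (is == null) {
            throw new IOException("Resource " + KRB5_CONF + " not found next to "
                    + AbstractKrb5ConfServerSetupTask.class.getName());
        }
        try {
            return IOUtils.toString(is, ENCODING);
        } finally {
            IOUtils.closeQuietly(is);
        }
    }

    /**
     * Creates a keytab file (format 0x502) for the given principal, with one entry per encryption type returned by
     * {@link KerberosKeyFactory#getKerberosKeys(String, String)}. An existing file is overwritten. The file is created
     * with the platform's default permissions; a keytab for a real service should be readable by its owner only.
     *
     * @param principalName principal in the form {@code name[/instance]@REALM}
     * @param passPhrase password the keys are derived from
     * @param keytabFile file to write
     * @throws IOException if the keytab cannot be written or closed
     * @throws IllegalArgumentException if {@code principalName} has no realm part
     */
    protected void createKeytab(final String principalName, final String passPhrase, final File keytabFile)
            throws IOException {
        LOGGER.trace("Principal name: " + principalName);
        // fail with a clear message instead of an ArrayIndexOutOfBoundsException on the realm index below
        final String[] spnSplit = principalName.split("@");
        if (spnSplit.length < 2 || spnSplit[0].isEmpty()) {
            throw new IllegalArgumentException("Principal name must have the form name[/instance]@REALM: "
                    + principalName);
        }
        final String[] nameComponents = spnSplit[0].split("/");
        final String realm = spnSplit[1];
        final KerberosTime timeStamp = new KerberosTime();
        // keytab entries carry the creation time in seconds; getTime() is assumed to return milliseconds
        final int timestampSeconds = (int) (timeStamp.getTime() / 1000);

        DataOutputStream dos = null;
        try {
            dos = new DataOutputStream(new FileOutputStream(keytabFile));
            dos.write(Keytab.VERSION_0X502_BYTES);
            for (Map.Entry<EncryptionType, EncryptionKey> keyEntry : KerberosKeyFactory
                    .getKerberosKeys(principalName, passPhrase).entrySet()) {
                final byte[] entryBytes = encodeKeytabEntry(nameComponents, realm, timestampSeconds,
                        keyEntry.getValue());
                // each entry is prefixed with its length
                dos.writeInt(entryBytes.length);
                dos.write(entryBytes);
            }
            // close explicitly: a quiet close would hide a failed flush and leave a truncated keytab behind
            dos.close();
            dos = null;
        } finally {
            IOUtils.closeQuietly(dos);
        }
    }

    /**
     * Serializes one keytab entry (without the leading length field) in the layout written by this class: component
     * count, realm, name components, name type, timestamp, 8-bit key version, key type, key length and key bytes.
     * Strings are written with {@link DataOutputStream#writeUTF(String)}, i.e. a 16-bit length followed by the bytes.
     *
     * @param nameComponents principal name split on '/'
     * @param realm principal realm
     * @param timestampSeconds entry creation time in seconds since the epoch
     * @param key key to store
     * @return encoded entry
     * @throws IOException declared by the DataOutputStream API; the in-memory stream does not fail
     */
    private static byte[] encodeKeytabEntry(final String[] nameComponents, final String realm,
            final int timestampSeconds, final EncryptionKey key) throws IOException {
        final ByteArrayOutputStream baos = new ByteArrayOutputStream();
        final DataOutputStream entryDos = new DataOutputStream(baos);
        try {
            // format 0x502 counts only the name components (0x501 would count the realm as well)
            entryDos.writeShort((short) nameComponents.length);
            entryDos.writeUTF(realm);
            for (String component : nameComponents) {
                entryDos.writeUTF(component);
            }
            entryDos.writeInt(1); // principal type: KRB5_NT_PRINCIPAL
            entryDos.writeInt(timestampSeconds);
            entryDos.write((byte) key.getKeyVersion()); // only the low 8 bits of the key version are stored
            entryDos.writeShort((short) key.getKeyType().getValue());
            final byte[] data = key.getKeyValue();
            entryDos.writeShort((short) data.length);
            entryDos.write(data);
        } finally {
            IOUtils.closeQuietly(entryDos);
        }
        return baos.toByteArray();
    }

    /**
     * Returns the users for which {@link #setup} generates a keytab.
     *
     * @return users to create keytabs for; {@code null} or empty when no user keytabs are needed
     */
    protected abstract List<UserForKeyTab> kerberosUsers();

    /**
     * Principal name, password and target keytab file of one user whose keytab is generated in {@link #setup}.
     */
    public static class UserForKeyTab {
        private final String user;
        private final String password;
        private final File keyTabFileName;

        /**
         * @param user principal name in the form {@code name@REALM}
         * @param password password the keytab keys are derived from
         * @param keyTabFileName file the keytab is written to
         */
        public UserForKeyTab(String user, String password, File keyTabFileName) {
            this.user = user;
            this.password = password;
            this.keyTabFileName = keyTabFileName;
        }

        /** @return principal name */
        public String getUser() {
            return user;
        }

        /** @return password */
        public String getPassword() {
            return password;
        }

        /** @return keytab file */
        public File getKeyTabFileName() {
            return keyTabFileName;
        }

    }

}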