/** Configure the httpclient for use in all requests. */
private void configureHttpClient(final DefaultHttpClient httpclient)
throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException,
UnrecoverableKeyException {
configureTrust(httpclient);
configureAuthentication(httpclient, BASIC, new BasicUserPrincipal(username));
if (enableKerberos) {
if (kerberosUseHttpSpn) {
httpclient
.getAuthSchemes()
.register(KERBEROS, new KerberosSchemeFactory(!kerberosAddPortToSpn));
httpclient
.getAuthSchemes()
.register(SPNEGO, new SPNegoSchemeFactory(!kerberosAddPortToSpn));
} else {
httpclient
.getAuthSchemes()
.register(KERBEROS, new WsmanKerberosSchemeFactory(!kerberosAddPortToSpn));
httpclient
.getAuthSchemes()
.register(SPNEGO, new WsmanSPNegoSchemeFactory(!kerberosAddPortToSpn));
}
configureAuthentication(httpclient, KERBEROS, new KerberosPrincipal(username));
configureAuthentication(httpclient, SPNEGO, new KerberosPrincipal(username));
}
httpclient.getParams().setBooleanParameter(HANDLE_AUTHENTICATION, true);
}
protected void initHttpClient(boolean useSpnego) {
if (client != null) {
after();
}
DefaultHttpClient httpClient = (DefaultHttpClient) new HttpClientBuilder().build();
httpClient.getAuthSchemes().register(AuthPolicy.SPNEGO, spnegoSchemeFactory);
if (useSpnego) {
Credentials fake =
new Credentials() {
public String getPassword() {
return null;
}
public Principal getUserPrincipal() {
return null;
}
};
httpClient.getCredentialsProvider().setCredentials(new AuthScope(null, -1, null), fake);
}
ApacheHttpClient4Engine engine = new ApacheHttpClient4Engine(httpClient);
client = new ResteasyClientBuilder().httpEngine(engine).build();
}
/**
* Get's an SSO Uri or null if there are any errors
*
* @return SSO uri or null
*/
protected Uri doGetSSO() {
if (user == null || pass == null) {
return null;
}
DefaultHttpClient client = new DefaultHttpClient();
client.getParams().setParameter(CoreProtocolPNames.USER_AGENT, App.userAgent);
// register ntlm auth scheme
client.getAuthSchemes().register("ntlm", new NTLMSchemeFactory());
client
.getCredentialsProvider()
.setCredentials(
// Limit the credentials only to the specified domain and port
new AuthScope("portal.myfanshawe.ca", -1),
// Specify credentials, most of the time only user/pass is needed
new NTCredentials(user, pass, "", ""));
final String[] ssoUrl = {null};
final RedirectHandler defaultHandler = client.getRedirectHandler();
client.setRedirectHandler(
new RedirectHandler() {
@Override
public boolean isRedirectRequested(HttpResponse httpResponse, HttpContext httpContext) {
Log.i(TAG, "isRedirectRequested");
for (Header header : httpResponse.getAllHeaders()) {
String name = header.getName();
String value = header.getValue();
if ("Location".equals(name)) {
ssoUrl[0] = value;
}
}
return false;
}
@Override
public URI getLocationURI(HttpResponse httpResponse, HttpContext httpContext)
throws ProtocolException {
return defaultHandler.getLocationURI(httpResponse, httpContext);
}
});
HttpGet folSSO = new HttpGet(requestURL);
try {
HttpResponse response = client.execute(folSSO);
HttpEntity entity = response.getEntity();
entity.consumeContent();
Log.i(TAG, "SSO OK");
} catch (IOException e) {
return null;
}
if (ssoUrl[0] == null) {
return null;
}
return Uri.parse(ssoUrl[0]);
}
protected HttpClient createHttpClient() {
DefaultHttpClient client = new DefaultHttpClient(createClientConnectionManager());
client.getAuthSchemes().register("Negotiate", new CustomSPNegoSchemeFactory());
client
.getCredentialsProvider()
.setCredentials(AuthScope.ANY, new UsernamePasswordCredentials(username, password));
final HttpParams httpParams = new BasicHttpParams();
HttpConnectionParams.setConnectionTimeout(httpParams, DEFAULT_CONNECTION_TIMEOUT);
HttpConnectionParams.setSoTimeout(httpParams, DEFAULT_CONNECTION_TIMEOUT);
client.setParams(httpParams);
return client;
}
public static void main(String[] args) throws Exception {
System.setProperty("java.security.auth.login.config", "login.conf");
System.setProperty("java.security.krb5.conf", "krb5.conf");
System.setProperty("sun.security.krb5.debug", "true");
System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
DefaultHttpClient httpclient = new DefaultHttpClient();
NegotiateSchemeFactory nsf = new NegotiateSchemeFactory();
// nsf.setStripPort(false);
// nsf.setSpengoGenerator(new BouncySpnegoTokenGenerator());
httpclient.getAuthSchemes().register(AuthPolicy.SPNEGO, nsf);
Credentials use_jaas_creds =
new Credentials() {
public String getPassword() {
return null;
}
public Principal getUserPrincipal() {
return null;
}
};
httpclient
.getCredentialsProvider()
.setCredentials(new AuthScope(null, -1, null), use_jaas_creds);
HttpUriRequest request = new HttpGet("http://kerberoshost/");
HttpResponse response = httpclient.execute(request);
HttpEntity entity = response.getEntity();
System.out.println("----------------------------------------");
System.out.println(response.getStatusLine());
System.out.println("----------------------------------------");
if (entity != null) {
System.out.println(EntityUtils.toString(entity));
}
System.out.println("----------------------------------------");
// This ensures the connection gets released back to the manager
if (entity != null) {
entity.consumeContent();
}
// When HttpClient instance is no longer needed,
// shut down the connection manager to ensure
// immediate deallocation of all system resources
httpclient.getConnectionManager().shutdown();
}
/**
* Creates request against SPNEGO protected web-app with FORM fallback. It tries to login using
* SPNEGO first - if it fails, FORM is used.
*
* @param contextUrl
* @param page
* @param user
* @param pass
* @param expectedStatusCode
* @return
* @throws IOException
* @throws URISyntaxException
* @throws PrivilegedActionException
* @throws LoginException
*/
public static String makeHttpCallWithFallback(
final String contextUrl,
final String page,
final String user,
final String pass,
final int expectedStatusCode)
throws IOException, URISyntaxException, PrivilegedActionException, LoginException {
final String strippedContextUrl = StringUtils.stripEnd(contextUrl, "/");
final String url = strippedContextUrl + page;
LOGGER.info("Requesting URL: " + url);
final DefaultHttpClient httpClient = new DefaultHttpClient();
httpClient.setRedirectStrategy(REDIRECT_STRATEGY);
String unauthorizedPageBody = null;
try {
httpClient
.getAuthSchemes()
.register(AuthPolicy.SPNEGO, new JBossNegotiateSchemeFactory(true));
httpClient
.getCredentialsProvider()
.setCredentials(new AuthScope(null, -1, null), new NullHCCredentials());
final HttpGet httpGet = new HttpGet(url);
final HttpResponse response = httpClient.execute(httpGet);
int statusCode = response.getStatusLine().getStatusCode();
if (HttpServletResponse.SC_UNAUTHORIZED != statusCode || StringUtils.isEmpty(user)) {
assertEquals("Unexpected HTTP response status code.", expectedStatusCode, statusCode);
return EntityUtils.toString(response.getEntity());
}
final Header[] authnHeaders = response.getHeaders("WWW-Authenticate");
assertTrue(
"WWW-Authenticate header is present", authnHeaders != null && authnHeaders.length > 0);
final Set<String> authnHeaderValues = new HashSet<String>();
for (final Header header : authnHeaders) {
authnHeaderValues.add(header.getValue());
}
assertTrue(
"WWW-Authenticate: Negotiate header is missing", authnHeaderValues.contains("Negotiate"));
LOGGER.debug("HTTP response was SC_UNAUTHORIZED, let's authenticate the user " + user);
unauthorizedPageBody = EntityUtils.toString(response.getEntity());
// Use our custom configuration to avoid reliance on external config
Configuration.setConfiguration(new Krb5LoginConfiguration());
// 1. Authenticate to Kerberos.
final LoginContext lc =
new LoginContext(Utils.class.getName(), new UsernamePasswordHandler(user, pass));
lc.login();
// 2. Perform the work as authenticated Subject.
final String responseBody =
Subject.doAs(
lc.getSubject(),
new PrivilegedExceptionAction<String>() {
public String run() throws Exception {
final HttpResponse response = httpClient.execute(httpGet);
int statusCode = response.getStatusLine().getStatusCode();
assertEquals(
"Unexpected status code returned after the authentication.",
expectedStatusCode,
statusCode);
return EntityUtils.toString(response.getEntity());
}
});
lc.logout();
return responseBody;
} catch (LoginException e) {
assertNotNull(unauthorizedPageBody);
assertTrue(unauthorizedPageBody.contains("j_security_check"));
HttpPost httpPost = new HttpPost(strippedContextUrl + "/j_security_check");
List<NameValuePair> nameValuePairs = new ArrayList<NameValuePair>();
nameValuePairs.add(new BasicNameValuePair("j_username", user));
nameValuePairs.add(new BasicNameValuePair("j_password", pass));
httpPost.setEntity(new UrlEncodedFormEntity(nameValuePairs));
final HttpResponse response = httpClient.execute(httpPost);
int statusCode = response.getStatusLine().getStatusCode();
assertEquals(
"Unexpected status code returned after the authentication.",
expectedStatusCode,
statusCode);
return EntityUtils.toString(response.getEntity());
} finally {
// When HttpClient instance is no longer needed,
// shut down the connection manager to ensure
// immediate deallocation of all system resources
httpClient.getConnectionManager().shutdown();
}
}
/**
* Returns response body for the given URL request as a String. It also checks if the returned
* HTTP status code is the expected one. If the server returns {@link
* HttpServletResponse#SC_UNAUTHORIZED} and an username is provided, then the given user is
* authenticated against Kerberos and a new request is executed under the new subject.
*
* @param uri URI to which the request should be made
* @param user Username
* @param pass Password
* @param expectedStatusCode expected status code returned from the requested server
* @return HTTP response body
* @throws IOException
* @throws URISyntaxException
* @throws PrivilegedActionException
* @throws LoginException
*/
public static String makeCallWithKerberosAuthn(
final URI uri, final String user, final String pass, final int expectedStatusCode)
throws IOException, URISyntaxException, PrivilegedActionException, LoginException {
LOGGER.info("Requesting URI: " + uri);
final DefaultHttpClient httpClient = new DefaultHttpClient();
try {
httpClient
.getAuthSchemes()
.register(AuthPolicy.SPNEGO, new JBossNegotiateSchemeFactory(true));
httpClient
.getCredentialsProvider()
.setCredentials(new AuthScope(null, -1, null), new NullHCCredentials());
final HttpGet httpGet = new HttpGet(uri);
final HttpResponse response = httpClient.execute(httpGet);
int statusCode = response.getStatusLine().getStatusCode();
if (HttpServletResponse.SC_UNAUTHORIZED != statusCode || StringUtils.isEmpty(user)) {
assertEquals("Unexpected HTTP response status code.", expectedStatusCode, statusCode);
return EntityUtils.toString(response.getEntity());
}
final HttpEntity entity = response.getEntity();
final Header[] authnHeaders = response.getHeaders("WWW-Authenticate");
assertTrue(
"WWW-Authenticate header is present", authnHeaders != null && authnHeaders.length > 0);
final Set<String> authnHeaderValues = new HashSet<String>();
for (final Header header : authnHeaders) {
authnHeaderValues.add(header.getValue());
}
assertTrue(
"WWW-Authenticate: Negotiate header is missing", authnHeaderValues.contains("Negotiate"));
if (LOGGER.isDebugEnabled()) {
LOGGER.debug("HTTP response was SC_UNAUTHORIZED, let's authenticate the user " + user);
}
if (entity != null) EntityUtils.consume(entity);
// Use our custom configuration to avoid reliance on external config
Configuration.setConfiguration(new Krb5LoginConfiguration());
// 1. Authenticate to Kerberos.
final LoginContext lc =
new LoginContext(Utils.class.getName(), new UsernamePasswordHandler(user, pass));
lc.login();
// 2. Perform the work as authenticated Subject.
final String responseBody =
Subject.doAs(
lc.getSubject(),
new PrivilegedExceptionAction<String>() {
public String run() throws Exception {
final HttpResponse response = httpClient.execute(httpGet);
int statusCode = response.getStatusLine().getStatusCode();
assertEquals(
"Unexpected status code returned after the authentication.",
expectedStatusCode,
statusCode);
return EntityUtils.toString(response.getEntity());
}
});
lc.logout();
return responseBody;
} finally {
// When HttpClient instance is no longer needed,
// shut down the connection manager to ensure
// immediate deallocation of all system resources
httpClient.getConnectionManager().shutdown();
}
}
