@Test
public void testMutualAuthenticationWithDNSInCNField() throws Exception {
// Although specifying a DNS name using the Common Name field has been deprecated, it is
// still used in practice (e.g., see http://tools.ietf.org/html/rfc2818). This test makes
// sure that general name matching during authentication still works in this case.
final SaslClientFactory clientFactory = obtainSaslClientFactory(EntitySaslClientFactory.class);
assertNotNull(clientFactory);
final KeyStore keyStore = loadKeyStore(serverKeyStore);
final Certificate[] certificateChain = keyStore.getCertificateChain("dnsInCNServer");
final SaslServer saslServer =
createSaslServer(
SaslMechanismInformation.Names.IEC_ISO_9798_M_DSA_SHA1,
"testserver2.example.com",
getX509TrustManager(serverTrustStore),
(PrivateKey) keyStore.getKey("dnsInCNServer", KEYSTORE_PASSWORD),
Arrays.copyOf(certificateChain, certificateChain.length, X509Certificate[].class));
final String[] mechanisms =
new String[] {SaslMechanismInformation.Names.IEC_ISO_9798_M_DSA_SHA1};
CallbackHandler cbh =
createClientCallbackHandler(
mechanisms,
clientKeyStore,
"dnsInCNClient",
KEYSTORE_PASSWORD,
getX509TrustManager(clientTrustStore));
final SaslClient saslClient =
clientFactory.createSaslClient(
mechanisms,
null,
"test",
"testserver2.example.com",
Collections.<String, Object>emptyMap(),
cbh);
assertFalse(saslServer.isComplete());
assertFalse(saslClient.isComplete());
byte[] message = saslServer.evaluateResponse(new byte[0]);
assertFalse(saslServer.isComplete());
assertFalse(saslClient.isComplete());
message = saslClient.evaluateChallenge(message);
assertFalse(saslServer.isComplete());
assertFalse(saslClient.isComplete());
message = saslServer.evaluateResponse(message);
assertNotNull(message);
message = saslClient.evaluateChallenge(message);
assertNull(message);
assertTrue(saslClient.isComplete());
assertTrue(saslServer.isComplete());
assertEquals(
"cn=testclient2.example.com,ou=jboss,o=red hat,l=raleigh,st=north carolina,c=us",
saslServer.getAuthorizationID());
}
@Test
public void testSimpleMutualSha1WithRsaAuthentication() throws Exception {
final SaslClientFactory clientFactory = obtainSaslClientFactory(EntitySaslClientFactory.class);
assertNotNull(clientFactory);
final SaslServer saslServer =
createSaslServer(
SaslMechanismInformation.Names.IEC_ISO_9798_M_RSA_SHA1_ENC,
"testserver1.example.com",
getX509KeyManager(serverKeyStore, KEYSTORE_PASSWORD),
getX509TrustManager(serverTrustStore));
final String[] mechanisms =
new String[] {SaslMechanismInformation.Names.IEC_ISO_9798_M_RSA_SHA1_ENC};
CallbackHandler cbh =
createClientCallbackHandler(
mechanisms,
clientKeyStore,
CLIENT_KEYSTORE_ALIAS,
KEYSTORE_PASSWORD,
getX509TrustManager(clientTrustStore));
final SaslClient saslClient =
clientFactory.createSaslClient(
mechanisms,
null,
"test",
"testserver1.example.com",
Collections.<String, Object>emptyMap(),
cbh);
assertFalse(saslServer.isComplete());
assertFalse(saslClient.isComplete());
byte[] message = saslServer.evaluateResponse(new byte[0]);
assertFalse(saslServer.isComplete());
assertFalse(saslClient.isComplete());
message = saslClient.evaluateChallenge(message);
assertFalse(saslServer.isComplete());
assertFalse(saslClient.isComplete());
message = saslServer.evaluateResponse(message);
assertNotNull(message);
message = saslClient.evaluateChallenge(message);
assertNull(message);
assertTrue(saslClient.isComplete());
assertTrue(saslServer.isComplete());
assertEquals(
"cn=test client 1,ou=jboss,o=red hat,l=raleigh,st=north carolina,c=us",
saslServer.getAuthorizationID());
}
public AuthenticationResult authenticate(SaslServer server, byte[] response) {
try {
// Process response from the client
byte[] challenge = server.evaluateResponse(response != null ? response : new byte[0]);
if (server.isComplete()) {
final Subject subject = new Subject();
subject.getPrincipals().add(new UsernamePrincipal(server.getAuthorizationID()));
return new AuthenticationResult(subject);
} else {
return new AuthenticationResult(
challenge, AuthenticationResult.AuthenticationStatus.CONTINUE);
}
} catch (SaslException e) {
return new AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR, e);
}
}
public boolean process(final TProtocol inProt, final TProtocol outProt) throws TException {
// populating request context
ReqContext req_context = ReqContext.context();
TTransport trans = inProt.getTransport();
// Sasl transport
TSaslServerTransport saslTrans = (TSaslServerTransport) trans;
// remote address
TSocket tsocket = (TSocket) saslTrans.getUnderlyingTransport();
Socket socket = tsocket.getSocket();
req_context.setRemoteAddress(socket.getInetAddress());
// remote subject
SaslServer saslServer = saslTrans.getSaslServer();
String authId = saslServer.getAuthorizationID();
Subject remoteUser = new Subject();
remoteUser.getPrincipals().add(new User(authId));
req_context.setSubject(remoteUser);
// invoke service handler
return wrapped.process(inProt, outProt);
}
public String getUserName() {
return saslServer.getAuthorizationID();
}
public static void main(String[] args) throws Exception {
try {
Sasl.createSaslClient(
new String[] {"NTLM"}, "abc", "ldap", "server", new HashMap<String, Object>(), null);
} catch (SaslException se) {
System.out.println(se);
}
try {
Sasl.createSaslServer("NTLM", "ldap", "server", new HashMap<String, Object>(), null);
} catch (SaslException se) {
System.out.println(se);
}
try {
Sasl.createSaslClient(
new String[] {"NTLM"},
"abc",
"ldap",
"server",
null,
new CallbackHandler() {
@Override
public void handle(Callback[] callbacks)
throws IOException, UnsupportedCallbackException {}
});
} catch (SaslException se) {
System.out.println(se);
}
try {
SaslServer saslServer =
Sasl.createSaslServer(
"NTLM",
"ldap",
"abc",
null,
new CallbackHandler() {
@Override
public void handle(Callback[] callbacks)
throws IOException, UnsupportedCallbackException {}
});
System.err.println("saslServer = " + saslServer);
System.err.println("saslServer.isComplete() = " + saslServer.isComplete());
// IllegalStateException is expected here
saslServer.getNegotiatedProperty("prop");
System.err.println("No IllegalStateException");
} catch (IllegalStateException se) {
System.out.println(se);
}
try {
SaslServer saslServer =
Sasl.createSaslServer(
"NTLM",
"ldap",
"abc",
null,
new CallbackHandler() {
@Override
public void handle(Callback[] callbacks)
throws IOException, UnsupportedCallbackException {}
});
System.err.println("saslServer = " + saslServer);
System.err.println("saslServer.isComplete() = " + saslServer.isComplete());
// IllegalStateException is expected here
saslServer.getAuthorizationID();
System.err.println("No IllegalStateException");
} catch (IllegalStateException se) {
System.out.println(se);
}
try {
SaslServer saslServer =
Sasl.createSaslServer(
"NTLM",
"ldap",
"abc",
null,
new CallbackHandler() {
@Override
public void handle(Callback[] callbacks)
throws IOException, UnsupportedCallbackException {}
});
System.err.println("saslServer = " + saslServer);
System.err.println("saslServer.isComplete() = " + saslServer.isComplete());
// IllegalStateException is expected here
saslServer.wrap(new byte[0], 0, 0);
System.err.println("No IllegalStateException");
} catch (IllegalStateException se) {
System.out.println(se);
}
}
public static void main(String[] args) throws Exception {
if (args.length == 0) {
namesfile = null;
auto = true;
} else {
int i = 0;
if (args[i].equals("-m")) {
i++;
auto = false;
}
if (args.length > i) {
namesfile = args[i++];
if (args.length > i) {
proxyfile = args[i];
}
} else {
namesfile = null;
}
}
CallbackHandler clntCbh = null;
final CallbackHandler srvCbh = new PropertiesFileCallbackHandler(null, namesfile, proxyfile);
Subject clntSubj = doLogin("client");
Subject srvSubj = doLogin("server");
final HashMap clntprops = new HashMap();
final HashMap srvprops = new HashMap();
clntprops.put(Sasl.QOP, "auth");
srvprops.put(Sasl.QOP, "auth,auth-int,auth-conf");
final SaslClient clnt =
(SaslClient)
Subject.doAs(
clntSubj,
new PrivilegedExceptionAction() {
public Object run() throws Exception {
return Sasl.createSaslClient(
new String[] {MECH}, null, PROTOCOL, SERVER_FQDN, clntprops, null);
}
});
if (verbose) {
System.out.println(clntSubj);
System.out.println(srvSubj);
}
final SaslServer srv =
(SaslServer)
Subject.doAs(
srvSubj,
new PrivilegedExceptionAction() {
public Object run() throws Exception {
return Sasl.createSaslServer(MECH, PROTOCOL, SERVER_FQDN, srvprops, srvCbh);
}
});
if (clnt == null) {
throw new IllegalStateException("Unable to find client impl for " + MECH);
}
if (srv == null) {
throw new IllegalStateException("Unable to find server impl for " + MECH);
}
byte[] response;
byte[] challenge;
response =
(byte[])
Subject.doAs(
clntSubj,
new PrivilegedExceptionAction() {
public Object run() throws Exception {
return (clnt.hasInitialResponse() ? clnt.evaluateChallenge(EMPTY) : EMPTY);
}
});
while (!clnt.isComplete() || !srv.isComplete()) {
final byte[] responseCopy = response;
challenge =
(byte[])
Subject.doAs(
srvSubj,
new PrivilegedExceptionAction() {
public Object run() throws Exception {
return srv.evaluateResponse(responseCopy);
}
});
if (challenge != null) {
final byte[] challengeCopy = challenge;
response =
(byte[])
Subject.doAs(
clntSubj,
new PrivilegedExceptionAction() {
public Object run() throws Exception {
return clnt.evaluateChallenge(challengeCopy);
}
});
}
}
if (clnt.isComplete() && srv.isComplete()) {
if (verbose) {
System.out.println("SUCCESS");
System.out.println("authzid is " + srv.getAuthorizationID());
}
} else {
throw new IllegalStateException(
"FAILURE: mismatched state:"
+ " client complete? "
+ clnt.isComplete()
+ " server complete? "
+ srv.isComplete());
}
if (verbose) {
System.out.println(clnt.getNegotiatedProperty(Sasl.QOP));
}
// Now try to use security layer
byte[] clntBuf = new byte[] {0, 1, 2, 3};
try {
byte[] wrapped = clnt.wrap(clntBuf, 0, clntBuf.length);
throw new Exception("clnt wrap should not be allowed w/no security layer");
} catch (IllegalStateException e) {
// expected
}
byte[] srvBuf = new byte[] {10, 11, 12, 13};
try {
byte[] wrapped = srv.wrap(srvBuf, 0, srvBuf.length);
throw new Exception("srv wrap should not be allowed w/no security layer");
} catch (IllegalStateException e) {
// expected
}
try {
byte[] unwrapped = clnt.unwrap(clntBuf, 0, clntBuf.length);
throw new Exception("clnt wrap should not be allowed w/no security layer");
} catch (IllegalStateException e) {
// expected
}
try {
byte[] unwrapped = srv.unwrap(srvBuf, 0, srvBuf.length);
throw new Exception("srv wrap should not be allowed w/no security layer");
} catch (IllegalStateException e) {
// expected
}
}
public String getAuthorizationID() {
return server.getAuthorizationID();
}
