ws-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1549607 - in /webservices/wss4j/trunk/integration/src/test/java/org/apache/wss4j/integration/test: dom/KerberosTest.java kerberos/ kerberos/KerberosTest.java stax/KerberosTest.java
Date Mon, 09 Dec 2013 16:26:11 GMT
Author: coheigea
Date: Mon Dec  9 16:26:11 2013
New Revision: 1549607

URL: http://svn.apache.org/r1549607
Log:
Run Kerberos DOM + StAX tests together to avoid the penalty of starting the KDC twice

Added:
    webservices/wss4j/trunk/integration/src/test/java/org/apache/wss4j/integration/test/kerberos/
    webservices/wss4j/trunk/integration/src/test/java/org/apache/wss4j/integration/test/kerberos/KerberosTest.java
      - copied, changed from r1549603, webservices/wss4j/trunk/integration/src/test/java/org/apache/wss4j/integration/test/stax/KerberosTest.java
Removed:
    webservices/wss4j/trunk/integration/src/test/java/org/apache/wss4j/integration/test/dom/KerberosTest.java
    webservices/wss4j/trunk/integration/src/test/java/org/apache/wss4j/integration/test/stax/KerberosTest.java

Copied: webservices/wss4j/trunk/integration/src/test/java/org/apache/wss4j/integration/test/kerberos/KerberosTest.java
(from r1549603, webservices/wss4j/trunk/integration/src/test/java/org/apache/wss4j/integration/test/stax/KerberosTest.java)
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/integration/src/test/java/org/apache/wss4j/integration/test/kerberos/KerberosTest.java?p2=webservices/wss4j/trunk/integration/src/test/java/org/apache/wss4j/integration/test/kerberos/KerberosTest.java&p1=webservices/wss4j/trunk/integration/src/test/java/org/apache/wss4j/integration/test/stax/KerberosTest.java&r1=1549603&r2=1549607&rev=1549607&view=diff
==============================================================================
--- webservices/wss4j/trunk/integration/src/test/java/org/apache/wss4j/integration/test/stax/KerberosTest.java
(original)
+++ webservices/wss4j/trunk/integration/src/test/java/org/apache/wss4j/integration/test/kerberos/KerberosTest.java
Mon Dec  9 16:26:11 2013
@@ -16,9 +16,12 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-package org.apache.wss4j.integration.test.stax;
+package org.apache.wss4j.integration.test.kerberos;
 
+import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.common.kerberos.KerberosContextAndServiceNameCallback;
+import org.apache.wss4j.common.spnego.SpnegoTokenContext;
+import org.apache.wss4j.common.util.XMLUtils;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.WSSConfig;
 import org.apache.wss4j.dom.WSSecurityEngine;
@@ -71,6 +74,9 @@ import java.util.ArrayList;
 import java.util.List;
 
 public class KerberosTest extends AbstractTestBase {
+    
+    private static final org.slf4j.Logger LOG = 
+        org.slf4j.LoggerFactory.getLogger(KerberosTest.class);
 
     private static boolean kerberosServerStarted = false;
 
@@ -101,6 +107,525 @@ public class KerberosTest extends Abstra
         }
         SecurityTestUtil.cleanup();
     }
+    
+    //
+    // DOM tests
+    //
+    
+    /**
+     * Test using the KerberosSecurity class to retrieve a service ticket from a KDC, wrap
it
+     * in a BinarySecurityToken, and process it.
+     */
+    @Test
+    public void testKerberosCreationAndProcessing() throws Exception {
+        if (!kerberosServerStarted) {
+            System.out.println("Skipping test because kerberos server could not be started");
+            return;
+        }
+
+        Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+
+        WSSecHeader secHeader = new WSSecHeader();
+        secHeader.insertSecurityHeader(doc);
+        
+        KerberosSecurity bst = new KerberosSecurity(doc);
+        CallbackHandler callbackHandler = new CallbackHandler() {
+            @Override
+            public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException
{
+                PasswordCallback passwordCallback = (PasswordCallback)callbacks[0];
+                if (passwordCallback.getPrompt().contains("alice")) {
+                    passwordCallback.setPassword("alice".toCharArray());
+                } else if (passwordCallback.getPrompt().contains("bob")) {
+                    passwordCallback.setPassword("bob".toCharArray());
+                }
+            }
+        };
+        bst.retrieveServiceTicket("alice", callbackHandler, "bob@service.ws.apache.org");
+        WSSecurityUtil.prependChildElement(secHeader.getSecurityHeader(), bst.getElement());
+        
+        if (LOG.isDebugEnabled()) {
+            String outputString = 
+                XMLUtils.PrettyDocumentToString(doc);
+            LOG.debug(outputString);
+        }
+        
+        // Configure the Validator
+        WSSConfig wssConfig = WSSConfig.getNewInstance();
+        KerberosTokenValidator validator = new KerberosTokenValidator();
+        validator.setContextName("bob");
+        validator.setServiceName("bob@service.ws.apache.org");
+        wssConfig.setValidator(WSSecurityEngine.BINARY_TOKEN, validator);
+        WSSecurityEngine secEngine = new WSSecurityEngine();
+        secEngine.setWssConfig(wssConfig);
+
+        List<WSSecurityEngineResult> results =
+            secEngine.processSecurityHeader(doc, null, callbackHandler, null);
+        WSSecurityEngineResult actionResult =
+            WSSecurityUtil.fetchActionResult(results, WSConstants.BST);
+        BinarySecurity token =
+            (BinarySecurity)actionResult.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
+        Assert.assertTrue(token != null);
+        
+        Principal principal = (Principal)actionResult.get(WSSecurityEngineResult.TAG_PRINCIPAL);
+        Assert.assertTrue(principal instanceof KerberosPrincipal);
+        Assert.assertTrue(principal.getName().contains("alice"));
+    }
+    
+    /**
+     * Get and validate a SPNEGO token.
+     */
+    @Test
+    public void testSpnego() throws Exception {
+        if (!kerberosServerStarted) {
+            System.out.println("Skipping test because kerberos server could not be started");
+            return;
+        }
+
+        Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+
+        WSSecHeader secHeader = new WSSecHeader();
+        secHeader.insertSecurityHeader(doc);
+        
+        SpnegoTokenContext spnegoToken = new SpnegoTokenContext();
+        CallbackHandler callbackHandler = new CallbackHandler() {
+            @Override
+            public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException
{
+                PasswordCallback passwordCallback = (PasswordCallback)callbacks[0];
+                if (passwordCallback.getPrompt().contains("alice")) {
+                    passwordCallback.setPassword("alice".toCharArray());
+                } else if (passwordCallback.getPrompt().contains("bob")) {
+                    passwordCallback.setPassword("bob".toCharArray());
+                }
+            }
+        };
+        spnegoToken.retrieveServiceTicket("alice", callbackHandler, "bob@service.ws.apache.org");
+        
+        byte[] token = spnegoToken.getToken();
+        Assert.assertNotNull(token);
+        
+        spnegoToken = new SpnegoTokenContext();
+        spnegoToken.validateServiceTicket("bob", callbackHandler, "bob@service.ws.apache.org",
token);
+        Assert.assertTrue(spnegoToken.isEstablished());
+    }
+    
+    /**
+     * Various unit tests for a kerberos client
+     */
+    @Test
+    public void testKerberosClient() throws Exception {
+        if (!kerberosServerStarted) {
+            System.out.println("Skipping test because kerberos server could not be started");
+            return;
+        }
+
+        Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+
+        CallbackHandler callbackHandler = new CallbackHandler() {
+            @Override
+            public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException
{
+                PasswordCallback passwordCallback = (PasswordCallback)callbacks[0];
+                if (passwordCallback.getPrompt().contains("alice")) {
+                    passwordCallback.setPassword("alice".toCharArray());
+                } else if (passwordCallback.getPrompt().contains("bob")) {
+                    passwordCallback.setPassword("bob".toCharArray());
+                }
+            }
+        };
+
+        try {
+            KerberosSecurity bst = new KerberosSecurity(doc);
+            bst.retrieveServiceTicket("alice2", callbackHandler, "bob@service");
+            Assert.fail("Failure expected on an unknown user");
+        } catch (WSSecurityException ex) {
+            Assert.assertEquals(ex.getMessage(), "An error occurred in trying to obtain a
TGT: No LoginModules configured for alice2");
+        }
+        
+        
+        try {
+            KerberosSecurity bst = new KerberosSecurity(doc);
+            bst.retrieveServiceTicket("alice", callbackHandler, "bob2@service");
+            Assert.fail("Failure expected on an unknown user");
+        } catch (WSSecurityException ex) {
+            Assert.assertEquals(ex.getMessage(), "An error occurred in trying to obtain a
service ticket");
+        }
+        
+    }
+    
+    /**
+     * Test using the KerberosSecurity class to retrieve a service ticket from a KDC, wrap
it
+     * in a BinarySecurityToken, and use the session key to sign the SOAP Body.
+     */
+    @Test
+    public void testKerberosSignature() throws Exception {
+        if (!kerberosServerStarted) {
+            System.out.println("Skipping test because kerberos server could not be started");
+            return;
+        }
+
+        Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+
+        WSSecHeader secHeader = new WSSecHeader();
+        secHeader.insertSecurityHeader(doc);
+        
+        KerberosSecurity bst = new KerberosSecurity(doc);
+        CallbackHandler callbackHandler = new CallbackHandler() {
+            @Override
+            public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException
{
+                if (callbacks[0] instanceof PasswordCallback) {
+                    PasswordCallback passwordCallback = (PasswordCallback)callbacks[0];
+                    if (passwordCallback.getPrompt().contains("alice")) {
+                        passwordCallback.setPassword("alice".toCharArray());
+                    } else if (passwordCallback.getPrompt().contains("bob")) {
+                        passwordCallback.setPassword("bob".toCharArray());
+                    }
+                }
+            }
+        };
+        bst.retrieveServiceTicket("alice", callbackHandler, "bob@service.ws.apache.org");
+        bst.setID("Id-" + bst.hashCode());
+        WSSecurityUtil.prependChildElement(secHeader.getSecurityHeader(), bst.getElement());
+        
+        WSSecSignature sign = new WSSecSignature();
+        sign.setSignatureAlgorithm(SignatureMethod.HMAC_SHA1);
+        sign.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
+        sign.setCustomTokenId(bst.getID());
+        sign.setCustomTokenValueType(WSConstants.WSS_GSS_KRB_V5_AP_REQ);
+        
+        SecretKey secretKey = bst.getSecretKey();
+        sign.setSecretKey(secretKey.getEncoded());
+        
+        Document signedDoc = sign.build(doc, null, secHeader);
+        
+        if (LOG.isDebugEnabled()) {
+            String outputString = 
+                XMLUtils.PrettyDocumentToString(signedDoc);
+            LOG.debug(outputString);
+        }
+        
+        // Configure the Validator
+        WSSConfig wssConfig = WSSConfig.getNewInstance();
+        KerberosTokenValidator validator = new KerberosTokenValidator();
+        validator.setContextName("bob");
+        validator.setServiceName("bob@service.ws.apache.org");
+        wssConfig.setValidator(WSSecurityEngine.BINARY_TOKEN, validator);
+        WSSecurityEngine secEngine = new WSSecurityEngine();
+        secEngine.setWssConfig(wssConfig);
+        
+        List<WSSecurityEngineResult> results = 
+            secEngine.processSecurityHeader(doc, null, callbackHandler, null);
+        WSSecurityEngineResult actionResult =
+            WSSecurityUtil.fetchActionResult(results, WSConstants.BST);
+        BinarySecurity token =
+            (BinarySecurity)actionResult.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
+        Assert.assertTrue(token != null);
+        
+        Principal principal = (Principal)actionResult.get(WSSecurityEngineResult.TAG_PRINCIPAL);
+        Assert.assertTrue(principal instanceof KerberosPrincipal);
+        Assert.assertTrue(principal.getName().contains("alice"));
+    }
+    
+    
+    /**
+     * Test using the KerberosSecurity class to retrieve a service ticket from a KDC, wrap
it
+     * in a BinarySecurityToken, and use the session key to sign the SOAP Body.
+     */
+    @Test
+    public void testKerberosSignatureKI() throws Exception {
+        if (!kerberosServerStarted) {
+            System.out.println("Skipping test because kerberos server could not be started");
+            return;
+        }
+
+        Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+
+        WSSecHeader secHeader = new WSSecHeader();
+        secHeader.insertSecurityHeader(doc);
+        
+        KerberosSecurity bst = new KerberosSecurity(doc);
+        CallbackHandler callbackHandler = new CallbackHandler() {
+            @Override
+            public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException
{
+                if (callbacks[0] instanceof PasswordCallback) {
+                    PasswordCallback passwordCallback = (PasswordCallback)callbacks[0];
+                    if (passwordCallback.getPrompt().contains("alice")) {
+                        passwordCallback.setPassword("alice".toCharArray());
+                    } else if (passwordCallback.getPrompt().contains("bob")) {
+                        passwordCallback.setPassword("bob".toCharArray());
+                    }
+                }
+            }
+        };
+        bst.retrieveServiceTicket("alice", callbackHandler, "bob@service.ws.apache.org");
+        bst.setID("Id-" + bst.hashCode());
+        
+        WSSecSignature sign = new WSSecSignature();
+        sign.setSignatureAlgorithm(SignatureMethod.HMAC_SHA1);
+        sign.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
+        sign.setCustomTokenValueType(WSConstants.WSS_KRB_KI_VALUE_TYPE);
+        
+        SecretKey secretKey = bst.getSecretKey();
+        byte[] keyData = secretKey.getEncoded();
+        sign.setSecretKey(keyData);
+        
+        byte[] digestBytes = WSSecurityUtil.generateDigest(bst.getToken());
+        sign.setCustomTokenId(Base64.encode(digestBytes));
+        
+        Document signedDoc = sign.build(doc, null, secHeader);
+        
+        WSSecurityUtil.prependChildElement(secHeader.getSecurityHeader(), bst.getElement());
+        
+        if (LOG.isDebugEnabled()) {
+            String outputString = 
+                XMLUtils.PrettyDocumentToString(signedDoc);
+            LOG.debug(outputString);
+        }
+        
+        // Configure the Validator
+        WSSConfig wssConfig = WSSConfig.getNewInstance();
+        KerberosTokenValidator validator = new KerberosTokenValidator();
+        validator.setContextName("bob");
+        validator.setServiceName("bob@service.ws.apache.org");
+        wssConfig.setValidator(WSSecurityEngine.BINARY_TOKEN, validator);
+        WSSecurityEngine secEngine = new WSSecurityEngine();
+        secEngine.setWssConfig(wssConfig);
+        
+        List<WSSecurityEngineResult> results = 
+            secEngine.processSecurityHeader(doc, null, callbackHandler, null);
+        WSSecurityEngineResult actionResult =
+            WSSecurityUtil.fetchActionResult(results, WSConstants.BST);
+        BinarySecurity token =
+            (BinarySecurity)actionResult.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
+        Assert.assertTrue(token != null);
+        
+        Principal principal = (Principal)actionResult.get(WSSecurityEngineResult.TAG_PRINCIPAL);
+        Assert.assertTrue(principal instanceof KerberosPrincipal);
+        Assert.assertTrue(principal.getName().contains("alice"));
+    }
+    
+    
+    /**
+     * Test using the KerberosSecurity class to retrieve a service ticket from a KDC, wrap
it
+     * in a BinarySecurityToken, and use the session key to encrypt the SOAP Body.
+     */
+    @Test
+    public void testKerberosEncryption() throws Exception {
+        if (!kerberosServerStarted) {
+            System.out.println("Skipping test because kerberos server could not be started");
+            return;
+        }
+
+        Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+
+        WSSecHeader secHeader = new WSSecHeader();
+        secHeader.insertSecurityHeader(doc);
+        
+        KerberosSecurity bst = new KerberosSecurity(doc);
+        CallbackHandler callbackHandler = new CallbackHandler() {
+            @Override
+            public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException
{
+                if (callbacks[0] instanceof PasswordCallback) {
+                    PasswordCallback passwordCallback = (PasswordCallback)callbacks[0];
+                    if (passwordCallback.getPrompt().contains("alice")) {
+                        passwordCallback.setPassword("alice".toCharArray());
+                    } else if (passwordCallback.getPrompt().contains("bob")) {
+                        passwordCallback.setPassword("bob".toCharArray());
+                    }
+                }
+            }
+        };
+        bst.retrieveServiceTicket("alice", callbackHandler, "bob@service.ws.apache.org");
+        bst.setID("Id-" + bst.hashCode());
+        WSSecurityUtil.prependChildElement(secHeader.getSecurityHeader(), bst.getElement());
+        
+        WSSecEncrypt builder = new WSSecEncrypt();
+        builder.setSymmetricEncAlgorithm(WSConstants.AES_128);
+        SecretKey secretKey = bst.getSecretKey();
+        builder.setSymmetricKey(secretKey);
+        builder.setEncryptSymmKey(false);
+        builder.setCustomReferenceValue(WSConstants.WSS_GSS_KRB_V5_AP_REQ);
+        builder.setEncKeyId(bst.getID());
+
+        Document encryptedDoc = builder.build(doc, null, secHeader);
+        
+        if (LOG.isDebugEnabled()) {
+            String outputString = 
+                XMLUtils.PrettyDocumentToString(encryptedDoc);
+            LOG.debug(outputString);
+        }
+        
+        // Configure the Validator
+        WSSConfig wssConfig = WSSConfig.getNewInstance();
+        KerberosTokenValidator validator = new KerberosTokenValidator();
+        validator.setContextName("bob");
+        validator.setServiceName("bob@service.ws.apache.org");
+        wssConfig.setValidator(WSSecurityEngine.BINARY_TOKEN, validator);
+        WSSecurityEngine secEngine = new WSSecurityEngine();
+        secEngine.setWssConfig(wssConfig);
+        
+        List<WSSecurityEngineResult> results = 
+            secEngine.processSecurityHeader(encryptedDoc, null, callbackHandler, null);
+        WSSecurityEngineResult actionResult =
+            WSSecurityUtil.fetchActionResult(results, WSConstants.BST);
+        BinarySecurity token =
+            (BinarySecurity)actionResult.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
+        Assert.assertTrue(token != null);
+        
+        Principal principal = (Principal)actionResult.get(WSSecurityEngineResult.TAG_PRINCIPAL);
+        Assert.assertTrue(principal instanceof KerberosPrincipal);
+        Assert.assertTrue(principal.getName().contains("alice"));
+    }
+    
+    /**
+     * Test using the KerberosSecurity class to retrieve a service ticket from a KDC, wrap
it
+     * in a BinarySecurityToken, and use the session key to encrypt the SOAP Body.
+     */
+    @Test
+    public void testKerberosEncryptionBSTFirst() throws Exception {
+        if (!kerberosServerStarted) {
+            System.out.println("Skipping test because kerberos server could not be started");
+            return;
+        }
+
+        Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+
+        WSSecHeader secHeader = new WSSecHeader();
+        secHeader.insertSecurityHeader(doc);
+        
+        KerberosSecurity bst = new KerberosSecurity(doc);
+        CallbackHandler callbackHandler = new CallbackHandler() {
+            @Override
+            public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException
{
+                if (callbacks[0] instanceof PasswordCallback) {
+                    PasswordCallback passwordCallback = (PasswordCallback)callbacks[0];
+                    if (passwordCallback.getPrompt().contains("alice")) {
+                        passwordCallback.setPassword("alice".toCharArray());
+                    } else if (passwordCallback.getPrompt().contains("bob")) {
+                        passwordCallback.setPassword("bob".toCharArray());
+                    }
+                }
+            }
+        };
+        bst.retrieveServiceTicket("alice", callbackHandler, "bob@service.ws.apache.org");
+        bst.setID("Id-" + bst.hashCode());
+        
+        WSSecEncrypt builder = new WSSecEncrypt();
+        builder.setSymmetricEncAlgorithm(WSConstants.AES_128);
+        SecretKey secretKey = bst.getSecretKey();
+        builder.setSymmetricKey(secretKey);
+        builder.setEncryptSymmKey(false);
+        builder.setCustomReferenceValue(WSConstants.WSS_GSS_KRB_V5_AP_REQ);
+        builder.setEncKeyId(bst.getID());
+
+        Document encryptedDoc = builder.build(doc, null, secHeader);
+        
+        WSSecurityUtil.prependChildElement(secHeader.getSecurityHeader(), bst.getElement());
+        
+        if (LOG.isDebugEnabled()) {
+            String outputString = 
+                XMLUtils.PrettyDocumentToString(encryptedDoc);
+            LOG.debug(outputString);
+        }
+        
+        // Configure the Validator
+        WSSConfig wssConfig = WSSConfig.getNewInstance();
+        KerberosTokenValidator validator = new KerberosTokenValidator();
+        validator.setContextName("bob");
+        validator.setServiceName("bob@service.ws.apache.org");
+        wssConfig.setValidator(WSSecurityEngine.BINARY_TOKEN, validator);
+        WSSecurityEngine secEngine = new WSSecurityEngine();
+        secEngine.setWssConfig(wssConfig);
+        
+        List<WSSecurityEngineResult> results = 
+            secEngine.processSecurityHeader(encryptedDoc, null, callbackHandler, null);
+        WSSecurityEngineResult actionResult =
+            WSSecurityUtil.fetchActionResult(results, WSConstants.BST);
+        BinarySecurity token =
+            (BinarySecurity)actionResult.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
+        Assert.assertTrue(token != null);
+        
+        Principal principal = (Principal)actionResult.get(WSSecurityEngineResult.TAG_PRINCIPAL);
+        Assert.assertTrue(principal instanceof KerberosPrincipal);
+        Assert.assertTrue(principal.getName().contains("alice"));
+    }
+    
+    /**
+     * Test using the KerberosSecurity class to retrieve a service ticket from a KDC, wrap
it
+     * in a BinarySecurityToken, and use the session key to encrypt the SOAP Body.
+     */
+    @Test
+    public void testKerberosEncryptionKI() throws Exception {
+        if (!kerberosServerStarted) {
+            System.out.println("Skipping test because kerberos server could not be started");
+            return;
+        }
+
+        Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+
+        WSSecHeader secHeader = new WSSecHeader();
+        secHeader.insertSecurityHeader(doc);
+        
+        KerberosSecurity bst = new KerberosSecurity(doc);
+        CallbackHandler callbackHandler = new CallbackHandler() {
+            @Override
+            public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException
{
+                if (callbacks[0] instanceof PasswordCallback) {
+                    PasswordCallback passwordCallback = (PasswordCallback)callbacks[0];
+                    if (passwordCallback.getPrompt().contains("alice")) {
+                        passwordCallback.setPassword("alice".toCharArray());
+                    } else if (passwordCallback.getPrompt().contains("bob")) {
+                        passwordCallback.setPassword("bob".toCharArray());
+                    }
+                }
+            }
+        };
+        bst.retrieveServiceTicket("alice", callbackHandler, "bob@service.ws.apache.org");
+        bst.setID("Id-" + bst.hashCode());
+        
+        WSSecEncrypt builder = new WSSecEncrypt();
+        builder.setSymmetricEncAlgorithm(WSConstants.AES_128);
+        SecretKey secretKey = bst.getSecretKey();
+        builder.setSymmetricKey(secretKey);
+        builder.setEncryptSymmKey(false);
+        builder.setCustomReferenceValue(WSConstants.WSS_KRB_KI_VALUE_TYPE);
+
+        byte[] digestBytes = WSSecurityUtil.generateDigest(bst.getToken());
+        builder.setEncKeyId(Base64.encode(digestBytes));
+        
+        Document encryptedDoc = builder.build(doc, null, secHeader);
+        
+        WSSecurityUtil.prependChildElement(secHeader.getSecurityHeader(), bst.getElement());
+        
+        if (LOG.isDebugEnabled()) {
+            String outputString = 
+                XMLUtils.PrettyDocumentToString(encryptedDoc);
+            LOG.debug(outputString);
+        }
+        
+        // Configure the Validator
+        WSSConfig wssConfig = WSSConfig.getNewInstance();
+        KerberosTokenValidator validator = new KerberosTokenValidator();
+        validator.setContextName("bob");
+        validator.setServiceName("bob@service.ws.apache.org");
+        wssConfig.setValidator(WSSecurityEngine.BINARY_TOKEN, validator);
+        WSSecurityEngine secEngine = new WSSecurityEngine();
+        secEngine.setWssConfig(wssConfig);
+        
+        List<WSSecurityEngineResult> results = 
+            secEngine.processSecurityHeader(encryptedDoc, null, callbackHandler, null);
+        WSSecurityEngineResult actionResult =
+            WSSecurityUtil.fetchActionResult(results, WSConstants.BST);
+        BinarySecurity token =
+            (BinarySecurity)actionResult.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
+        Assert.assertTrue(token != null);
+        
+        Principal principal = (Principal)actionResult.get(WSSecurityEngineResult.TAG_PRINCIPAL);
+        Assert.assertTrue(principal instanceof KerberosPrincipal);
+        Assert.assertTrue(principal.getName().contains("alice"));
+    }
+    
+    //
+    // Streaming tests
+    //
 
     @Test
     public void testKerberosSignatureOutbound() throws Exception {



Mime
View raw message