Example 1 with AvaticaCommonsHttpClientSpnegoImpl
use of org.apache.calcite.avatica.remote.AvaticaCommonsHttpClientSpnegoImpl in project calcite-avatica by apache.
the class HttpServerSpnegoWithoutJaasTest method testAuthenticatedClientsAllowed.
@Test
public void testAuthenticatedClientsAllowed() throws Exception {
// Create the subject for the client
final Subject clientSubject = JaasKrbUtil.loginUsingKeytab(SpnegoTestUtil.CLIENT_PRINCIPAL, clientKeytab);
final Set<Principal> clientPrincipals = clientSubject.getPrincipals();
// Make sure the subject has a principal
assertFalse(clientPrincipals.isEmpty());
// Get a TGT for the subject (might have many, different encryption types). The first should
// be the default encryption type.
Set<KerberosTicket> privateCredentials = clientSubject.getPrivateCredentials(KerberosTicket.class);
assertFalse(privateCredentials.isEmpty());
KerberosTicket tgt = privateCredentials.iterator().next();
assertNotNull(tgt);
LOG.info("Using TGT with etype: {}", tgt.getSessionKey().getAlgorithm());
// The name of the principal
final String principalName = clientPrincipals.iterator().next().getName();
// Run this code, logged in as the subject (the client)
byte[] response = Subject.doAs(clientSubject, new PrivilegedExceptionAction<byte[]>() {
@Override
public byte[] run() throws Exception {
// Logs in with Kerberos via GSS
GSSManager gssManager = GSSManager.getInstance();
Oid oid = new Oid(SpnegoTestUtil.JGSS_KERBEROS_TICKET_OID);
GSSName gssClient = gssManager.createName(principalName, GSSName.NT_USER_NAME);
GSSCredential credential = gssManager.createCredential(gssClient, GSSCredential.DEFAULT_LIFETIME, oid, GSSCredential.INITIATE_ONLY);
// Passes the GSSCredential into the HTTP client implementation
final AvaticaCommonsHttpClientSpnegoImpl httpClient = new AvaticaCommonsHttpClientSpnegoImpl(httpServerUrl, credential);
return httpClient.send(new byte[0]);
}
});
// We should get a response which is "OK" with our client's name
assertNotNull(response);
assertEquals("OK " + SpnegoTestUtil.CLIENT_PRINCIPAL, new String(response, StandardCharsets.UTF_8));
}
Also used :
GSSName(org.ietf.jgss.GSSName)
KerberosTicket(javax.security.auth.kerberos.KerberosTicket)
Oid(org.ietf.jgss.Oid)
Subject(javax.security.auth.Subject)
KrbException(org.apache.kerby.kerberos.kerb.KrbException)
GSSCredential(org.ietf.jgss.GSSCredential)
GSSManager(org.ietf.jgss.GSSManager)
AvaticaCommonsHttpClientSpnegoImpl(org.apache.calcite.avatica.remote.AvaticaCommonsHttpClientSpnegoImpl)
Principal(java.security.Principal)
Test(org.junit.Test)
Example 2 with AvaticaCommonsHttpClientSpnegoImpl
use of org.apache.calcite.avatica.remote.AvaticaCommonsHttpClientSpnegoImpl in project calcite-avatica by apache.
the class HttpServerSpnegoWithJaasTest method testAuthenticatedClientsAllowed.
@Test
public void testAuthenticatedClientsAllowed() throws Exception {
Assume.assumeThat("Test disabled on Windows", File.separatorChar, is('/'));
// Create the subject for the client
final Subject clientSubject = JaasKrbUtil.loginUsingKeytab(SpnegoTestUtil.CLIENT_PRINCIPAL, clientKeytab);
final Set<Principal> clientPrincipals = clientSubject.getPrincipals();
// Make sure the subject has a principal
assertFalse(clientPrincipals.isEmpty());
// Get a TGT for the subject (might have many, different encryption types). The first should
// be the default encryption type.
Set<KerberosTicket> privateCredentials = clientSubject.getPrivateCredentials(KerberosTicket.class);
assertFalse(privateCredentials.isEmpty());
KerberosTicket tgt = privateCredentials.iterator().next();
assertNotNull(tgt);
LOG.info("Using TGT with etype: {}", tgt.getSessionKey().getAlgorithm());
// The name of the principal
final String principalName = clientPrincipals.iterator().next().getName();
// Run this code, logged in as the subject (the client)
byte[] response = Subject.doAs(clientSubject, new PrivilegedExceptionAction<byte[]>() {
@Override
public byte[] run() throws Exception {
// Logs in with Kerberos via GSS
GSSManager gssManager = GSSManager.getInstance();
Oid oid = new Oid(SpnegoTestUtil.JGSS_KERBEROS_TICKET_OID);
GSSName gssClient = gssManager.createName(principalName, GSSName.NT_USER_NAME);
GSSCredential credential = gssManager.createCredential(gssClient, GSSCredential.DEFAULT_LIFETIME, oid, GSSCredential.INITIATE_ONLY);
// Passes the GSSCredential into the HTTP client implementation
final AvaticaCommonsHttpClientSpnegoImpl httpClient = new AvaticaCommonsHttpClientSpnegoImpl(httpServerUrl, credential);
return httpClient.send(new byte[0]);
}
});
// We should get a response which is "OK" with our client's name
assertNotNull(response);
assertEquals("OK " + SpnegoTestUtil.CLIENT_PRINCIPAL, new String(response, StandardCharsets.UTF_8));
}
Also used :
GSSName(org.ietf.jgss.GSSName)
KerberosTicket(javax.security.auth.kerberos.KerberosTicket)
Oid(org.ietf.jgss.Oid)
Subject(javax.security.auth.Subject)
KrbException(org.apache.kerby.kerberos.kerb.KrbException)
GSSCredential(org.ietf.jgss.GSSCredential)
GSSManager(org.ietf.jgss.GSSManager)
AvaticaCommonsHttpClientSpnegoImpl(org.apache.calcite.avatica.remote.AvaticaCommonsHttpClientSpnegoImpl)
Principal(java.security.Principal)
Test(org.junit.Test)
Aggregations
Principal (java.security.Principal)2
Subject (javax.security.auth.Subject)2
KerberosTicket (javax.security.auth.kerberos.KerberosTicket)2
AvaticaCommonsHttpClientSpnegoImpl (org.apache.calcite.avatica.remote.AvaticaCommonsHttpClientSpnegoImpl)2
KrbException (org.apache.kerby.kerberos.kerb.KrbException)2
GSSCredential (org.ietf.jgss.GSSCredential)2
GSSManager (org.ietf.jgss.GSSManager)2
GSSName (org.ietf.jgss.GSSName)2
Oid (org.ietf.jgss.Oid)2
Test (org.junit.Test)2
