Google Git
Sign in
apache / hbase-site / 0082cda45f48d1755543336c908ec6d80d4ec0a9 / . / testdevapidocs / src-html / org / apache / hadoop / hbase / http / TestProxyUserSpnegoHttpServer.html
blob: 0c211bc0b82bb7554f97846bc74e84712197f064 [file] [log] [blame]
<!DOCTYPE HTML>
<html lang="en">
<head>
<!-- Generated by javadoc (17) -->
<title>Source code</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="source: package: org.apache.hadoop.hbase.http, class: TestProxyUserSpnegoHttpServer">
<meta name="generator" content="javadoc/SourceToHTMLConverter">
<link rel="stylesheet" type="text/css" href="../../../../../../stylesheet.css" title="Style">
</head>
<body class="source-page">
<main role="main">
<div class="source-container">
<pre><span class="source-line-no">001</span><span id="line-1">/*</span>
<span class="source-line-no">002</span><span id="line-2"> * Licensed to the Apache Software Foundation (ASF) under one</span>
<span class="source-line-no">003</span><span id="line-3"> * or more contributor license agreements. See the NOTICE file</span>
<span class="source-line-no">004</span><span id="line-4"> * distributed with this work for additional information</span>
<span class="source-line-no">005</span><span id="line-5"> * regarding copyright ownership. The ASF licenses this file</span>
<span class="source-line-no">006</span><span id="line-6"> * to you under the Apache License, Version 2.0 (the</span>
<span class="source-line-no">007</span><span id="line-7"> * "License"); you may not use this file except in compliance</span>
<span class="source-line-no">008</span><span id="line-8"> * with the License. You may obtain a copy of the License at</span>
<span class="source-line-no">009</span><span id="line-9"> *</span>
<span class="source-line-no">010</span><span id="line-10"> * http://www.apache.org/licenses/LICENSE-2.0</span>
<span class="source-line-no">011</span><span id="line-11"> *</span>
<span class="source-line-no">012</span><span id="line-12"> * Unless required by applicable law or agreed to in writing, software</span>
<span class="source-line-no">013</span><span id="line-13"> * distributed under the License is distributed on an "AS IS" BASIS,</span>
<span class="source-line-no">014</span><span id="line-14"> * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.</span>
<span class="source-line-no">015</span><span id="line-15"> * See the License for the specific language governing permissions and</span>
<span class="source-line-no">016</span><span id="line-16"> * limitations under the License.</span>
<span class="source-line-no">017</span><span id="line-17"> */</span>
<span class="source-line-no">018</span><span id="line-18">package org.apache.hadoop.hbase.http;</span>
<span class="source-line-no">019</span><span id="line-19"></span>
<span class="source-line-no">020</span><span id="line-20">import static org.junit.Assert.assertEquals;</span>
<span class="source-line-no">021</span><span id="line-21">import static org.junit.Assert.assertFalse;</span>
<span class="source-line-no">022</span><span id="line-22">import static org.junit.Assert.assertNotNull;</span>
<span class="source-line-no">023</span><span id="line-23">import static org.junit.Assert.assertTrue;</span>
<span class="source-line-no">024</span><span id="line-24"></span>
<span class="source-line-no">025</span><span id="line-25">import java.io.File;</span>
<span class="source-line-no">026</span><span id="line-26">import java.net.HttpURLConnection;</span>
<span class="source-line-no">027</span><span id="line-27">import java.net.URL;</span>
<span class="source-line-no">028</span><span id="line-28">import java.security.Principal;</span>
<span class="source-line-no">029</span><span id="line-29">import java.security.PrivilegedExceptionAction;</span>
<span class="source-line-no">030</span><span id="line-30">import java.util.Set;</span>
<span class="source-line-no">031</span><span id="line-31">import javax.security.auth.Subject;</span>
<span class="source-line-no">032</span><span id="line-32">import javax.security.auth.kerberos.KerberosTicket;</span>
<span class="source-line-no">033</span><span id="line-33">import org.apache.hadoop.conf.Configuration;</span>
<span class="source-line-no">034</span><span id="line-34">import org.apache.hadoop.hbase.HBaseClassTestRule;</span>
<span class="source-line-no">035</span><span id="line-35">import org.apache.hadoop.hbase.HBaseCommonTestingUtil;</span>
<span class="source-line-no">036</span><span id="line-36">import org.apache.hadoop.hbase.http.TestHttpServer.EchoServlet;</span>
<span class="source-line-no">037</span><span id="line-37">import org.apache.hadoop.hbase.http.resource.JerseyResource;</span>
<span class="source-line-no">038</span><span id="line-38">import org.apache.hadoop.hbase.testclassification.MiscTests;</span>
<span class="source-line-no">039</span><span id="line-39">import org.apache.hadoop.hbase.testclassification.SmallTests;</span>
<span class="source-line-no">040</span><span id="line-40">import org.apache.hadoop.hbase.util.SimpleKdcServerUtil;</span>
<span class="source-line-no">041</span><span id="line-41">import org.apache.hadoop.security.authentication.util.KerberosName;</span>
<span class="source-line-no">042</span><span id="line-42">import org.apache.hadoop.security.authorize.AccessControlList;</span>
<span class="source-line-no">043</span><span id="line-43">import org.apache.http.HttpHost;</span>
<span class="source-line-no">044</span><span id="line-44">import org.apache.http.HttpResponse;</span>
<span class="source-line-no">045</span><span id="line-45">import org.apache.http.auth.AuthSchemeProvider;</span>
<span class="source-line-no">046</span><span id="line-46">import org.apache.http.auth.AuthScope;</span>
<span class="source-line-no">047</span><span id="line-47">import org.apache.http.auth.KerberosCredentials;</span>
<span class="source-line-no">048</span><span id="line-48">import org.apache.http.client.HttpClient;</span>
<span class="source-line-no">049</span><span id="line-49">import org.apache.http.client.config.AuthSchemes;</span>
<span class="source-line-no">050</span><span id="line-50">import org.apache.http.client.methods.HttpGet;</span>
<span class="source-line-no">051</span><span id="line-51">import org.apache.http.client.protocol.HttpClientContext;</span>
<span class="source-line-no">052</span><span id="line-52">import org.apache.http.config.Lookup;</span>
<span class="source-line-no">053</span><span id="line-53">import org.apache.http.config.RegistryBuilder;</span>
<span class="source-line-no">054</span><span id="line-54">import org.apache.http.impl.auth.SPNegoSchemeFactory;</span>
<span class="source-line-no">055</span><span id="line-55">import org.apache.http.impl.client.BasicCredentialsProvider;</span>
<span class="source-line-no">056</span><span id="line-56">import org.apache.http.impl.client.HttpClients;</span>
<span class="source-line-no">057</span><span id="line-57">import org.apache.http.util.EntityUtils;</span>
<span class="source-line-no">058</span><span id="line-58">import org.apache.kerby.kerberos.kerb.KrbException;</span>
<span class="source-line-no">059</span><span id="line-59">import org.apache.kerby.kerberos.kerb.client.JaasKrbUtil;</span>
<span class="source-line-no">060</span><span id="line-60">import org.apache.kerby.kerberos.kerb.server.SimpleKdcServer;</span>
<span class="source-line-no">061</span><span id="line-61">import org.ietf.jgss.GSSCredential;</span>
<span class="source-line-no">062</span><span id="line-62">import org.ietf.jgss.GSSManager;</span>
<span class="source-line-no">063</span><span id="line-63">import org.ietf.jgss.GSSName;</span>
<span class="source-line-no">064</span><span id="line-64">import org.ietf.jgss.Oid;</span>
<span class="source-line-no">065</span><span id="line-65">import org.junit.AfterClass;</span>
<span class="source-line-no">066</span><span id="line-66">import org.junit.BeforeClass;</span>
<span class="source-line-no">067</span><span id="line-67">import org.junit.ClassRule;</span>
<span class="source-line-no">068</span><span id="line-68">import org.junit.Test;</span>
<span class="source-line-no">069</span><span id="line-69">import org.junit.experimental.categories.Category;</span>
<span class="source-line-no">070</span><span id="line-70">import org.slf4j.Logger;</span>
<span class="source-line-no">071</span><span id="line-71">import org.slf4j.LoggerFactory;</span>
<span class="source-line-no">072</span><span id="line-72"></span>
<span class="source-line-no">073</span><span id="line-73">/**</span>
<span class="source-line-no">074</span><span id="line-74"> * Test class for SPNEGO Proxyuser authentication on the HttpServer. Uses Kerby's MiniKDC and Apache</span>
<span class="source-line-no">075</span><span id="line-75"> * HttpComponents to verify that the doas= mechanicsm works, and that the proxyuser settings are</span>
<span class="source-line-no">076</span><span id="line-76"> * observed.</span>
<span class="source-line-no">077</span><span id="line-77"> */</span>
<span class="source-line-no">078</span><span id="line-78">@Category({ MiscTests.class, SmallTests.class })</span>
<span class="source-line-no">079</span><span id="line-79">public class TestProxyUserSpnegoHttpServer extends HttpServerFunctionalTest {</span>
<span class="source-line-no">080</span><span id="line-80"> @ClassRule</span>
<span class="source-line-no">081</span><span id="line-81"> public static final HBaseClassTestRule CLASS_RULE =</span>
<span class="source-line-no">082</span><span id="line-82"> HBaseClassTestRule.forClass(TestProxyUserSpnegoHttpServer.class);</span>
<span class="source-line-no">083</span><span id="line-83"></span>
<span class="source-line-no">084</span><span id="line-84"> private static final Logger LOG = LoggerFactory.getLogger(TestProxyUserSpnegoHttpServer.class);</span>
<span class="source-line-no">085</span><span id="line-85"> private static final String KDC_SERVER_HOST = "localhost";</span>
<span class="source-line-no">086</span><span id="line-86"> private static final String WHEEL_PRINCIPAL = "wheel";</span>
<span class="source-line-no">087</span><span id="line-87"> private static final String UNPRIVILEGED_PRINCIPAL = "unprivileged";</span>
<span class="source-line-no">088</span><span id="line-88"> private static final String PRIVILEGED_PRINCIPAL = "privileged";</span>
<span class="source-line-no">089</span><span id="line-89"> private static final String PRIVILEGED2_PRINCIPAL = "privileged2";</span>
<span class="source-line-no">090</span><span id="line-90"></span>
<span class="source-line-no">091</span><span id="line-91"> private static HttpServer server;</span>
<span class="source-line-no">092</span><span id="line-92"> private static URL baseUrl;</span>
<span class="source-line-no">093</span><span id="line-93"> private static SimpleKdcServer kdc;</span>
<span class="source-line-no">094</span><span id="line-94"> private static File infoServerKeytab;</span>
<span class="source-line-no">095</span><span id="line-95"> private static File wheelKeytab;</span>
<span class="source-line-no">096</span><span id="line-96"> private static File unprivilegedKeytab;</span>
<span class="source-line-no">097</span><span id="line-97"> private static File privilegedKeytab;</span>
<span class="source-line-no">098</span><span id="line-98"> private static File privileged2Keytab;</span>
<span class="source-line-no">099</span><span id="line-99"></span>
<span class="source-line-no">100</span><span id="line-100"> @BeforeClass</span>
<span class="source-line-no">101</span><span id="line-101"> public static void setupServer() throws Exception {</span>
<span class="source-line-no">102</span><span id="line-102"> Configuration conf = new Configuration();</span>
<span class="source-line-no">103</span><span id="line-103"> HBaseCommonTestingUtil htu = new HBaseCommonTestingUtil(conf);</span>
<span class="source-line-no">104</span><span id="line-104"></span>
<span class="source-line-no">105</span><span id="line-105"> final String serverPrincipal = "HTTP/" + KDC_SERVER_HOST;</span>
<span class="source-line-no">106</span><span id="line-106"></span>
<span class="source-line-no">107</span><span id="line-107"> kdc = SimpleKdcServerUtil.getRunningSimpleKdcServer(new File(htu.getDataTestDir().toString()),</span>
<span class="source-line-no">108</span><span id="line-108"> HBaseCommonTestingUtil::randomFreePort);</span>
<span class="source-line-no">109</span><span id="line-109"> File keytabDir = new File(htu.getDataTestDir("keytabs").toString());</span>
<span class="source-line-no">110</span><span id="line-110"> if (keytabDir.exists()) {</span>
<span class="source-line-no">111</span><span id="line-111"> deleteRecursively(keytabDir);</span>
<span class="source-line-no">112</span><span id="line-112"> }</span>
<span class="source-line-no">113</span><span id="line-113"> keytabDir.mkdirs();</span>
<span class="source-line-no">114</span><span id="line-114"></span>
<span class="source-line-no">115</span><span id="line-115"> infoServerKeytab = new File(keytabDir, serverPrincipal.replace('/', '_') + ".keytab");</span>
<span class="source-line-no">116</span><span id="line-116"> wheelKeytab = new File(keytabDir, WHEEL_PRINCIPAL + ".keytab");</span>
<span class="source-line-no">117</span><span id="line-117"> unprivilegedKeytab = new File(keytabDir, UNPRIVILEGED_PRINCIPAL + ".keytab");</span>
<span class="source-line-no">118</span><span id="line-118"> privilegedKeytab = new File(keytabDir, PRIVILEGED_PRINCIPAL + ".keytab");</span>
<span class="source-line-no">119</span><span id="line-119"> privileged2Keytab = new File(keytabDir, PRIVILEGED2_PRINCIPAL + ".keytab");</span>
<span class="source-line-no">120</span><span id="line-120"></span>
<span class="source-line-no">121</span><span id="line-121"> setupUser(kdc, wheelKeytab, WHEEL_PRINCIPAL);</span>
<span class="source-line-no">122</span><span id="line-122"> setupUser(kdc, unprivilegedKeytab, UNPRIVILEGED_PRINCIPAL);</span>
<span class="source-line-no">123</span><span id="line-123"> setupUser(kdc, privilegedKeytab, PRIVILEGED_PRINCIPAL);</span>
<span class="source-line-no">124</span><span id="line-124"> setupUser(kdc, privileged2Keytab, PRIVILEGED2_PRINCIPAL);</span>
<span class="source-line-no">125</span><span id="line-125"></span>
<span class="source-line-no">126</span><span id="line-126"> setupUser(kdc, infoServerKeytab, serverPrincipal);</span>
<span class="source-line-no">127</span><span id="line-127"></span>
<span class="source-line-no">128</span><span id="line-128"> buildSpnegoConfiguration(conf, serverPrincipal, infoServerKeytab);</span>
<span class="source-line-no">129</span><span id="line-129"> AccessControlList acl = buildAdminAcl(conf);</span>
<span class="source-line-no">130</span><span id="line-130"></span>
<span class="source-line-no">131</span><span id="line-131"> server = createTestServerWithSecurityAndAcl(conf, acl);</span>
<span class="source-line-no">132</span><span id="line-132"> server.addPrivilegedServlet("echo", "/echo", EchoServlet.class);</span>
<span class="source-line-no">133</span><span id="line-133"> server.addJerseyResourcePackage(JerseyResource.class.getPackage().getName(), "/jersey/*");</span>
<span class="source-line-no">134</span><span id="line-134"> server.start();</span>
<span class="source-line-no">135</span><span id="line-135"> baseUrl = getServerURL(server);</span>
<span class="source-line-no">136</span><span id="line-136"></span>
<span class="source-line-no">137</span><span id="line-137"> LOG.info("HTTP server started: " + baseUrl);</span>
<span class="source-line-no">138</span><span id="line-138"> }</span>
<span class="source-line-no">139</span><span id="line-139"></span>
<span class="source-line-no">140</span><span id="line-140"> @AfterClass</span>
<span class="source-line-no">141</span><span id="line-141"> public static void stopServer() throws Exception {</span>
<span class="source-line-no">142</span><span id="line-142"> try {</span>
<span class="source-line-no">143</span><span id="line-143"> if (null != server) {</span>
<span class="source-line-no">144</span><span id="line-144"> server.stop();</span>
<span class="source-line-no">145</span><span id="line-145"> }</span>
<span class="source-line-no">146</span><span id="line-146"> } catch (Exception e) {</span>
<span class="source-line-no">147</span><span id="line-147"> LOG.info("Failed to stop info server", e);</span>
<span class="source-line-no">148</span><span id="line-148"> }</span>
<span class="source-line-no">149</span><span id="line-149"> try {</span>
<span class="source-line-no">150</span><span id="line-150"> if (null != kdc) {</span>
<span class="source-line-no">151</span><span id="line-151"> kdc.stop();</span>
<span class="source-line-no">152</span><span id="line-152"> }</span>
<span class="source-line-no">153</span><span id="line-153"> } catch (Exception e) {</span>
<span class="source-line-no">154</span><span id="line-154"> LOG.info("Failed to stop mini KDC", e);</span>
<span class="source-line-no">155</span><span id="line-155"> }</span>
<span class="source-line-no">156</span><span id="line-156"> }</span>
<span class="source-line-no">157</span><span id="line-157"></span>
<span class="source-line-no">158</span><span id="line-158"> private static void setupUser(SimpleKdcServer kdc, File keytab, String principal)</span>
<span class="source-line-no">159</span><span id="line-159"> throws KrbException {</span>
<span class="source-line-no">160</span><span id="line-160"> kdc.createPrincipal(principal);</span>
<span class="source-line-no">161</span><span id="line-161"> kdc.exportPrincipal(principal, keytab);</span>
<span class="source-line-no">162</span><span id="line-162"> }</span>
<span class="source-line-no">163</span><span id="line-163"></span>
<span class="source-line-no">164</span><span id="line-164"> protected static Configuration buildSpnegoConfiguration(Configuration conf,</span>
<span class="source-line-no">165</span><span id="line-165"> String serverPrincipal, File serverKeytab) {</span>
<span class="source-line-no">166</span><span id="line-166"> KerberosName.setRules("DEFAULT");</span>
<span class="source-line-no">167</span><span id="line-167"></span>
<span class="source-line-no">168</span><span id="line-168"> conf.setInt(HttpServer.HTTP_MAX_THREADS, TestHttpServer.MAX_THREADS);</span>
<span class="source-line-no">169</span><span id="line-169"></span>
<span class="source-line-no">170</span><span id="line-170"> // Enable Kerberos (pre-req)</span>
<span class="source-line-no">171</span><span id="line-171"> conf.set("hbase.security.authentication", "kerberos");</span>
<span class="source-line-no">172</span><span id="line-172"> conf.set(HttpServer.HTTP_UI_AUTHENTICATION, "kerberos");</span>
<span class="source-line-no">173</span><span id="line-173"> conf.set(HttpServer.HTTP_SPNEGO_AUTHENTICATION_PRINCIPAL_KEY, serverPrincipal);</span>
<span class="source-line-no">174</span><span id="line-174"> conf.set(HttpServer.HTTP_SPNEGO_AUTHENTICATION_KEYTAB_KEY, serverKeytab.getAbsolutePath());</span>
<span class="source-line-no">175</span><span id="line-175"></span>
<span class="source-line-no">176</span><span id="line-176"> conf.set(HttpServer.HTTP_SPNEGO_AUTHENTICATION_ADMIN_USERS_KEY, PRIVILEGED_PRINCIPAL);</span>
<span class="source-line-no">177</span><span id="line-177"> conf.set(HttpServer.HTTP_SPNEGO_AUTHENTICATION_PROXYUSER_ENABLE_KEY, "true");</span>
<span class="source-line-no">178</span><span id="line-178"> conf.set("hadoop.security.authorization", "true");</span>
<span class="source-line-no">179</span><span id="line-179"></span>
<span class="source-line-no">180</span><span id="line-180"> conf.set("hadoop.proxyuser.wheel.hosts", "*");</span>
<span class="source-line-no">181</span><span id="line-181"> conf.set("hadoop.proxyuser.wheel.users", PRIVILEGED_PRINCIPAL + "," + UNPRIVILEGED_PRINCIPAL);</span>
<span class="source-line-no">182</span><span id="line-182"> return conf;</span>
<span class="source-line-no">183</span><span id="line-183"> }</span>
<span class="source-line-no">184</span><span id="line-184"></span>
<span class="source-line-no">185</span><span id="line-185"> /**</span>
<span class="source-line-no">186</span><span id="line-186"> * Builds an ACL that will restrict the users who can issue commands to endpoints on the UI which</span>
<span class="source-line-no">187</span><span id="line-187"> * are meant only for administrators.</span>
<span class="source-line-no">188</span><span id="line-188"> */</span>
<span class="source-line-no">189</span><span id="line-189"> public static AccessControlList buildAdminAcl(Configuration conf) {</span>
<span class="source-line-no">190</span><span id="line-190"> final String userGroups = conf.get(HttpServer.HTTP_SPNEGO_AUTHENTICATION_ADMIN_USERS_KEY, null);</span>
<span class="source-line-no">191</span><span id="line-191"> final String adminGroups =</span>
<span class="source-line-no">192</span><span id="line-192"> conf.get(HttpServer.HTTP_SPNEGO_AUTHENTICATION_ADMIN_GROUPS_KEY, null);</span>
<span class="source-line-no">193</span><span id="line-193"> if (userGroups == null &amp;&amp; adminGroups == null) {</span>
<span class="source-line-no">194</span><span id="line-194"> // Backwards compatibility - if the user doesn't have anything set, allow all users in.</span>
<span class="source-line-no">195</span><span id="line-195"> return new AccessControlList("*", null);</span>
<span class="source-line-no">196</span><span id="line-196"> }</span>
<span class="source-line-no">197</span><span id="line-197"> return new AccessControlList(userGroups, adminGroups);</span>
<span class="source-line-no">198</span><span id="line-198"> }</span>
<span class="source-line-no">199</span><span id="line-199"></span>
<span class="source-line-no">200</span><span id="line-200"> @Test</span>
<span class="source-line-no">201</span><span id="line-201"> public void testProxyAllowed() throws Exception {</span>
<span class="source-line-no">202</span><span id="line-202"> testProxy(WHEEL_PRINCIPAL, PRIVILEGED_PRINCIPAL, HttpURLConnection.HTTP_OK, null);</span>
<span class="source-line-no">203</span><span id="line-203"> }</span>
<span class="source-line-no">204</span><span id="line-204"></span>
<span class="source-line-no">205</span><span id="line-205"> @Test</span>
<span class="source-line-no">206</span><span id="line-206"> public void testProxyDisallowedForUnprivileged() throws Exception {</span>
<span class="source-line-no">207</span><span id="line-207"> testProxy(WHEEL_PRINCIPAL, UNPRIVILEGED_PRINCIPAL, HttpURLConnection.HTTP_FORBIDDEN,</span>
<span class="source-line-no">208</span><span id="line-208"> "403 User unprivileged is unauthorized to access this page.");</span>
<span class="source-line-no">209</span><span id="line-209"> }</span>
<span class="source-line-no">210</span><span id="line-210"></span>
<span class="source-line-no">211</span><span id="line-211"> @Test</span>
<span class="source-line-no">212</span><span id="line-212"> public void testProxyDisallowedForNotSudoAble() throws Exception {</span>
<span class="source-line-no">213</span><span id="line-213"> testProxy(WHEEL_PRINCIPAL, PRIVILEGED2_PRINCIPAL, HttpURLConnection.HTTP_FORBIDDEN,</span>
<span class="source-line-no">214</span><span id="line-214"> "403 Forbidden");</span>
<span class="source-line-no">215</span><span id="line-215"> }</span>
<span class="source-line-no">216</span><span id="line-216"></span>
<span class="source-line-no">217</span><span id="line-217"> public void testProxy(String clientPrincipal, String doAs, int responseCode, String statusLine)</span>
<span class="source-line-no">218</span><span id="line-218"> throws Exception {</span>
<span class="source-line-no">219</span><span id="line-219"> // Create the subject for the client</span>
<span class="source-line-no">220</span><span id="line-220"> final Subject clientSubject = JaasKrbUtil.loginUsingKeytab(WHEEL_PRINCIPAL, wheelKeytab);</span>
<span class="source-line-no">221</span><span id="line-221"> final Set&lt;Principal&gt; clientPrincipals = clientSubject.getPrincipals();</span>
<span class="source-line-no">222</span><span id="line-222"> // Make sure the subject has a principal</span>
<span class="source-line-no">223</span><span id="line-223"> assertFalse(clientPrincipals.isEmpty());</span>
<span class="source-line-no">224</span><span id="line-224"></span>
<span class="source-line-no">225</span><span id="line-225"> // Get a TGT for the subject (might have many, different encryption types). The first should</span>
<span class="source-line-no">226</span><span id="line-226"> // be the default encryption type.</span>
<span class="source-line-no">227</span><span id="line-227"> Set&lt;KerberosTicket&gt; privateCredentials =</span>
<span class="source-line-no">228</span><span id="line-228"> clientSubject.getPrivateCredentials(KerberosTicket.class);</span>
<span class="source-line-no">229</span><span id="line-229"> assertFalse(privateCredentials.isEmpty());</span>
<span class="source-line-no">230</span><span id="line-230"> KerberosTicket tgt = privateCredentials.iterator().next();</span>
<span class="source-line-no">231</span><span id="line-231"> assertNotNull(tgt);</span>
<span class="source-line-no">232</span><span id="line-232"></span>
<span class="source-line-no">233</span><span id="line-233"> // The name of the principal</span>
<span class="source-line-no">234</span><span id="line-234"> final String principalName = clientPrincipals.iterator().next().getName();</span>
<span class="source-line-no">235</span><span id="line-235"></span>
<span class="source-line-no">236</span><span id="line-236"> // Run this code, logged in as the subject (the client)</span>
<span class="source-line-no">237</span><span id="line-237"> HttpResponse resp = Subject.doAs(clientSubject, new PrivilegedExceptionAction&lt;HttpResponse&gt;() {</span>
<span class="source-line-no">238</span><span id="line-238"> @Override</span>
<span class="source-line-no">239</span><span id="line-239"> public HttpResponse run() throws Exception {</span>
<span class="source-line-no">240</span><span id="line-240"> // Logs in with Kerberos via GSS</span>
<span class="source-line-no">241</span><span id="line-241"> GSSManager gssManager = GSSManager.getInstance();</span>
<span class="source-line-no">242</span><span id="line-242"> // jGSS Kerberos login constant</span>
<span class="source-line-no">243</span><span id="line-243"> Oid oid = new Oid("1.2.840.113554.1.2.2");</span>
<span class="source-line-no">244</span><span id="line-244"> GSSName gssClient = gssManager.createName(principalName, GSSName.NT_USER_NAME);</span>
<span class="source-line-no">245</span><span id="line-245"> GSSCredential credential = gssManager.createCredential(gssClient,</span>
<span class="source-line-no">246</span><span id="line-246"> GSSCredential.DEFAULT_LIFETIME, oid, GSSCredential.INITIATE_ONLY);</span>
<span class="source-line-no">247</span><span id="line-247"></span>
<span class="source-line-no">248</span><span id="line-248"> HttpClientContext context = HttpClientContext.create();</span>
<span class="source-line-no">249</span><span id="line-249"> Lookup&lt;AuthSchemeProvider&gt; authRegistry = RegistryBuilder.&lt;AuthSchemeProvider&gt; create()</span>
<span class="source-line-no">250</span><span id="line-250"> .register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory(true, true)).build();</span>
<span class="source-line-no">251</span><span id="line-251"></span>
<span class="source-line-no">252</span><span id="line-252"> HttpClient client = HttpClients.custom().setDefaultAuthSchemeRegistry(authRegistry).build();</span>
<span class="source-line-no">253</span><span id="line-253"> BasicCredentialsProvider credentialsProvider = new BasicCredentialsProvider();</span>
<span class="source-line-no">254</span><span id="line-254"> credentialsProvider.setCredentials(AuthScope.ANY, new KerberosCredentials(credential));</span>
<span class="source-line-no">255</span><span id="line-255"></span>
<span class="source-line-no">256</span><span id="line-256"> URL url = new URL(getServerURL(server), "/echo?doAs=" + doAs + "&amp;a=b");</span>
<span class="source-line-no">257</span><span id="line-257"> context.setTargetHost(new HttpHost(url.getHost(), url.getPort()));</span>
<span class="source-line-no">258</span><span id="line-258"> context.setCredentialsProvider(credentialsProvider);</span>
<span class="source-line-no">259</span><span id="line-259"> context.setAuthSchemeRegistry(authRegistry);</span>
<span class="source-line-no">260</span><span id="line-260"></span>
<span class="source-line-no">261</span><span id="line-261"> HttpGet get = new HttpGet(url.toURI());</span>
<span class="source-line-no">262</span><span id="line-262"> return client.execute(get, context);</span>
<span class="source-line-no">263</span><span id="line-263"> }</span>
<span class="source-line-no">264</span><span id="line-264"> });</span>
<span class="source-line-no">265</span><span id="line-265"></span>
<span class="source-line-no">266</span><span id="line-266"> assertNotNull(resp);</span>
<span class="source-line-no">267</span><span id="line-267"> assertEquals(responseCode, resp.getStatusLine().getStatusCode());</span>
<span class="source-line-no">268</span><span id="line-268"> if (responseCode == HttpURLConnection.HTTP_OK) {</span>
<span class="source-line-no">269</span><span id="line-269"> assertTrue(EntityUtils.toString(resp.getEntity()).trim().contains("a:b"));</span>
<span class="source-line-no">270</span><span id="line-270"> } else {</span>
<span class="source-line-no">271</span><span id="line-271"> assertTrue(resp.getStatusLine().toString().contains(statusLine)</span>
<span class="source-line-no">272</span><span id="line-272"> || EntityUtils.toString(resp.getEntity()).contains(statusLine));</span>
<span class="source-line-no">273</span><span id="line-273"> }</span>
<span class="source-line-no">274</span><span id="line-274"> }</span>
<span class="source-line-no">275</span><span id="line-275"></span>
<span class="source-line-no">276</span><span id="line-276">}</span>
</pre>
</div>
</main>
</body>
</html>