Add better support for KerberosRestTemplate

- Better configuration model - Updates to ref docs - New boot based client sample
butzopower · Mar 11, 2015 · c390b24 · c390b24
1 parent 66c6689
commit c390b24
Show file tree

Hide file tree

Showing 12 changed files with 432 additions and 128 deletions.
diff --git a/build.gradle b/build.gradle
@@ -11,12 +11,18 @@ buildscript {
 	}
 }
 
-def sampleProjects() {
+def sampleServerProjects() {
 	subprojects.findAll { project ->
 		project.name.contains('sec-server') && project.name != 'spring-security-kerberos-samples-common'
 	}
 }
 
+def sampleClientProjects() {
+	subprojects.findAll { project ->
+		project.name.contains('sec-client')
+	}
+}
+
 configure(allprojects) {
 	apply plugin: 'java'
 	apply plugin: 'eclipse'
@@ -90,7 +96,6 @@ configure(subprojects) { subproject ->
 
 }
 
-
 project('spring-security-kerberos-core') {
 	description = 'Spring Security Kerberos Core'
 	dependencies {
@@ -158,7 +163,7 @@ project('spring-security-kerberos-samples-common') {
 	}
 }
 
-configure(sampleProjects()) {
+configure(sampleServerProjects()) {
 	apply plugin: 'spring-boot'
 	dependencies {
 		compile project(":spring-security-kerberos-samples-common")
@@ -171,6 +176,19 @@ configure(sampleProjects()) {
 	}
 }
 
+configure(sampleClientProjects()) {
+	apply plugin: 'spring-boot'
+	dependencies {
+		compile project(":spring-security-kerberos-samples-common")
+		compile project(":spring-security-kerberos-client")
+		compile "org.springframework.boot:spring-boot-starter:$springBootVersion"
+		testCompile "org.springframework:spring-test:$springVersion"
+		testCompile "org.hamcrest:hamcrest-core:$hamcrestVersion"
+		testCompile "org.hamcrest:hamcrest-library:$hamcrestVersion"
+		testCompile "junit:junit:$junitVersion"
+	}
+}
+
 configure(rootProject) {
 	description = 'Spring Security Kerberos Extension'
 
@@ -213,6 +231,7 @@ configure(rootProject) {
 
 	task copyDocsSamples(type: Copy) {
 		from 'spring-security-kerberos-core/src/test/java/org/springframework/security/extensions/kerberos/docs/'
+		from 'spring-security-kerberos-client/src/test/java/org/springframework/security/extensions/kerberos/client/docs/'
 		include '**/*.java'
 		include '**/*.xml'
 		into 'docs/src/reference/asciidoc/samples'

diff --git a/docs/src/reference/asciidoc/appendix.adoc b/docs/src/reference/asciidoc/appendix.adoc
@@ -145,7 +145,7 @@ services.
 ----
 
 Now you can use `kadmin` with previously created `root/admin`
-principal. Lets create our first user.
+principal. Lets create our first user `user1`.
 
 [source,text,indent=0]
 ----
@@ -157,15 +157,22 @@ Re-enter password for principal "[email protected]":
 Principal "[email protected]" created.
 ----
 
-If you like you can create a keytab file for this user.
+Lets create our second user `user2` and export a keytab file.
 
 [source,text,indent=0]
 ----
-kadmin:  ktadd -k /tmp/user1.keytab [email protected]
-Entry for principal [email protected] with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/user1.keytab.
-Entry for principal [email protected] with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/tmp/user1.keytab.
-Entry for principal [email protected] with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/tmp/user1.keytab.
-Entry for principal [email protected] with kvno 2, encryption type des-cbc-crc added to keytab WRFILE:/tmp/user1.keytab.
+kadmin:  addprinc user2
+WARNING: no policy specified for [email protected]; defaulting to no
+policy
+Enter password for principal "[email protected]": 
+Re-enter password for principal "[email protected]": 
+Principal "[email protected]" created.
+
+kadmin:  ktadd -k /tmp/user2.keytab [email protected]
+Entry for principal [email protected] with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/user2.keytab.
+Entry for principal [email protected] with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/tmp/user2.keytab.
+Entry for principal [email protected] with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/tmp/user2.keytab.
+Entry for principal [email protected] with kvno 2, encryption type des-cbc-crc added to keytab WRFILE:/tmp/user2.keytab.
 ----
 
 Lets create a service ticket for tomcat and export credentials to a

diff --git a/docs/src/reference/asciidoc/samples.adoc b/docs/src/reference/asciidoc/samples.adoc
@@ -27,6 +27,8 @@ with spnego and form
 <<samples-sec-server-spnego-form-auth-xml>> sample using ticket
 validation with spnego and form (xml config)
 
+<<samples-sec-client-rest-template>> sample for KerberosRestTemplate
+
 [[samples-sec-server-win-auth]]
 == Security Server Windows Auth Sample
 Goals of this sample:
@@ -102,7 +104,7 @@ Spnego based negotiation from a browser while still being able to fall
 back to a form based authentication.
 
 Using a `user1` principal <<setupmitkerberos>>, do a kerberos login
-either using credentials.
+manually using credentials.
 [source,text]
 ----
 $ kinit user1
@@ -121,11 +123,11 @@ or using a keytab file.
 
 [source,text]
 ----
-$ kinit -kt user1.keytab user1
+$ kinit -kt user2.keytab user1
 
 $ klist
 Ticket cache: FILE:/tmp/krb5cc_1000
-Default principal: user1@EXAMPLE.ORG
+Default principal: user2@EXAMPLE.ORG
 
 Valid starting     Expires            Service principal
 10/03/15 17:25:03  11/03/15 03:25:03  krbtgt/[email protected]
@@ -167,3 +169,66 @@ Run a server.
 $ java -jar sec-server-spnego-form-auth-xml-{revnumber}.jar
 ----
 
+[[samples-sec-client-rest-template]]
+== Security Client KerberosRestTemplate Sample
+This is a sample using a Spring RestTemplate to access Kerberos
+protected resource. You can use this together with
+<<samples-sec-server-spnego-form-auth>>.
+
+Default application is configured as shown below.
+[source,yaml,indent=0]
+----
+app:
+    user-principal: [email protected]
+    keytab-location: /tmp/user2.keytab
+    access-url: https://neo.example.org:8080/hello
+----
+
+
+Using a `user1` principal <<setupmitkerberos>>, do a kerberos login
+manually using credentials.
+[source,text,subs="attributes"]
+----
+$ java -jar sec-client-rest-template-{revnumber}.jar --app.user-principal --app.keytab-location
+----
+
+[NOTE]
+====
+In above we simply set `app.user-principal` and `app.keytab-location`
+to empty values which disables a use of keytab file.
+====
+
+If operation is succesfull you should see below output with `[email protected]`.
+[source,text]
+----
+<html xmlns="https://www.w3.org/1999/xhtml"
+      xmlns:sec="https://www.thymeleaf.org/thymeleaf-extras-springsecurity3">
+  <head>
+    <title>Spring Security Kerberos Example</title>
+  </head>
+  <body>
+    <h1>Hello [email protected]!</h1>
+  </body>
+</html>
+----
+
+Or use a `user2` with a keytab file.
+[source,text,subs="attributes"]
+----
+$ java -jar sec-client-rest-template-{revnumber}.jar
+----
+
+If operation is succesfull you should see below output with `[email protected]`.
+[source,text]
+----
+<html xmlns="https://www.w3.org/1999/xhtml"
+      xmlns:sec="https://www.thymeleaf.org/thymeleaf-extras-springsecurity3">
+  <head>
+    <title>Spring Security Kerberos Example</title>
+  </head>
+  <body>
+    <h1>Hello [email protected]!</h1>
+  </body>
+</html>
+----
+
diff --git a/docs/src/reference/asciidoc/samples/SpnegoConfig.xml b/docs/src/reference/asciidoc/samples/SpnegoConfig.xml
@@ -8,53 +8,53 @@
     https://www.springframework.org/schema/beans https://www.springframework.org/schema/beans/spring-beans-4.1.xsd
     https://www.springframework.org/schema/context https://www.springframework.org/schema/context/spring-context-4.1.xsd">
 
-	<sec:http entry-point-ref="spnegoEntryPoint" use-expressions="true" >
-		<sec:intercept-url pattern="/" access="permitAll" />
-		<sec:intercept-url pattern="/home" access="permitAll" />
-		<sec:intercept-url pattern="/login" access="permitAll" />
-		<sec:intercept-url pattern="/**" access="authenticated"/>
-		<sec:form-login login-page="/login" />
-		<sec:custom-filter ref="spnegoAuthenticationProcessingFilter"
-			before="BASIC_AUTH_FILTER" />
-	</sec:http>
-
-	<sec:authentication-manager alias="authenticationManager">
-		<sec:authentication-provider ref="kerberosAuthenticationProvider" />
-		<sec:authentication-provider ref="kerberosServiceAuthenticationProvider" />
-	</sec:authentication-manager>
-
-	<bean id="kerberosAuthenticationProvider"
-		class="org.springframework.security.extensions.kerberos.KerberosAuthenticationProvider">
-		<property name="userDetailsService" ref="dummyUserDetailsService"/>
-		<property name="kerberosClient">
-			<bean class="org.springframework.security.extensions.kerberos.SunJaasKerberosClient">
-				<property name="debug" value="true"/>
-			</bean>
-		</property>
-	</bean>
-
-	<bean id="spnegoEntryPoint"
-		class="org.springframework.security.extensions.kerberos.web.SpnegoEntryPoint" >
-		<constructor-arg value="/login" />
-	</bean>
-
-	<bean id="spnegoAuthenticationProcessingFilter"
-		class="org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter">
-		<property name="authenticationManager" ref="authenticationManager" />
-	</bean>
-
-	<bean id="kerberosServiceAuthenticationProvider"
-		class="org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider">
-		<property name="ticketValidator">
-			<bean
-				class="org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator">
-				<property name="servicePrincipal" value="${app.service-principal}" />
-				<property name="keyTabLocation" value="${app.keytab-location}" />
-				<property name="debug" value="true" />
-			</bean>
-		</property>
-		<property name="userDetailsService" ref="dummyUserDetailsService" />
-	</bean>
+  <sec:http entry-point-ref="spnegoEntryPoint" use-expressions="true" >
+    <sec:intercept-url pattern="/" access="permitAll" />
+    <sec:intercept-url pattern="/home" access="permitAll" />
+    <sec:intercept-url pattern="/login" access="permitAll" />
+    <sec:intercept-url pattern="/**" access="authenticated"/>
+    <sec:form-login login-page="/login" />
+    <sec:custom-filter ref="spnegoAuthenticationProcessingFilter"
+      before="BASIC_AUTH_FILTER" />
+  </sec:http>
+
+  <sec:authentication-manager alias="authenticationManager">
+    <sec:authentication-provider ref="kerberosAuthenticationProvider" />
+    <sec:authentication-provider ref="kerberosServiceAuthenticationProvider" />
+  </sec:authentication-manager>
+
+  <bean id="kerberosAuthenticationProvider"
+    class="org.springframework.security.extensions.kerberos.KerberosAuthenticationProvider">
+    <property name="userDetailsService" ref="dummyUserDetailsService"/>
+    <property name="kerberosClient">
+      <bean class="org.springframework.security.extensions.kerberos.SunJaasKerberosClient">
+        <property name="debug" value="true"/>
+      </bean>
+    </property>
+  </bean>
+
+  <bean id="spnegoEntryPoint"
+    class="org.springframework.security.extensions.kerberos.web.SpnegoEntryPoint" >
+    <constructor-arg value="/login" />
+  </bean>
+
+  <bean id="spnegoAuthenticationProcessingFilter"
+    class="org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter">
+    <property name="authenticationManager" ref="authenticationManager" />
+  </bean>
+
+  <bean id="kerberosServiceAuthenticationProvider"
+    class="org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider">
+    <property name="ticketValidator">
+      <bean
+        class="org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator">
+        <property name="servicePrincipal" value="${app.service-principal}" />
+        <property name="keyTabLocation" value="${app.keytab-location}" />
+        <property name="debug" value="true" />
+      </bean>
+    </property>
+    <property name="userDetailsService" ref="dummyUserDetailsService" />
+  </bean>
 
   <bean id="dummyUserDetailsService"
     class="org.springframework.security.extensions.kerberos.docs.DummyUserDetailsService" />

diff --git a/docs/src/reference/asciidoc/ssk.adoc b/docs/src/reference/asciidoc/ssk.adoc
@@ -8,6 +8,8 @@ that Spring Security Kerberos provides to any Spring based application.
 
 <<ssk-spnego>> describes the spnego negotiate support.
 
+<<ssk-resttemplate>> describes the RestTemplate support.
+
 
 [[ssk-authprovider]]
 == Authentication Provider
@@ -43,3 +45,31 @@ Spnego configuration using xml.
 include::samples/SpnegoConfig.xml[tags=snippetA]
 ----
 
+[[ssk-resttemplate]]
+== Using KerberosRestTemplate
+
+If there is a need to access Kerberos protected web resources
+programmatically we have `KerberosRestTemplate` which extends
+`RestTemplate` and does necessary login actions prior to delegating to
+actual RestTemplate methods. You basically have few options to
+configure this template.
+
+- Leave keyTabLocation and userPrincipal empty if you want to
+  use cached ticket.
+- Use keyTabLocation and userPrincipal if you want to use
+  keytab file.
+- Use loginOptions if you want to customise Krb5LoginModule options.
+- Use a customised httpClient.
+
+With ticket cache.
+[source,java,indent=0]
+----
+include::samples/KerberosRestTemplateConfig.java[tags=snippetA]
+----
+
+With keytab file.
+[source,java,indent=0]
+----
+include::samples/KerberosRestTemplateConfig.java[tags=snippetB]
+----
+
diff --git a/settings.gradle b/settings.gradle
@@ -8,6 +8,7 @@ include 'spring-security-kerberos-samples:sec-server-client-auth'
 include 'spring-security-kerberos-samples:sec-server-spnego-form-auth'
 include 'spring-security-kerberos-samples:sec-server-spnego-form-auth-xml'
 include 'spring-security-kerberos-samples:sec-server-win-auth'
+include 'spring-security-kerberos-samples:sec-client-rest-template'
 
 rootProject.children.find {
 	if (it.name == 'spring-security-kerberos-samples') {