J. Duke | 319a3b9 | 2007-12-01 00:00:00 +0000 | [diff] [blame^] | 1 | /* |
| 2 | * Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. |
| 3 | * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
| 4 | * |
| 5 | * This code is free software; you can redistribute it and/or modify it |
| 6 | * under the terms of the GNU General Public License version 2 only, as |
| 7 | * published by the Free Software Foundation. |
| 8 | * |
| 9 | * This code is distributed in the hope that it will be useful, but WITHOUT |
| 10 | * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
| 11 | * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
| 12 | * version 2 for more details (a copy is included in the LICENSE file that |
| 13 | * accompanied this code). |
| 14 | * |
| 15 | * You should have received a copy of the GNU General Public License version |
| 16 | * 2 along with this work; if not, write to the Free Software Foundation, |
| 17 | * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
| 18 | * |
| 19 | * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, |
| 20 | * CA 95054 USA or visit www.sun.com if you need additional information or |
| 21 | * have any questions. |
| 22 | */ |
| 23 | |
| 24 | /** |
| 25 | * @test |
| 26 | * @author Vincent Ryan |
| 27 | * @bug 4814522 |
| 28 | * @summary Check that an LdapLoginModule can be initialized using various |
| 29 | * JAAS configurations. |
| 30 | * (LdapLoginModule replaces the JndiLoginModule for LDAP access) |
| 31 | * |
| 32 | * Run this test twice, once using the default security manager: |
| 33 | * |
| 34 | * @run main/othervm CheckConfigs |
| 35 | * @run main/othervm/policy=CheckConfigs.policy CheckConfigs |
| 36 | */ |
| 37 | |
| 38 | import java.io.IOException; |
| 39 | import java.util.Collections; |
| 40 | import java.util.Map; |
| 41 | import java.util.HashMap; |
| 42 | |
| 43 | import javax.naming.CommunicationException; |
| 44 | import javax.security.auth.*; |
| 45 | import javax.security.auth.login.*; |
| 46 | import javax.security.auth.callback.*; |
| 47 | import com.sun.security.auth.module.LdapLoginModule; |
| 48 | |
| 49 | public class CheckConfigs { |
| 50 | |
| 51 | public static void main(String[] args) throws Exception { |
| 52 | SecurityManager securityManager = System.getSecurityManager(); |
| 53 | System.out.println(securityManager == null |
| 54 | ? "[security manager is not running]" |
| 55 | : "[security manager is running: " + |
| 56 | securityManager.getClass().getName() + "]"); |
| 57 | init(); |
| 58 | checkConfigModes(); |
| 59 | } |
| 60 | |
| 61 | private static void init() throws Exception { |
| 62 | } |
| 63 | |
| 64 | private static void checkConfigModes() throws Exception { |
| 65 | |
| 66 | LoginContext ldapLogin; |
| 67 | |
| 68 | // search-first mode |
| 69 | System.out.println("Testing search-first mode..."); |
| 70 | try { |
| 71 | ldapLogin = new LoginContext(LdapConfiguration.LOGIN_CONFIG_NAME, |
| 72 | null, new TestCallbackHandler(), new SearchFirstMode()); |
| 73 | ldapLogin.login(); |
| 74 | throw new SecurityException("expected a LoginException"); |
| 75 | |
| 76 | } catch (LoginException le) { |
| 77 | // expected behaviour (because no LDAP server is available) |
| 78 | if (!(le.getCause() instanceof CommunicationException)) { |
| 79 | throw le; |
| 80 | } |
| 81 | } |
| 82 | |
| 83 | // authentication-first mode |
| 84 | System.out.println("\nTesting authentication-first mode..."); |
| 85 | try { |
| 86 | ldapLogin = new LoginContext(LdapConfiguration.LOGIN_CONFIG_NAME, |
| 87 | null, new TestCallbackHandler(), new AuthFirstMode()); |
| 88 | ldapLogin.login(); |
| 89 | throw new SecurityException("expected a LoginException"); |
| 90 | |
| 91 | } catch (LoginException le) { |
| 92 | // expected behaviour (because no LDAP server is available) |
| 93 | if (!(le.getCause() instanceof CommunicationException)) { |
| 94 | throw le; |
| 95 | } |
| 96 | } |
| 97 | |
| 98 | // authentication-only mode |
| 99 | System.out.println("\nTesting authentication-only mode..."); |
| 100 | try { |
| 101 | ldapLogin = new LoginContext(LdapConfiguration.LOGIN_CONFIG_NAME, |
| 102 | null, new TestCallbackHandler(), new AuthOnlyMode()); |
| 103 | ldapLogin.login(); |
| 104 | throw new SecurityException("expected a LoginException"); |
| 105 | |
| 106 | } catch (LoginException le) { |
| 107 | // expected behaviour (because no LDAP server is available) |
| 108 | if (!(le.getCause() instanceof CommunicationException)) { |
| 109 | throw le; |
| 110 | } |
| 111 | } |
| 112 | } |
| 113 | |
| 114 | private static class TestCallbackHandler implements CallbackHandler { |
| 115 | |
| 116 | public void handle(Callback[] callbacks) |
| 117 | throws IOException, UnsupportedCallbackException { |
| 118 | |
| 119 | for (int i = 0; i < callbacks.length; i++) { |
| 120 | if (callbacks[i] instanceof NameCallback) { |
| 121 | ((NameCallback)callbacks[i]).setName("myname"); |
| 122 | |
| 123 | } else if (callbacks[i] instanceof PasswordCallback) { |
| 124 | ((PasswordCallback)callbacks[i]) |
| 125 | .setPassword("mypassword".toCharArray()); |
| 126 | |
| 127 | } else { |
| 128 | throw new UnsupportedCallbackException |
| 129 | (callbacks[i], "Unrecognized callback"); |
| 130 | } |
| 131 | } |
| 132 | } |
| 133 | } |
| 134 | } |
| 135 | |
| 136 | class LdapConfiguration extends Configuration { |
| 137 | |
| 138 | // The JAAS configuration name for ldap-based authentication |
| 139 | public static final String LOGIN_CONFIG_NAME = "TestAuth"; |
| 140 | |
| 141 | // The JAAS configuration for ldap-based authentication |
| 142 | protected static AppConfigurationEntry[] entries; |
| 143 | |
| 144 | // The classname of the login module for ldap-based authentication |
| 145 | protected static final String LDAP_LOGIN_MODULE = |
| 146 | LdapLoginModule.class.getName(); |
| 147 | |
| 148 | /** |
| 149 | * Gets the JAAS configuration for ldap-based authentication |
| 150 | */ |
| 151 | public AppConfigurationEntry[] getAppConfigurationEntry(String name) { |
| 152 | return name.equals(LOGIN_CONFIG_NAME) ? entries : null; |
| 153 | } |
| 154 | |
| 155 | /** |
| 156 | * Refreshes the configuration. |
| 157 | */ |
| 158 | public void refresh() { |
| 159 | // the configuration is fixed |
| 160 | } |
| 161 | } |
| 162 | |
| 163 | /** |
| 164 | * This class defines the JAAS configuration for ldap-based authentication. |
| 165 | * It is equivalent to the following textual configuration entry: |
| 166 | * <pre> |
| 167 | * TestAuth { |
| 168 | * com.sun.security.auth.module.LdapLoginModule REQUIRED |
| 169 | * userProvider="ldap://localhost:23456/dc=example,dc=com" |
| 170 | * userFilter="(&(uid={USERNAME})(objectClass=inetOrgPerson))" |
| 171 | * authzIdentity="{EMPLOYEENUMBER}" |
| 172 | * debug=true; |
| 173 | * }; |
| 174 | * </pre> |
| 175 | */ |
| 176 | class SearchFirstMode extends LdapConfiguration { |
| 177 | |
| 178 | public SearchFirstMode() { |
| 179 | super(); |
| 180 | |
| 181 | Map<String, String> options = new HashMap<String, String>(4); |
| 182 | options.put("userProvider", "ldap://localhost:23456/dc=example,dc=com"); |
| 183 | options.put("userFilter", |
| 184 | "(&(uid={USERNAME})(objectClass=inetOrgPerson))"); |
| 185 | options.put("authzIdentity", "{EMPLOYEENUMBER}"); |
| 186 | options.put("debug", "true"); |
| 187 | |
| 188 | entries = new AppConfigurationEntry[] { |
| 189 | new AppConfigurationEntry(LDAP_LOGIN_MODULE, |
| 190 | AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, |
| 191 | options) |
| 192 | }; |
| 193 | } |
| 194 | |
| 195 | } |
| 196 | |
| 197 | /** |
| 198 | * This class defines the JAAS configuration for ldap-based authentication. |
| 199 | * It is equivalent to the following textual configuration entry: |
| 200 | * <pre> |
| 201 | * TestAuth { |
| 202 | * com.sun.security.auth.module.LdapLoginModule REQUIRED |
| 203 | * userProvider="ldap://localhost:23456/dc=example,dc=com" |
| 204 | * authIdentity="{USERNAME}" |
| 205 | * userFilter="(&(|(samAccountName={USERNAME})(userPrincipalName={USERNAME})(cn={USERNAME}))(objectClass=user))" |
| 206 | * useSSL=false |
| 207 | * debug=true; |
| 208 | * }; |
| 209 | * </pre> |
| 210 | */ |
| 211 | class AuthFirstMode extends LdapConfiguration { |
| 212 | |
| 213 | public AuthFirstMode() { |
| 214 | super(); |
| 215 | |
| 216 | Map<String, String> options = new HashMap<String, String>(5); |
| 217 | options.put("userProvider", "ldap://localhost:23456/dc=example,dc=com"); |
| 218 | options.put("authIdentity", "{USERNAME}"); |
| 219 | options.put("userFilter", |
| 220 | "(&(|(samAccountName={USERNAME})(userPrincipalName={USERNAME})" + |
| 221 | "(cn={USERNAME}))(objectClass=user))"); |
| 222 | options.put("useSSL", "false"); |
| 223 | options.put("debug", "true"); |
| 224 | |
| 225 | entries = new AppConfigurationEntry[] { |
| 226 | new AppConfigurationEntry(LDAP_LOGIN_MODULE, |
| 227 | AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, |
| 228 | options) |
| 229 | }; |
| 230 | } |
| 231 | } |
| 232 | |
| 233 | /** |
| 234 | * This class defines the JAAS configuration for ldap-based authentication. |
| 235 | * It is equivalent to the following textual configuration entry: |
| 236 | * <pre> |
| 237 | * TestAuth { |
| 238 | * com.sun.security.auth.module.LdapLoginModule REQUIRED |
| 239 | * userProvider="ldap://localhost:23456 ldap://localhost:23457" |
| 240 | * authIdentity="cn={USERNAME},ou=people,dc=example,dc=com" |
| 241 | * authzIdentity="staff" |
| 242 | * debug=true; |
| 243 | * }; |
| 244 | * </pre> |
| 245 | */ |
| 246 | class AuthOnlyMode extends LdapConfiguration { |
| 247 | |
| 248 | public AuthOnlyMode() { |
| 249 | super(); |
| 250 | |
| 251 | Map<String, String> options = new HashMap<String, String>(4); |
| 252 | options.put("userProvider", |
| 253 | "ldap://localhost:23456 ldap://localhost:23457"); |
| 254 | options.put("authIdentity", |
| 255 | "cn={USERNAME},ou=people,dc=example,dc=com"); |
| 256 | options.put("authzIdentity", "staff"); |
| 257 | options.put("debug", "true"); |
| 258 | |
| 259 | entries = new AppConfigurationEntry[] { |
| 260 | new AppConfigurationEntry(LDAP_LOGIN_MODULE, |
| 261 | AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, |
| 262 | options) |
| 263 | }; |
| 264 | } |
| 265 | |
| 266 | } |