Use latest argeo-build

[gpl/argeo-slc.git] / org.argeo.slc.cms / src / org / argeo / slc / cms / httpclient3 / SpnegoAuthScheme.java

package org.argeo.slc.cms.httpclient3;

import java.net.URL;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;

import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;

import org.apache.commons.httpclient.Credentials;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.HttpMethod;
import org.apache.commons.httpclient.auth.AuthPolicy;
import org.apache.commons.httpclient.auth.AuthScheme;
import org.apache.commons.httpclient.auth.AuthenticationException;
import org.apache.commons.httpclient.auth.CredentialsProvider;
import org.apache.commons.httpclient.auth.MalformedChallengeException;
import org.apache.commons.httpclient.methods.GetMethod;
import org.apache.commons.httpclient.params.DefaultHttpParams;
import org.apache.commons.httpclient.params.HttpMethodParams;
import org.apache.commons.httpclient.params.HttpParams;
import org.argeo.cms.auth.RemoteAuthUtils;

//// Register client-side SPNEGO auth scheme
//AuthPolicy.registerAuthScheme(SpnegoAuthScheme.NAME, SpnegoAuthScheme.class);
//HttpParams params = DefaultHttpParams.getDefaultParams();
//ArrayList<String> schemes = new ArrayList<>();
//schemes.add(SpnegoAuthScheme.NAME);// SPNEGO preferred
//// schemes.add(AuthPolicy.BASIC);// incompatible with Basic
//params.setParameter(AuthPolicy.AUTH_SCHEME_PRIORITY, schemes);
//params.setParameter(CredentialsProvider.PROVIDER, new HttpCredentialProvider());
//params.setParameter(HttpMethodParams.COOKIE_POLICY, KernelConstants.COOKIE_POLICY_BROWSER_COMPATIBILITY);
//// params.setCookiePolicy(CookiePolicy.BROWSER_COMPATIBILITY);



/** Implementation of the SPNEGO auth scheme. */
public class SpnegoAuthScheme implements AuthScheme {
//      private final static Log log = LogFactory.getLog(SpnegoAuthScheme.class);

        public static final String NAME = "Negotiate";
//      private final static Oid KERBEROS_OID;
//      static {
//              try {
//                      KERBEROS_OID = new Oid("1.3.6.1.5.5.2");
//              } catch (GSSException e) {
//                      throw new IllegalStateException("Cannot create Kerberos OID", e);
//              }
//      }

        private final static String DEFAULT_KERBEROS_SERVICE = "HTTP";

        private boolean complete = false;
        private String realm;

        @Override
        public void processChallenge(String challenge) throws MalformedChallengeException {
                // if(tokenStr!=null){
                // log.error("Received challenge while there is a token. Failing.");
                // complete = false;
                // }

        }

        @Override
        public String getSchemeName() {
                return NAME;
        }

        @Override
        public String getParameter(String name) {
                return null;
        }

        @Override
        public String getRealm() {
                return realm;
        }

        @Override
        public String getID() {
                return NAME;
        }

        @Override
        public boolean isConnectionBased() {
                return true;
        }

        @Override
        public boolean isComplete() {
                return complete;
        }

        @Override
        public String authenticate(Credentials credentials, String method, String uri) throws AuthenticationException {
                // log.debug("authenticate " + method + " " + uri);
                // return null;
                throw new UnsupportedOperationException();
        }

        @Override
        public String authenticate(Credentials credentials, HttpMethod method) throws AuthenticationException {
//              GSSContext context = null;
                String hostname;
                try {
                        hostname = method.getURI().getHost();
                        String tokenStr = RemoteAuthUtils.createGssToken(null, DEFAULT_KERBEROS_SERVICE, hostname);
                        return "Negotiate " + tokenStr;
                } catch (Exception e1) {
                        complete = true;
                        throw new AuthenticationException("Cannot authenticate " + method, e1);
                }
//              String serverPrinc = DEFAULT_KERBEROS_SERVICE + "@" + hostname;
//
//              try {
//                      // Get service's principal name
//                      GSSManager manager = GSSManager.getInstance();
//                      GSSName serverName = manager.createName(serverPrinc, GSSName.NT_HOSTBASED_SERVICE, KERBEROS_OID);
//
//                      // Get the context for authentication
//                      context = manager.createContext(serverName, KERBEROS_OID, null, GSSContext.DEFAULT_LIFETIME);
//                      // context.requestMutualAuth(true); // Request mutual authentication
//                      // context.requestConf(true); // Request confidentiality
//                      context.requestCredDeleg(true);
//
//                      byte[] token = new byte[0];
//
//                      // token is ignored on the first call
//                      token = context.initSecContext(token, 0, token.length);
//
//                      // Send a token to the server if one was generated by
//                      // initSecContext
//                      if (token != null) {
//                              tokenStr = Base64.getEncoder().encodeToString(token);
//                              // complete=true;
//                      }
//              } catch (GSSException e) {
//                      complete = true;
//                      throw new AuthenticationException("Cannot authenticate to " + serverPrinc, e);
//              }
        }

        public static void main(String[] args) {
                String principal = System.getProperty("javax.security.auth.login.name");
                if (args.length == 0 || principal == null) {
                        System.err.println("usage: java -Djavax.security.auth.login.name=<principal@REALM> "
                                        + SpnegoAuthScheme.class.getName() + " <url>");
                        System.exit(1);
                        return;
                }
                String url = args[0];

                URL jaasUrl = SpnegoAuthScheme.class.getResource("jaas.cfg");
                System.setProperty("java.security.auth.login.config", jaasUrl.toExternalForm());
                try {
                        LoginContext lc = new LoginContext("SINGLE_USER");
                        lc.login();

                        AuthPolicy.registerAuthScheme(SpnegoAuthScheme.NAME, SpnegoAuthScheme.class);
                        HttpParams params = DefaultHttpParams.getDefaultParams();
                        ArrayList<String> schemes = new ArrayList<>();
                        schemes.add(SpnegoAuthScheme.NAME);
                        params.setParameter(AuthPolicy.AUTH_SCHEME_PRIORITY, schemes);
                        params.setParameter(CredentialsProvider.PROVIDER, new HttpCredentialProvider());

                        int responseCode = Subject.doAs(lc.getSubject(), new PrivilegedExceptionAction<Integer>() {
                                public Integer run() throws Exception {
                                        HttpClient httpClient = new HttpClient();
                                        return httpClient.executeMethod(new GetMethod(url));
                                }
                        });
                        System.out.println("Reponse code: " + responseCode);
                } catch (Exception e) {
                        e.printStackTrace();
                }
        }

}