Author: buildbot
Date: Wed Aug 1 13:47:27 2012
New Revision: 827609
Log:
Production update by buildbot for cxf
Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/jaxrs-kerberos.html
Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.
Modified: websites/production/cxf/content/docs/jaxrs-kerberos.html
==============================================================================
--- websites/production/cxf/content/docs/jaxrs-kerberos.html (original)
+++ websites/production/cxf/content/docs/jaxrs-kerberos.html Wed Aug 1
13:47:27 2012
@@ -124,20 +124,66 @@ Apache CXF -- JAXRS Kerberos
<div id="ConfluenceContent"><p><span style="font-size:2em;font-weight:bold">
JAX-RS Kerberos Support </span></p>
<div>
-<ul><li><a shape="rect"
href="#JAXRSKerberos-Introduction">Introduction</a></li><ul><li><a shape="rect"
href="#JAXRSKerberos-Clientconfiguration">Client
configuration</a></li><ul><li><a shape="rect"
href="#JAXRSKerberos-HTTPConduit">HTTPConduit</a></li><li><a shape="rect"
href="#JAXRSKerberos-Interceptor">Interceptor</a></li></ul><li><a shape="rect"
href="#JAXRSKerberos-Serverconfiguration">Server
configuration</a></li></ul></ul></div>
+<ul><li><a shape="rect"
href="#JAXRSKerberos-Introduction">Introduction</a></li><ul><li><a shape="rect"
href="#JAXRSKerberos-Kerberos">Kerberos</a></li><li><a shape="rect"
href="#JAXRSKerberos-HTTPNegotiatescheme">HTTP Negotiate scheme</a></li><li><a
shape="rect" href="#JAXRSKerberos-GSSAPI">GSS API</a></li></ul><li><a
shape="rect" href="#JAXRSKerberos-Clientconfiguration">Client
configuration</a></li><ul><li><a shape="rect"
href="#JAXRSKerberos-HTTPConduit">HTTPConduit</a></li><li><a shape="rect"
href="#JAXRSKerberos-Interceptor">Interceptor</a></li><ul><li><a shape="rect"
href="#JAXRSKerberos-AuthorizationPolicy">Authorization Policy</a></li><li><a
shape="rect"
href="#JAXRSKerberos-Configuringtheserviceprincipalname">Configuring the
service principal name</a></li><li><a shape="rect"
href="#JAXRSKerberos-UsingJAASConfiguration">Using JAAS
Configuration</a></li></ul></ul><li><a shape="rect"
href="#JAXRSKerberos-Serverconfiguration">Server configuration</a></li><li><a
shape="
rect" href="#JAXRSKerberos-CredentialDelegation">Credential
Delegation</a></li></ul></div>
<h1><a shape="rect" name="JAXRSKerberos-Introduction"></a>Introduction</h1>
+<h2><a shape="rect" name="JAXRSKerberos-Kerberos"></a>Kerberos</h2>
+<h2><a shape="rect" name="JAXRSKerberos-HTTPNegotiatescheme"></a>HTTP
Negotiate scheme </h2>
+<h2><a shape="rect" name="JAXRSKerberos-GSSAPI"></a>GSS API</h2>
-<h2><a shape="rect" name="JAXRSKerberos-Clientconfiguration"></a>Client
configuration</h2>
+<h1><a shape="rect" name="JAXRSKerberos-Clientconfiguration"></a>Client
configuration</h1>
-<h3><a shape="rect" name="JAXRSKerberos-HTTPConduit"></a>HTTPConduit</h3>
+<h2><a shape="rect" name="JAXRSKerberos-HTTPConduit"></a>HTTPConduit</h2>
<p>Please see <a shape="rect"
href="http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-SpnegoAuthentication%28Kerberos%29">this
page</a> for the information about Spnego/Kerberos HTTPConduit client support.
</p>
-<h3><a shape="rect" name="JAXRSKerberos-Interceptor"></a>Interceptor</h3>
+<h2><a shape="rect" name="JAXRSKerberos-Interceptor"></a>Interceptor</h2>
+<p>org.apache.cxf.jaxrs.security.KerberosAuthOutInterceptor can be used as an
alternative to configuring HTTPConduit.</p>
-<h2><a shape="rect" name="JAXRSKerberos-Serverconfiguration"></a>Server
configuration</h2></div>
+<p>KerberosAuthOutInterceptor and the HTTPConduit Spnego handler share the
same base code. Having HTTPConduit configuration can be enough in many cases<br
clear="none">
+especially when SSL is also being setup at the conduit level. Using the
interceptor can be handy when testing as well as when setting few extra
properties which is not easy to set up at the generic HTTP Conduit
Authorization Policy level. </p>
+
+<p>The interceptor properties are explained in the following sub-sections</p>
+
+<h3><a shape="rect" name="JAXRSKerberos-AuthorizationPolicy"></a>Authorization
Policy</h3>
+
+<p>As explained on <a shape="rect"
href="http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-SpnegoAuthentication%28Kerberos%29">this
page</a>, Authorization Policy typically needs to have its type set to
"Negotiate" and its "authorization" property set to the name of the JAAS
context. AuthorizationPolicy is set as a "policy" property on the interceptor,
example:</p>
+
+<div class="code panel" style="border-width: 1px;"><div class="codeContent
panelContent">
+<pre class="code-java">
+WebClient wc = WebClient.create(<span class="code-quote">"http:<span
class="code-comment">//localhost:"</span> + PORT + <span
class="code-quote">"/bookstore/books/123"</span>);
+</span>
+KerberosAuthOutInterceptor kbInterceptor = <span
class="code-keyword">new</span> KerberosAuthOutInterceptor();
+
+AuthorizationPolicy policy = <span class="code-keyword">new</span>
AuthorizationPolicy();
+policy.setAuthorizationType(HttpAuthHeader.AUTH_TYPE_NEGOTIATE);
+policy.setAuthorization(<span
class="code-quote">"KerberosClientKeyTab"</span>);
+
+kbInterceptor.setPolicy(policy);
+WebClient.getConfig(wc).getOutInterceptors().add(kbInterceptor);
+
+Book b = wc.get(Book.class);
+</pre>
+</div></div>
+
+
+<h3><a shape="rect"
name="JAXRSKerberos-Configuringtheserviceprincipalname"></a>Configuring the
service principal name</h3>
+
+<p>By default, the service principal name is calculated by concatenating
"HTTP", "/" and the name of the target host, example, when invoking on
"http://localhost:8080/services", the service principal name is set to
"HTTP/localhost".</p>
+
+<p>The "servicePrincipalName" and "realm" properties can be used to customize
it, example, setting "servicePrincipalName" to "HTTP/www.mycompany.com" and
realm to "services.org" will result in the
"HTTP/[email protected]" service principal name being used. </p>
+
+<h3><a shape="rect" name="JAXRSKerberos-UsingJAASConfiguration"></a>Using JAAS
Configuration</h3>
+
+<p>Both HTTPConduit and interceptor handlers need a
"java.security.auth.login.config" system property set up. This property needs
to point to the file containing the configuration of the specific Kerberos
login module.</p>
+
+<p>Instead of setting this system property and maintaining a configuration
file, one might want to use an implementation of
javax.security.auth.login.Configuration and set it on the interceptor as a
"loginConfig" property. </p>
+
+<h1><a shape="rect" name="JAXRSKerberos-Serverconfiguration"></a>Server
configuration</h1>
+
+<h1><a shape="rect" name="JAXRSKerberos-CredentialDelegation"></a>Credential
Delegation</h1>
+</div>
</div>
<!-- Content -->
</td>
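Review bot: five of the headings added in this hunk (Kerberos, HTTP Negotiate scheme, GSS API, Server configuration, Credential Delegation) go to production with no body text, so the new table-of-contents entries at the top of the hunk link to empty sections. Either hold those headings back until the text exists or put a one-line pointer under each. In the Authorization Policy sample, the URL string is split by a `code-comment` span that opens at `//localhost:`, which means the highlighter is treating the rest of the literal as a comment; the markup should be adjusted so the string renders intact. The same sample passes "KerberosClientKeyTab" to `policy.setAuthorization(...)` but the page never shows the JAAS entry with that context name, and the Using JAAS Configuration paragraph names the "loginConfig" property without an example, so a reader cannot get from the sample to a working login configuration. A short login-config entry for that context name, plus a sentence on how "loginConfig" replaces the "java.security.auth.login.config" system property, would close that gap. In the service principal name section, it would also help to say that the default derived from the target host ("HTTP/localhost" in the example) only works when the KDC has a principal registered under exactly that name.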