Author: buildbot
Date: Tue Sep 8 14:47:35 2015
New Revision: 964766
Log:
Production update by buildbot for cxf
Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/jaxrs-kerberos.html
Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.
Modified: websites/production/cxf/content/docs/jaxrs-kerberos.html
==============================================================================
--- websites/production/cxf/content/docs/jaxrs-kerberos.html (original)
+++ websites/production/cxf/content/docs/jaxrs-kerberos.html Tue Sep 8
14:47:35 2015
@@ -117,12 +117,12 @@ Apache CXF -- JAXRS Kerberos
<td height="100%">
<!-- Content -->
<div class="wiki-content">
-<div id="ConfluenceContent"><p> </p><p> </p><p><span
class="inline-first-p" style="font-size:2em;font-weight:bold"> JAX-RS Kerberos
Support </span></p><p> </p><p> </p><p> </p><p><style
type="text/css">/*<![CDATA[*/
-div.rbtoc1435780188110 {padding: 0px;}
-div.rbtoc1435780188110 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1435780188110 li {margin-left: 0px;padding-left: 0px;}
+<div id="ConfluenceContent"><p> </p><p> <span class="inline-first-p"
style="font-size:2em;font-weight:bold">JAX-RS Kerberos
Support</span> </p><p> </p><p> </p><p><style
type="text/css">/*<![CDATA[*/
+div.rbtoc1441723615900 {padding: 0px;}
+div.rbtoc1441723615900 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1441723615900 li {margin-left: 0px;padding-left: 0px;}
-/*]]>*/</style></p><div class="toc-macro rbtoc1435780188110">
+/*]]>*/</style></p><div class="toc-macro rbtoc1441723615900">
<ul class="toc-indentation"><li><a shape="rect"
href="#JAXRSKerberos-Introduction">Introduction</a>
<ul class="toc-indentation"><li><a shape="rect"
href="#JAXRSKerberos-Setup">Setup</a>
<ul class="toc-indentation"><li><a shape="rect"
href="#JAXRSKerberos-Unix">Unix</a></li><li><a shape="rect"
href="#JAXRSKerberos-Windows">Windows</a></li></ul>
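Review bot: The rbtoc class name in the three style rules and on the toc-macro div changes from rbtoc1435780188110 to rbtoc1441723615900 with no change to the rules themselves, and the only other difference is whitespace moved around the "JAX-RS Kerberos Support" span. This hunk therefore carries no content change and makes the real documentation edit in the next hunk harder to find. If the TOC macro could emit a stable class name, published diffs would show only actual edits.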
@@ -151,7 +151,7 @@ WebClient.getConfig(wc).getOutIntercepto
Book b = wc.get(Book.class);
</pre>
-</div></div><p>In this example, the <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/kerberos.cfg">KerberosClientKeyTab</a>
policy is used which links to the available keytab; otherwise
AuthorizationPolicy 'UserName' and 'Password' properties would most likely have
to be set too (with the possible exceptions on Windows)</p><h3
id="JAXRSKerberos-Configuringtheserviceprincipalname">Configuring the service
principal name</h3><p>Service principal identifies a target service.</p><p>By
default, the service principal name is calculated by concatenating "HTTP", "/"
and the name of the target host, example, when invoking on
"http://localhost:8080/services", the service principal name is set to
"HTTP/localhost".</p><p>The "servicePrincipalName" and "realm" properties can
be used to customize it, example, setting "servicePrincipalName" to
"HTTP/www.mycompany.com" and realm to "services.org"
will result in the "HTTP/[email protected]" service principal
name being used.</p><h3 id="JAXRSKerberos-UsingJAASConfiguration">Using JAAS
Configuration</h3><p>Both HTTPConduit and interceptor handlers need a
"java.security.auth.login.config" system property set up. This property needs
to point to the file containing the configuration of the specific Kerberos
login module.</p><p>Instead of setting this system property and maintaining a
configuration file, one might want to use an implementation of
javax.security.auth.login.Configuration and set it on the interceptor as a
"loginConfig" property.</p><h3
id="JAXRSKerberos-Howtoavoidsettingusernameandpasswordproperties">How to avoid
setting username and password properties</h3><p>Typically, one may have to set
AuthorizationPolicy UserName and Password properties for the Kerberos login
module to authenticate the user.</p><p>The next option is to create a keytab as
noted in the Setup section, which will let one to avoid speci
fying a password property.<br clear="none"> Finally, if the user actually owns
the Java process which runs the code then no username and password properties
have to be provided, assuming the Kerberos login configuration has
'useTicketCache' and possibly 'renewTGT' properties set to "true"</p><h1
id="JAXRSKerberos-Serverconfiguration">Server
configuration</h1><p>org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter
can be used to protected JAX-RS endpoints and enforce that a Negotiate
authentication scheme is used by clients, example:</p><div class="code panel
pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+</div></div><p>In this example, the <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/kerberos.cfg">KerberosClientKeyTab</a>
policy is used which links to the available keytab; otherwise
AuthorizationPolicy 'UserName' and 'Password' properties would most likely have
to be set too (with the possible exceptions on Windows)</p><h3
id="JAXRSKerberos-Configuringtheserviceprincipalname">Configuring the service
principal name</h3><p>Service principal identifies a target service.</p><p>By
default, the service principal name is calculated by concatenating "HTTP", "/"
and the name of the target host, example, when invoking on
"http://localhost:8080/services", the service principal name is set to
"HTTP/localhost".</p><p>The "servicePrincipalName" and "realm" properties can
be used to customize it, example, setting "servicePrincipalName" to
"HTTP/www.mycompany.com" and realm to "services.org"
will result in the "HTTP/[email protected]" service principal
name being used.</p><p>When the "servicePrincipalName" is not specified, the
target host from the provided endpoint URL is used to construct one
as-is.  To perform canonicalization of this hostname (e.g. if a CNAME
record <a shape="rect" class="external-link" href="http://host.example.com"
rel="nofollow">host.example.com</a> points to an A record <a shape="rect"
class="external-link" href="http://host-x.example.com"
rel="nofollow">host-x.example.com</a>, then use "<a shape="rect"
class="external-link" href="http://host-x.example.com"
rel="nofollow">host-x.example.com</a>" when constructing the
servicePrincipalName), the "useCanonicalHostname" property can be set to
"true".</p><h3 id="JAXRSKerberos-UsingJAASConfiguration">Using JAAS
Configuration</h3><p>Both HTTPConduit and interceptor handlers need a
"java.security.auth.login.config" system property set up. This property needs
to point to the file contai
ning the configuration of the specific Kerberos login module.</p><p>Instead of
setting this system property and maintaining a configuration file, one might
want to use an implementation of javax.security.auth.login.Configuration and
set it on the interceptor as a "loginConfig" property.</p><h3
id="JAXRSKerberos-Howtoavoidsettingusernameandpasswordproperties">How to avoid
setting username and password properties</h3><p>Typically, one may have to set
AuthorizationPolicy UserName and Password properties for the Kerberos login
module to authenticate the user.</p><p>The next option is to create a keytab as
noted in the Setup section, which will let one to avoid specifying a password
property.<br clear="none"> Finally, if the user actually owns the Java process
which runs the code then no username and password properties have to be
provided, assuming the Kerberos login configuration has 'useTicketCache' and
possibly 'renewTGT' properties set to "true"</p><h1
id="JAXRSKerberos-Serverconfig
uration">Server
configuration</h1><p>org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter
can be used to protected JAX-RS endpoints and enforce that a Negotiate
authentication scheme is used by clients, example:</p><div class="code panel
pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: xml; gutter: false; theme: Default"
style="font-size:12px;"><bean id="kerberosFilter"
class="org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter">
<property name="loginContextName" value="KerberosServiceKeyTab"/>
</bean>
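Review bot: The added "useCanonicalHostname" paragraph does not mention that, once the property is "true", the service principal name is built from a DNS answer rather than from the hostname in the endpoint URL. The client then requests a ticket for whatever name the resolver returns, so the text should say that the option is meant for environments where DNS resolution is trusted. It should also state the default explicitly, since "is used to construct one as-is" only implies that canonicalization is off unless requested. Two smaller points in the same paragraph: the instruction to use "host-x.example.com" sits inside the parenthetical, which makes the sentence hard to parse, and host.example.com and host-x.example.com are rendered as external-link anchors with http:// hrefs although they are hostnames, not URLs. Moving the CNAME example into its own sentence and formatting the hostnames as plain text would fix both.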