Bernard Chesnoy created CXF-6534:
------------------------------------

             Summary: Kerberos delegation not possible if Authorization given
                 Key: CXF-6534
                 URL: https://issues.apache.org/jira/browse/CXF-6534
             Project: CXF
          Issue Type: Bug
          Components: Transports
    Affects Versions: 3.1.2, 3.0.6, 3.1.1, 3.0.5, 3.1.0, 3.0.4, 3.1.3
            Reporter: Bernard Chesnoy


Issue discovered while migrating from version 3.0.2 to 3.1.2.

In the documentation it says that to enable Kerberos you have to give the
policy information for Authorization and AuthorizationType:

{code:xml}
<conduit name="{http://example.com/}HelloWorldServicePort.http-conduit"
  xmlns="http://cxf.apache.org/transports/http/configuration">
  <authorization>
     <AuthorizationType>Negotiate</AuthorizationType>
     <Authorization>CXFClient</Authorization>
  </authorization>
</conduit>
{code}

And for delegation it's not necessary to give the Authorization field.
But if you give a policy with both of them, it will never try to do delegation,
resulting in my application not working anymore (browser -> unix(wildfly) ->
windows 2012 by kerberos delegation).

After a look at the source code, it seems the problem is due to a change in
version 3.0.4 in the file AbstractSpnegoAuthSupplier.java:

{code:java}
    private byte[] getToken(AuthorizationPolicy authPolicy,
                            String spn,
                            Oid oid,
                            Message message) throws GSSException,
        LoginException {

        Subject subject = null;
        if (authPolicy != null) {
            String contextName = authPolicy.getAuthorization();
            if (contextName == null) {
                contextName = "";
            }

            // A non-empty Authorization (login context name), a user name,
            // or a loginConfig always leads to a JAAS login here.
            if (!(StringUtils.isEmpty(authPolicy.getUserName())
                && StringUtils.isEmpty(contextName) && loginConfig == null)) {
                CallbackHandler callbackHandler = getUsernamePasswordHandler(
                    authPolicy.getUserName(), authPolicy.getPassword());
                LoginContext lc = new LoginContext(contextName, null,
                                                   callbackHandler, loginConfig);
                lc.login();
                subject = lc.getSubject();
            }
        }

        GSSManager manager = GSSManager.getInstance();
{code}

If the contextName is not null, it will always try to use
getUsernamePasswordHandler, resulting in a LoginException.

Workaround: not specifying an Authorization.

Possible fix:
{code:java}
if (authPolicy != null && !isCredDelegationRequired(message)) {
{code}

Do not hesitate to tell me if there is another way to do it.
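The following is an added example, not part of the report or of CXF's source: a self-contained model of the login decision in the excerpt above, with the 3.0.4+ check beside the proposed `!isCredDelegationRequired(message)` guard. The `Policy` class, the `loginConfigPresent` and `delegationRequired` flags, and the `Action` names are constructed stand-ins for `AuthorizationPolicy`, `loginConfig` and `isCredDelegationRequired(message)`; how CXF obtains the delegated credential afterwards is not modelled, only whether the JAAS login that the reporter says fails is attempted.

```java
/**
 * Constructed model of the subject-selection step in
 * AbstractSpnegoAuthSupplier.getToken(), comparing the check as excerpted
 * in the report with the reporter's proposed guard. Not CXF code.
 */
public class SpnegoLoginDecision {

    /** Stand-in for CXF's AuthorizationPolicy: only the fields the excerpt reads. */
    static final class Policy {
        final String userName;
        final String password;
        final String authorization; // JAAS login context name, e.g. "CXFClient"

        Policy(String userName, String password, String authorization) {
            this.userName = userName;
            this.password = password;
            this.authorization = authorization;
        }
    }

    /** What the supplier does before calling GSSManager (constructed names). */
    enum Action {
        JAAS_LOGIN,              // LoginContext.login() with the context name
        SKIP_LOGIN_DELEGATION,   // no login; continue with delegation (assumed path)
        SKIP_LOGIN_CURRENT       // no login; continue with the current credential
    }

    static boolean isEmpty(String s) {
        return s == null || s.isEmpty();
    }

    /** The inner condition exactly as the excerpt shows it. */
    static boolean wantsJaasLogin(Policy p, boolean loginConfigPresent) {
        String contextName = p.authorization == null ? "" : p.authorization;
        return !(isEmpty(p.userName) && isEmpty(contextName) && !loginConfigPresent);
    }

    /** Check as of 3.0.4 per the report: the delegation flag is never consulted. */
    static Action decideCurrent(Policy p, boolean loginConfigPresent,
                                boolean delegationRequired) {
        if (p != null && wantsJaasLogin(p, loginConfigPresent)) {
            return Action.JAAS_LOGIN;
        }
        return delegationRequired ? Action.SKIP_LOGIN_DELEGATION
                                  : Action.SKIP_LOGIN_CURRENT;
    }

    /** Reporter's proposal: `authPolicy != null && !isCredDelegationRequired(message)`. */
    static Action decideProposed(Policy p, boolean loginConfigPresent,
                                 boolean delegationRequired) {
        if (p != null && !delegationRequired && wantsJaasLogin(p, loginConfigPresent)) {
            return Action.JAAS_LOGIN;
        }
        return delegationRequired ? Action.SKIP_LOGIN_DELEGATION
                                  : Action.SKIP_LOGIN_CURRENT;
    }

    public static void main(String[] args) {
        // Constructed inputs: the conduit from the report (Negotiate + CXFClient)
        // and the workaround (no Authorization element).
        Policy withAuthorization = new Policy(null, null, "CXFClient");
        Policy withoutAuthorization = new Policy(null, null, null);

        System.out.printf("%-22s %-12s %-24s %s%n",
                          "policy", "delegation", "current (3.0.4+)", "proposed");
        for (Policy p : new Policy[] {withAuthorization, withoutAuthorization}) {
            for (boolean delegation : new boolean[] {false, true}) {
                String label = p.authorization == null ? "no Authorization"
                                                       : "Authorization set";
                System.out.printf("%-22s %-12s %-24s %s%n", label, delegation,
                                  decideCurrent(p, false, delegation),
                                  decideProposed(p, false, delegation));
            }
        }
    }
}
```

Running `main` prints the four combinations; the row "Authorization set / delegation true" is the reported failure: the current check yields `JAAS_LOGIN` (the login the reporter sees throw a `LoginException`), while the proposed guard yields `SKIP_LOGIN_DELEGATION`, matching the behaviour obtained today only by omitting the Authorization element.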



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
