Hi Aris,
I would not like to change the AuthorizationPolicy for this as we have a
quite special case here. Most other authorizations do not use oids. So I
asked on IRC what is a good way to do this and Sergey pointed me to
the message properties. These can be set in spring using
jaxws:properties on e.g. the jaxws:client and also programmatically so
this sounds like a good solution.
I have committed the change. If you have the chance it would be great if
you could test this against a Microsoft IIS and tell me which OID it
wants. In any case as we have positive feedback I will document the
feature on the website now.
Christian
On 06.05.2011 14:51, Aris Tsaklidis wrote:
Hi Christian,
I cannot confirm that the change will work with every server. My JBoss 4.5.1
(+jboss negotiation module) uses SPNEGO as application-policy. Therefore I need
the SPNEGO_OID.
I would go with your suggestion to use an option for switching between kerberos
and spnego uid.
Maybe something like this:
    public class AuthorizationPolicy {
        @XmlElement(name = "UserName")
        protected String userName;
        @XmlElement(name = "Password")
        protected String password;
        @XmlElement(name = "AuthorizationType")
        protected String authorizationType;
        @XmlElement(name = "Authorization")
        protected String authorization;
        @XmlElement(name = "AuthorizationOid")
        protected String authorizationOid;
        ...
    }

    public class SpnegoAuthSupplier implements HttpAuthSupplier {
        public static final String KERBEROS_OID = "1.2.840.113554.1.2.2";
        public static final String SPNEGO_OID = "1.3.6.1.5.5.2";
        ....
        private byte[] getToken(AuthorizationPolicy proxyAuthPolicy, String spn)
                throws GSSException, LoginException {
            GSSManager manager = GSSManager.getInstance();
            GSSName serverName = manager.createName(spn, null);
            // TODO Is it correct to use kerberos oid instead of spnego here?
            Oid oid = new Oid(proxyAuthPolicy.getAuthorizationOid());
            ...
        }
    }
and then use:
    HTTPConduit systemConduit = (HTTPConduit) systemClient.getConduit();
    AuthorizationPolicy systemAuthPol = new AuthorizationPolicy();
    systemAuthPol.setAuthorizationType("Negotiate");
    systemAuthPol.setAuthorizationOid(SpnegoAuthSupplier.SPNEGO_OID);
    systemConduit.setAuthorization(systemAuthPol);
Aris
-------- Original Message --------
Date: Fri, 06 May 2011 13:31:03 +0200
From: Christian Schneider<[email protected]>
To: [email protected]
Subject: Re: CXF 2.4 - Kerberos SpnegoAuthSupplier - Message content from Soap Response is null
Hi Aris,
thanks for the hard work.
A question. Can you confirm that the current cxf 2.4.0 code does not
work and that the change to Spnego OID works?
When I did the code I read that some servers work with OID spnego and
others with OID kerberos. So I am not sure if the change is good for
everyone.
In case we need both we will have to create an option to toggle it.
Christian
On 06.05.2011 12:08, Aris Tsaklidis wrote:
Found the problem.
I already mentioned that my old code was similar to the cxf 2.4 code. I
kinda realized that with adding the AuthorizationType in my code I made
HTTPConduit call SpnegoAuthSupplier in the send process. So my kerberos
ticket was overwritten by the SpnegoAuthSupplier. So basically there had
to be some error in the SpnegoAuthSupplier.
So I kinda compared my code with the SpnegoAuthSupplier and realized
that I used the SPNEGO OID and cxf 2.4 used KERBEROS OID. I changed the
SpnegoAuthSupplier and built the transport project. Updated my
workbench and it worked.
Created a ticket with the working source code attached:
https://issues.apache.org/jira/browse/CXF-3496
--
Christian Schneider
http://www.liquid-reality.de
CXF and Camel Architect
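
Added example, not part of the original thread and not CXF code: a small Java diagnostic that reads the mechanism OID from the header of an initial GSS-API token, to check whether a client is sending the Kerberos or the SPNEGO OID discussed above. The class name GssMechSniffer and the sample tokens are constructed for illustration; a real input would be the Base64-decoded value that follows "Negotiate" in the HTTP Authorization header.

```java
import java.io.ByteArrayOutputStream;
import java.util.Arrays;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.Oid;

public class GssMechSniffer { // hypothetical class name
    static final String KERBEROS_OID = "1.2.840.113554.1.2.2";
    static final String SPNEGO_OID = "1.3.6.1.5.5.2";

    /** Returns the mechanism OID from the header of an initial GSS-API token. */
    static Oid mechOf(byte[] token) throws GSSException {
        if (token.length < 4 || (token[0] & 0xff) != 0x60) {
            throw new IllegalArgumentException("no 0x60 initial-token tag");
        }
        int pos = 1;
        int first = token[pos++] & 0xff;
        if (first >= 0x80) { // long-form DER length: skip its extra octets
            pos += first & 0x7f;
        }
        if (pos + 2 > token.length || token[pos] != 0x06) {
            throw new IllegalArgumentException("mechanism OID not found");
        }
        int oidLen = token[pos + 1] & 0xff; // mechanism OIDs use a short-form length
        if (oidLen >= 0x80 || pos + 2 + oidLen > token.length) {
            throw new IllegalArgumentException("truncated mechanism OID");
        }
        // Oid(byte[]) expects the full DER encoding, tag and length included.
        return new Oid(Arrays.copyOfRange(token, pos, pos + 2 + oidLen));
    }

    /** Constructed sample: token header for the mechanism plus a dummy body. */
    static byte[] sampleToken(String mech) throws GSSException {
        byte[] oid = new Oid(mech).getDER();
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write(0x60);
        out.write(oid.length + 4); // short-form length: OID plus 4 body bytes
        out.write(oid, 0, oid.length);
        out.write(new byte[4], 0, 4);
        return out.toByteArray();
    }

    public static void main(String[] args) throws GSSException {
        for (String mech : new String[] {KERBEROS_OID, SPNEGO_OID}) {
            Oid seen = mechOf(sampleToken(mech));
            String label = seen.equals(new Oid(SPNEGO_OID)) ? "SPNEGO"
                    : seen.equals(new Oid(KERBEROS_OID)) ? "Kerberos" : "other";
            System.out.println(seen + " -> " + label);
        }
    }
}
```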