Re: Client HTTP transport with Kerberos/SPNEGO

Mon, 12 Sep 2011 04:20:25 -0700

I am not sure about the first exception. Could you debug into the code and try to find out more about the point where the exception happens?
About the second problem when using no username and password on windows. Can you check if you have the registry setting that allows java to use the tgt? 
See: http://www.javaactivedirectory.com/?page_id=93

Christian


Am 12.09.2011 13:07, schrieb Michael Sliwak:

Hello everyone!

According to http://cxf.apache.org/docs/client-http-transport-including-ssl-
support.html#ClientHTTPTransport%28includingSSLsupport%29-
SpnegoAuthentication%28Kerberos%29 CXF should be able to handle
Kerberos/SPNEGO authentication when accessing web services.

I'm trying to access an ASP.NET Web Service that is secured by Kerberos
(Integrated Windows authentication) using CXF.

I have configured everything as stated in the documentation. Here's my cxf.xml

<?xml version="1.0" encoding="UTF-8"?>

<beans xmlns="http://www.springframework.org/schema/beans";
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
xmlns:sec="http://cxf.apache.org/configuration/security";
   xmlns:http="http://cxf.apache.org/transports/http/configuration";
   xmlns:jaxws="http://cxf.apache.org/jaxws";
   xsi:schemaLocation="
            http://cxf.apache.org/configuration/security
            http://cxf.apache.org/schemas/configuration/security.xsd
            http://cxf.apache.org/transports/http/configuration
            http://cxf.apache.org/schemas/configuration/http-conf.xsd
            http://cxf.apache.org/jaxws
            http://cxf.apache.org/schemas/jaxws.xsd
            http://www.springframework.org/schema/beans
            http://www.springframework.org/schema/beans/spring-beans.xsd";>

   <http:conduit name="{http://some.name.space/}SoapPort.http-conduit";>
     <http:client AllowChunking="false" />
     <http:authorization>
       <sec:UserName>username</sec:UserName>
       <sec:Password>password</sec:Password>
       <sec:AuthorizationType>Negotiate</sec:AuthorizationType>
     </http:authorization>
   </http:conduit>

</beans>

Whenever i run my code, i get the following exception:

Caused by: java.lang.RuntimeException: Invalid null input: name
        at
org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getAuthorization(SpnegoAuthSupplier.java:80)
        at
org.apache.cxf.transport.http.HTTPConduit.setHeadersByAuthorizationPolicy(HTTPConduit.java:771)
        at 
org.apache.cxf.transport.http.HTTPConduit.prepare(HTTPConduit.java:541)
        at
org.apache.cxf.interceptor.MessageSenderInterceptor.handleMessage(MessageSenderInterceptor.java:46)
        at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
        at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:519)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:449)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:352)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:304)
        at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:88)
        at 
org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)
        ... 2 more
Caused by: javax.security.auth.login.LoginException: Invalid null input: name
        at javax.security.auth.login.LoginContext.init(LoginContext.java:229)
        at javax.security.auth.login.LoginContext.<init>(LoginContext.java:403)
        at
org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getToken(SpnegoAuthSupplier.java:104)
        at
org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getToken(SpnegoAuthSupplier.java:144)
        at
org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getAuthorization(SpnegoAuthSupplier.java:77)
        ... 12 more

This happens on both Windows and Linux.

krb5.conf/krb5.ini is present and found by Java.

On the other hand, when I leave the Username and password blank i get an
exception that no TGT could be aquired. Anyhow 'klist' on both Windows and
Linux states that there is a TGT available in the cache.

Caused by: java.lang.RuntimeException: No valid credentials provided
(Mechanism level: No valid credentials provided (Mechanism level: Failed to
find any Kerberos tgt))
        at
org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getAuthorization(SpnegoAuthSupplier.java:82)
        at
org.apache.cxf.transport.http.HTTPConduit.setHeadersByAuthorizationPolicy(HTTPConduit.java:771)
        at 
org.apache.cxf.transport.http.HTTPConduit.prepare(HTTPConduit.java:541)
        at
org.apache.cxf.interceptor.MessageSenderInterceptor.handleMessage(MessageSenderInterceptor.java:46)
        at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
        at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:519)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:449)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:352)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:304)
        at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:88)
        at 
org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)
        ... 2 more
Caused by: GSSException: No valid credentials provided (Mechanism level: No
valid credentials provided (Mechanism level: Failed to find any Kerberos tgt))
        at
sun.security.jgss.spnego.SpNegoContext.initSecContext(SpNegoContext.java:450)
        at 
sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
        at 
sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
        at
org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getToken(SpnegoAuthSupplier.java:100)
        at
org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getToken(SpnegoAuthSupplier.java:144)
        at
org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getAuthorization(SpnegoAuthSupplier.java:77)
        ... 12 more
Caused by: GSSException: No valid credentials provided (Mechanism level:
Failed to find any Kerberos tgt)
        at
sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:130)
        at
sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:106)
        at
sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:172)
        at
sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:209)
        at 
sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:195)
        at 
sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
        at
sun.security.jgss.spnego.SpNegoContext.GSS_initSecContext(SpNegoContext.java:851)
        at
sun.security.jgss.spnego.SpNegoContext.initSecContext(SpNegoContext.java:309)
        ... 17 more

Did I miss anything in my configuration?

Thanks in advance!




--
--
Christian Schneider
http://www.liquid-reality.de

Open Source Architect
Talend Application Integration Division http://www.talend.com

Reply via email to