I am not sure if it is the login.conf but you need to specify that you want to use the tgt cache like this:

SampleClient {
    com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true;
};

I am not sure about the name SampleClient above and what you should write there,
but the *useTicketCache=true* is important.
I currently have no Kerberos environment, else I would do a test and let you
know what is necessary.

Btw. Have you tried to do a Kerberos login without CXF? The config you need
there should be the same as for CXF.

Christian




On 12.09.2011 14:38, Michael Sliwak wrote:
Hi Christian!

Setting the corresponding registry key on windows does not have any effect.

Just one quick question before I dive more into the code of CXF. Do I have to
specify a login.conf for JGSS when using CXF?

The Javadoc for the LoginContext states
(http://download.oracle.com/javase/1,5.0/docs/api/javax/security/auth/login/LoginContext.html#LoginContext(java.lang.String,%20javax.security.auth.callback.CallbackHandler)):

Throws:
LoginException - if the caller-specified name does not appear in the
Configuration and there is no Configuration entry for "other", if the
caller-specified subject is null, or if the auth.login.defaultCallbackHandler
security property was set, but the implementation class could not be loaded.

I have a slight suspicion that I'm still missing some configuration.

Michael



On Monday 12 September 2011 13:19:16 Christian Schneider wrote:
I am not sure about the first exception. Could you debug into the code
and try to find out more about the point where the exception happens?

About the second problem when using no username and password on windows.
Can you check if you have the registry setting that allows java to use
the tgt?
See: http://www.javaactivedirectory.com/?page_id=93

Christian

On 12.09.2011 13:07, Michael Sliwak wrote:
Hello everyone!

According to
http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-SpnegoAuthentication%28Kerberos%29
CXF should be able to handle Kerberos/SPNEGO authentication when accessing
web services.

I'm trying to access an ASP.NET Web Service that is secured by Kerberos
(Integrated Windows authentication) using CXF.

I have configured everything as stated in the documentation. Here's my
cxf.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:sec="http://cxf.apache.org/configuration/security"
    xmlns:http="http://cxf.apache.org/transports/http/configuration"
    xmlns:jaxws="http://cxf.apache.org/jaxws"
    xsi:schemaLocation="
        http://cxf.apache.org/configuration/security
        http://cxf.apache.org/schemas/configuration/security.xsd
        http://cxf.apache.org/transports/http/configuration
        http://cxf.apache.org/schemas/configuration/http-conf.xsd
        http://cxf.apache.org/jaxws
        http://cxf.apache.org/schemas/jaxws.xsd
        http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd">

    <http:conduit name="{http://some.name.space/}SoapPort.http-conduit">
      <http:client AllowChunking="false" />
      <http:authorization>
        <sec:UserName>username</sec:UserName>
        <sec:Password>password</sec:Password>
        <sec:AuthorizationType>Negotiate</sec:AuthorizationType>
      </http:authorization>
    </http:conduit>

</beans>

Whenever I run my code, I get the following exception:

Caused by: java.lang.RuntimeException: Invalid null input: name
        at org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getAuthorization(SpnegoAuthSupplier.java:80)
        at org.apache.cxf.transport.http.HTTPConduit.setHeadersByAuthorizationPolicy(HTTPConduit.java:771)
        at org.apache.cxf.transport.http.HTTPConduit.prepare(HTTPConduit.java:541)
        at org.apache.cxf.interceptor.MessageSenderInterceptor.handleMessage(MessageSenderInterceptor.java:46)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
        at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:519)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:449)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:352)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:304)
        at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:88)
        at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)
        ... 2 more

Caused by: javax.security.auth.login.LoginException: Invalid null input: name
        at javax.security.auth.login.LoginContext.init(LoginContext.java:229)
        at javax.security.auth.login.LoginContext.<init>(LoginContext.java:403)
        at org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getToken(SpnegoAuthSupplier.java:104)
        at org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getToken(SpnegoAuthSupplier.java:144)
        at org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getAuthorization(SpnegoAuthSupplier.java:77)
        ... 12 more

This happens on both Windows and Linux.

krb5.conf/krb5.ini is present and found by Java.

On the other hand, when I leave the Username and password blank I get an
exception that no TGT could be acquired. Anyhow 'klist' on both Windows
and Linux states that there is a TGT available in the cache.

Caused by: java.lang.RuntimeException: No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt))
        at org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getAuthorization(SpnegoAuthSupplier.java:82)
        at org.apache.cxf.transport.http.HTTPConduit.setHeadersByAuthorizationPolicy(HTTPConduit.java:771)
        at org.apache.cxf.transport.http.HTTPConduit.prepare(HTTPConduit.java:541)
        at org.apache.cxf.interceptor.MessageSenderInterceptor.handleMessage(MessageSenderInterceptor.java:46)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
        at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:519)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:449)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:352)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:304)
        at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:88)
        at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)
        ... 2 more

Caused by: GSSException: No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt))
        at sun.security.jgss.spnego.SpNegoContext.initSecContext(SpNegoContext.java:450)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
        at org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getToken(SpnegoAuthSupplier.java:100)
        at org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getToken(SpnegoAuthSupplier.java:144)
        at org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getAuthorization(SpnegoAuthSupplier.java:77)
        ... 12 more

Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
        at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:130)
        at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:106)
        at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:172)
        at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:209)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:195)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
        at sun.security.jgss.spnego.SpNegoContext.GSS_initSecContext(SpNegoContext.java:851)
        at sun.security.jgss.spnego.SpNegoContext.initSecContext(SpNegoContext.java:309)
        ... 17 more

Did I miss anything in my configuration?

Thanks in advance!



--
Christian Schneider
http://www.liquid-reality.de

Open Source Architect
Talend Application Integration Division http://www.talend.com
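
The Kerberos login without CXF suggested at the top of this thread, reading the TGT from the ticket cache and then requesting a SPNEGO token, as an added example that is not part of the original mails or of CXF's code. The class name TicketCacheCheck and the host argument are assumptions, the entry name SampleClient is reused from the mail, and Java 9 or later is assumed.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class TicketCacheCheck {
    // Entry name reused from the mail; whether CXF looks up this name is not established there.
    static final String ENTRY = "SampleClient";
    // The login.conf entry expressed in code, so the check needs no external file.
    static Configuration ticketCacheConfig() {
        AppConfigurationEntry entry = new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule",
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                // doNotPrompt makes the login fail instead of asking for a password
                Map.of("useTicketCache", "true", "doNotPrompt", "true"));
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return ENTRY.equals(name) ? new AppConfigurationEntry[] {entry} : null;
            }
        };
    }

    public static void main(String[] args) throws Exception {
        String host = args[0]; // FQDN of the web service host, supplied by the caller
        LoginContext lc = new LoginContext(ENTRY, null, null, ticketCacheConfig());
        lc.login(); // a LoginException here means no usable TGT was found in the cache
        System.out.println("Logged in as " + lc.getSubject().getPrincipals());
        // Request a SPNEGO token for HTTP/<host>, as a Negotiate client would.
        byte[] token = Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<byte[]>) () -> {
            GSSManager manager = GSSManager.getInstance();
            GSSName service = manager.createName("HTTP@" + host, GSSName.NT_HOSTBASED_SERVICE);
            GSSContext ctx = manager.createContext(
                    service, new Oid("1.3.6.1.5.5.2"), null, GSSContext.DEFAULT_LIFETIME);
            try {
                return ctx.initSecContext(new byte[0], 0, 0);
            } finally {
                ctx.dispose();
            }
        });
        System.out.println("SPNEGO token obtained, " + token.length + " bytes (not printed)");
    }
}
```

If `lc.login()` fails here as well, the problem lies in the Kerberos/JAAS setup rather than in CXF; the token itself is a credential and is deliberately not written to the console.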
