I successfully logged in with Kerberos using httpcomponents-client as described here:
http://hc.apache.org/httpcomponents-client-ga/tutorial/html/authentication.html#spnego

After a debugging run it seems that you have to set

<sec:Authorization/>

when using <sec:UserName /> and <sec:Password /> in cxf.xml.
Line 104 in SpnegoAuthSupplier.java creates a new LoginContext with 
authPolicy.getAuthorization() as the first constructor argument. Currently this 
method returns null as I did not set <sec:Authorization/> in cxf.xml. Maybe 
this sets the name for the login.conf section (SampleClient in your example). 
I'll give it a try.

On Monday 12 September 2011 14:50:54 Christian Schneider wrote:
> I am not sure if it is the login.conf but you need to specify that you
> want to use the tgt cache like this:
> 
> SampleClient {
>      com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true;
> };
> 
> I am not sure about the name SampleClient above and what you should write
> there but the *useTicketCache=true*  is important.
> I currently have no kerberos environment else I would do a test and let you
> know what is necessary.
> 
> Btw. Have you tried to do a kerberos login without CXF? The config you need
> there should be the same as for cxf.
> 
> Christian
> 
> > On 12.09.2011 14:38, Michael Sliwak wrote:
> > Hi Christian!
> > 
> > Setting the corresponding registry key on windows does not have any
> > effect.
> > 
> > Just one quick question before I dive more into the code of CXF. Do I
> > have to specify a login.conf for JGSS when using CXF?
> > 
> > The Javadoc for the LoginContext states
> > (http://download.oracle.com/javase/1,5.0/docs/api/javax/security/auth/login/LoginContext.html#LoginContext(java.lang.String,%20javax.security.auth.callback.CallbackHandler)):
> > 
> > Throws:
> > LoginException - if the caller-specified name does not appear in the
> > Configuration and there is no Configuration entry for "other", if the
> > caller-specified subject is null, or if the
> > auth.login.defaultCallbackHandler security property was set, but the
> > implementation class could not be loaded.
> > 
> > I have a slight suspicion that I'm still missing some configuration.
> > 
> > Michael
> > 
> > On Monday 12 September 2011 13:19:16 Christian Schneider wrote:
> >> I am not sure about the first exception. Could you debug into the code
> >> and try to find out more about the point where the exception happens?
> >> 
> >> About the second problem when using no username and password on
> >> windows.
> >> Can you check if you have the registry setting that allows java to use
> >> the tgt?
> >> See: http://www.javaactivedirectory.com/?page_id=93
> >> 
> >> Christian
> >> 
> >> On 12.09.2011 13:07, Michael Sliwak wrote:
> >>> Hello everyone!
> >>> 
> >>> According to
> >>> http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-SpnegoAuthentication%28Kerberos%29
> >>> CXF should be able to handle Kerberos/SPNEGO authentication when
> >>> accessing web services.
> >>> 
> >>> I'm trying to access an ASP.NET Web Service that is secured by
> >>> Kerberos (Integrated Windows authentication) using CXF.
> >>> 
> >>> I have configured everything as stated in the documentation. Here's
> >>> my cxf.xml
> >>> 
> >>> <?xml version="1.0" encoding="UTF-8"?>
> >>> <beans xmlns="http://www.springframework.org/schema/beans"
> >>>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> >>>     xmlns:sec="http://cxf.apache.org/configuration/security"
> >>>     xmlns:http="http://cxf.apache.org/transports/http/configuration"
> >>>     xmlns:jaxws="http://cxf.apache.org/jaxws"
> >>>     xsi:schemaLocation="
> >>>         http://cxf.apache.org/configuration/security
> >>>         http://cxf.apache.org/schemas/configuration/security.xsd
> >>>         http://cxf.apache.org/transports/http/configuration
> >>>         http://cxf.apache.org/schemas/configuration/http-conf.xsd
> >>>         http://cxf.apache.org/jaxws
> >>>         http://cxf.apache.org/schemas/jaxws.xsd
> >>>         http://www.springframework.org/schema/beans
> >>>         http://www.springframework.org/schema/beans/spring-beans.xsd">
> >>> 
> >>>     <http:conduit name="{http://some.name.space/}SoapPort.http-conduit">
> >>>       <http:client AllowChunking="false" />
> >>>       <http:authorization>
> >>>         <sec:UserName>username</sec:UserName>
> >>>         <sec:Password>password</sec:Password>
> >>>         <sec:AuthorizationType>Negotiate</sec:AuthorizationType>
> >>>       </http:authorization>
> >>>     </http:conduit>
> >>> 
> >>> </beans>
> >>> 
> >>> Whenever I run my code, I get the following exception:
> >>> 
> >>> Caused by: java.lang.RuntimeException: Invalid null input: name
> >>>   at org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getAuthorization(SpnegoAuthSupplier.java:80)
> >>>   at org.apache.cxf.transport.http.HTTPConduit.setHeadersByAuthorizationPolicy(HTTPConduit.java:771)
> >>>   at org.apache.cxf.transport.http.HTTPConduit.prepare(HTTPConduit.java:541)
> >>>   at org.apache.cxf.interceptor.MessageSenderInterceptor.handleMessage(MessageSenderInterceptor.java:46)
> >>>   at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
> >>>   at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:519)
> >>>   at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:449)
> >>>   at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:352)
> >>>   at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:304)
> >>>   at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:88)
> >>>   at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)
> >>>   ... 2 more
> >>> 
> >>> Caused by: javax.security.auth.login.LoginException: Invalid null input: name
> >>>   at javax.security.auth.login.LoginContext.init(LoginContext.java:229)
> >>>   at javax.security.auth.login.LoginContext.<init>(LoginContext.java:403)
> >>>   at org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getToken(SpnegoAuthSupplier.java:104)
> >>>   at org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getToken(SpnegoAuthSupplier.java:144)
> >>>   at org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getAuthorization(SpnegoAuthSupplier.java:77)
> >>>   ... 12 more
> >>> 
> >>> This happens on both Windows and Linux.
> >>> 
> >>> krb5.conf/krb5.ini is present and found by Java.
> >>> 
> >>> On the other hand, when I leave the Username and password blank I
> >>> get an exception that no TGT could be acquired. Anyhow 'klist' on
> >>> both Windows and Linux states that there is a TGT available in the
> >>> cache.
> >>> 
> >>> Caused by: java.lang.RuntimeException: No valid credentials provided
> >>> (Mechanism level: No valid credentials provided (Mechanism level:
> >>> Failed to find any Kerberos tgt))
> >>>   at org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getAuthorization(SpnegoAuthSupplier.java:82)
> >>>   at org.apache.cxf.transport.http.HTTPConduit.setHeadersByAuthorizationPolicy(HTTPConduit.java:771)
> >>>   at org.apache.cxf.transport.http.HTTPConduit.prepare(HTTPConduit.java:541)
> >>>   at org.apache.cxf.interceptor.MessageSenderInterceptor.handleMessage(MessageSenderInterceptor.java:46)
> >>>   at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
> >>>   at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:519)
> >>>   at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:449)
> >>>   at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:352)
> >>>   at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:304)
> >>>   at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:88)
> >>>   at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)
> >>>   ... 2 more
> >>> 
> >>> Caused by: GSSException: No valid credentials provided (Mechanism
> >>> level: No valid credentials provided (Mechanism level: Failed to
> >>> find any Kerberos tgt))
> >>>   at sun.security.jgss.spnego.SpNegoContext.initSecContext(SpNegoContext.java:450)
> >>>   at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
> >>>   at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
> >>>   at org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getToken(SpnegoAuthSupplier.java:100)
> >>>   at org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getToken(SpnegoAuthSupplier.java:144)
> >>>   at org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getAuthorization(SpnegoAuthSupplier.java:77)
> >>>   ... 12 more
> >>> 
> >>> Caused by: GSSException: No valid credentials provided (Mechanism
> >>> level: Failed to find any Kerberos tgt)
> >>>   at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:130)
> >>>   at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:106)
> >>>   at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:172)
> >>>   at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:209)
> >>>   at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:195)
> >>>   at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
> >>>   at sun.security.jgss.spnego.SpNegoContext.GSS_initSecContext(SpNegoContext.java:851)
> >>>   at sun.security.jgss.spnego.SpNegoContext.initSecContext(SpNegoContext.java:309)
> >>>   ... 17 more
> >>> 
> >>> Did I miss anything in my configuration?
> >>> 
> >>> Thanks in advance!
-- 
Michael Sliwak, M.Sc.

Raytion GmbH
Kaiser-Friedrich-Ring 74
40547 Düsseldorf

Fon +49-211-550266-0
Fax +49-211-550266-19

[email protected]
http://www.raytion.com
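
Added example, not part of the original message and not CXF's own code: it shows how the name passed as the first argument to LoginContext selects a login.conf entry, using an in-memory Configuration that holds a single SampleClient entry. The class name JaasEntryNameDemo and the helpers singleEntry and probe are hypothetical; login() is never called, so no KDC or ticket cache is needed to run it.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// Hypothetical demo class (added example, not from the thread or from CXF).
public class JaasEntryNameDemo {

    // In-memory equivalent of a login.conf with exactly one entry:
    //   SampleClient { com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true; };
    static Configuration singleEntry(final String entryName) {
        Map<String, String> options = new HashMap<>();
        options.put("useTicketCache", "true");
        final AppConfigurationEntry[] entries = {
            new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                    LoginModuleControlFlag.REQUIRED, options)
        };
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                // No "other" fallback entry is defined, so unknown names resolve to nothing.
                return entryName.equals(name) ? entries : null;
            }
        };
    }

    // Constructs a LoginContext for the given entry name and reports the outcome.
    // Only the configuration lookup happens here; no authentication is attempted.
    static String probe(String name, Configuration config) {
        try {
            new LoginContext(name, null, null, config);
            return "entry resolved";
        } catch (LoginException e) {
            return "LoginException: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        Configuration config = singleEntry("SampleClient");
        // null models an authorization policy whose name was never set
        System.out.println("null         -> " + probe(null, config));
        // a name with no matching entry and no "other" entry
        System.out.println("WrongName    -> " + probe("WrongName", config));
        // the name that matches the configured entry
        System.out.println("SampleClient -> " + probe("SampleClient", config));
    }
}
```

The null case corresponds to the LoginException in the first stack trace; the unknown-name case is the condition the quoted Javadoc describes.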
