Ok, this did the trick.
The following steps are necessary:
1) make sure that krb5.conf/krb5.ini is configured correctly for the Kerberos
realm you want to authenticate against
and supply it to your application by setting the java.security.krb5.conf system
property
2) supply a login.conf to your application by setting the
java.security.auth.login.config system property, e.g.:
MyConfig {
com.sun.security.auth.module.Krb5LoginModule required client=TRUE
useTicketCache=true;
};
3) set up spnego using xml configuration or through code: (e.g. in cxf.xml)
<http:conduit name="*.http-conduit">
<http:authorization>
<sec:UserName>username</sec:UserName>
<sec:Password>password</sec:Password>
<sec:AuthorizationType>Negotiate</sec:AuthorizationType>
<sec:Authorization>MyConfig</sec:Authorization>
</http:authorization>
</http:conduit>
Now Kerberos authentication works when supplying username and password. However,
using an existing TGT still does not work for me.
Maybe the documentation should be updated accordingly.
Another issue using authentication with the http transport is that it is not
possible for me to point the wsdl location for my client
directly to the server as it seems that CXF is completely ignoring the
authentication challenge when trying to download the wsdl.
So I have to download the wsdl manually and place it somewhere local to my
application.
On Monday 12 September 2011 15:03:45 Michael Sliwak wrote:
> I successfully logged in with Kerberos using httpcomponents-client as
> described here http://hc.apache.org/httpcomponents-client-ga/tutorial/html/authentication.html#spnego
>
> After a debugging run it seems that you have to set
>
> <sec:Authorization/>
>
> when using <sec:UserName /> and <sec:Password /> in cxf.xml.
> Line 104 in SpnegoAuthSupplier.java creates a new LoginContext with
> authPolicy.getAuthorization() as the first constructor argument. Currently
> this method returns null as I did not set <sec:Authorization/> in cxf.xml.
> Maybe this sets the name for the login.conf section. SampleClient in your
> example. I'll give it a try.
>
> On Monday 12 September 2011 14:50:54 Christian Schneider wrote:
> > I am not sure if it is the login.conf but you need to specify that you
> > want to use the tgt cache like this:
> >
> > SampleClient {
> >   com.sun.security.auth.module.Krb5LoginModule required *useTicketCache=true*;
> > };
> >
> > I am not sure about the name SampleClient above and what you should write
> > there but the *useTicketCache=true* is important.
> > I currently have no kerberos environment else I would do a test and let
> > you know what is necessary.
> >
> > Btw. Have you tried to do a kerberos login without CXF? The config you
> > need there should be the same as for cxf.
> >
> > Christian
> >
> > Am 12.09.2011 14:38, schrieb Michael Sliwak:
> > > Hi Christian!
> > >
> > > Setting the corresponding registry key on windows does not have any
> > > effect.
> > >
> > > Just one quick question before I dive more in to the code of CXF. Do I
> > > have to specify a login.conf for JGSS when using CXF?
> > >
> > > The Javadoc for the LoginContext states
> > > (http://download.oracle.com/javase/1.5.0/docs/api/javax/security/auth/login/LoginContext.html#LoginContext(java.lang.String,%20javax.security.auth.callback.CallbackHandler)):
> > >
> > > Throws:
> > > LoginException - if the caller-specified name does not appear in the
> > > Configuration and there is no Configuration entry for "other", if the
> > > caller-specified subject is null, or if the
> > > auth.login.defaultCallbackHandler security property was set, but the
> > > implementation class could not be loaded.
> > >
> > > I have a slight suspicion that I'm still missing some configuration.
> > >
> > > Michael
> > >
> > > On Monday 12 September 2011 13:19:16 Christian Schneider wrote:
> > >> I am not sure about the first exception. Could you debug into the code
> > >> and try to find out more about the point where the exception happens?
> > >>
> > >> About the second problem when using no username and password on windows.
> > >> Can you check if you have the registry setting that allows java to use
> > >> the tgt?
> > >> See: http://www.javaactivedirectory.com/?page_id=93
> > >>
> > >> Christian
> > >>
> > >> Am 12.09.2011 13:07, schrieb Michael Sliwak:
> > >>> Hello everyone!
> > >>>
> > >>> According to
> > >>> http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-SpnegoAuthentication%28Kerberos%29
> > >>> CXF should be able to handle Kerberos/SPNEGO authentication when accessing web services.
> > >>>
> > >>> I'm trying to access an ASP.NET Web Service that is secured by Kerberos
> > >>> (Integrated Windows authentication) using CXF.
> > >>>
> > >>> I have configured everything as stated in the documentation. Here's my
> > >>> cxf.xml
> > >>>
> > >>> <?xml version="1.0" encoding="UTF-8"?>
> > >>> <beans xmlns="http://www.springframework.org/schema/beans"
> > >>>   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> > >>>   xmlns:sec="http://cxf.apache.org/configuration/security"
> > >>>   xmlns:http="http://cxf.apache.org/transports/http/configuration"
> > >>>   xmlns:jaxws="http://cxf.apache.org/jaxws"
> > >>>   xsi:schemaLocation="
> > >>>     http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd
> > >>>     http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd
> > >>>     http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd
> > >>>     http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
> > >>>
> > >>>   <http:conduit name="{http://some.name.space/}SoapPort.http-conduit">
> > >>>     <http:client AllowChunking="false" />
> > >>>     <http:authorization>
> > >>>       <sec:UserName>username</sec:UserName>
> > >>>       <sec:Password>password</sec:Password>
> > >>>       <sec:AuthorizationType>Negotiate</sec:AuthorizationType>
> > >>>     </http:authorization>
> > >>>   </http:conduit>
> > >>> </beans>
> > >>>
> > >>> Whenever I run my code, I get the following exception:
> > >>>
> > >>> Caused by: java.lang.RuntimeException: Invalid null input: name
> > >>>   at org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getAuthorization(SpnegoAuthSupplier.java:80)
> > >>>   at org.apache.cxf.transport.http.HTTPConduit.setHeadersByAuthorizationPolicy(HTTPConduit.java:771)
> > >>>   at org.apache.cxf.transport.http.HTTPConduit.prepare(HTTPConduit.java:541)
> > >>>   at org.apache.cxf.interceptor.MessageSenderInterceptor.handleMessage(MessageSenderInterceptor.java:46)
> > >>>   at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
> > >>>   at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:519)
> > >>>   at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:449)
> > >>>   at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:352)
> > >>>   at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:304)
> > >>>   at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:88)
> > >>>   at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)
> > >>>   ... 2 more
> > >>> Caused by: javax.security.auth.login.LoginException: Invalid null input: name
> > >>>   at javax.security.auth.login.LoginContext.init(LoginContext.java:229)
> > >>>   at javax.security.auth.login.LoginContext.<init>(LoginContext.java:403)
> > >>>   at org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getToken(SpnegoAuthSupplier.java:104)
> > >>>   at org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getToken(SpnegoAuthSupplier.java:144)
> > >>>   at org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getAuthorization(SpnegoAuthSupplier.java:77)
> > >>>   ... 12 more
> > >>>
> > >>> This happens on both Windows and Linux.
> > >>>
> > >>> krb5.conf/krb5.ini is present and found by Java.
> > >>>
> > >>> On the other hand, when I leave the Username and password blank I
> > >>> get an exception that no TGT could be acquired. Anyhow 'klist' on
> > >>> both Windows and Linux states that there is a TGT available in the
> > >>> cache.
> > >>>
> > >>> Caused by: java.lang.RuntimeException: No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt))
> > >>>   at org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getAuthorization(SpnegoAuthSupplier.java:82)
> > >>>   at org.apache.cxf.transport.http.HTTPConduit.setHeadersByAuthorizationPolicy(HTTPConduit.java:771)
> > >>>   at org.apache.cxf.transport.http.HTTPConduit.prepare(HTTPConduit.java:541)
> > >>>   at org.apache.cxf.interceptor.MessageSenderInterceptor.handleMessage(MessageSenderInterceptor.java:46)
> > >>>   at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
> > >>>   at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:519)
> > >>>   at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:449)
> > >>>   at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:352)
> > >>>   at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:304)
> > >>>   at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:88)
> > >>>   at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)
> > >>>   ... 2 more
> > >>> Caused by: GSSException: No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt))
> > >>>   at sun.security.jgss.spnego.SpNegoContext.initSecContext(SpNegoContext.java:450)
> > >>>   at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
> > >>>   at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
> > >>>   at org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getToken(SpnegoAuthSupplier.java:100)
> > >>>   at org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getToken(SpnegoAuthSupplier.java:144)
> > >>>   at org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getAuthorization(SpnegoAuthSupplier.java:77)
> > >>>   ... 12 more
> > >>> Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
> > >>>   at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:130)
> > >>>   at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:106)
> > >>>   at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:172)
> > >>>   at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:209)
> > >>>   at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:195)
> > >>>   at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
> > >>>   at sun.security.jgss.spnego.SpNegoContext.GSS_initSecContext(SpNegoContext.java:851)
> > >>>   at sun.security.jgss.spnego.SpNegoContext.initSecContext(SpNegoContext.java:309)
> > >>>   ... 17 more
> > >>>
> > >>> Did I miss anything in my configuration?
> > >>>
> > >>> Thanks in advance!
--
Michael Sliwak, M.Sc.
Raytion GmbH
Kaiser-Friedrich-Ring 74
40547 Düsseldorf
Fon +49-211-550266-0
Fax +49-211-550266-19
[email protected]
http://www.raytion.com
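Both failures in this thread come from configuration gaps rather than from the KDC: a missing <sec:Authorization> leaves the JAAS LoginContext without a name ("Invalid null input: name"), and a login.conf entry without useTicketCache=true gives Krb5LoginModule no credentials to use when no UserName/Password is set ("Failed to find any Kerberos tgt"). The checker below is added here as an example; it is not part of the thread or of CXF. It reads a cxf.xml and a login.conf and reports those two mismatches before the client is run, plus a missing or non-Kerberos login.conf entry. It assumes the namespaces from the cxf.xml quoted above, uses a simplified JAAS parser written for this example (not the JDK's own ConfigFile parser), and the sample configurations are constructed from the ones in the thread.

```python
import re
import shlex
import xml.etree.ElementTree as ET

# Namespaces used by CXF's http-conduit configuration (taken from the cxf.xml in the thread).
SEC_NS = "http://cxf.apache.org/configuration/security"
HTTP_NS = "http://cxf.apache.org/transports/http/configuration"


def parse_login_conf(text):
    """Parse a JAAS login.conf into {entry_name: [{"module", "flag", "options"}]}.

    Simplified parser for this example: handles  Name { module flag key=value ...; };
    entries and // comments, which covers the configurations in the thread.
    """
    text = re.sub(r"//[^\n]*", "", text)
    entries = {}
    for m in re.finditer(r"([\w.]+)\s*\{(.*?)\}\s*;", text, re.S):
        name, body = m.group(1), m.group(2)
        modules = []
        for stmt in body.split(";"):
            tokens = shlex.split(stmt)          # shlex strips quotes around option values
            if len(tokens) < 2:
                continue
            options = dict(tok.partition("=")[::2] for tok in tokens[2:])
            modules.append({"module": tokens[0], "flag": tokens[1].lower(), "options": options})
        entries[name] = modules
    return entries


def parse_conduits(cxf_xml):
    """Extract the <http:authorization> policy of every <http:conduit> in a cxf.xml."""
    root = ET.fromstring(cxf_xml)
    conduits = []
    for conduit in root.iter(f"{{{HTTP_NS}}}conduit"):
        auth = conduit.find(f"{{{HTTP_NS}}}authorization")
        if auth is None:
            continue

        def text_of(tag):
            el = auth.find(f"{{{SEC_NS}}}{tag}")
            return el.text.strip() if el is not None and el.text else None

        conduits.append({
            "name": conduit.get("name"),
            "username": text_of("UserName"),
            "password": text_of("Password"),
            "type": text_of("AuthorizationType"),
            "authorization": text_of("Authorization"),
        })
    return conduits


def check_spnego_config(cxf_xml, login_conf):
    """Return a list of findings; an empty list means the Negotiate conduits look consistent."""
    findings = []
    entries = parse_login_conf(login_conf)
    for c in parse_conduits(cxf_xml):
        if (c["type"] or "").lower() != "negotiate":
            continue
        name = c["authorization"]
        if not name:
            # This value becomes the LoginContext name; absent -> "Invalid null input: name".
            findings.append(f"{c['name']}: <sec:Authorization> is missing, so the JAAS LoginContext gets a null name")
            continue
        modules = entries.get(name)
        if modules is None:
            findings.append(f"{c['name']}: login.conf has no entry named '{name}'")
            continue
        krb5 = [m for m in modules if m["module"].endswith("Krb5LoginModule")]
        if not krb5:
            findings.append(f"{c['name']}: entry '{name}' does not use Krb5LoginModule")
            continue
        if c["username"] is None and c["password"] is None:
            # Ticket-cache path: without useTicketCache=true the module has no
            # credentials to present -> "Failed to find any Kerberos tgt".
            if not any(m["options"].get("useTicketCache", "").lower() == "true" for m in krb5):
                findings.append(f"{c['name']}: no UserName/Password configured and entry '{name}' lacks useTicketCache=true")
    return findings


# Constructed sample inputs, modelled on the configurations quoted in the thread.
LOGIN_CONF = """
MyConfig {
  com.sun.security.auth.module.Krb5LoginModule required client=TRUE useTicketCache=true;
};
"""
LOGIN_CONF_NO_CACHE = """
MyConfig {
  com.sun.security.auth.module.Krb5LoginModule required client=TRUE;
};
"""


def conduit_xml(*auth_children):
    """Build a minimal cxf.xml with one Negotiate conduit and the given <sec:...> children."""
    return (
        f'<beans xmlns="http://www.springframework.org/schema/beans" '
        f'xmlns:sec="{SEC_NS}" xmlns:http="{HTTP_NS}">'
        '<http:conduit name="*.http-conduit"><http:authorization>'
        '<sec:AuthorizationType>Negotiate</sec:AuthorizationType>'
        + "".join(auth_children) +
        "</http:authorization></http:conduit></beans>"
    )


# The original post's config: UserName/Password but no <sec:Authorization>.
CXF_XML_BROKEN = conduit_xml("<sec:UserName>username</sec:UserName>", "<sec:Password>password</sec:Password>")
# The working config from the top of the thread.
CXF_XML_FIXED = conduit_xml("<sec:UserName>username</sec:UserName>", "<sec:Password>password</sec:Password>",
                            "<sec:Authorization>MyConfig</sec:Authorization>")
# Ticket-cache-only variant: no credentials in cxf.xml, rely on an existing TGT.
CXF_XML_TGT = conduit_xml("<sec:Authorization>MyConfig</sec:Authorization>")

if __name__ == "__main__":
    for label, xml, conf in [("broken", CXF_XML_BROKEN, LOGIN_CONF), ("fixed", CXF_XML_FIXED, LOGIN_CONF),
                             ("tgt/no-cache", CXF_XML_TGT, LOGIN_CONF_NO_CACHE)]:
        print(label, check_spnego_config(xml, conf) or "OK")
```

Run it against the real files (read them from the paths set in java.security.auth.login.config and your cxf.xml) before starting the client: an empty result means the conduit, the JAAS entry name and the ticket-cache option line up, which is exactly the combination the thread arrived at.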