Re: Client HTTP transport with Kerberos/SPNEGO

Mon, 12 Sep 2011 08:43:57 -0700 

I have updated the documentation in the Wiki:
https://cwiki.apache.org/confluence/display/CXF20DOC/Client+HTTP+Transport+%28including+SSL+support%29
Btw. if you want to help with documentation we can give you access to the Wiki.
It should be possbile to use authentication when retrieving the WSDL. I donĀ“t know you can use Spnego though.
Anyway I would not recommand to use the WSDL from a server directly. Better store the WSDL somewhere and version it separately. So I think it is not so bad to store it with the code. It allows you to see how the WSDL looked like when you compiled. If it changes later and you did not store it then how do you prove that you used the correct WSDL if someone says your client is incorrectly calling the server. 

Christian


Am 12.09.2011 15:29, schrieb Michael Sliwak:

Ok, this did the trick.

The following steps are necessary:

1) make sure that krb5.conf/krb5.ini is configured correctly for the Kerberos 
realm you want to authenticate against
and supply it to your application by setting the java.security.krb5.conf system 
property

2) supply a login.conf to your application by setting the 
java.security.auth.login.config system property, e.g.:

MyConfig {
     com.sun.security.auth.module.Krb5LoginModule required client=TRUE 
useTicketCache=true;
};

3) set up spnego using xml configuration or through code: (e.g. in cxf.xml)

<http:conduit name="*.http-conduit">
     <http:authorization>
       <sec:UserName>username</sec:UserName>
       <sec:Password>password</sec:Password>
       <sec:AuthorizationType>Negotiate</sec:AuthorizationType>
       <sec:Authorization>MyConfig</sec:Authorization>
     </http:authorization>
   </http:conduit>

Now Kerberos authentication works when supplying username and password. However 
using an existing TGT still does not work for me.

Maybe the documentation should be updated accordingly.

Another issue using authentication with the http transport is that it is not 
possible for me to point the wsdl location for my client
directly to the server as it seems that CXF is completely ignoring the 
authentication challenge when trying to download the wsdl.
So I have to download the wsdl manually and place it somewhere local to my 
application.




--
--
Christian Schneider
http://www.liquid-reality.de

Open Source Architect
Talend Application Integration Division http://www.talend.com

Reply via email to