On 2011-9-12, at 9:29 PM, Michael Sliwak wrote:

Ok, this did the trick.

The following steps are necessary:

1) make sure that krb5.conf/krb5.ini is configured correctly for the Kerberos realm you want to authenticate against and supply it to your application by setting the java.security.krb5.conf system property

2) supply a login.conf to your application by setting the java.security.auth.login.config system property, e.g.:

MyConfig {
com.sun.security.auth.module.Krb5LoginModule required client=TRUE useTicketCache=true;
};

3) set up spnego using xml configuration or through code: (e.g. in cxf.xml)

<http:conduit name="*.http-conduit">
  <http:authorization>
    <sec:UserName>username</sec:UserName>
    <sec:Password>password</sec:Password>
    <sec:AuthorizationType>Negotiate</sec:AuthorizationType>
    <sec:Authorization>MyConfig</sec:Authorization>
  </http:authorization>
</http:conduit>

Now Kerberos authentication works when supplying username and password. However using an existing TGT still does not work for me.

Maybe the documentation should be updated accordingly.

Another issue using authentication with the http transport is that it is not possible for me to point the wsdl location for my client directly to the server as it seems that CXF is completely ignoring the authentication challenge when trying to download the wsdl. So I have to download the wsdl manually and place it somewhere local to my application.
Hi,

In this case the "{WSDL Namespace}portName" would never work for
downloading the wsdl as the portName is unknown at that point.
You need to change your http:conduit like
<http-conf:conduit name="https://server_ip:port/.*">
  the "https" prefix here is important.

Freeman
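The three steps in Michael's message above, done through the CXF API instead of cxf.xml, as an added example that is not code from the thread or from the CXF project; it assumes a JAX-WS proxy `port` already created from a locally stored WSDL (as Michael does, since the WSDL download ignores the challenge), a krb5.conf path, and a login.conf containing the MyConfig entry shown above.

```java
// Added example, not from the thread: the three configuration steps done in
// code. Assumes a JAX-WS proxy `port`, a krb5.conf path and a login.conf that
// contains the "MyConfig" entry (the Krb5LoginModule with useTicketCache=true).
import org.apache.cxf.configuration.security.AuthorizationPolicy;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

public final class SpnegoClientSetup {

    /** Steps 1 and 2: point JGSS at the realm config and JAAS at login.conf. */
    public static void configureKerberos(String krb5Conf, String loginConf) {
        System.setProperty("java.security.krb5.conf", krb5Conf);
        System.setProperty("java.security.auth.login.config", loginConf);
    }

    /**
     * Step 3: the AuthorizationPolicy the http:conduit XML above produces.
     * loginEntry is the login.conf section name (sec:Authorization); the thread
     * traces the "Invalid null input: name" LoginException to it being null,
     * so it is rejected up front here instead of failing inside LoginContext.
     */
    public static AuthorizationPolicy negotiatePolicy(String loginEntry,
                                                      String user, String password) {
        if (loginEntry == null || loginEntry.isEmpty()) {
            throw new IllegalArgumentException("login.conf entry name is required for Negotiate");
        }
        AuthorizationPolicy policy = new AuthorizationPolicy();
        policy.setAuthorizationType("Negotiate");   // <sec:AuthorizationType>
        policy.setAuthorization(loginEntry);        // <sec:Authorization>MyConfig</sec:Authorization>
        if (user != null) {                         // omit both to rely on the ticket cache
            policy.setUserName(user);               // (needs useTicketCache=true in login.conf)
            policy.setPassword(password);
        }
        return policy;
    }

    /** Attach the policy to the HTTP conduit behind the JAX-WS proxy. */
    public static void apply(Object port, AuthorizationPolicy policy) {
        Client client = ClientProxy.getClient(port);
        HTTPConduit conduit = (HTTPConduit) client.getConduit();
        conduit.setAuthorization(policy);
    }

    public static void main(String[] args) {
        configureKerberos("/etc/krb5.conf", "login.conf");   // assumed paths
        // Object port = ...; // JAX-WS proxy created from the local WSDL copy
        // apply(port, negotiatePolicy("MyConfig", "username", "password"));
    }
}
```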


On Monday 12 September 2011 15:03:45 Michael Sliwak wrote:
I successfully logged in with Kerberos using httpcomponents-client as
described here http://hc.apache.org/httpcomponents-client-ga/tutorial/html/authentication.html#spnego

After a debugging run it seems that you have to set

<sec:Authorization/>

when using <sec:UserName /> and <sec:Password /> in cxf.xml.
Line 104 in SpnegoAuthSupplier.java creates a new LoginContext with
authPolicy.getAuthorization() as the first constructor argument. Currently
this method returns null as I did not set <sec:Authorization/> in cxf.xml.
Maybe this sets the name for the login.conf section, SampleClient in your
example. I'll give it a try.

On Monday 12 September 2011 14:50:54 Christian Schneider wrote:
I am not sure if it is the login.conf but you need to specify that you
want to use the tgt cache like this:

SampleClient {
    com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true;
};

I am not sure about the name SampleClient above and what you should write
there but the *useTicketCache=true* is important.
I currently have no kerberos environment else I would do a test and let
you know what is necessary.

Btw. Have you tried to do a kerberos login without CXF? The config you
need there should be the same as for cxf.

Christian

On 12.09.2011 14:38, Michael Sliwak wrote:
Hi Christian!

Setting the corresponding registry key on windows does not have any
effect.

Just one quick question before I dive more in to the code of CXF. Do I
have to specify a login.conf for JGSS when using CXF?

The Javadoc for the LoginContext states
(http://download.oracle.com/javase/1.5.0/docs/api/javax/security/auth/login/LoginContext.html#LoginContext(java.lang.String,%20javax.security.auth.callback.CallbackHandler)):

Throws:
LoginException - if the caller-specified name does not appear in the
Configuration and there is no Configuration entry for "other", if the
caller-specified subject is null, or if the
auth.login.defaultCallbackHandler security property was set, but the
implementation class could not be loaded.

I have a slight suspicion that I'm still missing some configuration.

Michael

On Monday 12 September 2011 13:19:16 Christian Schneider wrote:
I am not sure about the first exception. Could you debug into the code
and try to find out more about the point where the exception happens?

About the second problem when using no username and password on windows.
Can you check if you have the registry setting that allows java to use
the tgt?
See: http://www.javaactivedirectory.com/?page_id=93

Christian

On 12.09.2011 13:07, Michael Sliwak wrote:
Hello everyone!

According to
http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-SpnegoAuthentication%28Kerberos%29
CXF should be able to handle Kerberos/SPNEGO authentication when accessing
web services.

I'm trying to access an ASP.NET Web Service that is secured by Kerberos
(Integrated Windows authentication) using CXF.

I have configured everything as stated in the documentation. Here's my
cxf.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:sec="http://cxf.apache.org/configuration/security"
  xmlns:http="http://cxf.apache.org/transports/http/configuration"
  xmlns:jaxws="http://cxf.apache.org/jaxws"
  xsi:schemaLocation="
    http://cxf.apache.org/configuration/security
    http://cxf.apache.org/schemas/configuration/security.xsd
    http://cxf.apache.org/transports/http/configuration
    http://cxf.apache.org/schemas/configuration/http-conf.xsd
    http://cxf.apache.org/jaxws
    http://cxf.apache.org/schemas/jaxws.xsd
    http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans.xsd">

  <http:conduit name="{http://some.name.space/}SoapPort.http-conduit">
    <http:client AllowChunking="false" />
    <http:authorization>
      <sec:UserName>username</sec:UserName>
      <sec:Password>password</sec:Password>
      <sec:AuthorizationType>Negotiate</sec:AuthorizationType>
    </http:authorization>
  </http:conduit>

</beans>

Whenever I run my code, I get the following exception:

Caused by: java.lang.RuntimeException: Invalid null input: name
        at org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getAuthorization(SpnegoAuthSupplier.java:80)
        at org.apache.cxf.transport.http.HTTPConduit.setHeadersByAuthorizationPolicy(HTTPConduit.java:771)
        at org.apache.cxf.transport.http.HTTPConduit.prepare(HTTPConduit.java:541)
        at org.apache.cxf.interceptor.MessageSenderInterceptor.handleMessage(MessageSenderInterceptor.java:46)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
        at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:519)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:449)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:352)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:304)
        at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:88)
        at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)
        ... 2 more
Caused by: javax.security.auth.login.LoginException: Invalid null input: name
        at javax.security.auth.login.LoginContext.init(LoginContext.java:229)
        at javax.security.auth.login.LoginContext.<init>(LoginContext.java:403)
        at org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getToken(SpnegoAuthSupplier.java:104)
        at org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getToken(SpnegoAuthSupplier.java:144)
        at org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getAuthorization(SpnegoAuthSupplier.java:77)
        ... 12 more

This happens on both Windows and Linux.

krb5.conf/krb5.ini is present and found by Java.

On the other hand, when I leave the Username and password blank I
get an exception that no TGT could be acquired. Anyhow 'klist' on
both Windows and Linux states that there is a TGT available in the
cache.

Caused by: java.lang.RuntimeException: No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt))
        at org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getAuthorization(SpnegoAuthSupplier.java:82)
        at org.apache.cxf.transport.http.HTTPConduit.setHeadersByAuthorizationPolicy(HTTPConduit.java:771)
        at org.apache.cxf.transport.http.HTTPConduit.prepare(HTTPConduit.java:541)
        at org.apache.cxf.interceptor.MessageSenderInterceptor.handleMessage(MessageSenderInterceptor.java:46)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
        at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:519)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:449)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:352)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:304)
        at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:88)
        at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)
        ... 2 more
Caused by: GSSException: No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt))
        at sun.security.jgss.spnego.SpNegoContext.initSecContext(SpNegoContext.java:450)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
        at org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getToken(SpnegoAuthSupplier.java:100)
        at org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getToken(SpnegoAuthSupplier.java:144)
        at org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getAuthorization(SpnegoAuthSupplier.java:77)
        ... 12 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
        at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:130)
        at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:106)
        at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:172)
        at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:209)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:195)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
        at sun.security.jgss.spnego.SpNegoContext.GSS_initSecContext(SpNegoContext.java:851)
        at sun.security.jgss.spnego.SpNegoContext.initSecContext(SpNegoContext.java:309)
        ... 17 more

Did I miss anything in my configuration?

Thanks in advance!
--
Michael Sliwak, M.Sc.

Raytion GmbH
Kaiser-Friedrich-Ring 74
40547 Düsseldorf

Fon +49-211-550266-0
Fax +49-211-550266-19

[email protected]
http://www.raytion.com

---------------------------------------------
Freeman Fang

FuseSource
Email:[email protected]
Web: fusesource.com
Twitter: freemanfang
Blog: http://freemanfang.blogspot.com