The problem is that CXF currently doesn't support a security policy that
contains a KerberosToken SupportingToken without a security binding. I've
just merged a fix (details here):

https://issues.apache.org/jira/browse/CXF-4786

So your options are to either try it with the latest CXF SNAPSHOT version
or else to use a security binding with your SupportingToken policy (some
examples are here:
http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/kerberos/DoubleItKerberos.wsdl?view=markup
)

Colm.

On Mon, Jan 28, 2013 at 7:43 AM, Florin Pop <[email protected]> wrote:

> Hello!
> My name is Florin, I'm from Romania and I'm currently involved in a
> project where I have to implement Kerberos Authentication in WebServices.
> Therefore, I started to develop a ws-client using Apache CXF. You can see
> the configuration below.
>
> <jaxws:client name="{http://ws.ebs.com/}HelloWorldImplPort"
>     createdFromAPI="true">
>   <jaxws:properties>
>     <entry key="ws-security.kerberos.client">
>       <bean class="org.apache.cxf.ws.security.kerberos.KerberosClient">
>         <constructor-arg ref="cxf" />
>         <property name="contextName" value="client" />
>         <property name="serviceName" value="webserver" />
>         <property name="callbackHandler" ref="fasole2" />
>       </bean>
>     </entry>
>   </jaxws:properties>
> </jaxws:client>
>
> <bean name="fasole2"
>     class="com.ebs.kerberos.apacheCXF.KerberosCallbackHandler" />
>
>
> *Then, I added a policy to my WSDL (which was also referenced like below -
> I wrote it all by hand)*
>
> <wsp:Policy wsu:Id="Politica">
>   <wsp:ExactlyOne>
>     <wsp:All>
>       <sp:SupportingTokens>
>         <wsp:Policy>
>           <sp:KerberosToken
>               sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>             <wsp:Policy>
>               <sp:WssGssKerberosV5ApReqToken11 />
>             </wsp:Policy>
>           </sp:KerberosToken>
>         </wsp:Policy>
>       </sp:SupportingTokens>
>     </wsp:All>
>   </wsp:ExactlyOne>
> </wsp:Policy>
>
>
> <binding name="HelloWorldImplPortBinding" type="tns:HelloWorld">
>
>   <wsp:PolicyReference URI="#Politica" />
>
>   <soap:binding transport="http://schemas.xmlsoap.org/soap/http"
>       style="rpc" />
>   <operation name="authenticateUser">
>     <soap:operation soapAction="" />
>     <input>
>       <soap:body use="literal" namespace="http://ws.ebs.com/" />
>     </input>
>     <output>
>       <soap:body use="literal" namespace="http://ws.ebs.com/" />
>     </output>
>   </operation>
> </binding>
> <service name="HelloWorldImplService">
>   <port name="HelloWorldImplPort" binding="tns:HelloWorldImplPortBinding">
>     <soap:address location="http://localhost:9000/external/service/soap" />
>   </port>
> </service>
>
> *And finally, I used something like this to call the web service.*
> // Load the Spring bus configuration that carries the Kerberos client settings
> SpringBusFactory bf = new SpringBusFactory();
> URL busFile = KerberosTokenTest.class.getResource("client5.xml");
> Bus bus = bf.createBus(busFile.toString());
> SpringBusFactory.setDefaultBus(bus);
> SpringBusFactory.setThreadDefaultBus(bus);
>
> // Create the client proxy from the published WSDL and call the operation
> URL wsdl = new URL("http://localhost:9000/ws/hello?wsdl");
> QName serviceName = new QName("http://ws.ebs.com/",
>     "HelloWorldImplService");
> Service service = Service.create(wsdl, serviceName);
> HelloWorld hello = service.getPort(HelloWorld.class);
> hello.authenticateUser();
> ((java.io.Closeable) hello).close();
> bus.shutdown(true);
>
>
> *The problem is that the service is created, it authenticates with the
> Apache Directory Server, it receives a Kerberos ticket, but the security
> token is not added to the SOAP Header. Below is all I have listed on the
> console.*
>
> *Thank you in advance!! Please help me to understand why the envelope is
> not constructed although the client gets the ticket.*
>
> Jan 25, 2013 9:14:29 AM
> org.springframework.context.support.AbstractApplicationContext
> prepareRefresh
> INFO: Refreshing org.apache.cxf.bus.spring.BusApplicationContext@68f1e723:
> startup date [Fri Jan 25 09:14:29 EET 2013]; root of context hierarchy
> Jan 25, 2013 9:14:29 AM org.apache.cxf.bus.spring.BusApplicationContext
> getConfigResources
> INFO: Loaded configuration file
>
> file:/D:/workspace/ZMaven/aplicatieMvn/target/classes/com/ebs/kerberos/apacheCXF/client5.xml.
> Jan 25, 2013 9:14:29 AM
> org.springframework.beans.factory.xml.XmlBeanDefinitionReader
> loadBeanDefinitions
> INFO: Loading XML bean definitions from class path resource
> [META-INF/cxf/cxf.xml]
> Jan 25, 2013 9:14:29 AM
> org.springframework.beans.factory.xml.XmlBeanDefinitionReader
> loadBeanDefinitions
> INFO: Loading XML bean definitions from class path resource
> [META-INF/cxf/cxf-extension-wstx-msv-validation.xml]
> Jan 25, 2013 9:14:29 AM
> org.springframework.beans.factory.xml.XmlBeanDefinitionReader
> loadBeanDefinitions
> INFO: Loading XML bean definitions from URL
>
> [file:/D:/workspace/ZMaven/aplicatieMvn/target/classes/com/ebs/kerberos/apacheCXF/client5.xml]
> Jan 25, 2013 9:14:29 AM
> org.springframework.beans.factory.xml.XmlBeanDefinitionReader
> loadBeanDefinitions
> INFO: Loading XML bean definitions from class path resource
> [META-INF/cxf/cxf.xml]
> Jan 25, 2013 9:14:29 AM
> org.springframework.beans.factory.support.DefaultListableBeanFactory
> registerBeanDefinition
> INFO: Overriding bean definition for bean 'cxf': replacing [Generic bean:
> class [org.apache.cxf.bus.spring.SpringBus]; scope=; abstract=false;
> lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true;
> primary=false; factoryBeanName=null; factoryMethodName=null;
> initMethodName=null; destroyMethodName=shutdown; defined in class path
> resource [META-INF/cxf/cxf.xml]] with [Generic bean: class
> [org.apache.cxf.bus.spring.SpringBus]; scope=; abstract=false;
> lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true;
> primary=false; factoryBeanName=null; factoryMethodName=null;
> initMethodName=null; destroyMethodName=shutdown; defined in class path
> resource [META-INF/cxf/cxf.xml]]
> Jan 25, 2013 9:14:29 AM
> org.springframework.beans.factory.support.DefaultListableBeanFactory
> registerBeanDefinition
> INFO: Overriding bean definition for bean
> 'org.apache.cxf.bus.spring.BusWiringBeanFactoryPostProcessor': replacing
> [Generic bean: class
> [org.apache.cxf.bus.spring.BusWiringBeanFactoryPostProcessor]; scope=;
> abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0;
> autowireCandidate=true; primary=false; factoryBeanName=null;
> factoryMethodName=null; initMethodName=null; destroyMethodName=null;
> defined in class path resource [META-INF/cxf/cxf.xml]] with [Generic bean:
> class [org.apache.cxf.bus.spring.BusWiringBeanFactoryPostProcessor];
> scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0;
> autowireCandidate=true; primary=false; factoryBeanName=null;
> factoryMethodName=null; initMethodName=null; destroyMethodName=null;
> defined in class path resource [META-INF/cxf/cxf.xml]]
> Jan 25, 2013 9:14:29 AM
> org.springframework.beans.factory.support.DefaultListableBeanFactory
> registerBeanDefinition
> INFO: Overriding bean definition for bean
> 'org.apache.cxf.bus.spring.Jsr250BeanPostProcessor': replacing [Generic
> bean: class [org.apache.cxf.bus.spring.Jsr250BeanPostProcessor]; scope=;
> abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0;
> autowireCandidate=true; primary=false; factoryBeanName=null;
> factoryMethodName=null; initMethodName=null; destroyMethodName=null;
> defined in class path resource [META-INF/cxf/cxf.xml]] with [Generic bean:
> class [org.apache.cxf.bus.spring.Jsr250BeanPostProcessor]; scope=;
> abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0;
> autowireCandidate=true; primary=false; factoryBeanName=null;
> factoryMethodName=null; initMethodName=null; destroyMethodName=null;
> defined in class path resource [META-INF/cxf/cxf.xml]]
> Jan 25, 2013 9:14:29 AM
> org.springframework.beans.factory.support.DefaultListableBeanFactory
> registerBeanDefinition
> INFO: Overriding bean definition for bean
> 'org.apache.cxf.bus.spring.BusExtensionPostProcessor': replacing [Generic
> bean: class [org.apache.cxf.bus.spring.BusExtensionPostProcessor]; scope=;
> abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0;
> autowireCandidate=true; primary=false; factoryBeanName=null;
> factoryMethodName=null; initMethodName=null; destroyMethodName=null;
> defined in class path resource [META-INF/cxf/cxf.xml]] with [Generic bean:
> class [org.apache.cxf.bus.spring.BusExtensionPostProcessor]; scope=;
> abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0;
> autowireCandidate=true; primary=false; factoryBeanName=null;
> factoryMethodName=null; initMethodName=null; destroyMethodName=null;
> defined in class path resource [META-INF/cxf/cxf.xml]]
> Jan 25, 2013 9:14:29 AM
> org.springframework.beans.factory.support.DefaultListableBeanFactory
> preInstantiateSingletons
> INFO: Pre-instantiating singletons in
>
> org.springframework.beans.factory.support.DefaultListableBeanFactory@5a05fffe
> :
> defining beans
>
> [cxf,org.apache.cxf.bus.spring.BusWiringBeanFactoryPostProcessor,org.apache.cxf.bus.spring.Jsr250BeanPostProcessor,org.apache.cxf.bus.spring.BusExtensionPostProcessor,org.apache.cxf.wstx_msv_validation.WoodstoxValidationImpl,cxf.config0,{
>
> http://ws.ebs.com/}HelloWorldImplPort.jaxws-client.proxyFactory,{http://ws.ebs.com/}HelloWorldImplPort.jaxws-client,fasole2
> ];
> root of factory hierarchy
> Jan 25, 2013 9:14:30 AM
> org.apache.cxf.service.factory.ReflectionServiceFactoryBean
> buildServiceFromWSDL
> INFO: Creating Service {http://ws.ebs.com/}HelloWorldImplService from
> WSDL:
> http://localhost:9000/ws/hello?wsdl
> Jan 25, 2013 9:14:31 AM
> org.apache.cxf.service.factory.ReflectionServiceFactoryBean
> buildServiceFromWSDL
> INFO: Creating Service {http://ws.ebs.com/}HelloWorldImplService from
> WSDL:
> http://localhost:9000/ws/hello?wsdl
> Config name: C:\Windows\krb5.ini
> >>> KdcAccessibility: reset
> Using builtin default etypes for default_tkt_enctypes
> default etypes for default_tkt_enctypes: 17 16 23 1 3.
> >>> KrbAsReq creating message
> >>> KrbKdcReq send: kdc=127.0.0.1 UDP:88, timeout=30000, number of retries
> =3, #bytes=145
> >>> KDCCommunication: kdc=127.0.0.1 UDP:88, timeout=30000,Attempt =1,
> #bytes=145
> >>> KrbKdcReq send: #bytes read=173
> >>>Pre-Authentication Data:
>  PA-DATA type = 2
>  PA-ENC-TIMESTAMP
> >>>Pre-Authentication Data:
>  PA-DATA type = 11
>  PA-ETYPE-INFO etype = 3, salt = null
>
> >>> KdcAccessibility: remove 127.0.0.1
> >>> KDCRep: init() encoding tag is 126 req type is 11
> >>>KRBError:
>  sTime is Fri Jan 25 09:14:31 EET 2013 1359098071000
>  suSec is 0
>  error code is 25
>  error Message is Additional pre-authentication required
>  realm is EXAMPLE.COM
>  sname is krbtgt/EXAMPLE.COM
>  eData provided.
>  msgType is 30
> >>>Pre-Authentication Data:
>  PA-DATA type = 2
>  PA-ENC-TIMESTAMP
> >>>Pre-Authentication Data:
>  PA-DATA type = 11
>  PA-ETYPE-INFO etype = 3, salt = null
>
> KRBError received: Additional pre-authentication required
> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
> Using builtin default etypes for default_tkt_enctypes
> default etypes for default_tkt_enctypes: 17 16 23 1 3.
> Using builtin default etypes for default_tkt_enctypes
> default etypes for default_tkt_enctypes: 17 16 23 1 3.
> >>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
> >>> KrbAsReq creating message
> >>> KrbKdcReq send: kdc=127.0.0.1 UDP:88, timeout=30000, number of retries
> =3, #bytes=227
> >>> KDCCommunication: kdc=127.0.0.1 UDP:88, timeout=30000,Attempt =1,
> #bytes=227
> >>> KrbKdcReq send: #bytes read=495
> >>> KdcAccessibility: remove 127.0.0.1
> >>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
> >>> KrbAsRep cons in KrbAsReq.getReply monkey
> Found ticket for [email protected] to go to
> krbtgt/[email protected] expiring
> on Sat Jan 26 09:14:31 EET 2013
> Entered Krb5Context.initSecContext with state=STATE_NEW
> Found ticket for [email protected] to go to
> krbtgt/[email protected] expiring
> on Sat Jan 26 09:14:31 EET 2013
> Service ticket not found in the subject
> >>> Credentials acquireServiceCreds: same realm
> Using builtin default etypes for default_tgs_enctypes
> default etypes for default_tgs_enctypes: 17 16 23 1 3.
> >>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
> >>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
> >>> KrbKdcReq send: kdc=127.0.0.1 UDP:88, timeout=30000, number of retries
> =3, #bytes=562
> >>> KDCCommunication: kdc=127.0.0.1 UDP:88, timeout=30000,Attempt =1,
> #bytes=562
> >>> KrbKdcReq send: #bytes read=542
> >>> KdcAccessibility: remove 127.0.0.1
> >>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
> >>> KrbApReq: APOptions are 00000000 00000000 00000000 00000000
> >>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
> Krb5Context setting mySeqNumber to: 246315490
> Krb5Context setting peerSeqNumber to: 0
> Created InitSecContextToken:
>
> SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
> SLF4J: Defaulting to no-operation (NOP) logger implementation
> SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further
> details.
> Jan 25, 2013 9:14:32 AM
> org.apache.cxf.services.HelloWorldImplService.HelloWorldImplPort.HelloWorld
> INFO: Outbound Message
> ---------------------------
> ID: 1
> Address: http://localhost:9000/external/service/soap
> Encoding: UTF-8
> Content-Type: text/xml
> Headers: {Accept=[*/*], SOAPAction=[""]}
> Payload: <soap:Envelope xmlns:soap="
> http://schemas.xmlsoap.org/soap/envelope/
> "><soap:Header/><soap:Body><ns1:authenticateUser
> xmlns:ns1="http://ws.ebs.com/"/></soap:Body></soap:Envelope>
> --------------------------------------
> Jan 25, 2013 9:14:33 AM
> org.apache.cxf.services.HelloWorldImplService.HelloWorldImplPort.HelloWorld
> INFO: Inbound Message
> ----------------------------
> ID: 1
> Response-Code: 200
> Encoding: ISO-8859-1
> Content-Type: text/xml
> Headers: {Content-Length=[265], content-type=[text/xml]}
> Payload: <?xml version="1.0" ?><S:Envelope xmlns:S="
> http://schemas.xmlsoap.org/soap/envelope/
> "><S:Body><ns2:authenticateUserResponse
> xmlns:ns2="http://ws.ebs.com/"><return>Metoda authenticateUser() a fost
> apelata</return></ns2:authenticateUserResponse></S:Body></S:Envelope>
> --------------------------------------
> Jan 25, 2013 9:14:33 AM
> org.springframework.context.support.AbstractApplicationContext doClose
> INFO: Closing org.apache.cxf.bus.spring.BusApplicationContext@68f1e723:
> startup date [Fri Jan 25 09:14:29 EET 2013]; root of context hierarchy
> Jan 25, 2013 9:14:33 AM
> org.springframework.beans.factory.support.DefaultSingletonBeanRegistry
> destroySingletons
> INFO: Destroying singletons in
>
> org.springframework.beans.factory.support.DefaultListableBeanFactory@5a05fffe
> :
> defining beans
>
> [cxf,org.apache.cxf.bus.spring.BusWiringBeanFactoryPostProcessor,org.apache.cxf.bus.spring.Jsr250BeanPostProcessor,org.apache.cxf.bus.spring.BusExtensionPostProcessor,org.apache.cxf.wstx_msv_validation.WoodstoxValidationImpl,cxf.config0,{
>
> http://ws.ebs.com/}HelloWorldImplPort.jaxws-client.proxyFactory,{http://ws.ebs.com/}HelloWorldImplPort.jaxws-client,fasole2
> ];
> root of factory hierarchy
> LSA: Found Ticket
> LSA: Made NewWeakGlobalRef
> LSA: Found PrincipalName
> LSA: Made NewWeakGlobalRef
> LSA: Found DerValue
> LSA: Made NewWeakGlobalRef
> LSA: Found EncryptionKey
> LSA: Made NewWeakGlobalRef
> LSA: Found TicketFlags
> LSA: Made NewWeakGlobalRef
> LSA: Found KerberosTime
> LSA: Made NewWeakGlobalRef
> LSA: Found String
> LSA: Made NewWeakGlobalRef
> LSA: Found DerValue constructor
> LSA: Found Ticket constructor
> LSA: Found PrincipalName constructor
> LSA: Found EncryptionKey constructor
> LSA: Found TicketFlags constructor
> LSA: Found KerberosTime constructor
> LSA: Finished OnLoad processing
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
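
One way to follow the second option in the reply above, as an added example (not taken from the thread or from the linked CXF test WSDL): the poster's SupportingTokens assertion kept unchanged and placed beside a TransportBinding in the same policy alternative. It assumes the endpoint is served over HTTPS rather than the `http://localhost:9000` address in the original WSDL, that the `wsp`, `wsu` and `sp` prefixes are bound as in the poster's WSDL, and the algorithm suite, layout and timestamp choices are illustrative.

```xml
<!-- Added example: security binding + Kerberos supporting token.
     Assumption: the service address uses https://, because HttpsToken
     asserts that the message travels over TLS. -->
<wsp:Policy wsu:Id="Politica">
  <wsp:ExactlyOne>
    <wsp:All>
      <!-- The security binding that was missing from the original policy -->
      <sp:TransportBinding>
        <wsp:Policy>
          <sp:TransportToken>
            <wsp:Policy>
              <sp:HttpsToken>
                <wsp:Policy/>
              </sp:HttpsToken>
            </wsp:Policy>
          </sp:TransportToken>
          <!-- Illustrative choices, not values from the thread -->
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic128/>
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy>
              <sp:Lax/>
            </wsp:Policy>
          </sp:Layout>
          <sp:IncludeTimestamp/>
        </wsp:Policy>
      </sp:TransportBinding>
      <!-- Unchanged from the poster's policy -->
      <sp:SupportingTokens>
        <wsp:Policy>
          <sp:KerberosToken
              sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
            <wsp:Policy>
              <sp:WssGssKerberosV5ApReqToken11/>
            </wsp:Policy>
          </sp:KerberosToken>
        </wsp:Policy>
      </sp:SupportingTokens>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
```

With a policy of this shape in effect, the logged outbound message is the place to confirm the result: the `<soap:Header/>` that was empty in the console output above should now carry a security header with the Kerberos token.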
