FYI, this is how it is picked up in the test:
    String jaasConfig = JAXRSKerberosBookTest.class
        .getResource("/org/apache/cxf/systest/jaxrs/security/kerberos.cfg").toURI().getPath();
    System.setProperty("java.security.auth.login.config", jaasConfig);
You may want to try to move the config file to main resources, so that
it will end up in WEB-INF/classes; it must be something to do with the
resource location.
Cheers, Sergey
On 12/01/14 19:22, Sergey Beryozkin wrote:
Hi
It does seem that a context configuration is not found.
It is unfortunate that only the LoginException handler loses the
exception info; the other handlers at least log the exception message. I
will fix it; in the meantime I can only suggest to either
- try to debug with the CXF source, that would be the best option
- try to register javax.security.auth.login.Configuration implementation
(via the loginConfig property) instead of setting the loginContextName
property
Give it a try please and let us know the result, we can try and narrow
the problem somehow if the above does not help
Cheers, Sergey
On 08/01/14 10:00, Paul O'Brien wrote:
Hi All,
Trying to set up CXF JAXRS with Kerberos authentication (Active Directory
KDC), the CXF endpoint works fine however I'm unable to successfully
authenticate once the Kerberos Filter is activated.
Using the sample code on the Apache CXF project homepage as a guide:
http://cxf.apache.org/docs/jaxrs-kerberos.html
My project cxf-servlet.conf file has the Kerberos filter enabled as per
below:
    <bean id="kerberosFilter"
          class="org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter">
        <property name="loginContextName" value="KerberosServer"/>
    </bean>
    <jaxrs:server>
        <jaxrs:serviceBeans>
            <bean class="org.mycompany.MyCompanyResource"/>
        </jaxrs:serviceBeans>
        <jaxrs:providers>
            <ref bean="kerberosFilter"/>
        </jaxrs:providers>
    </jaxrs:server>
My jaas.conf file has been placed in the /src/main/webapp/WEB-INF
directory and contains the following:
    KerberosServer {
        com.sun.security.auth.module.Krb5LoginModule required storeKey=true;
    };
    KerberosServerKeyTab {
        com.sun.security.auth.module.Krb5LoginModule required
        storeKey=true
        refreshKrb5Config=true
        useKeyTab=true
        keyTab="/etc/tomcat.keytab"
        principal="HTTP/<Hosting Workstation name>@<Valid REALM>";
    };
However the following exception is received when making a call against
the protected service:
Jan 08, 2014 3:57:01 PM org.apache.cxf.jaxrs.impl.WebApplicationExceptionMapper toResponse
WARNING: javax.ws.rs.NotAuthorizedException
    at org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter.handleRequest(KerberosAuthenticationFilter.java:117)
    at org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor.processRequest(JAXRSInInterceptor.java:208)
    at org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor.handleMessage(JAXRSInInterceptor.java:90)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
    at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
    at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:239)
    at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:248)
    at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222)
    at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153)
    at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:167)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:286)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:211)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:262)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1023)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:724)
My initial thought was that the jaas.conf wasn't being read and
applied but even setting the java.security.auth.login.config variable
in the tomcat setenv.sh script seemingly hasn't worked.
Any ideas on why the above isn't working or how I can debug further?
Thanks in advance.
--
Sergey Beryozkin
Talend Community Coders
http://coders.talend.com/
Blog: http://sberyozkin.blogspot.com
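
An added example, not part of the original thread and not CXF code: a javax.security.auth.login.Configuration that carries the KerberosServerKeyTab options from the jaas.conf above in code, plus a check of whether the JVM-wide JAAS configuration actually defines the KerberosServer context. The class name KeytabLoginConfiguration and the principal in main are hypothetical placeholders; an instance would be handed to the filter through the loginConfig property mentioned in the reply above.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;

/** Hypothetical helper: JAAS options supplied in code, so no jaas.conf lookup is involved. */
public class KeytabLoginConfiguration extends Configuration {
    private final AppConfigurationEntry[] entries;

    public KeytabLoginConfiguration(String principal, String keyTab) {
        // Same options as the KerberosServerKeyTab entry in the thread's jaas.conf.
        Map<String, String> options = new HashMap<>();
        options.put("storeKey", "true");
        options.put("refreshKrb5Config", "true");
        options.put("useKeyTab", "true");
        options.put("keyTab", keyTab);
        options.put("principal", principal);
        entries = new AppConfigurationEntry[] {
            new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                LoginModuleControlFlag.REQUIRED, options)
        };
    }

    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        return entries; // same entry for every context name, so the lookup cannot miss
    }

    /** True if the JVM-wide JAAS configuration defines the named context. */
    static boolean defaultConfigHas(String contextName) {
        try {
            return Configuration.getConfiguration().getAppConfigurationEntry(contextName) != null;
        } catch (SecurityException e) {
            // Some JDK versions throw here when no login config file can be located.
            System.err.println("JAAS config not loaded: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("java.security.auth.login.config = "
            + System.getProperty("java.security.auth.login.config"));
        System.out.println("KerberosServer in default config: " + defaultConfigHas("KerberosServer"));
        // Placeholder principal; substitute the service principal stored in the keytab.
        Configuration cfg =
            new KeytabLoginConfiguration("HTTP/host.example.com@EXAMPLE.COM", "/etc/tomcat.keytab");
        AppConfigurationEntry entry = cfg.getAppConfigurationEntry("KerberosServer")[0];
        System.out.println(entry.getLoginModuleName() + " " + entry.getOptions());
    }
}
```

Running main inside the same JVM settings as Tomcat (same -D options) shows whether the system property points at a file that defines the context name the filter is asked to use.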