Thanks Sergey,

Your information was helpful and I narrowed the problem down to the
-Djava.security.auth.login.config environment variable not being configured
in my environment; setting this has got everything working.

Note that I do get the same exception even though it's working; it appears
to be generated as part of the Negotiate handshake process. When a client
generates a service request, the server raises a NotAuthorizedException in
the Tomcat server console while the retry attempt (with the token) succeeds.

Given the way the Negotiate protocol works, I expect this to be the expected
behavior. Any reason to believe this isn't the case?


On 13 January 2014 09:48, Sergey Beryozkin <sberyoz...@gmail.com> wrote:

> FYI, this is how it is picked up in the test:
>
> String jaasConfig = JAXRSKerberosBookTest.class
>         .getResource("/org/apache/cxf/systest/jaxrs/security/kerberos.cfg").toURI().getPath();
> System.setProperty("java.security.auth.login.config", jaasConfig);
>
> You may want to try to move the config file to main resources, so that it
> will end up in WEB-INF/classes; it must be something to do with the
> resource location.
>
> Cheers, Sergey
>
>
> On 12/01/14 19:22, Sergey Beryozkin wrote:
>
>> Hi
>>
>> It does seem that a context configuration is not found.
>> It is unfortunate that only the LoginException handler loses the
>> exception info; the other handlers at least log the exception message. I
>> will fix it; in the meantime I can only suggest to either
>> - try to debug with the CXF source, that would be the best option
>> - try to register a javax.security.auth.login.Configuration implementation
>> (via the loginConfig property) instead of setting the loginContextName
>> property
>>
>> Give it a try please and let us know the result; we can try and narrow
>> the problem somehow if the above does not help.
>> Cheers, Sergey
>>
>> On 08/01/14 10:00, Paul O'Brien wrote:
>>
>>> Hi All,
>>>
>>> Trying to set up CXF JAXRS with Kerberos authentication (Active Directory
>>> KDC). The CXF endpoint works fine; however, I'm unable to successfully
>>> authenticate once the Kerberos Filter is activated.
>>>
>>> Using the sample code on the Apache CXF project homepage as a guide:
>>> http://cxf.apache.org/docs/jaxrs-kerberos.html
>>>
>>> My project cxf-servlet.conf file has the Kerberos filter enabled as per
>>> below:
>>>
>>> <bean id="kerberosFilter"
>>> class="org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter">
>>> <property name="loginContextName" value="KerberosServer"/>
>>> </bean>
>>>
>>> <jaxrs:server>
>>> <jaxrs:serviceBeans>
>>> <bean class="org.mycompany.MyCompanyResource"/>
>>> </jaxrs:serviceBeans>
>>> <jaxrs:providers>
>>> <ref bean="kerberosFilter"/>
>>> </jaxrs:providers>
>>> </jaxrs:server>
>>>
>>> My jaas.conf file has been placed in the /src/main/webapp/WEB-INF
>>> directory and contains the following:
>>>
>>> KerberosServer {
>>> com.sun.security.auth.module.Krb5LoginModule required storeKey=true;
>>> };
>>> KerberosServerKeyTab {
>>> com.sun.security.auth.module.Krb5LoginModule required
>>> storeKey=true
>>> refreshKrb5Config=true
>>> useKeyTab=true
>>> keyTab="/etc/tomcat.keytab"
>>> principal="HTTP/<Hosting Workstation name>@<Valid REALM>";
>>> };
>>>
>>> However the following exception is received when making a call against
>>> the protected service:
>>> Jan 08, 2014 3:57:01 PM org.apache.cxf.jaxrs.impl.WebApplicationExceptionMapper toResponse
>>> WARNING: javax.ws.rs.NotAuthorizedException
>>> at org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter.handleRequest(KerberosAuthenticationFilter.java:117)
>>> at org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor.processRequest(JAXRSInInterceptor.java:208)
>>> at org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor.handleMessage(JAXRSInInterceptor.java:90)
>>> at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
>>> at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
>>> at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:239)
>>> at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:248)
>>> at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222)
>>> at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153)
>>> at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:167)
>>> at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:286)
>>> at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:211)
>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
>>> at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:262)
>>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
>>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
>>> at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
>>> at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
>>> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
>>> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
>>> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
>>> at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
>>> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
>>> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
>>> at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1023)
>>> at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
>>> at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>>> at java.lang.Thread.run(Thread.java:724)
>>>
>>> My initial thought was that the jaas.conf wasn't being read and
>>> applied, but even setting the java.security.auth.login.config variable
>>> in the tomcat setenv.sh script seemingly hasn't worked.
>>>
>>> Any ideas on why the above isn't working or how I can debug further?
>>>
>>> Thanks in advance.
>>>
>>>
>>
>>
>
> --
> Sergey Beryozkin
>
> Talend Community Coders
> http://coders.talend.com/
>
> Blog: http://sberyozkin.blogspot.com
>
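
An added example, not part of the thread and not CXF code: a startup check that reports whether the `KerberosServer` context named in `loginContextName` can be resolved from `java.security.auth.login.config`, plus a programmatic `Configuration` equivalent to the `KerberosServerKeyTab` entry of the kind Sergey suggests registering through `loginConfig`. The class and method names are hypothetical and the principal is a constructed placeholder.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;

public class JaasConfigCheck { // hypothetical class name
    // Programmatic equivalent of the thread's KerberosServerKeyTab entry.
    static Configuration keytabConfig(final String context, String keyTab, String principal) {
        Map<String, String> options = new HashMap<>();
        options.put("storeKey", "true");
        options.put("refreshKrb5Config", "true");
        options.put("useKeyTab", "true");
        options.put("keyTab", keyTab);
        options.put("principal", principal);
        final AppConfigurationEntry entry = new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule",
                LoginModuleControlFlag.REQUIRED, options);
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return context.equals(name) ? new AppConfigurationEntry[] {entry} : null;
            }
        };
    }

    // Returns null when the context resolves, otherwise the reason it does not.
    static String missingContext(String context) {
        String path = System.getProperty("java.security.auth.login.config");
        try {
            AppConfigurationEntry[] entries =
                    Configuration.getConfiguration().getAppConfigurationEntry(context);
            return entries != null && entries.length > 0 ? null
                    : "no '" + context + "' entry (java.security.auth.login.config=" + path + ")";
        } catch (SecurityException e) { // thrown when no login configuration can be loaded
            return "JAAS config not loaded (java.security.auth.login.config=" + path + "): " + e;
        }
    }

    public static void main(String[] args) {
        // File-based lookup that the filter's loginContextName depends on.
        String problem = missingContext("KerberosServer");
        System.out.println(problem == null ? "KerberosServer context found" : problem);
        // Keytab path is the one from the thread; the principal is a constructed placeholder.
        Configuration cfg = keytabConfig("KerberosServer", "/etc/tomcat.keytab",
                "HTTP/host.example.com@EXAMPLE.COM");
        System.out.println(cfg.getAppConfigurationEntry("KerberosServer")[0].getLoginModuleName());
    }
}
```

Running the check with the same JVM options as Tomcat shows whether the setting from `setenv.sh` actually reached the process, which the swallowed `LoginException` in the thread did not reveal.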
