Thanks Sergey,

Your information was helpful and I narrowed the problem down to the -Djava.security.auth.login.config environment variable not being configured in my environment; setting this has got everything working.

Note that I do get the same exception even though it's working; it appears to be generated as part of the Negotiate handshake process. When a client generates a service request the server raises a NotAuthorizedException in the Tomcat server console while the retry attempt (with the token) succeeds. Given the way the Negotiate protocol works I expect this to be the expected behavior. Any reason to believe this isn't the case?

On 13 January 2014 09:48, Sergey Beryozkin <sberyoz...@gmail.com> wrote:

> FYI, this is how it is picked up in the test:
>
> String jaasConfig = JAXRSKerberosBookTest.class
>     .getResource("/org/apache/cxf/systest/jaxrs/security/kerberos.cfg").toURI().getPath();
> System.setProperty("java.security.auth.login.config", jaasConfig);
>
> You may want to try to move the config file to main resources, so that it
> will end up in WEB-INF/classes, it must be something to do with the
> resource location,
>
> Cheers, Sergey
>
>
> On 12/01/14 19:22, Sergey Beryozkin wrote:
>
>> Hi
>>
>> It does seem that a context configuration is not found,
>> It is unfortunate that only the LoginException handler loses the
>> exception info, the other handlers at least log the exception message, I
>> will fix it, in the meantime I can only suggest to either
>> - try to debug with the CXF source, that would be the best option
>> - try to register javax.security.auth.login.Configuration implementation
>>   (via the loginConfig property) instead of setting the loginContextName
>>   property
>>
>> Give it a try please and let us know the result, we can try and narrow
>> the problem somehow if the above does not help
>> Cheers, Sergey
>>
>> On 08/01/14 10:00, Paul O'Brien wrote:
>>
>>> Hi All,
>>>
>>> Trying to set up CXF JAXRS with Kerberos authentication (Active Directory
>>> KDC), the CXF endpoint works fine however I'm unable to successfully
>>> authenticate once the Kerberos Filter is activated.
>>>
>>> Using the sample code on the Apache CXF project homepage as a guide:
>>> http://cxf.apache.org/docs/jaxrs-kerberos.html
>>>
>>> My project cxf-servlet.conf file has the Kerberos filter enabled as per
>>> below:
>>>
>>> <bean id="kerberosFilter"
>>>       class="org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter">
>>>     <property name="loginContextName" value="KerberosServer"/>
>>> </bean>
>>>
>>> <jaxrs:server>
>>>     <jaxrs:serviceBeans>
>>>         <bean class="org.mycompany.MyCompanyResource"/>
>>>     </jaxrs:serviceBeans>
>>>     <jaxrs:providers>
>>>         <ref bean="kerberosFilter"/>
>>>     </jaxrs:providers>
>>> </jaxrs:server>
>>>
>>> My jaas.conf file has been placed in the /src/main/webapp/WEB-INF
>>> directory and contains the following:
>>>
>>> KerberosServer {
>>>     com.sun.security.auth.module.Krb5LoginModule required storeKey=true;
>>> };
>>> KerberosServerKeyTab {
>>>     com.sun.security.auth.module.Krb5LoginModule required
>>>         storeKey=true
>>>         refreshKrb5Config=true
>>>         useKeyTab=true
>>>         keyTab="/etc/tomcat.keytab"
>>>         principal="HTTP/<Hosting Workstation name>@<Valid REALM>";
>>> };
>>>
>>> However the following exception is received when making a call against
>>> the protected service:
>>>
>>> Jan 08, 2014 3:57:01 PM org.apache.cxf.jaxrs.impl.WebApplicationExceptionMapper toResponse
>>> WARNING: javax.ws.rs.NotAuthorizedException
>>>     at org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter.handleRequest(KerberosAuthenticationFilter.java:117)
>>>     at org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor.processRequest(JAXRSInInterceptor.java:208)
>>>     at org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor.handleMessage(JAXRSInInterceptor.java:90)
>>>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
>>>     at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
>>>     at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:239)
>>>     at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:248)
>>>     at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222)
>>>     at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153)
>>>     at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:167)
>>>     at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:286)
>>>     at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:211)
>>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
>>>     at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:262)
>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
>>>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
>>>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
>>>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
>>>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
>>>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
>>>     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
>>>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
>>>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
>>>     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1023)
>>>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
>>>     at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
>>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>>>     at java.lang.Thread.run(Thread.java:724)
>>>
>>> My initial thought was that the jaas.conf wasn't being read and applied but
>>> even setting the java.security.auth.login.config variable in the tomcat
>>> setenv.sh script seemingly hasn't worked.
>>>
>>> Any ideas on why the above isn't working or how I can debug further?
>>>
>>> Thanks in advance.
>>>
>>
>
> --
> Sergey Beryozkin
>
> Talend Community Coders
> http://coders.talend.com/
>
> Blog: http://sberyozkin.blogspot.com
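
A stand-alone diagnostic for the failure discussed in this thread, added here as an example (it is not code from CXF or from either poster): it reports whether the JVM can resolve the JAAS login configuration and the named login context, and whether a configured keytab is readable. The class name JaasConfigCheck is hypothetical; the default context name KerberosServer is the one from the original post, and the keyTab option is assumed to be a plain file path.

```java
import java.io.File;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;

// Added example; JaasConfigCheck is a hypothetical name, not part of CXF.
public class JaasConfigCheck {

    /** Returns a problem description, or null when the context resolves cleanly. */
    static String check(String contextName) {
        String prop = System.getProperty("java.security.auth.login.config");
        System.out.println("java.security.auth.login.config = " + prop);

        Configuration config;
        try {
            // Loads the file named by the system property (or the JVM defaults).
            config = Configuration.getConfiguration();
        } catch (SecurityException e) {
            return "no login configuration could be loaded: " + e.getMessage();
        }

        AppConfigurationEntry[] entries = config.getAppConfigurationEntry(contextName);
        if (entries == null || entries.length == 0) {
            return "no entry named '" + contextName + "' in the login configuration";
        }
        for (AppConfigurationEntry entry : entries) {
            System.out.println(contextName + " -> " + entry.getLoginModuleName()
                    + " " + entry.getControlFlag());
            Map<String, ?> options = entry.getOptions();
            for (Map.Entry<String, ?> option : options.entrySet()) {
                System.out.println("    " + option.getKey() + "=" + option.getValue());
            }
            // Assumption: keyTab is given as a plain file path, as in the post.
            Object keyTab = options.get("keyTab");
            if (keyTab != null && !new File(keyTab.toString()).canRead()) {
                return "keytab " + keyTab + " is not readable by this process";
            }
        }
        return null;
    }

    public static void main(String[] args) {
        String problem = check(args.length > 0 ? args[0] : "KerberosServer");
        if (problem != null) {
            System.err.println("FAIL: " + problem);
            System.exit(1);
        }
        System.out.println("OK: login context resolved");
    }
}
```

Run it with the same -Djava.security.auth.login.config value and as the same OS account as the Tomcat process, so that the path resolution and keytab permissions match what the filter sees.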