The client is a web browser and we can live with it, just wanted to ensure it wasn't an unexpected error.
On Monday, 13 January 2014, Sergey Beryozkin wrote:

> Hi,
> On 13/01/14 10:46, Paul O'Brien wrote:
>
>> Thanks Sergey,
>>
>> Your information was helpful and I narrowed the problem down to the
>> -Djava.security.auth.login.config environment variable not being configured
>> in my environment, setting this has got everything working.
>>
>> Note that I do get the same exception even though it's working, it appears
>> to be generated as part of the Negotiate handshake process. When a client
>> generates a service request the server raises a NotAuthorizedException in
>> the tomcat server console while the retry attempt (with the token) succeeds.
>>
>> Given the way the negotiate protocol works I expect this to be the expected
>> behavior, any reason to believe this isn't the case?
>
> I guess if it is possible to configure the client to immediately include a
> token then it is avoidable, I think we can do it with CXF clients, do you
> use CXF on the client side?
>
> Cheers, Sergey
>
> On 13 January 2014 09:48, Sergey Beryozkin <[email protected]> wrote:
>
> FYI, this is how it is picked up in the test:
>
>     String jaasConfig = JAXRSKerberosBookTest.class
>         .getResource("/org/apache/cxf/systest/jaxrs/security/kerberos.cfg").toURI().getPath();
>     System.setProperty("java.security.auth.login.config", jaasConfig);
>
> You may want to try to move the config file to main resources, so that it
> will end up in WEB-INF/classes, it must be something to do with the
> resource location,
>
> Cheers, Sergey
>
> On 12/01/14 19:22, Sergey Beryozkin wrote:
>
> Hi
>
> It does seem that a context configuration is not found,
> It is unfortunate that only the LoginException handler loses the
> exception info, the other handlers at least log the exception message, I
> will fix it, in the meantime I can only suggest to either
> - try to debug with the CXF source, that would be the best option
> - try to register javax.security.auth.login.Configuration implementation
>   (via the loginConfig property) instead of setting the loginContextName
>   property
>
> Give it a try please and let us know the result, we can try and narrow
> the problem somehow if the above does not help
> Cheers, Sergey
>
> On 08/01/14 10:00, Paul O'Brien wrote:
>
> Hi All,
>
> Trying to set up CXF JAXRS with Kerberos authentication (Active Directory
> KDC), the CXF endpoint works fine however I'm unable to successfully
> authenticate once the Kerberos Filter is activated.
>
> Using the sample code on the Apache CXF project homepage as a guide:
> http://cxf.apache.org/docs/jaxrs-kerberos.html
>
> My project cxf-servlet.conf file has the Kerberos filter enabled as per
> below:
>
>     <bean id="kerberosFilter"
>           class="org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter">
>       <property name="loginContextName" value="KerberosServer"/>
>     </bean>
>
>     <jaxrs:server>
>       <jaxrs:serviceBeans>
>         <bean class="org.mycompany.MyCompanyResource"/>
>       </jaxrs:serviceBeans>
>       <jaxrs:providers>
>         <ref bean="kerberosFilter"/>
>       </jaxrs:providers>
>     </jaxrs:server>
>
> My jaas.conf file has been placed in the /src/main/webapp/WEB-INF directory
> and contains the following:
>
>     KerberosServer {
>       com.sun.security.auth.module.Krb5LoginModule required storeKey=true;
>     };
>     KerberosServerKeyTab {
>       com.sun.security.auth.module.Krb5LoginModule required
>         storeKey=true
>         refreshKrb5Config=true
>         useKeyTab=true
>         keyTab="/etc/tomcat.keytab"
>         principal="HTTP/<Hosting Workstation name>@<Valid REALM>";
>     };
>
> However the following exception is received when making a call against the
> protected service:
>
> Jan 08, 2014 3:57:01 PM org.apache.cxf.jaxrs.impl.WebApplicationExceptionMapper toResponse
> WARNING: javax.ws.rs.NotAuthorizedException
>     at org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter.handleRequest(KerberosAuthenticationFilter.java:117)
>     at org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor.processRequest(JAXRSInInterceptor.java:208)
>     at org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor.handleMessage(JAXRSInInterceptor.java:90)
>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
>     at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
>     at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:239)
>     at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:248)
>     at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222)
>     at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:1
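The thread's root cause was a JAAS login configuration that the JVM never loaded. The following startup check is an added example, not code from the thread or from CXF: it confirms that the login context named in loginContextName resolves and that any keytab it references is readable. The class name JaasContextCheck and its check method are hypothetical, and the keyTab option is assumed to be a plain filesystem path.

```java
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;

/** Added example (hypothetical class): can the JVM resolve the JAAS context the filter names? */
public class JaasContextCheck {

    /** Returns null when the context looks usable, otherwise a description of the problem. */
    static String check(String contextName) {
        if (System.getProperty("java.security.auth.login.config") == null) {
            // Not fatal by itself: java.security may list login.config.url.N entries instead.
            System.err.println("note: -Djava.security.auth.login.config is not set");
        }
        Configuration cfg;
        try {
            // Loads the default file-based configuration; a file that cannot be
            // located or parsed surfaces here as a SecurityException.
            cfg = Configuration.getConfiguration();
        } catch (SecurityException e) {
            return "JAAS configuration could not be loaded: " + e.getMessage();
        }
        AppConfigurationEntry[] entries = cfg.getAppConfigurationEntry(contextName);
        if (entries == null || entries.length == 0) {
            return "no login context named '" + contextName + "' in the loaded configuration";
        }
        for (AppConfigurationEntry entry : entries) {
            Map<String, ?> opts = entry.getOptions();
            System.out.println(contextName + ": " + entry.getLoginModuleName() + " " + opts);
            Object keyTab = opts.get("keyTab");
            // Assumption: keyTab is a plain path, as in the jaas.conf quoted in the thread.
            if ("true".equals(String.valueOf(opts.get("useKeyTab"))) && keyTab != null
                    && !Files.isReadable(Paths.get(keyTab.toString()))) {
                return "keytab " + keyTab + " is not readable by this process";
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Default matches the loginContextName in the thread's Spring configuration.
        String name = args.length > 0 ? args[0] : "KerberosServer";
        String problem = check(name);
        if (problem != null) {
            System.err.println("FAIL: " + problem);
            System.exit(1);
        }
        System.out.println("OK: login context '" + name + "' resolved");
    }
}
```

Run it with the same -Djava.security.auth.login.config value and as the same OS user as the Tomcat process, so that the file lookup and the keytab permission check reflect what the filter will see.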
