Using the sample delegation code from the CXF Site: http://cxf.apache.org/docs/jaxrs-kerberos.html#JAXRSKerberos-CredentialDelegation
I have protected my JAX-RS endpoint with the filter below: <!-- Apache CXF Kerberos Filter Registration --> <bean id="kerberosFilter" class="org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter"> <property name="loginContextName" value="KerberosServer" /> </bean> And I can confirm that Kerberos is working, a call to securityContext.getUserPrincipal().getName() returns the Windows username as passed by the web browser and the authentication scheme is definitely "negotiate". However when I try and use the returned SecurityContext to pass onto a HTTPConduit I find that the SecurityContext is actually a ThreadLocalSecurityContext object. Specifically if I do this: KerberosSecurityContext ksc = (KerberosSecurityContext)securityContext; GSSCredential cred = ksc.getGSSContext().getDelegCred(); I get the following exception: org.apache.cxf.jaxrs.impl.tl.ThreadLocalSecurityContext cannot be cast to org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter$KerberosSecurityContext The note on that page says that I should get a KerberosSecurityContext returned instead: "Note that if you have a JAX-RS KerberosAuthenticationFilter protecting the endpoints, then the filter will have an org.ietf.jgss.GSSContext instance available in the current CXF SecurityContext, via its KerberosAuthenticationFilter$KerberosSecurityContext implementation, which can be used to get to org.ietf.jgss.GSSCredential if the credential delegation is supported for a given source principal" Any ideas? Thanks in advance.
