Re: Kerberos Delegation Issue

Mon, 03 Feb 2014 01:49:46 -0800 

Hi

Right, it is indeed a thread-safe proxy which is injected.
It is a pity a cast does not translate to a thread local get in this case.
One way to do it is this then:

@Context org.apache.cxf.jaxrs.ext.MessageContext context;
SecurityContext sc = context.get(org.apache.cxf.security.SecurityContext.class); 

or simply
SecurityContext sc = PhaseInterceptorChain.getCurrentMessage().get(org.apache.cxf.security.SecurityContext.class); 


and then check if the cast is possible

Give it a try please, I will update the docs

Thanks, Sergey



On 03/02/14 01:06, Paul O'Brien wrote:

Using the sample delegation code from the CXF Site:
http://cxf.apache.org/docs/jaxrs-kerberos.html#JAXRSKerberos-CredentialDelegation

I have protected my JAX-RS endpoint with the filter below:

<!-- Apache CXF Kerberos Filter Registration -->
<bean id="kerberosFilter"
class="org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter">
<property name="loginContextName" value="KerberosServer" />
</bean>

And I can confirm that Kerberos is working, a call to
securityContext.getUserPrincipal().getName() returns the Windows username
as passed by the web browser and the authentication scheme is definitely
"negotiate".

However when I try and use the returned SecurityContext to pass onto a
HTTPConduit I find that the SecurityContext is actually a
ThreadLocalSecurityContext object.

Specifically if I do this:
KerberosSecurityContext ksc = (KerberosSecurityContext)securityContext;
GSSCredential cred = ksc.getGSSContext().getDelegCred();

I get the following exception:
org.apache.cxf.jaxrs.impl.tl.ThreadLocalSecurityContext cannot be cast to
org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter$KerberosSecurityContext

The note on that page says that I should get a KerberosSecurityContext
returned instead:
"Note that if you have a JAX-RS KerberosAuthenticationFilter protecting the
endpoints, then the filter will have an org.ietf.jgss.GSSContext instance
available in the current CXF SecurityContext, via its
KerberosAuthenticationFilter$KerberosSecurityContext implementation, which
can be used to get to org.ietf.jgss.GSSCredential if the credential
delegation is supported for a given source principal"

Any ideas?

Thanks in advance.




--
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com

Reply via email to