Thanks Sergey, That's helped a lot, I've been able to get it working properly with this code you provided: SecurityContext sc = PhaseInterceptorChain.getCurrentMessage().get(org. apache.cxf.security.SecurityContext.class);
However using the context object isn't working: SecurityContext sc = context.get(org.apache.cxf.security.SecurityContext. class); The context version won't compile due to a type mismatch as Get works with object type only. Using a cast to SecurityContext didn't work for me, it seemed to fail but the logging isn't providing details. I used the below for testing: SecurityContext sc = (SecurityContext) context.get(org.apache.cxf. security.SecurityContext.class); I think the context version would make the example easier to understand but I'm not able to get it to work at this point in time. Regards, Paul On Monday, 3 February 2014, Sergey Beryozkin <[email protected]> wrote: > Hi > > Right, it is indeed a thread-safe proxy which is injected. > It is a pity a cast does not translate to a thread local get in this case. > One way to do it is this then: > > @Context org.apache.cxf.jaxrs.ext.MessageContext context; > > SecurityContext sc = context.get(org.apache.cxf.security.SecurityContext. > class); > > or simply > > SecurityContext sc = PhaseInterceptorChain.getCurrentMessage().get(org. > apache.cxf.security.SecurityContext.class); > > > and then check if the cast is possible > > Give it a try please, I will update the docs > > Thanks, Sergey > > > > On 03/02/14 01:06, Paul O'Brien wrote: > >> Using the sample delegation code from the CXF Site: >> http://cxf.apache.org/docs/jaxrs-kerberos.html#JAXRSKerberos- >> CredentialDelegation >> >> I have protected my JAX-RS endpoint with the filter below: >> >> <!-- Apache CXF Kerberos Filter Registration --> >> <bean id="kerberosFilter" >> class="org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter"> >> <property name="loginContextName" value="KerberosServer" /> >> </bean> >> >> And I can confirm that Kerberos is working, a call to >> securityContext.getUserPrincipal().getName() returns the Windows username >> as passed by the web browser and the authentication scheme is definitely >> "negotiate". >> >> However when I try and use the returned SecurityContext to pass onto a >> HTTPConduit I find that the SecurityContext is actually a >> ThreadLocalSecurityContext object. >> >> Specifically if I do this: >> KerberosSecurityContext ksc = (KerberosSecurityContext)securityContext; >> GSSCredential cred = ksc.getGSSContext().getDelegCred(); >> >> I get the following exception: >> org.apache.cxf.jaxrs.impl.tl.ThreadLocalSecurityContext cannot be cast to >> org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter$ >> KerberosSecurityContext >> >> The note on that page says that I should get a KerberosSecurityContext >> returned instead: >> "Note that if you have a JAX-RS KerberosAuthenticationFilter protecting >> the >> endpoints, then the filter will have an org.ietf.jgss.GSSContext instance >> available in the current CXF SecurityContext, via its >> KerberosAuthenticationFilter$KerberosSecurityContext implementation, >> which >> can be used to get to org.ietf.jgss.GSSCredential if the credential >> delegation is supported for a given source principal" >> >> Any ideas? >> >> Thanks in advance. >> >> > > -- > Sergey Beryozkin > > Talend Community Coders > http://coders.talend.com/ > > Blog: http://sberyozkin.blogspot.com >
