Thanks for all your help Sergey, I can confirm that all worked and Kerberos Delegation is working as expected.

On 04/02/2014 9:24 PM, "Sergey Beryozkin" <[email protected]> wrote:
> Hi Paul
> On 04/02/14 04:18, Paul O'Brien wrote:
>
>> Thanks Sergey,
>>
>> That's helped a lot, I've been able to get it working properly with this
>> code you provided:
>> SecurityContext sc = PhaseInterceptorChain.getCurrentMessage().get(org.apache.cxf.security.SecurityContext.class);
>>
>> However using the context object isn't working:
>> SecurityContext sc = context.get(org.apache.cxf.security.SecurityContext.class);
>>
>> The context version won't compile due to a type mismatch as Get works with
>> object type only. Using a cast to SecurityContext didn't work for me, it
>> seemed to fail but the logging isn't providing details. I used the below
>> for testing:
>>
>> SecurityContext sc = (SecurityContext) context.get(org.apache.cxf.security.SecurityContext.class);
>>
>> I think the context version would make the example easier to understand but
>> I'm not able to get it to work at this point in time.
>>
> yes, you are right, I forgot MessageContext interface has no typed put &
> get methods.
>
> SecurityContext sc = (SecurityContext) context.get(org.apache.cxf.security.SecurityContext.class.getName());
>
> will do it
>
> Thanks, Sergey
>
>> Regards, Paul
>>
>> On Monday, 3 February 2014, Sergey Beryozkin <[email protected]> wrote:
>>
>>> Hi
>>>
>>> Right, it is indeed a thread-safe proxy which is injected.
>>> It is a pity a cast does not translate to a thread local get in this case.
>>> One way to do it is this then:
>>>
>>> @Context org.apache.cxf.jaxrs.ext.MessageContext context;
>>>
>>> SecurityContext sc = context.get(org.apache.cxf.security.SecurityContext.class);
>>>
>>> or simply
>>>
>>> SecurityContext sc = PhaseInterceptorChain.getCurrentMessage().get(org.apache.cxf.security.SecurityContext.class);
>>>
>>> and then check if the cast is possible
>>>
>>> Give it a try please, I will update the docs
>>>
>>> Thanks, Sergey
>>>
>>> On 03/02/14 01:06, Paul O'Brien wrote:
>>>
>>>> Using the sample delegation code from the CXF Site:
>>>> http://cxf.apache.org/docs/jaxrs-kerberos.html#JAXRSKerberos-CredentialDelegation
>>>>
>>>> I have protected my JAX-RS endpoint with the filter below:
>>>>
>>>> <!-- Apache CXF Kerberos Filter Registration -->
>>>> <bean id="kerberosFilter"
>>>>       class="org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter">
>>>>     <property name="loginContextName" value="KerberosServer" />
>>>> </bean>
>>>>
>>>> And I can confirm that Kerberos is working, a call to
>>>> securityContext.getUserPrincipal().getName() returns the Windows username
>>>> as passed by the web browser and the authentication scheme is definitely
>>>> "negotiate".
>>>>
>>>> However when I try and use the returned SecurityContext to pass onto a
>>>> HTTPConduit I find that the SecurityContext is actually a
>>>> ThreadLocalSecurityContext object.
>>>>
>>>> Specifically if I do this:
>>>> KerberosSecurityContext ksc = (KerberosSecurityContext)securityContext;
>>>> GSSCredential cred = ksc.getGSSContext().getDelegCred();
>>>>
>>>> I get the following exception:
>>>> org.apache.cxf.jaxrs.impl.tl.ThreadLocalSecurityContext cannot be cast to
>>>> org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter$KerberosSecurityContext
>>>>
>>>> The note on that page says that I should get a KerberosSecurityContext
>>>> returned instead:
>>>> "Note that if you have a JAX-RS KerberosAuthenticationFilter protecting the
>>>> endpoints, then the filter will have an org.ietf.jgss.GSSContext instance
>>>> available in the current CXF SecurityContext, via its
>>>> KerberosAuthenticationFilter$KerberosSecurityContext implementation, which
>>>> can be used to get to org.ietf.jgss.GSSCredential if the credential
>>>> delegation is supported for a given source principal"
>>>>
>>>> Any ideas?
>>>>
>>>> Thanks in advance.
>>>>
>>> --
>>> Sergey Beryozkin
>>>
>>> Talend Community Coders
>>> http://coders.talend.com/
>>>
>>> Blog: http://sberyozkin.blogspot.com
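
The approach the thread settles on, as an added example (not code from the thread or from the CXF documentation): look up the CXF SecurityContext by class name through the injected MessageContext, check the type before casting, and fail closed when no delegated credential is available. The resource class, its path and its method names are hypothetical; it assumes the javax.ws.rs API and the KerberosAuthenticationFilter registration shown in the thread.

```java
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import org.apache.cxf.jaxrs.ext.MessageContext;
import org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter.KerberosSecurityContext;
import org.apache.cxf.security.SecurityContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;

// Hypothetical resource; the class name and path are illustrative only.
@Path("/whoami")
public class DelegationResource {
    // CXF injects a thread-safe proxy; lookups on it resolve against the current message.
    @Context
    private MessageContext context;

    @GET
    public String whoami() {
        GSSCredential cred = delegatedCredential();
        try {
            // Expose only the principal name, never the credential object itself.
            return cred.getName().toString();
        } catch (GSSException e) {
            throw new WebApplicationException(e, Response.Status.INTERNAL_SERVER_ERROR);
        }
    }

    // Returns the caller's delegated credential, or rejects the request with 403.
    private GSSCredential delegatedCredential() {
        // MessageContext.get() is untyped: look up by class name, then test the type.
        Object sc = context.get(SecurityContext.class.getName());
        if (!(sc instanceof KerberosSecurityContext)) {
            throw new WebApplicationException(Response.Status.FORBIDDEN);
        }
        GSSContext gss = ((KerberosSecurityContext) sc).getGSSContext();
        try {
            // getCredDelegState() is false when the client did not delegate its credential.
            GSSCredential cred = (gss != null && gss.getCredDelegState()) ? gss.getDelegCred() : null;
            if (cred == null) {
                throw new WebApplicationException(Response.Status.FORBIDDEN);
            }
            return cred;
        } catch (GSSException e) {
            throw new WebApplicationException(e, Response.Status.FORBIDDEN);
        }
    }
}
```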
