No problems, thanks for validating Kerberos filter and HTTPConduit work well together, nice.
Cheers, Sergey
On 05/02/14 09:04, Paul O'Brien wrote:
Thanks for all your help Sergey, I can confirm that all worked and Kerberos
Delegation is working as expected.
On 04/02/2014 9:24 PM, "Sergey Beryozkin" <[email protected]> wrote:

Hi Paul
On 04/02/14 04:18, Paul O'Brien wrote:

Thanks Sergey,

That's helped a lot, I've been able to get it working properly with this
code you provided:
SecurityContext sc = PhaseInterceptorChain.getCurrentMessage().get(org.apache.cxf.security.SecurityContext.class);

However using the context object isn't working:
SecurityContext sc = context.get(org.apache.cxf.security.SecurityContext.class);

The context version won't compile due to a type mismatch as Get works with
object type only. Using a cast to SecurityContext didn't work for me, it
seemed to fail but the logging isn't providing details. I used the below
for testing:

SecurityContext sc = (SecurityContext) context.get(org.apache.cxf.security.SecurityContext.class);

I think the context version would make the example easier to understand but
I'm not able to get it to work at this point in time.

Yes, you are right, I forgot MessageContext interface has no typed put &
get methods.

SecurityContext sc = (SecurityContext) context.get(org.apache.cxf.security.SecurityContext.class.getName());

will do it

Thanks, Sergey

  Regards, Paul

On Monday, 3 February 2014, Sergey Beryozkin <[email protected]>
wrote:

  Hi

Right, it is indeed a thread-safe proxy which is injected.
It is a pity a cast does not translate to a thread local get in this
case.
One way to do it is this then:

@Context org.apache.cxf.jaxrs.ext.MessageContext context;

SecurityContext sc = context.get(org.apache.cxf.security.SecurityContext.class);

or simply

SecurityContext sc = PhaseInterceptorChain.getCurrentMessage().get(org.apache.cxf.security.SecurityContext.class);


and then check if the cast is possible

Give it a try please, I will update the docs

Thanks, Sergey



On 03/02/14 01:06, Paul O'Brien wrote:

Using the sample delegation code from the CXF Site:
http://cxf.apache.org/docs/jaxrs-kerberos.html#JAXRSKerberos-CredentialDelegation

I have protected my JAX-RS endpoint with the filter below:

<!-- Apache CXF Kerberos Filter Registration -->
<bean id="kerberosFilter"
      class="org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter">
    <property name="loginContextName" value="KerberosServer" />
</bean>

And I can confirm that Kerberos is working, a call to
securityContext.getUserPrincipal().getName() returns the Windows username
as passed by the web browser and the authentication scheme is definitely
"negotiate".

However when I try and use the returned SecurityContext to pass onto a
HTTPConduit I find that the SecurityContext is actually a
ThreadLocalSecurityContext object.

Specifically if I do this:
KerberosSecurityContext ksc = (KerberosSecurityContext)securityContext;
GSSCredential cred = ksc.getGSSContext().getDelegCred();

I get the following exception:
org.apache.cxf.jaxrs.impl.tl.ThreadLocalSecurityContext cannot be cast to
org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter$KerberosSecurityContext

The note on that page says that I should get a KerberosSecurityContext
returned instead:
"Note that if you have a JAX-RS KerberosAuthenticationFilter protecting the
endpoints, then the filter will have an org.ietf.jgss.GSSContext instance
available in the current CXF SecurityContext, via its
KerberosAuthenticationFilter$KerberosSecurityContext implementation, which
can be used to get to org.ietf.jgss.GSSCredential if the credential
delegation is supported for a given source principal"

Any ideas?

Thanks in advance.



--
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com
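
The working approach from this thread, consolidated as an added example (not part of the original messages and not CXF's own code). The class name `DelegatedCredentials` and the method `current()` are hypothetical; the CXF and JGSS calls are the ones quoted in the thread, plus `GSSContext.getCredDelegState()`. It returns null instead of failing the cast when the request was not authenticated by the Kerberos filter or the client did not delegate a credential.

```java
import org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter.KerberosSecurityContext;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.PhaseInterceptorChain;
import org.apache.cxf.security.SecurityContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;

// Hypothetical helper: call it from a JAX-RS resource method on the request thread.
public final class DelegatedCredentials {

    private DelegatedCredentials() {
    }

    /**
     * Returns the credential the caller delegated during SPNEGO, or null when
     * none is available on the current request.
     */
    public static GSSCredential current() throws GSSException {
        // The injected JAX-RS SecurityContext is a thread-local proxy, so read
        // the CXF SecurityContext from the current message instead of casting it.
        Message message = PhaseInterceptorChain.getCurrentMessage();
        if (message == null) {
            return null; // not running inside a CXF interceptor chain
        }
        SecurityContext sc = message.get(SecurityContext.class);

        // Only KerberosAuthenticationFilter installs this implementation;
        // other filters or an unauthenticated request leave a different type.
        if (!(sc instanceof KerberosSecurityContext)) {
            return null;
        }
        GSSContext gss = ((KerberosSecurityContext) sc).getGSSContext();

        // The client may authenticate without delegating; check before asking.
        if (gss == null || !gss.getCredDelegState()) {
            return null;
        }
        return gss.getDelegCred();
    }
}
```

A null result means the outbound call has no caller identity to forward, so the caller should handle it explicitly.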






