Hi Marco,

I would suggest trying a simple Kerberos login using JAAS directly (with 
debug=true); perhaps it helps to spot the problem:

Test code:
import java.io.IOException;
import java.net.URL;
import java.security.Principal;
import java.util.Set;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class JaasLoginTest {

    public static void main(String[] args) {
        // Point JAAS at the jaas.conf on the classpath (contents below)
        URL conf = JaasLoginTest.class.getClassLoader().getResource("jaas.conf");
        System.setProperty("java.security.auth.login.config", conf.toString());

        // Only needed when not using the ticket cache (or the keytab):
        // Krb5LoginModule asks for the name/password through these callbacks
        CallbackHandler callbackHandler = new CallbackHandler() {
            @Override
            public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
                for (Callback callback : callbacks) {
                    if (callback instanceof NameCallback) {
                        ((NameCallback) callback).setName("alice");
                    }
                    if (callback instanceof PasswordCallback) {
                        ((PasswordCallback) callback).setPassword("clarinet".toCharArray());
                    }
                }
            }
        };

        try {
            // "myContext" is the entry name in jaas.conf
            LoginContext lc = new LoginContext("myContext", callbackHandler);
            lc.login();
            Subject subject = lc.getSubject();
            Set<Principal> principals = subject.getPrincipals();
            Set<Object> credentials = subject.getPrivateCredentials();
            System.out.println("OK: " + principals);
            System.out.println("OK: " + credentials);
        } catch (LoginException e) {
            e.printStackTrace();
        }
    }
}

jaas.conf:

myContext {
    com.sun.security.auth.module.Krb5LoginModule required
    debug=true
    refreshKrb5Config=true
    useKeyTab=true
    storeKey=true
    keyTab="my.keytab"
    principal="my/services.example.com";
};

If the code works, you will be able to detect what is different in the 
AbstractSpnegoAuthSupplier.getToken() code used by 
KerberosAuthOutInterceptor.java.

Regards,
Andrei.

> -----Original Message-----
> From: Marco Di Sabatino Di Diodoro [mailto:[email protected]]
> Sent: Friday, 14 March 2014 17:54
> To: [email protected]
> Subject: CXF and kerberos authentication
> 
> Hi,
> 
> I'm a PMC member of Apache Syncope[1].
> We are building a new connector bundle for Connid[2] that needs to connect
> with FreeIpa server.
> 
> The connector bundle uses JSON-RPC to communicate with the server, which is
> protected by Kerberos.
> We followed this guide (http://cxf.apache.org/docs/jaxrs-kerberos.html) but the
> connector does not negotiate with Kerberos:
> 
> WebClient wc = WebClient.create("https://olmo.example.com/ipa/json");
> WebClient.getConfig(wc).getHttpConduit().setTlsClientParameters(clientParameters());
> AuthorizationPolicy policy = new AuthorizationPolicy();
> policy.setAuthorizationType("Negotiate");
> policy.setAuthorization(KEYTAB_CONF);
> KerberosAuthOutInterceptor kbInterceptor = new KerberosAuthOutInterceptor();
> kbInterceptor.setPolicy(policy);
> kbInterceptor.setRealm("EXAMPLE.COM");
> kbInterceptor.setServicePrincipalName("ldap/olmo.example.com");
> kbInterceptor.setCredDelegation(true);
> WebClient.getConfig(wc).getOutInterceptors().add(kbInterceptor);
> 
> I tried a lot of other configurations without success; do you have any suggestions?
> 
> If we run with curl it works.
> 
> Regards
> M
> 
> [1] http://syncope.apache.org/
> [2] http://tirasa.github.io/ConnId/
> 
> --
> Dott. Marco Di Sabatino Di Diodoro
> Tel. +39 3939065570
> 
> Tirasa S.r.l.
> Viale D'Annunzio 267 - 65127 Pescara
> Tel +39 0859116307 / FAX +39 0859111173
> http://www.tirasa.net
> 
> Apache Syncope PMC Member
> http://people.apache.org/~mdisabatino/

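An added example (not code from the thread, from CXF or from Syncope) that takes Andrei's suggestion one step further: after the JAAS login succeeds with the same jaas.conf, it runs a GSS-API initSecContext under that Subject for the SPN Marco configures on the interceptor, which produces the token a client would put in the Authorization: Negotiate header. The SPN constant and the "myContext" entry name are assumed from the two mails above.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Base64;

import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;

import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class SpnegoTokenTest {

    // SPNEGO mechanism OID; plain Kerberos 5 would be 1.2.840.113554.1.2.2
    private static final String SPNEGO_OID = "1.3.6.1.5.5.2";

    // Assumed value taken from the original mail: it must be the same
    // service principal + realm the CXF interceptor is configured with
    private static final String SERVICE_PRINCIPAL = "ldap/olmo.example.com@EXAMPLE.COM";

    public static void main(String[] args) throws Exception {
        // Same jaas.conf / "myContext" entry as in the JAAS test; the keytab
        // entry needs no callback handler
        LoginContext lc = new LoginContext("myContext");
        lc.login();
        Subject subject = lc.getSubject();

        // GSS-API only sees Kerberos credentials of the Subject it runs "as"
        // (javax.security.auth.useSubjectCredsOnly defaults to true)
        byte[] token = Subject.doAs(subject, (PrivilegedExceptionAction<byte[]>) () -> {
            GSSManager manager = GSSManager.getInstance();
            // null name type: let the Kerberos mechanism parse service/host@REALM
            GSSName serverName = manager.createName(SERVICE_PRINCIPAL, null);
            GSSContext context = manager.createContext(serverName, new Oid(SPNEGO_OID),
                    null, GSSContext.DEFAULT_LIFETIME);
            context.requestMutualAuth(true);
            context.requestCredDeleg(true); // mirrors setCredDelegation(true)
            try {
                // First leg of the handshake: this needs a service ticket for the SPN
                return context.initSecContext(new byte[0], 0, 0);
            } finally {
                context.dispose();
            }
        });

        // What the client would send as the Authorization header value
        System.out.println("Negotiate " + Base64.getEncoder().encodeToString(token));
    }
}
```

If lc.login() succeeds but initSecContext fails, the keytab is fine and the problem is obtaining a service ticket for that SPN, which the Krb5LoginModule debug output alone will not show.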