Hi,
On 15 Mar 2014, at 13:38, Andrei Shakirin <[email protected]> wrote:

Hi Marco,

I would suggest trying a simple Kerberos login using JAAS directly (with debug=true); perhaps it helps to spot the problem:
Test code:

import java.io.IOException;
import java.net.URL;
import java.security.Principal;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class JaasLoginTest {
    public static void main(String[] args) {
        // Point JAAS at the jaas.conf on the classpath
        URL conf = JaasLoginTest.class.getClassLoader().getResource("jaas.conf");
        System.setProperty("java.security.auth.login.config", conf.toString());

        // Only needed when not using the ticket cache (or a keytab);
        // with useKeyTab=true the callbacks are never invoked
        CallbackHandler callbackHandler = new CallbackHandler() {
            @Override
            public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
                for (Callback callback : callbacks) {
                    if (callback instanceof NameCallback) {
                        ((NameCallback) callback).setName("alice");
                    }
                    if (callback instanceof PasswordCallback) {
                        ((PasswordCallback) callback).setPassword("clarinet".toCharArray());
                    }
                }
            }
        };

        try {
            // "myContext" is the entry name in jaas.conf
            LoginContext lc = new LoginContext("myContext", callbackHandler);
            lc.login();
            Subject subject = lc.getSubject();
            Set<Principal> principals = subject.getPrincipals();
            Set<Object> credentials = subject.getPrivateCredentials();
            System.out.println("OK: " + principals);
            System.out.println("OK: " + credentials);
        } catch (LoginException e) {
            e.printStackTrace();
        }
    }
}
jaas.conf:

myContext {
    com.sun.security.auth.module.Krb5LoginModule required
        debug=true
        refreshKrb5Config=true
        useKeyTab=true
        storeKey=true
        keyTab="my.keytab"
        principal="my/services.example.com";
};
If the code works, you will be able to detect what is different in the AbstractSpnegoAuthSupplier.getToken() code used by KerberosAuthOutInterceptor.java.
These are the krb5kdc.log entries when the CXF connector connects to the FreeIPA server:
If we run with curl:
I have attached the log file of the test connector. As you can see from the log, at the beginning we perform a login and then a request to the service, but it returns a 401.
Thanks M
[Attachment: cfx.log]
Regards,
Andrei.
-----Original Message-----
From: Marco Di Sabatino Di Diodoro [mailto:[email protected]]
Sent: Friday, 14 March 2014 17:54
To: [email protected]
Subject: CXF and kerberos authentication
Hi,
I'm a PMC member of Apache Syncope[1]. We are building a new connector bundle for ConnId[2] that needs to connect to a FreeIPA server.
The connector bundle uses JSON-RPC to communicate with the server, which is protected by Kerberos. We followed this guide (http://cxf.apache.org/docs/jaxrs-kerberos.html), but the connector does not negotiate with Kerberos:
import org.apache.cxf.configuration.security.AuthorizationPolicy;
import org.apache.cxf.interceptor.security.KerberosAuthOutInterceptor;
import org.apache.cxf.jaxrs.client.WebClient;

// clientParameters() and KEYTAB_CONF are defined elsewhere in the connector
WebClient wc = WebClient.create("https://olmo.example.com/ipa/json");
WebClient.getConfig(wc).getHttpConduit().setTlsClientParameters(clientParameters());

// Use the "Negotiate" (SPNEGO) scheme; the authorization value names the JAAS login entry
AuthorizationPolicy policy = new AuthorizationPolicy();
policy.setAuthorizationType("Negotiate");
policy.setAuthorization(KEYTAB_CONF);

KerberosAuthOutInterceptor kbInterceptor = new KerberosAuthOutInterceptor();
kbInterceptor.setPolicy(policy);
kbInterceptor.setRealm("EXAMPLE.COM");
kbInterceptor.setServicePrincipalName("ldap/olmo.example.com");
kbInterceptor.setCredDelegation(true);
WebClient.getConfig(wc).getOutInterceptors().add(kbInterceptor);
I tried a lot of other configurations without success; do you have any suggestions?
If we run with curl it works.
Regards M
[1] http://syncope.apache.org/
[2] http://tirasa.github.io/ConnId/
--
Dott. Marco Di Sabatino Di Diodoro
Tel. +39 3939065570

Tirasa S.r.l.
Viale D'Annunzio 267 - 65127 Pescara
Tel +39 0859116307 / FAX +39 0859111173
http://www.tirasa.net

Apache Syncope PMC Member
http://people.apache.org/~mdisabatino/
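As an added example (not code from this thread or from CXF), the step that follows Andrei's JAAS test: inside the logged-in Subject, request a service ticket for the target principal and wrap it in a SPNEGO token, which is roughly what AbstractSpnegoAuthSupplier.getToken() does before the interceptor sets the Authorization header. The context name "myContext" comes from Andrei's jaas.conf; the SPN HTTP/olmo.example.com@EXAMPLE.COM is an assumption and must match a principal that exists in the server's keytab, otherwise the TGS-REQ fails and the KDC log shows it.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class SpnegoTokenCheck {

    // Assumed values: the JAAS entry from Andrei's jaas.conf and a service
    // principal that the FreeIPA HTTP service's keytab is expected to hold.
    static final String JAAS_CONTEXT = "myContext";
    static final String SERVICE_SPN = "HTTP/olmo.example.com@EXAMPLE.COM";

    public static void main(String[] args) throws Exception {
        System.setProperty("java.security.auth.login.config", "jaas.conf");
        // Kerberos-level tracing (AS-REQ / TGS-REQ) from the JDK itself
        System.setProperty("sun.security.krb5.debug", "true");

        // Step 1: authenticate to the KDC (AS-REQ); this is what the JAAS test above exercises.
        LoginContext lc = new LoginContext(JAAS_CONTEXT);
        lc.login();

        // Step 2: as the logged-in Subject, obtain the service ticket (TGS-REQ)
        // and the initial SPNEGO token that goes into "Authorization: Negotiate ...".
        String header = Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<String>) () -> {
            GSSManager manager = GSSManager.getInstance();
            Oid spnego = new Oid("1.3.6.1.5.5.2"); // SPNEGO mechanism OID
            GSSName serverName = manager.createName(SERVICE_SPN, GSSName.NT_USER_NAME);
            GSSContext context = manager.createContext(serverName, spnego, null,
                    GSSContext.DEFAULT_LIFETIME);
            context.requestMutualAuth(true);
            context.requestCredDeleg(true); // mirrors kbInterceptor.setCredDelegation(true)
            byte[] token = context.initSecContext(new byte[0], 0, 0);
            context.dispose();
            return "Negotiate " + Base64.getEncoder().encodeToString(token);
        });

        // If this prints a token, the KDC side is fine and the remaining difference
        // lies in how the CXF interceptor builds or sends the same header.
        System.out.println("Authorization: " + header);
    }
}
```

Run it with the same jaas.conf and krb5.conf the connector uses; if initSecContext throws, the exception and the krb5kdc.log entry for that request identify the principal or realm the KDC rejected.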