Hi Marco
On 19/03/14 08:44, Marco Di Sabatino Di Diodoro wrote:
Hi Sergey

thanks for your support.
We asked the FreeIPA community to see if there are some incorrect configurations [1].

I'll let you know when we have news.

Sounds good, thanks.

What concerns me is the fact that using CURL to send Kerberos tokens to FreeIPA works, while using WebClient and the Kerberos interceptor does not. I suspect that something in the CXF code might need to be tweaked, or maybe it needs to be reconfigured a bit. The logs you sent last time show that CXF manages to obtain a token but it is really the server which does not accept it. So I think CXF does correctly interact with the Kerberos system, but what appears to be the case is that there is some difference in the way CXF and CURL send tokens.

Can you please run CURL with the -v option and see if you can spot something obvious, compared to the way CXF sends it?

Thanks, Sergey

Thanks
M

[1] https://www.redhat.com/archives/freeipa-devel/2014-March/msg00296.html

On 17 Mar 2014, at 19:10, Sergey Beryozkin <[email protected]> wrote:

Hi
How do you configure it with curl?
In your opinion, what is the difference between the way you set it up in curl and in CXF?

Cheers, Sergey


On 17/03/14 15:53, Marco Di Sabatino Di Diodoro wrote:
Hi,


On 15 Mar 2014, at 13:38, Andrei Shakirin <[email protected]> wrote:

Hi Marco,

I would suggest trying a simple Kerberos login using JAAS directly (with
debug=true); perhaps it helps to spot the problem:

Test code:

import java.io.IOException;
import java.net.URL;
import java.security.Principal;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class JaasLoginTest {

    public static void main(String[] args) {
        // Point JAAS at the jaas.conf shipped on the classpath (contents below)
        URL conf = JaasLoginTest.class.getClassLoader().getResource("jaas.conf");
        System.setProperty("java.security.auth.login.config", conf.toString());

        // Only needed when not using the ticket cache
        CallbackHandler callbackHandler = new CallbackHandler() {

            @Override
            public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
                for (Callback callback : callbacks) {
                    if (callback instanceof NameCallback) {
                        ((NameCallback) callback).setName("alice");
                    }
                    if (callback instanceof PasswordCallback) {
                        ((PasswordCallback) callback).setPassword("clarinet".toCharArray());
                    }
                }
            }
        };

        try {
            // "myContext" must match the entry name in jaas.conf
            LoginContext lc = new LoginContext("myContext", callbackHandler);
            lc.login();
            Subject subject = lc.getSubject();
            Set<Principal> principals = subject.getPrincipals();
            Set<Object> credentials = subject.getPrivateCredentials();
            System.out.println("OK: " + principals);
            System.out.println("OK: " + credentials);
        } catch (LoginException e) {
            e.printStackTrace();
        }
    }
}

jaas.conf:

myContext {
   com.sun.security.auth.module.Krb5LoginModule required
   debug=true
   refreshKrb5Config=true
   useKeyTab=true
   storeKey=true
   keyTab="my.keytab"
   principal="my/services.example.com";
};

If the code works, you will be able to detect what is different in the
AbstractSpnegoAuthSupplier.getToken() code used by
KerberosAuthOutInterceptor.java.

These are the krb5kdc.log entries when connecting with CXF to the FreeIPA server:

mar 17 16:03:10 olmo.tirasa.net krb5kdc[1423](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.176: ISSUE: authtime 1395068590, etypes {rep=18 tkt=18 ses=18}, [email protected] for krbtgt/[email protected]
mar 17 16:03:10 olmo.tirasa.net krb5kdc[1423](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) 192.168.0.176: ISSUE: authtime 1395068590, etypes {rep=18 tkt=18 ses=18}, [email protected] for ldap/[email protected]

If we run with curl:

mar 17 16:14:06 olmo.tirasa.net krb5kdc[1423](info): TGS_REQ (1 etypes {18}) 192.168.0.106: ISSUE: authtime 1395069156, etypes {rep=18 tkt=18 ses=18}, [email protected] for krbtgt/[email protected]
mar 17 16:14:06 olmo.tirasa.net krb5kdc[1423](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.0.106: ISSUE: authtime 1395069156, etypes {rep=18 tkt=18 ses=18}, [email protected] for ldap/[email protected]

I have attached the log file of the test connector. As you can see from
the log, at the beginning we make a login and afterwards a request to the
service, but it returns a 401.

Thanks
M

Regards,
Andrei.

-----Original Message-----
From: Marco Di Sabatino Di Diodoro [mailto:[email protected]]
Sent: Friday, 14 March 2014 17:54
To: [email protected]
Subject: CXF and kerberos authentication

Hi,

I'm a PMC member of Apache Syncope [1].
We are building a new connector bundle for ConnId [2] that needs to
connect to a FreeIPA server.

The connector bundle uses JSON-RPC to communicate with the server, which is
protected by Kerberos.
We followed this guide
(http://cxf.apache.org/docs/jaxrs-kerberos.html) but the
connector does not negotiate with Kerberos:

// clientParameters() and KEYTAB_CONF are defined elsewhere in the connector (not shown)
WebClient wc = WebClient.create("https://olmo.example.com/ipa/json");
WebClient.getConfig(wc).getHttpConduit().setTlsClientParameters(clientParameters());
AuthorizationPolicy policy = new AuthorizationPolicy();
policy.setAuthorizationType("Negotiate");
policy.setAuthorization(KEYTAB_CONF);
KerberosAuthOutInterceptor kbInterceptor = new KerberosAuthOutInterceptor();
kbInterceptor.setPolicy(policy);
kbInterceptor.setRealm("EXAMPLE.COM");
kbInterceptor.setServicePrincipalName("ldap/olmo.example.com");
kbInterceptor.setCredDelegation(true);
WebClient.getConfig(wc).getOutInterceptors().add(kbInterceptor);

I tried a lot of other configurations without success; do you have any
suggestion?

If we run with curl it works.

Regards
M

[1] http://syncope.apache.org/
[2] http://tirasa.github.io/ConnId/

--
Dott. Marco Di Sabatino Di Diodoro
Tel. +39 3939065570

Tirasa S.r.l.
Viale D'Annunzio 267 - 65127 Pescara
Tel +39 0859116307 / FAX +39 0859111173
http://www.tirasa.net

Apache Syncope PMC Member
http://people.apache.org/~mdisabatino/


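Sergey's suggestion at the top of the thread is to compare the Negotiate header that curl -v shows with the one CXF sends. The Python helper below is an added example, not code from the thread, CXF or FreeIPA: it decodes the mechanism OID at the head of the GSS-API token carried in an Authorization: Negotiate header, so the curl and CXF tokens can be compared on that point (a SPNEGO wrapper versus a raw Kerberos V5 token is one plausible difference). The sample tokens and the curl transcript are constructed, and the header-file layout assumed is the RFC 2743 InitialContextToken (tag 0x60, length, mechanism OID, body).

```python
import base64
import re

# GSS-API mechanism OIDs seen at the head of an Authorization: Negotiate token.
KNOWN_MECHS = {"1.3.6.1.5.5.2": "SPNEGO", "1.2.840.113554.1.2.2": "Kerberos V5"}

def _der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def decode_oid(content):
    """Convert DER OBJECT IDENTIFIER content bytes to dotted notation."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def token_mechanism(token_b64):
    """Mechanism OID of an RFC 2743 InitialContextToken (0x60, length, OID TLV, body)."""
    buf = base64.b64decode(token_b64)
    if len(buf) < 2 or buf[0] != 0x60:
        return None                      # not a GSS-API initial token (e.g. NTLM or garbage)
    _, pos = _der_length(buf, 1)
    if buf[pos] != 0x06:
        return None
    oid_len, pos = _der_length(buf, pos + 1)
    return decode_oid(buf[pos:pos + oid_len])

def mech_name(token_b64):
    oid = token_mechanism(token_b64)     # human-readable name, or the raw OID if unknown
    return KNOWN_MECHS.get(oid, oid)

def negotiate_mech_from_curl(curl_verbose):
    """Pick the 'Authorization: Negotiate' request header out of curl -v output."""
    m = re.search(r"^> Authorization: Negotiate (\S+)", curl_verbose, re.M)
    return mech_name(m.group(1)) if m else None

# Constructed sample tokens: a valid InitialContextToken header with a dummy 0xff body.
SPNEGO_TOKEN_B64 = base64.b64encode(bytes.fromhex("6009 0606 2b06 0105 0502 ff")).decode()
KRB5_TOKEN_B64 = base64.b64encode(bytes.fromhex("600c 0609 2a86 4886 f712 0102 02ff")).decode()
# Constructed curl -v transcript; curl prefixes request headers with "> ".
SAMPLE_CURL_V = ("> POST /ipa/json HTTP/1.1\n> Host: olmo.example.com\n"
                 "> Authorization: Negotiate " + SPNEGO_TOKEN_B64 + "\n< HTTP/1.1 200 OK\n")
```

Feed the header value CXF logs for its own request to mech_name() and the curl -v transcript to negotiate_mech_from_curl(); if the two names differ, that is the first difference to chase before looking deeper into the token body.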