On 25 Mar 2014, at 14:47, Andrei Shakirin <[email protected]> wrote:
> Hi Marco,
>
> Curious, does the distilled Java JAAS Kerberos call throw the same error?
Login works for both.
The problem is in the next step, when it has to delegate.
>
> URL conf = JaasLoginTest.class.getClassLoader().getResource("jaas.conf");
> System.setProperty("java.security.auth.login.config", conf.toString());
>
> try {
>     LoginContext lc = new LoginContext("myContext", callbackHandler);
>     lc.login();
>     Subject subject = lc.getSubject();
>     Set<Principal> principals = subject.getPrincipals();
>     Set<Object> credentials = subject.getPrivateCredentials();
>     System.out.println("OK: " + principals);
>     System.out.println("OK: " + credentials);
> } catch (LoginException e) {
>     e.printStackTrace();
> }
> }
>
> Jaas.conf:
>
> myContext {
>     com.sun.security.auth.module.Krb5LoginModule required
>     debug=true
>     refreshKrb5Config=true
>     useKeyTab=true
>     storeKey=true
>     keyTab="my.keytab"
>     principal="my/services.example.com";
> };
>
> Regards,
> Andrei.
Regards
Marco
>
>> -----Original Message-----
>> From: Marco Di Sabatino Di Diodoro [mailto:[email protected]]
>> Sent: Tuesday, 25 March 2014 10:04
>> To: [email protected]
>> Subject: Re: CXF and kerberos authentication
>>
>> Hi Sergey,
>>
>> On 19 Mar 2014, at 10:57, Sergey Beryozkin <[email protected]> wrote:
>>
>>> Hi Marco
>>> On 19/03/14 08:44, Marco Di Sabatino Di Diodoro wrote:
>>>> Hi Sergey
>>>>
>>>> thanks for your support.
>>>> We asked the FreeIPA community to see if there are any incorrect configurations [1].
>>>>
>>>> I'll let you know when we have news.
>>>>
>>> Sounds good, thanks.
>>>
>>> What concerns me is the fact that using CURL to send Kerberos tokens to FreeIPA works, while using WebClient and the Kerberos interceptor does not.
>>> I suspect that something in the CXF code might need to be tweaked, or maybe it needs to be reconfigured a bit.
>>> The logs you sent last time show that CXF manages to obtain a token, but it is really the server which does not accept it. So I think CXF does correctly interact with the Kerberos system, but what appears to be the case is that there is some difference in the way CXF and CURL send tokens.
>>>
>>> Can you please run CURL with the -v option and see if you can spot something obvious, compared to the way CXF sends it?
>>
>> These days we are investigating why the call does not work with the Java client.
>> Our goal is to call a JSON-RPC API protected by Kerberos, so we are calling Apache httpd with mod_auth_kerb. This is our CXF example [1].
>>
>> After the CXF call, I noticed that the httpd log has
>>
>> [Mon Mar 24 19:03:29.402055 2014] [auth_kerb:debug] [pid 10029] src/mod_auth_kerb.c(1724): [client 192.168.0.105:39499] Client didn't delegate us their credential, referer: https://olmo.tirasa.net/ipa
>> [Mon Mar 24 19:03:29.402084 2014] [auth_kerb:debug] [pid 10029] src/mod_auth_kerb.c(1743): [client 192.168.0.105:39499] GSS-API token of length 186 bytes will be sent back, referer: https://olmo.tirasa.net/ipa
>> [Mon Mar 24 19:03:29.402510 2014] [:info] [pid 10029] nss_hook_Auth
>> [Mon Mar 24 19:03:29.402577 2014] [authz_core:debug] [pid 10029] mod_authz_core.c(802): [client 192.168.0.105:39499] AH01626: authorization result of Require valid-user : granted, referer: https://olmo.tirasa.net/ipa
>> [Mon Mar 24 19:03:29.402676 2014] [authz_core:debug] [pid 10029] mod_authz_core.c(802): [client 192.168.0.105:39499] AH01626: authorization result of <RequireAny>: granted, referer: https://olmo.tirasa.net/ipa
>> [Mon Mar 24 19:03:29.403068 2014] [authz_core:debug] [pid 10029] mod_authz_core.c(802): [client 192.168.0.105:39499] AH01626: authorization result of Require all granted: granted, referer: https://olmo.tirasa.net/ipa
>> [Mon Mar 24 19:03:29.403172 2014] [authz_core:debug] [pid 10029] mod_authz_core.c(802): [client 192.168.0.105:39499] AH01626: authorization result of <RequireAny>: granted, referer: https://olmo.tirasa.net/ipa
>> [Mon Mar 24 19:03:29.403908 2014] [:error] [pid 10025] ipa: ERROR: 500 Internal Server Error: jsonserver_kerb.__call__: KRB5CCNAME not defined in HTTP request environment
>> [Mon Mar 24 19:03:29.404844 2014] [headers:debug] [pid 10029] mod_headers.c(845): AH01502: headers: ap_headers_output_filter()
>>
>> Whereas if I do the same call with curl, the httpd log shows
>>
>> [Mon Mar 24 19:14:43.329966 2014] [auth_kerb:debug] [pid 10032] src/mod_auth_kerb.c(1724): [client 192.168.0.105:39504] Client delegated us their credential, referer: https://olmo.tirasa.net/ipa
>> [Mon Mar 24 19:14:43.329977 2014] [auth_kerb:debug] [pid 10032] src/mod_auth_kerb.c(1743): [client 192.168.0.105:39504] GSS-API token of length 156 bytes will be sent back, referer: https://olmo.tirasa.net/ipa
>> [Mon Mar 24 19:14:43.338700 2014] [:info] [pid 10032] nss_hook_Auth
>> [Mon Mar 24 19:14:43.338721 2014] [authz_core:debug] [pid 10032] mod_authz_core.c(802): [client 192.168.0.105:39504] AH01626: authorization result of Require valid-user : granted, referer: https://olmo.tirasa.net/ipa
>> [Mon Mar 24 19:14:43.338726 2014] [authz_core:debug] [pid 10032] mod_authz_core.c(802): [client 192.168.0.105:39504] AH01626: authorization result of <RequireAny>: granted, referer: https://olmo.tirasa.net/ipa
>> [Mon Mar 24 19:14:43.338878 2014] [authz_core:debug] [pid 10032] mod_authz_core.c(802): [client 192.168.0.105:39504] AH01626: authorization result of Require all granted: granted, referer: https://olmo.tirasa.net/ipa
>> [Mon Mar 24 19:14:43.338886 2014] [authz_core:debug] [pid 10032] mod_authz_core.c(802): [client 192.168.0.105:39504] AH01626: authorization result of <RequireAny>: granted, referer: https://olmo.tirasa.net/ipa
>> [Mon Mar 24 19:14:44.371738 2014] [:error] [pid 10024] ipa: INFO: [email protected]: user_find(u'', all=u'true'): SUCCESS
>> [Mon Mar 24 19:14:44.372957 2014] [headers:debug] [pid 10032] mod_headers.c(845): AH01502: headers: ap_headers_output_filter()
>> [Mon Mar 24 19:14:44.375508 2014] [:info] [pid 10032] Connection to child 4 closed (server olmo.tirasa.net:443, client 192.168.0.105)
>>
>> Curl with -v option log:
>>
>> curl -v -H referer:https://olmo.tirasa.net/ipa -H "Content-Type:application/json" -H "Accept:applicaton/json" --negotiate -u : --delegation always --cacert /etc/ipa/ca.crt -d '{"method":"user_find","params":[[""],{"all":"true"}],"id":0}' -X POST https://olmo.tirasa.net/ipa/json
>>
>> * Adding handle: conn: 0xc24ec0
>> * Adding handle: send: 0
>> * Adding handle: recv: 0
>> * Curl_addHandleToPipeline: length: 1
>> * - Conn 0 (0xc24ec0) send_pipe: 1, recv_pipe: 0
>> * About to connect() to olmo.tirasa.net port 443 (#0)
>> *   Trying 192.168.0.106...
>> * Connected to olmo.tirasa.net (192.168.0.106) port 443 (#0)
>> * Initializing NSS with certpath: sql:/etc/pki/nssdb
>> *   CAfile: /etc/ipa/ca.crt
>>   CApath: none
>> * SSL connection using TLS_RSA_WITH_AES_128_CBC_SHA
>> * Server certificate:
>> *       subject: CN=olmo.tirasa.net,O=TIRASA.NET
>> *       start date: mar 13 13:48:58 2014 GMT
>> *       expire date: mar 13 13:48:58 2016 GMT
>> *       common name: olmo.tirasa.net
>> *       issuer: CN=Certificate Authority,O=TIRASA.NET
>> > POST /ipa/json HTTP/1.1
>> > User-Agent: curl/7.32.0
>> > Host: olmo.tirasa.net
>> > referer:https://olmo.tirasa.net/ipa
>> > Content-Type:application/json
>> > Accept:applicaton/json
>> > Content-Length: 60
>> >
>> * upload completely sent off: 60 out of 60 bytes
>> < HTTP/1.1 401 Unauthorized
>> < Date: Tue, 25 Mar 2014 08:17:15 GMT
>> * Server Apache/2.4.7 (Fedora) mod_auth_kerb/5.4 mod_nss/2.4.6 NSS/3.15.3 Basic ECC mod_wsgi/3.4 Python/2.7.5 is not blacklisted
>> < Server: Apache/2.4.7 (Fedora) mod_auth_kerb/5.4 mod_nss/2.4.6 NSS/3.15.3 Basic ECC mod_wsgi/3.4 Python/2.7.5
>> < WWW-Authenticate: Negotiate
>> < Last-Modified: Tue, 28 Jan 2014 08:12:54 GMT
>> < Accept-Ranges: bytes
>> < Content-Length: 1383
>> < Content-Type: text/html; charset=UTF-8
>> <
>> * Ignoring the response-body
>> * Connection #0 to host olmo.tirasa.net left intact
>> * Issue another request to this URL: 'https://olmo.tirasa.net/ipa/json'
>> * Found bundle for host olmo.tirasa.net: 0xc258a0
>> * Re-using existing connection! (#0) with host olmo.tirasa.net
>> * Connected to olmo.tirasa.net (192.168.0.106) port 443 (#0)
>> * Adding handle: conn: 0xc24ec0
>> * Adding handle: send: 0
>> * Adding handle: recv: 0
>> * Curl_addHandleToPipeline: length: 1
>> * - Conn 0 (0xc24ec0) send_pipe: 1, recv_pipe: 0
>> * Server auth using GSS-Negotiate with user ''
>> > POST /ipa/json HTTP/1.1
>> > Authorization: Negotiate YIIE8QYJKoZIhvcSAQICAQBuggTgMIIE3KADAgEFoQMCAQ6iBwMFACAAAACjggFVYYIBUTCCAU2gAwIBBaEMGwpUSVJBU0EuTkVUoiIwIKADAgEBoRkwFxsESFRUUBsPb2xtby50aXJhc2EubmV0o4IBEjCCAQ6gAwIBEqEDAgECooIBAASB/fM6eW0p4pD8wvFfwNLF5R5wq5jjmY4nSCij5Ijom2SFhtxB7GYHIHGmU7/obmkKG2zqW/a7Uw85fLh+lkZJ+z1WjBwNswAOBIQ7+9NaHcOJXGttuyToiqCuUdfm6RndbrZ1e7heIsS9CajEACmOiY5T7hJa2Ld8chN6xHLhbJlqTmcFcRRwHNDA/ehxgGe5xXQg7NZd4LSWbRjsDdS/NlmxY3EPVHZhLn0MCG/sG+b2favQbn9tTfEOU3S5zK47eUNC39e25sN6WkGImGL2d90G0vgnpGFW/DXcqEWH8+wXaVL4fzTR93wkzk56hLhtYvxmjDxOer/6/kXR4z2kggNsMIIDaKADAgESooIDXwSCA1vo49R1NgVJXKb4nhEZAMggkNY+S2SmMgb3m/cc7Hkq6kb+Jz8ClM51SjV5eUYI70dYbp/e8FoZwq5irwfG+s4KKRkhCZX5y8t6cOewU2cp++7J8M8G6GHOw7sm+TOdAQfwsVPWqgHhw69Ih7W48inYazDkyJfr4k9+Vu3IZxjyJBlaF6idV5w8cFK0LuSVrUDtk74MJ+mM08jE0wWONqHcoWD/xYklShavDb0bOvEm7TfvBKYuwsrsGl4ubgphvWcd+DnT/dFjtx583GbiqgSDSbHUEC93C9DIcxnUwqbsMWKDohtsG1dTZp/JfX3yQdoa/lfyn32fIPyP7ucwZWN/hy3JUgizI6WdVR+2z3lqSCG3WIzVAQLYek+SZbQ4gmhOl6SydF7sYlqAjSNoBHSTxB610+pIak/uR2qrqa2VPWlsX8aAKaYrlPSVyckxtTb1G/OFahIZJPA0m/CIYJjFF0E/TnhmkwdPaIHQ5miOVwxDMUL1dBQXO9w1gwCcvbLrt3N43Ogo6DlOGj3Ticst9gZMBXeDPwrnOufB5FZBWtksc9fonyZRyq70c7GOrShwVjqlpG4toZcLRba0kCpggjxmV45o+AedpV9I9fYP8tDV619e1EtDGGKnsSfiRzINqFYA8jlKpSTjVPZNqTPh140bsmqDRQtvSRNfb7ftlLfF+lI7UmCeJB31d6CUQkqr4MV7PO7zAMjji8DSzPgzpjnYAi2Re+kzbJmllEzUQarFMKM9VEmpCO0Q3SKcM64Rw5qRajFwaduQ2oPCe1Mrws++jtxHDvXtm77Rc0NM30uJcriauCj5XYbfMPHnbqHFa+iFB3OtedbU+HAtth2S0IC/47LgoV0GnVLZWU18P0LTtQwiyJ6p/pRpUiMJB8LwjV8eKsZOSnJDFCXN3ulOuC/xEV4/eumQPg9Eq/eYdQH8xoGCUVKiriEfJD9eilYe+fZWJOfwSgHGiddVZqBoAsALjr/snkF8O0oCP2d0YxrBb/xpbLexXEhLw84FtKtthZGsIfEB5JLpeWj/7FDNj3AHWSYq2qg2ajB87p6VTw+eSEspdmPCbn/mzo/IrVr0Iv3RD3tIodcqKWY/sr/VU2YjBKGj/zVbYxOgRf8DohuqOZ4Qglo4dmUi
>> > User-Agent: curl/7.32.0
>> > Host: olmo.tirasa.net
>> > referer:https://olmo.tirasa.net/ipa
>> > Content-Type:application/json
>> > Accept:applicaton/json
>> > Content-Length: 60
>> >
>> * upload completely sent off: 60 out of 60 bytes
>> < HTTP/1.1 200 Success
>> < Date: Tue, 25 Mar 2014 08:17:15 GMT
>> * Server Apache/2.4.7 (Fedora) mod_auth_kerb/5.4 mod_nss/2.4.6 NSS/3.15.3 Basic ECC mod_wsgi/3.4 Python/2.7.5 is not blacklisted
>> < Server: Apache/2.4.7 (Fedora) mod_auth_kerb/5.4 mod_nss/2.4.6 NSS/3.15.3 Basic ECC mod_wsgi/3.4 Python/2.7.5
>> < WWW-Authenticate: Negotiate YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvc4GoDMzW+ZiPr3J9m2XX/cQl2kVjQBeSNfBy89lI/xnvdDcEArVUOTNJeaKKaGR4W/Tv0op0ZUsVw8M7UHu+tmndta9kYG4WAORN6RHGPL4ww8br/oFtCUAcretWQzkfeOMMHrYjQfvFl3GkjUJs
>> < Vary: Accept-Encoding
>> < Transfer-Encoding: chunked
>> < Content-Type: application/json; charset=utf-8
>> <
>> {
>>     "error": null,
>>     "id": 0,
>>     "principal": "[email protected]",
>>     "result": {
>>         "count": 1,
>>         "messages": [
>>             {
>>                 "code": 13001,
>>                 "message": "API Version number was not sent, forward compatibility not guaranteed. Assuming server's API version, 2.65",
>>                 "name": "VersionMissing",
>>                 "type": "warning"
>>             }
>>         ],
>>         "result": [
>>             {
>>                 "cn": [
>>                     "Administrator"
>>                 ],
>>                 "dn": "uid=admin,cn=users,cn=accounts,dc=tirasa,dc=net",
>>                 "gecos": [
>>                     "Administrator"
>>                 ],
>>                 "gidnumber": [
>>                     "163600000"
>>                 ],
>>                 "has_keytab": true,
>>                 "has_password": true,
>>                 "homedirectory": [
>>                     "/home/admin"
>>                 ],
>>                 "ipauniqueid": [
>>                     "a524777e-aab5-11e3-bd11-080027e7a744"
>>                 ],
>>                 "krbextradata": [
>>                     {
>>                         "__base64__": "AALItyFTcm9vdC9hZG1pbkBUSVJBU0EuTkVUAA=="
>>                     }
>>                 ],
>>                 "krblastpwdchange": [
>>                     "20140313135104Z"
>>                 ],
>>                 "krblastsuccessfulauth": [
>>                     "20140325081717Z"
>>                 ],
>>                 "krbpasswordexpiration": [
>>                     "20140611135104Z"
>>                 ],
>>                 "krbprincipalname": [
>>                     "[email protected]"
>>                 ],
>>                 "loginshell": [
>>                     "/bin/bash"
>>                 ],
>>                 "memberof_group": [
>>                     "admins",
>>                     "trust admins"
>>                 ],
>>                 "nsaccountlock": false,
>>                 "objectclass": [
>>                     "top",
>>                     "person",
>>                     "posixaccount",
>>                     "krbprincipalaux",
>>                     "krbticketpolicyaux",
>>                     "inetuser",
>>                     "ipaobject",
>>                     "ipasshuser",
>>                     "ipaSshGroupOfPubKeys"
>>                 ],
>>                 "sn": [
>>                     "Administrator"
>>                 ],
>>                 "uid": [
>>                     "admin"
>>                 ],
>>                 "uidnumber": [
>>                     "163600000"
>>                 ]
>>             }
>>         ],
>>         "summary": "1 user matched",
>>         "truncated": false
>>     },
>>     "version": "3.3.4"
>> }
>> * Connection #0 to host olmo.tirasa.net left intact
>>
>> What do you think? Any suggestions?
>> M
>>
>> [1] https://github.com/massx1/KerberosExample/blob/master/src/main/java/net/tirasa/kerberosexample/CXFClient.java
>>
>>>
>>> Thanks, Sergey
>>>
>>>
>>>
>>>> Thanks
>>>> M
>>>>
>>>> [1] https://www.redhat.com/archives/freeipa-devel/2014-March/msg00296.html
>>>>
>>>> On 17 Mar 2014, at 19:10, Sergey Beryozkin <[email protected]> wrote:
>>>>
>>>>> Hi
>>>>> How do you configure it with curl ?
>>>>> In your opinion, what is the difference between the way you set it up in curl and in CXF?
>>>>>
>>>>> Cheers, Sergey
>>>>>
>>>>>
>>>>>
>>>>> On 17/03/14 15:53, Marco Di Sabatino Di Diodoro wrote:
>>>>>> Hi,
>>>>>>
>>>>>>
>>>>>> On 15 Mar 2014, at 13:38, Andrei Shakirin <[email protected]> wrote:
>>>>>>
>>>>>>> Hi Marco,
>>>>>>>
>>>>>>> I would suggest trying a simple Kerberos login using JAAS directly
>>>>>>> (with debug=true); perhaps it helps to spot the problem:
>>>>>>>
>>>>>>> Test code:
>>>>>>>
>>>>>>> import java.io.IOException;
>>>>>>> import java.net.URL;
>>>>>>> import java.security.Principal;
>>>>>>> import java.util.Set;
>>>>>>> import javax.security.auth.Subject;
>>>>>>> import javax.security.auth.callback.Callback;
>>>>>>> import javax.security.auth.callback.CallbackHandler;
>>>>>>> import javax.security.auth.callback.NameCallback;
>>>>>>> import javax.security.auth.callback.PasswordCallback;
>>>>>>> import javax.security.auth.callback.UnsupportedCallbackException;
>>>>>>> import javax.security.auth.login.LoginContext;
>>>>>>> import javax.security.auth.login.LoginException;
>>>>>>>
>>>>>>> public class JaasLoginTest {
>>>>>>>     public static void main(String[] args) {
>>>>>>>         // Point JAAS at the jaas.conf found on the classpath
>>>>>>>         URL conf = JaasLoginTest.class.getClassLoader().getResource("jaas.conf");
>>>>>>>         System.setProperty("java.security.auth.login.config", conf.toString());
>>>>>>>
>>>>>>>         // Only needed when not using the ticket cache
>>>>>>>         CallbackHandler callbackHandler = new CallbackHandler() {
>>>>>>>             @Override
>>>>>>>             public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
>>>>>>>                 for (Callback callback : callbacks) {
>>>>>>>                     if (callback instanceof NameCallback) {
>>>>>>>                         ((NameCallback) callback).setName("alice");
>>>>>>>                     }
>>>>>>>                     if (callback instanceof PasswordCallback) {
>>>>>>>                         ((PasswordCallback) callback).setPassword("clarinet".toCharArray());
>>>>>>>                     }
>>>>>>>                 }
>>>>>>>             }
>>>>>>>         };
>>>>>>>
>>>>>>>         try {
>>>>>>>             LoginContext lc = new LoginContext("myContext", callbackHandler);
>>>>>>>             lc.login();
>>>>>>>             Subject subject = lc.getSubject();
>>>>>>>             Set<Principal> principals = subject.getPrincipals();
>>>>>>>             Set<Object> credentials = subject.getPrivateCredentials();
>>>>>>>             System.out.println("OK: " + principals);
>>>>>>>             System.out.println("OK: " + credentials);
>>>>>>>         } catch (LoginException e) {
>>>>>>>             e.printStackTrace();
>>>>>>>         }
>>>>>>>     }
>>>>>>> }
>>>>>>>
>>>>>>> Jaas.conf:
>>>>>>>
>>>>>>> myContext {
>>>>>>>     com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>     debug=true
>>>>>>>     refreshKrb5Config=true
>>>>>>>     useKeyTab=true
>>>>>>>     storeKey=true
>>>>>>>     keyTab="my.keytab"
>>>>>>>     principal="my/services.example.com";
>>>>>>> };
>>>>>>>
>>>>>>> If the code works, you will be able to detect what is different with the
>>>>>>> AbstractSpnegoAuthSupplier.getToken() code used from KerberosAuthOutInterceptor.java.
>>>>>>
>>>>>> These are the krb5kdc.log entries when connecting with CXF to the FreeIPA server:
>>>>>>
>>>>>> mar 17 16:03:10 olmo.tirasa.net krb5kdc[1423](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.176: ISSUE: authtime 1395068590, etypes {rep=18 tkt=18 ses=18}, [email protected] for krbtgt/[email protected]
>>>>>> mar 17 16:03:10 olmo.tirasa.net krb5kdc[1423](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) 192.168.0.176: ISSUE: authtime 1395068590, etypes {rep=18 tkt=18 ses=18}, [email protected] for ldap/[email protected]
>>>>>>
>>>>>> If we run with curl:
>>>>>>
>>>>>> mar 17 16:14:06 olmo.tirasa.net krb5kdc[1423](info): TGS_REQ (1 etypes {18}) 192.168.0.106: ISSUE: authtime 1395069156, etypes {rep=18 tkt=18 ses=18}, [email protected] for krbtgt/[email protected]
>>>>>> mar 17 16:14:06 olmo.tirasa.net krb5kdc[1423](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.0.106: ISSUE: authtime 1395069156, etypes {rep=18 tkt=18 ses=18}, [email protected] for ldap/[email protected]
>>>>>>
>>>>>> I have attached the log file of the test connector. As you can see from the log,
>>>>>> at the beginning we perform a login and then a request to the service, but it returns a 401.
>>>>>>
>>>>>> Thanks
>>>>>> M
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>>
>>>>>>> Regards,
>>>>>>> Andrei.
>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: Marco Di Sabatino Di Diodoro [mailto:[email protected]]
>>>>>>>> Sent: Friday, 14 March 2014 17:54
>>>>>>>> To: [email protected]
>>>>>>>> Subject: CXF and kerberos authentication
>>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I'm a PMC member of Apache Syncope [1].
>>>>>>>> We are building a new connector bundle for ConnId [2] that needs to connect to a FreeIPA server.
>>>>>>>>
>>>>>>>> The connector bundle uses JSON-RPC to communicate with the server, which is protected by Kerberos.
>>>>>>>> We followed this guide (http://cxf.apache.org/docs/jaxrs-kerberos.html), but the connector does not negotiate with Kerberos:
>>>>>>>>
>>>>>>>> WebClient wc = WebClient.create("https://olmo.example.com/ipa/json");
>>>>>>>> WebClient.getConfig(wc).getHttpConduit().setTlsClientParameters(clientParameters());
>>>>>>>> AuthorizationPolicy policy = new AuthorizationPolicy();
>>>>>>>> policy.setAuthorizationType("Negotiate");
>>>>>>>> policy.setAuthorization(KEYTAB_CONF);
>>>>>>>> KerberosAuthOutInterceptor kbInterceptor = new KerberosAuthOutInterceptor();
>>>>>>>> kbInterceptor.setPolicy(policy);
>>>>>>>> kbInterceptor.setRealm("EXAMPLE.COM");
>>>>>>>> kbInterceptor.setServicePrincipalName("ldap/olmo.example.com");
>>>>>>>> kbInterceptor.setCredDelegation(true);
>>>>>>>> WebClient.getConfig(wc).getOutInterceptors().add(kbInterceptor);
>>>>>>>>
>>>>>>>> I tried a lot of other configurations without success; do you have any suggestion?
>>>>>>>>
>>>>>>>> If we run with curl it works.
>>>>>>>>
>>>>>>>> Regards
>>>>>>>> M
>>>>>>>>
>>>>>>>> [1] http://syncope.apache.org/
>>>>>>>> [2] http://tirasa.github.io/ConnId/
>>>>>>>>
--
Dott. Marco Di Sabatino Di Diodoro
Tel. +39 3939065570
Tirasa S.r.l.
Viale D'Annunzio 267 - 65127 Pescara
Tel +39 0859116307 / FAX +39 0859111173
http://www.tirasa.net
Apache Syncope PMC Member
http://people.apache.org/~mdisabatino/
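Added example for this thread; it is not code from the thread, from CXF or from FreeIPA. The httpd log above pins the failure to delegation: mod_auth_kerb's "Client didn't delegate us their credential" means the AP-REQ carried no forwarded TGT, so the module never stored a credential cache or exported its path as KRB5CCNAME, and FreeIPA's jsonserver_kerb, which needs that cache to act as the user, answers with the 500. In JGSS, requestCredDeleg(true) (the request behind CXF's setCredDelegation(true)) is honoured only when the TGT in the Subject is forwardable; otherwise the flag is cleared without an error and getCredDelegState() returns false after initSecContext(). When delegation does happen the client first fetches a forwarded TGT, which is the TGS_REQ for krbtgt/[email protected] visible in the curl KDC log quoted earlier and absent from the CXF one. The standalone Java 8 client below (no CXF) logs in from the ticket cache, builds a plain Kerberos token with delegation, refuses to send it if the flag was dropped, and posts the same JSON-RPC call as the curl command. The hostname ipa.example.com, the Referer value, the SPN HTTP/ipa.example.com (mod_auth_kerb's default service name) and an IPA CA certificate already present in the JVM truststore are assumptions of this example.

```java
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;

import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/**
 * Example client (not CXF code): calls the FreeIPA JSON-RPC endpoint with a Kerberos token
 * that carries forwarded credentials, i.e. what "curl --negotiate --delegation always" sends.
 * Needs a reachable KDC and a ticket cache filled by "kinit -f" (forwardable TGT).
 */
public class IpaDelegatedCall {

    // Assumptions for this example: adjust host, Referer and SPN to the real deployment.
    static final String IPA_JSON = "https://ipa.example.com/ipa/json";
    static final String REFERER = "https://ipa.example.com/ipa";  // FreeIPA rejects requests without a Referer
    static final String SPN = "HTTP@ipa.example.com";             // host-based form of HTTP/ipa.example.com
    static final String KRB5_MECH_OID = "1.2.840.113554.1.2.2";   // plain Kerberos V5, the mech in curl's token

    /** JAAS configuration in code: take the TGT from the ticket cache, never prompt for a password. */
    static Configuration ticketCacheConfig() {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, String> opts = new HashMap<>();
                opts.put("useTicketCache", "true");
                opts.put("doNotPrompt", "true");
                opts.put("debug", "true");
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        "com.sun.security.auth.module.Krb5LoginModule",
                        LoginModuleControlFlag.REQUIRED, opts) };
            }
        };
    }

    /** Builds the initial AP-REQ token with delegation requested; fails loudly if JGSS dropped the flag. */
    static byte[] delegatingToken() throws GSSException {
        Oid krb5 = new Oid(KRB5_MECH_OID);
        GSSManager mgr = GSSManager.getInstance();
        GSSName server = mgr.createName(SPN, GSSName.NT_HOSTBASED_SERVICE, krb5);
        GSSContext ctx = mgr.createContext(server, krb5, null, GSSContext.DEFAULT_LIFETIME);
        ctx.requestCredDeleg(true);   // the request behind CXF's setCredDelegation(true)
        ctx.requestMutualAuth(true);
        byte[] token = ctx.initSecContext(new byte[0], 0, 0);
        // JGSS forwards credentials only when the TGT is forwardable; otherwise it clears the flag
        // silently and mod_auth_kerb later logs "Client didn't delegate us their credential".
        if (!ctx.getCredDelegState()) {
            throw new IllegalStateException("delegation requested but not granted: "
                    + "obtain a forwardable TGT (kinit -f, or forwardable = true in krb5.conf)");
        }
        return token;
    }

    /** One JSON-RPC POST with a preemptive "Authorization: Negotiate" header; returns status and body. */
    static String callIpa(byte[] token, String jsonRpc) throws Exception {
        HttpURLConnection c = (HttpURLConnection) new URL(IPA_JSON).openConnection();
        c.setRequestMethod("POST");
        c.setDoOutput(true);
        c.setRequestProperty("Authorization", "Negotiate " + Base64.getEncoder().encodeToString(token));
        c.setRequestProperty("Referer", REFERER);
        c.setRequestProperty("Content-Type", "application/json");
        c.setRequestProperty("Accept", "application/json");
        try (OutputStream out = c.getOutputStream()) {
            out.write(jsonRpc.getBytes(StandardCharsets.UTF_8));
        }
        int status = c.getResponseCode();
        ByteArrayOutputStream body = new ByteArrayOutputStream();
        try (InputStream in = status < 400 ? c.getInputStream() : c.getErrorStream()) {
            byte[] chunk = new byte[4096];
            for (int n; in != null && (n = in.read(chunk)) > 0; ) body.write(chunk, 0, n);
        }
        return status + " " + body.toString("UTF-8");
    }

    public static void main(String[] args) throws Exception {
        Configuration.setConfiguration(ticketCacheConfig());
        LoginContext lc = new LoginContext("ipa-client");   // entry name is ignored by ticketCacheConfig()
        lc.login();
        // The Kerberos mechanism takes the TGT from the Subject of the calling thread, hence doAs.
        String reply = Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<String>) () ->
                callIpa(delegatingToken(), "{\"method\":\"user_find\",\"params\":[[\"\"],{\"all\":\"true\"}],\"id\":0}"));
        System.out.println(reply);
    }
}
```

Run it after kinit -f (klist -f must show the F flag on the krbtgt entry) with -Djavax.net.ssl.trustStore pointing at a keystore that contains the IPA CA. The JDK's Krb5LoginModule reads only FILE: credential caches, so on a host whose krb5.conf defaults to a KEYRING cache, export KRB5CCNAME=FILE:/tmp/krb5cc_test before kinit. If the IllegalStateException fires, the problem is on the Kerberos side (the TGT is not forwardable) and no change to the HTTP client or interceptor will make mod_auth_kerb see a delegated credential.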