Thank you Colm.
I finally came up with a solution.
CXF provides KerberosAuthenticationFilter but it seems there is a bug in
CXF 3.0.1 raising a NullPointerException. Switching to CXF 3.0.8 fixed the
issue.
1) I declared this filter in beans.xml:

    <bean id="kerberosFilter"
          class="org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter">
        <property name="loginContextName" value="mycontext"/>
        <property name="servicePrincipalName"
                  value="HTTP/[email protected]"/>
    </bean>

2) and added a reference in the endpoint definition (still in beans.xml):

    <jaxrs:server address="/">
        <jaxrs:serviceBeans>
            <ref bean="bean1" />
            <ref bean="bean2" />
            <ref bean="bean3" />
        </jaxrs:serviceBeans>
        <jaxrs:providers>
            <ref bean="someProvider" />
            <ref bean="someExceptionMappper" />
            <ref bean="kerberosFilter" />
        </jaxrs:providers>
    </jaxrs:server>

3) Add JAAS configuration file jaas.conf in Tomcat configuration path
($CATALINA_HOME/conf/):

    mycontext {
        com.sun.security.auth.module.Krb5LoginModule required
        doNotPrompt=true
        principal="HTTP/[email protected]"
        useKeyTab=true
        keyTab="/path/to/keytab/HTTP-serviceprincipal.keytab"
        debug=true
        storeKey=true;
    };

I hope it helps.
Regards,
Ramzi
2016-02-11 17:49 GMT+01:00 Colm O hEigeartaigh <[email protected]>:
> There is a system test available here that might help:
>
>
> https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=systests/kerberos;h=0e112288e0238456ed6f3a6a8154442c0a56070e;hb=HEAD
>
> Specifically:
>
>
> https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=systests/kerberos/src/test/java/org/apache/cxf/systest/kerberos/jaxrs/kerberos;h=1b250c35ff03adaa506d1544a2aaaf06620325bc;hb=HEAD
>
> Colm.
>
> On Thu, Feb 11, 2016 at 4:45 PM, Ramzi Oueslati <[email protected]>
> wrote:
>
> > Having a hard time trying to protect an existing CXF JAX-RS service with
> > Kerberos authentication.
> >
> > I went through what seems to be the reference documentation :
> > http://cxf.apache.org/docs/jaxrs-kerberos.html but it did not help much.
> >
> > I'm actually trying to configure Tomcat+CXF to reproduce this kind of
> > Apache configuration (which works) :
> >
> > <Directory /var/www/>
> >     AuthType Kerberos
> >     KrbServiceName HTTP/fqdn@realm
> >     Krb5Keytab /path/to/file.keytab
> >     Require valid-user
> > </Directory>
> >
> > *jaas.conf* and *krb5.conf* were configured. The
> > *KerberosAuthenticationFilter* was declared and referenced in CXF
> > configuration as well. But I could not even reach the point where I get a
> > 401 Forbidden status code.
> >
> > I am stuck. Any help would be very much appreciated.
> > Ramzi
> >
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>
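
A stand-alone check of the JAAS entry from step 3, added here as an example; it is not part of the original messages and not CXF code. It logs in through the `mycontext` entry from the keytab alone, so keytab, principal and KDC problems can be separated from the filter configuration. The class and method names are hypothetical, and it assumes the JVM is started with -Djava.security.auth.login.config pointing at jaas.conf and can locate krb5.conf.

```java
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// Added example: class and method names are hypothetical, not CXF code.
public class JaasKeytabCheck {

    // Runs the login modules of the named JAAS entry (the one the filter's
    // loginContextName refers to) and returns the authenticated Subject.
    static Subject login(String contextName) throws LoginException {
        // No CallbackHandler: the entry sets doNotPrompt=true and must
        // authenticate from the keytab alone.
        LoginContext lc = new LoginContext(contextName);
        lc.login();
        return lc.getSubject();
    }

    // Returns the first HTTP/ service principal held by the subject, or null.
    static String httpPrincipal(Subject subject) {
        for (KerberosPrincipal p : subject.getPrincipals(KerberosPrincipal.class)) {
            if (p.getName().startsWith("HTTP/")) {
                return p.getName();
            }
        }
        return null;
    }

    public static void main(String[] args) {
        String contextName = args.length > 0 ? args[0] : "mycontext";
        try {
            String spn = httpPrincipal(login(contextName));
            if (spn == null) {
                System.err.println("Login succeeded but no HTTP/ principal was found");
                System.exit(2);
            }
            System.out.println("Login OK as " + spn);
        } catch (LoginException e) {
            // Wrong principal, unreadable keytab, missing entry, KDC or krb5.conf problem.
            System.err.println("JAAS login failed: " + e.getMessage());
            System.exit(1);
        } catch (SecurityException e) {
            // Thrown when no JAAS configuration can be located at all.
            System.err.println("No JAAS configuration loaded: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Run it as the account Tomcat runs under so that keytab file permissions are exercised the same way. With debug=true in the entry, Krb5LoginModule prints its steps to standard output, which helps when reading a failure.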