I'm not sure to be honest, probably you will need to subclass
WSS4JInInterceptor to get it to work. 3.3.0 should be out soon if you can
wait for that.

Colm.

On Tue, Jan 15, 2019 at 8:24 AM Burkard Stephan <[email protected]>
wrote:

> Great, thank you very much!
>
> For CXF < 3.3, is there something like a NOOP action or an action one can
> "misuse" to get around this?
>
> Regards
> Stephan
>
>
> -----Original Message-----
> From: Colm O hEigeartaigh <[email protected]>
> Sent: Wednesday, January 9, 2019 12:58
> To: Burkard Stephan <[email protected]>
> Cc: [email protected]
> Subject: Re: Validate Kerberos token in CXF webservice
>
> Sorry for the delay on this. I fixed this in
> https://issues.apache.org/jira/browse/CXF-7939 so that you can omit the
> "action" String in WSS4JInInterceptor, when the "ignoreActions" property is
> true. You can take a look at the test-case I added here to see how it works:
>
>
> https://github.com/apache/cxf/commit/976ecb5f43bd873d01e07078194636a99e812906
>
> Colm.
>
> On Mon, Dec 17, 2018 at 4:12 PM Burkard Stephan <[email protected]> wrote:
>
> > Thanks for the hints!
> >
> > Currently there is no token at all. As a first step I want the service
> > to reject the request because it has no authentication info.
> >
> > I tried to set setIgnoreActions(true) as well as the validatorMap, but
> > I still get (as before) <faultstring>No security action was
> > defined!</faultstring>
> >
> >
> > I found the reason for that in WSS4JInInterceptor, in the method
> > "handleMessageInternal". There is a method call to
> > "getAction(SoapMessage msg, SoapVersion version)" and this method does
> > not respect the "ignoreActions" flag.
> >
> > Is there something like a NOOP action I can define for such a case?
> > Or do you mean in your answer that I have to extend WSS4JInInterceptor
> > to get this working?
> >
> > Thanks
> > Stephan
> >
> >
> > -----Original Message-----
> > From: Colm O hEigeartaigh <[email protected]>
> > Sent: Monday, December 17, 2018 15:04
> > To: [email protected]
> > Subject: Re: Validate Kerberos token in CXF webservice
> >
> > Is it the case that only a KerberosToken encoded as a
> > BinarySecurityToken is in the security header? Or are there signatures
> > etc. in there as well?
> > If (a), then you could try specifying setIgnoreActions(true) on
> > WSS4JInInterceptor. It should process the security header, but won't
> > actually verify that any action was performed. So in this case you'd
> > need to write a custom interceptor to make sure that you actually
> > processed a Kerberos Token.
> >
> > You'll also need to set the "validatorMap" property on the
> > WSS4JInInterceptor properties object, so that the
> > kerberosTokenValidator validates the BinarySecurityToken.
> >
> > Colm.
> >
> > On Mon, Dec 10, 2018 at 1:23 PM Burkard Stephan <[email protected]> wrote:
> >
> > > Hi CXF users
> > >
> > > I want to implement a CXF webservice that validates a Kerberos token
> > > with plain WS-Security (not Policy) from the client.
> > >
> > > I found the following article, but it is done with WS-SecurityPolicy:
> > >
> > > http://coheigea.blogspot.com/2011/10/using-kerberos-with-web-services-part-i.html
> > >
> > >
> > >
> > > However, I was able to adapt some things from it. I have a
> > > "kerberos.jaas" file that is passed to the webservice (Spring-Boot) as
> > > "java.security.auth.login.config" and has the following content
> > >
> > > myContext {
> > >     com.sun.security.auth.module.Krb5LoginModule required
> > >     refreshKrb5Config=true useKeyTab=true storeKey=true
> > >     keyTab="path\to\keytab\file.keytab"
> > >     principal="HTTP/myService@Realm";
> > > };
> > >
> > > In the Spring configuration I have this Bean
> > >
> > >     @Bean
> > >     public KerberosTokenValidator kerberosTokenValidator() {
> > >         KerberosTokenValidator validator = new KerberosTokenValidator();
> > >         validator.setContextName("myContext");
> > >         validator.setServiceName("myService");
> > >         return validator;
> > >     }
> > >
> > > And the webservice endpoint is configured with the validator and the
> > > JAAS context name:
> > >
> > >
> > >     factory.getProperties().put(SecurityConstants.BST_TOKEN_VALIDATOR,
> > >         kerberosTokenValidator);
> > >     factory.getProperties().put(SecurityConstants.KERBEROS_JAAS_CONTEXT_NAME,
> > >         "myContext");
> > >
> > >
> > >
> > > All this has of course no effect at all because there is no WSS4J
> > > In-Interceptor that triggers the WS-Security processing.
> > >
> > >     @Bean
> > >     public WSS4JInInterceptor wss4JInInterceptor() {
> > >         Map<String, Object> properties = new HashMap<>();
> > >         properties.put(WSHandlerConstants.ACTION, >>> ??? <<<);
> > >         return new WSS4JInInterceptor(properties);
> > >     }
> > >
> > > But I did not find what WSS4J action is needed to configure the
> > > Kerberos validation. The action "KERBEROS_TOKEN" seems to add a
> > > token, so it is the opposite of what I want.
> > >
> > > Thanks for any help
> > > Stephan
> > >
> >
> > --
> > Colm O hEigeartaigh
> >
> > Talend Community Coder
> > http://coders.talend.com
> >
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
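
The approach discussed in this thread (ignoreActions plus a validator map, followed by a custom interceptor that insists a Kerberos token was really processed), sketched as an added example that is not part of the original messages or of CXF itself. It assumes CXF 3.3.0 or later with WSS4J 2.2.x package names; the class name `RequireKerberosTokenInterceptor` and the helper `wss4jIn` are hypothetical.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.apache.cxf.binding.soap.SoapFault;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.binding.soap.interceptor.AbstractSoapInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
import org.apache.wss4j.dom.handler.WSHandlerConstants;
import org.apache.wss4j.dom.handler.WSHandlerResult;
import org.apache.wss4j.dom.message.token.KerberosSecurity;
import org.apache.wss4j.dom.validate.Validator;

/** Hypothetical interceptor: rejects requests without a validated Kerberos BST. */
public class RequireKerberosTokenInterceptor extends AbstractSoapInterceptor {
    public RequireKerberosTokenInterceptor() {
        super(Phase.PRE_PROTOCOL);
        addAfter(WSS4JInInterceptor.class.getName()); // run once WSS4J results exist
    }

    // Hypothetical helper: no "action" string, needs the CXF-7939 fix (3.3.0+).
    public static WSS4JInInterceptor wss4jIn(Validator kerberosTokenValidator) {
        Map<String, Object> props = new HashMap<>();
        props.put(WSS4JInInterceptor.VALIDATOR_MAP,
                  Collections.singletonMap(WSConstants.BINARY_TOKEN, kerberosTokenValidator));
        WSS4JInInterceptor in = new WSS4JInInterceptor(props);
        in.setIgnoreActions(true); // header is processed, but no action is enforced
        return in;
    }

    @Override
    public void handleMessage(SoapMessage message) {
        @SuppressWarnings("unchecked")
        List<WSHandlerResult> results =
            (List<WSHandlerResult>) message.get(WSHandlerConstants.RECV_RESULTS);
        if (results != null) {
            for (WSHandlerResult handlerResult : results) {
                for (WSSecurityEngineResult r : handlerResult.getResults()) {
                    Object bst = r.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
                    Object ok = r.get(WSSecurityEngineResult.TAG_VALIDATED_TOKEN);
                    if (bst instanceof KerberosSecurity && Boolean.TRUE.equals(ok)) return;
                }
            }
        }
        // No security header, or no Kerberos token that went through the validator.
        throw new SoapFault("A validated Kerberos token is required",
                            message.getVersion().getSender());
    }
}
```

Both interceptors have to be registered on the endpoint's in-interceptor chain; with ignoreActions set, a request with no security header passes WSS4JInInterceptor and is only rejected by the second one.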
