Hi Christian,
I cannot confirm that the change will work with every server. My JBoss 4.5.1
(+jboss negotiation module) uses SPNEGO as application-policy. Therefore I need
the SPNEGO_OID.
I would go with your suggestion to use an option for switching between kerberos
and spnego uid.
Maybe something like this:

    public class AuthorizationPolicy {
        @XmlElement(name = "UserName")
        protected String userName;
        @XmlElement(name = "Password")
        protected String password;
        @XmlElement(name = "AuthorizationType")
        protected String authorizationType;
        @XmlElement(name = "Authorization")
        protected String authorization;
        // Proposed new field: mechanism OID to request (Kerberos or SPNEGO)
        @XmlElement(name = "AuthorizationOid")
        protected String authorizationOid;
        ...
    }

    public class SpnegoAuthSupplier implements HttpAuthSupplier {
        public static final String KERBEROS_OID = "1.2.840.113554.1.2.2";
        public static final String SPNEGO_OID = "1.3.6.1.5.5.2";
        ....
        private byte[] getToken(AuthorizationPolicy proxyAuthPolicy, String spn)
                throws GSSException, LoginException {
            GSSManager manager = GSSManager.getInstance();
            GSSName serverName = manager.createName(spn, null);
            // TODO Is it correct to use kerberos oid instead of spnego here?
            Oid oid = new Oid(proxyAuthPolicy.getAuthorizationOid());
            ...
        }
    }

and then use:

    HTTPConduit systemConduit = (HTTPConduit) systemClient.getConduit();
    AuthorizationPolicy systemAuthPol = new AuthorizationPolicy();
    systemAuthPol.setAuthorizationType("Negotiate");
    systemAuthPol.setAuthorizationOid(SpnegoAuthSupplier.SPNEGO_OID);
    systemConduit.setAuthorization(systemAuthPol);

Aris
-------- Original Message --------
> Date: Fri, 06 May 2011 13:31:03 +0200
> From: Christian Schneider <[email protected]>
> To: [email protected]
> Subject: Re: CXF 2.4 - Kerberos SpnegoAuthSupplier - Message content from
> Soap Response is null
> Hi Aris,
>
> thanks for the hard work.
>
> A question. Can you confirm that the current cxf 2.4.0 code does not
> work and that the change to Spnego OID works?
>
> When I did the code I read that some servers work with OID spnego and
> others with OID kerberos. So I am not sure if the change is good for
> everyone.
>
> In case we need both we will have to create an option to toggle it.
>
> Christian
>
>
> On 06.05.2011 12:08, Aris Tsaklidis wrote:
> > Found the problem.
> >
> > I already mentioned that my old code was similar to the cxf 2.4 code. I
> > kinda realized that with adding the AuthorizationType in my code I made
> > HTTPConduit call SpnegoAuthSupplier in the send process. So my kerberos
> > ticket was overwritten by the SpnegoAuthSupplier. So basically there had
> > to be some error in the SpnegoAuthSupplier.
> >
> > So I kinda compared my code with the SpnegoAuthSupplier and realized
> > that I used the SPNEGO OID and cxf 2.4 used KERBEROS OID. I changed the
> > SpnegoAuthSupplier and built the transport project. Updated my
> > workbench and it worked.
> >
> > created a ticket with the working source code attached
> >
> > https://issues.apache.org/jira/browse/CXF-3496
> >
>
> --
> Christian Schneider
> http://www.liquid-reality.de
>
> CXF and Camel Architect
>
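
Added example, not part of the original thread and not CXF code: when a server rejects a Negotiate header, decoding the token shows whether the client announced the SPNEGO OID or the Kerberos OID discussed above. The class name and the sample byte arrays are constructed for illustration; the parsing assumes the standard GSS-API initial-token framing (tag 0x60, DER length, mechanism OID).

```java
import java.util.Arrays;
import java.util.Base64;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.Oid;

public class NegotiateMechInspector { // hypothetical name, not a CXF class
    static final String KERBEROS_OID = "1.2.840.113554.1.2.2"; // value quoted in the thread
    static final String SPNEGO_OID = "1.3.6.1.5.5.2";          // value quoted in the thread

    // Layout of a GSS-API initial token: 0x60, DER length, mechanism OID (tag 0x06), inner token.
    static Oid mechOf(byte[] t) throws GSSException {
        if (t.length < 4 || t[0] != 0x60) {
            throw new IllegalArgumentException("no GSS-API framing (tag 0x60) found");
        }
        int pos = 2;
        if ((t[1] & 0xff) > 0x80) pos += t[1] & 0x7f; // long-form length: skip extra octets
        if (pos + 2 > t.length || t[pos] != 0x06 || t[pos + 1] < 0
                || pos + 2 + t[pos + 1] > t.length) {
            throw new IllegalArgumentException("mechanism OID missing or truncated");
        }
        // Oid(byte[]) expects the full DER encoding, tag and length included.
        return new Oid(Arrays.copyOfRange(t, pos, pos + 2 + t[pos + 1]));
    }

    static String classify(String headerValue) {
        try {
            String b64 = headerValue.replaceFirst("(?i)^Negotiate\\s+", "").trim();
            String oid = mechOf(Base64.getDecoder().decode(b64)).toString();
            if (SPNEGO_OID.equals(oid)) return "SPNEGO";
            if (KERBEROS_OID.equals(oid)) return "raw Kerberos";
            return "other mechanism " + oid;
        } catch (IllegalArgumentException | GSSException e) {
            return "unrecognised: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed, truncated samples: only the framing and the OID bytes are realistic.
        byte[] krb = {0x60, 0x0d, 0x06, 0x09, 0x2a, (byte) 0x86, 0x48, (byte) 0x86,
                      (byte) 0xf7, 0x12, 0x01, 0x02, 0x02, 0x01, 0x00};
        byte[] spnego = {0x60, 0x0a, 0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02,
                         (byte) 0xa0, 0x00};
        byte[] ntlm = {'N', 'T', 'L', 'M', 'S', 'S', 'P', 0}; // not GSS-framed at all
        for (byte[] sample : new byte[][] {krb, spnego, ntlm}) {
            String header = "Negotiate " + Base64.getEncoder().encodeToString(sample);
            System.out.println(classify(header) + "  <-  " + header);
        }
    }
}
```

Run against the Authorization header value captured from a failing request to see which mechanism the configured OID actually produced on the wire.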