Hi Christian,
I tested the latest changes against a JBoss and they work fine. Afaik Microsoft
uses SpnegoOID as default OID.
Here is a working code for switching to KerberosOID:
Dms3SystemWebServiceService systemWebService;
systemWebService = new Dms3SystemWebServiceService(null);
systemWebService.addPort(Dms3SystemWebServiceService.Dms3SystemWebService,
SOAPBinding.SOAP11HTTP_BINDING, systemEndpoint);
Dms3SystemWebService systemPort = systemWebService.getDms3SystemWebService();
((BindingProvider) systemPort).getRequestContext().put(
"auth.spnego.useKerberosOid", "true");
Client systemClient = ClientProxy.getClient(systemPort);
systemClient.getInInterceptors().add(new LoggingInInterceptor());
systemClient.getOutInterceptors().add(new LoggingOutInterceptor());
HTTPConduit systemConduit = (HTTPConduit) systemClient.getConduit();
AuthorizationPolicy systemAuthPol = new AuthorizationPolicy();
systemAuthPol.setAuthorizationType("Negotiate");
systemConduit.setAuthorization(systemAuthPol);)
One small thing that striked me. At the SpnegoAuthSupplier you used:
private static final String PROPERTY_USE_KERBEROS_OID =
"auth.spnego.useKerberosOid";
Can you make it public. And use it here:
String userKerbOidSt =
(String)message.getContextualProperty(PROPERTY_USE_KERBEROS_OID);
It's "prettier" to use the static in the code:
((BindingProvider) systemPort).getRequestContext().put(
SpnegoAuthSupplier.PROPERTY_USE_KERBEROS_OID ,
"true");
Cheers,
Aris
-------- Original-Nachricht --------
> Datum: Fri, 06 May 2011 16:33:15 +0200
> Von: Christian Schneider <[email protected]>
> An: [email protected]
> Betreff: Re: CXF 2.4 - Kerberos SpnegoAuthSupplier - Message content from
> Soap Response is null
> Hi Aris,
>
> I would not like to change the AuthorizationPolicy for this as we have a
> quite special case here. Most other authorizations do not use oids. So I
> asked on the irc what is a good way to do this and Sergey pointed me to
> the message properties. These can be set in spring using
> jaxws:properties on e.g. the jaxws:client and also programmatically so
> this sounds like a good solution.
>
> I have committed the change. I you have the chance it would be great if
> you could test this against a Microsoft IIS and tell me which OID it
> wants. In any case as we have positive feedback I will document the
> feature on the website now.
>
> Christian
>
> Am 06.05.2011 14:51, schrieb Aris Tsaklidis:
> > Hi Christian,
> >
> > I cannot comfirm that the change will work with every server. My Jboss
> 4.5.1 (+jboss negotiation module) uses SPNEGO as application-policy.
> Therefore I need the SPNEGO_OID.
> >
> > I would go with your suggestion to use an option for swithcing between
> kerberos and spnego uid.
> >
> > Maybe something like this:
> >
> > public class AuthorizationPolicy {
> >
> > @XmlElement(name = "UserName")
> > protected String userName;
> > @XmlElement(name = "Password")
> > protected String password;
> > @XmlElement(name = "AuthorizationType")
> > protected String authorizationType;
> > @XmlElement(name = "Authorization")
> > protected String authorization;
> > @XmlElement(name = "AuthorizationOid")
> > protected String authorizationOid;
> > ...
> > }
> >
> > public class SpnegoAuthSupplier implements HttpAuthSupplier {
> > public static final String KERBEROS_OID = "1.2.840.113554.1.2.2";
> > public static final String SPNEGO_OID = "1.3.6.1.5.5.2";
> >
> > ....
> >
> > private byte[] getToken(AuthorizationPolicy proxyAuthPolicy, String
> spn) throws GSSException,
> > LoginException {
> > GSSManager manager = GSSManager.getInstance();
> > GSSName serverName = manager.createName(spn, null);
> >
> > // TODO Is it correct to use kerberos oid instead of spnego
> here?
> > Oid oid = new Oid(proxyAuthPolicy.getAuthorizationOid);
> > ...
> > }
> > }
> >
> > and then use:
> >
> > HTTPConduit systemConduit = (HTTPConduit) systemClient.getConduit();
> >
> > AuthorizationPolicy systemAuthPol = new AuthorizationPolicy();
> > systemAuthPol.setAuthorizationType("Negotiate");
> > systemAuthPol.setAuthorizationOid(SpnegoAuthSupplier.SPNEGO_OID);
> >
> > systemConduit.setAuthorization(systemAuthPol);
> >
> >
> > Aris
> >
> > -------- Original-Nachricht --------
> >> Datum: Fri, 06 May 2011 13:31:03 +0200
> >> Von: Christian Schneider<[email protected]>
> >> An: [email protected]
> >> Betreff: Re: CXF 2.4 - Kerberos SpnegoAuthSupplier - Message content
> from Soap Response is null
> >> Hi Aris,
> >>
> >> thanks for the hard work.
> >>
> >> A question. Can you confirm that the current cxf 2.4.0 code does not
> >> work and that the change to Spnego OID works?
> >>
> >> When I did the code I read that some servers work with OID spengo and
> >> others with OID kerberos. So I am not sure if the change is good for
> >> everyone.
> >>
> >> In case we need both we will have to create an option to toggle it.
> >>
> >> Christian
> >>
> >>
> >> Am 06.05.2011 12:08, schrieb Aris Tsaklidis:
> >>> Found the problem.
> >>>
> >>> I already mentioned that my old code was similiar to the cxf 2.4 code.
> I
> >>> kinda realized that with adding the AuthorizationType in my code I
> made
> >>> HTTPConduit call SpnegoAuthSupplier in the send process. So my
> kerberos
> >>> ticket was overwritten by the SpnegoAuthSupplier. So basically there
> had
> >> to
> >>> be some error in the SpnegoAuthSupplier.
> >>>
> >>> So i kinda compared my code with the SpnegoAuthSupplier and realized
> >> that I
> >>> used the SPNEGO OID and cxf 2.4 used KERBEROS OID. I changed the
> >>> SpnegoAuthSupplier and buildet the transport project. Updated my
> >> workbench
> >>> and it worked.
> >>>
> >>> created a ticket with the working source code attached
> >>>
> >>> https://issues.apache.org/jira/browse/CXF-3496
> >>>
> >> --
> >> Christian Schneider
> >> http://www.liquid-reality.de
> >>
> >> CXF and Camel Architect
> >>
>
> --
> Christian Schneider
> http://www.liquid-reality.de
>
> CXF and Camel Architect
>
