Hi

Sorry I got distracted when you asked on IRC.
As I said, I can only point at this stage to

https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/JAXRSKerberosBookTest.java;h=1a05eaa17ce405e2448efe952bd0c6e25d64ffc0;hb=HEAD

though I'd say your code is very similar.

Does the client fail immediately, or do you have a negotiate request rejected at the server?
Can you post more info about the actual exception?

It is always a bit challenging to set it up correctly. It is also possible that there's something in your environment that requires the additional changes to the interceptor, something that 'curl' does correctly.

Any chance you can compare, say, the complete service principal name, the way it is produced by curl and by CXF?

Let us know please how you progress

Thanks, Sergey


On 14/03/14 16:53, Marco Di Sabatino Di Diodoro wrote:
Hi,

I'm a PMC member of Apache Syncope[1].
We are building a new connector bundle for Connid[2] that needs to connect with 
FreeIpa server.

The connector bundle uses JSON-RPC to communicate with the server that is 
protected by Kerberos.
We followed this guide (http://cxf.apache.org/docs/jaxrs-kerberos.html) but the 
connector does not negotiate with Kerberos.

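import org.apache.cxf.configuration.security.AuthorizationPolicy;
import org.apache.cxf.jaxrs.client.WebClient;
import org.apache.cxf.jaxrs.security.KerberosAuthOutInterceptor;

// clientParameters() and KEYTAB_CONF are defined elsewhere in the connector code (not shown).
WebClient wc = WebClient.create("https://olmo.example.com/ipa/json");
WebClient.getConfig(wc).getHttpConduit().setTlsClientParameters(clientParameters());
AuthorizationPolicy policy = new AuthorizationPolicy();
policy.setAuthorizationType("Negotiate");
policy.setAuthorization(KEYTAB_CONF);
// Out interceptor that adds the Negotiate (SPNEGO) Authorization header to the request.
KerberosAuthOutInterceptor kbInterceptor = new KerberosAuthOutInterceptor();
kbInterceptor.setPolicy(policy);
kbInterceptor.setRealm("EXAMPLE.COM");
kbInterceptor.setServicePrincipalName("ldap/olmo.example.com");
kbInterceptor.setCredDelegation(true);
WebClient.getConfig(wc).getOutInterceptors().add(kbInterceptor);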

I tried a lot of other configurations without success; do you have any suggestions?

If we run with curl it works.

Regards
M

[1] http://syncope.apache.org/
[2] http://tirasa.github.io/ConnId/

