Hi
How do you configure it with curl?
In your opinion, what is the difference between the way you set it up in
curl and in CXF ?
Cheers, Sergey
On 17/03/14 15:53, Marco Di Sabatino Di Diodoro wrote:
Hi,
On 15 Mar 2014, at 13:38, Andrei Shakirin <ashaki...@talend.com> wrote:
Hi Marco,
I would suggest trying a simple Kerberos login using JAAS directly (with
debug=true); perhaps it helps to spot the problem:
Test code:

import java.io.IOException;
import java.net.URL;
import java.security.Principal;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class JaasLoginTest {
    public static void main(String[] args) {
        // Point JAAS at the jaas.conf found on the classpath
        URL conf = JaasLoginTest.class.getClassLoader().getResource("jaas.conf");
        System.setProperty("java.security.auth.login.config", conf.toString());

        // Only needed when not using the ticket cache (or a keytab)
        CallbackHandler callbackHandler = new CallbackHandler() {
            @Override
            public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
                for (Callback callback : callbacks) {
                    if (callback instanceof NameCallback) {
                        ((NameCallback) callback).setName("alice");
                    }
                    if (callback instanceof PasswordCallback) {
                        ((PasswordCallback) callback).setPassword("clarinet".toCharArray());
                    }
                }
            }
        };

        try {
            LoginContext lc = new LoginContext("myContext", callbackHandler);
            lc.login();
            Subject subject = lc.getSubject();
            // The Kerberos principal(s) and the TGT end up in the Subject
            Set<Principal> principals = subject.getPrincipals();
            Set<Object> credentials = subject.getPrivateCredentials();
            System.out.println("OK: " + principals);
            System.out.println("OK: " + credentials);
        } catch (LoginException e) {
            e.printStackTrace();
        }
    }
}
Jaas.conf:

myContext {
    com.sun.security.auth.module.Krb5LoginModule required
    debug=true
    refreshKrb5Config=true
    useKeyTab=true
    storeKey=true
    keyTab="my.keytab"
    principal="my/services.example.com";
};
If the code works, you will be able to detect what is different from the
AbstractSpnegoAuthSupplier.getToken() code used by
KerberosAuthOutInterceptor.java.
These are the krb5kdc.log entries when connecting with CXF to the FreeIPA server:

mar 17 16:03:10 olmo.tirasa.net krb5kdc[1423](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.176: ISSUE: authtime 1395068590, etypes {rep=18 tkt=18 ses=18}, ad...@tirasa.net for krbtgt/tirasa....@tirasa.net
mar 17 16:03:10 olmo.tirasa.net krb5kdc[1423](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) 192.168.0.176: ISSUE: authtime 1395068590, etypes {rep=18 tkt=18 ses=18}, ad...@tirasa.net for ldap/olmo.tirasa....@tirasa.net

If we run with curl:

mar 17 16:14:06 olmo.tirasa.net krb5kdc[1423](info): TGS_REQ (1 etypes {18}) 192.168.0.106: ISSUE: authtime 1395069156, etypes {rep=18 tkt=18 ses=18}, ad...@tirasa.net for krbtgt/tirasa....@tirasa.net
mar 17 16:14:06 olmo.tirasa.net krb5kdc[1423](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.0.106: ISSUE: authtime 1395069156, etypes {rep=18 tkt=18 ses=18}, ad...@tirasa.net for ldap/olmo.tirasa....@tirasa.net
I have attached the log file of the test connector. As you can see from
the log, at the beginning we make a login and then a request to the
service, but it returns a 401.
Thanks
M
Regards,
Andrei.
-----Original Message-----
From: Marco Di Sabatino Di Diodoro [mailto:marco.disabat...@tirasa.net]
Sent: Friday, 14 March 2014 17:54
To: users@cxf.apache.org
Subject: CXF and kerberos authentication
Hi,
I'm a PMC member of Apache Syncope[1].
We are building a new connector bundle for Connid[2] that needs to
connect with a FreeIPA server.
The connector bundle uses JSON-RPC to communicate with the server, which is
protected by Kerberos.
We followed this guide (http://cxf.apache.org/docs/jaxrs-kerberos.html), but the
connector does not negotiate with Kerberos:
import org.apache.cxf.configuration.security.AuthorizationPolicy;
import org.apache.cxf.jaxrs.client.WebClient;
import org.apache.cxf.jaxrs.security.KerberosAuthOutInterceptor;

// KEYTAB_CONF (the JAAS login context name) and clientParameters() (the TLS
// client parameters) are defined elsewhere in the connector
WebClient wc = WebClient.create("https://olmo.example.com/ipa/json");
WebClient.getConfig(wc).getHttpConduit().setTlsClientParameters(clientParameters());

AuthorizationPolicy policy = new AuthorizationPolicy();
policy.setAuthorizationType("Negotiate");
policy.setAuthorization(KEYTAB_CONF);

KerberosAuthOutInterceptor kbInterceptor = new KerberosAuthOutInterceptor();
kbInterceptor.setPolicy(policy);
kbInterceptor.setRealm("EXAMPLE.COM");
kbInterceptor.setServicePrincipalName("ldap/olmo.example.com");
kbInterceptor.setCredDelegation(true);
WebClient.getConfig(wc).getOutInterceptors().add(kbInterceptor);
I tried a lot of other configurations without success. Do you have any
suggestion?
If we run with curl it works.
Regards
M
[1] http://syncope.apache.org/
[2] http://tirasa.github.io/ConnId/
--
Dott. Marco Di Sabatino Di Diodoro
Tel. +39 3939065570
Tirasa S.r.l.
Viale D'Annunzio 267 - 65127 Pescara
Tel +39 0859116307 / FAX +39 0859111173
http://www.tirasa.net
Apache Syncope PMC Member
http://people.apache.org/~mdisabatino/
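Added example, not from the thread or from CXF: a small parser for the krb5kdc.log ISSUE lines quoted in Marco's message, so the CXF and curl request sequences and the enctypes each client offered can be compared mechanically rather than by eye. The sample lines are constructed from the thread's excerpts with host and realm anonymised; only the ISSUE outcome is parsed, other KDC outcomes return None.

```python
import re

# Only the "ISSUE" outcome is parsed; other outcomes (NEEDED_PREAUTH, errors) return None.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) krb5kdc\[(?P<pid>\d+)\]\(info\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<etypes>[\d ]+)\}\) (?P<ip>[\d.]+): "
    r"ISSUE: authtime (?P<authtime>\d+), etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, "
    r"(?P<client>\S+) for (?P<service>\S+)$"
)

def parse_kdc_line(line):
    """Return a dict of the line's fields, or None if it is not an ISSUE line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["etypes"] = [int(e) for e in rec["etypes"].split()]  # enctypes the client offered
    for key in ("pid", "authtime", "rep", "tkt", "ses"):
        rec[key] = int(rec[key])
    return rec

def ticket_sequence(lines):
    """(request type, service principal, ticket enctype) for each issued ticket, in log order."""
    recs = (parse_kdc_line(line) for line in lines)
    return [(r["req"], r["service"], r["tkt"]) for r in recs if r]

def etypes_only_offered_by(lines_a, lines_b, service):
    """Enctypes client B offered when requesting `service` that client A did not offer."""
    def offered(lines):
        for r in (parse_kdc_line(line) for line in lines):
            if r and r["service"] == service:
                return set(r["etypes"])
        return set()
    return sorted(offered(lines_b) - offered(lines_a))

# Constructed sample lines, modelled on the thread's excerpts with host and realm anonymised.
KRBTGT = "krbtgt/EXAMPLE.COM@EXAMPLE.COM"
LDAP_SPN = "ldap/olmo.example.com@EXAMPLE.COM"
CXF_LINES = [  # CXF client: fresh AS_REQ (keytab login), then a service ticket for the LDAP SPN
    "mar 17 16:03:10 olmo.example.com krb5kdc[1423](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.176: "
    "ISSUE: authtime 1395068590, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.COM for " + KRBTGT,
    "mar 17 16:03:10 olmo.example.com krb5kdc[1423](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) 192.168.0.176: "
    "ISSUE: authtime 1395068590, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.COM for " + LDAP_SPN,
]
CURL_LINES = [  # curl client: only TGS_REQs, i.e. it already held a TGT from the ticket cache
    "mar 17 16:14:06 olmo.example.com krb5kdc[1423](info): TGS_REQ (1 etypes {18}) 192.168.0.106: "
    "ISSUE: authtime 1395069156, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.COM for " + KRBTGT,
    "mar 17 16:14:06 olmo.example.com krb5kdc[1423](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.0.106: "
    "ISSUE: authtime 1395069156, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.COM for " + LDAP_SPN,
]
```

Both clients are issued an AES-256 (etype 18) ticket for the LDAP SPN, so the KDC side looks healthy in both cases and the 401 has to be explained by what the client does with that ticket afterwards.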