Is it the case that only a KerberosToken encoded as a BinarySecurityToken is in the security header? Or are there signatures etc. in there as well? If (a), then you could try specifying setIgnoreActions(true) on WSS4JInInterceptor. It should process the security header, but won't actually verify that any action was performed. So in this case you'd need to write a custom interceptor to make sure that you actually processed a Kerberos Token.
You'll also need to set the "validatorMap" property on the WSS4JInInterceptor properties object, so that the kerberosTokenValidator validates the BinarySecurityToken.

Colm.

On Mon, Dec 10, 2018 at 1:23 PM Burkard Stephan <[email protected]> wrote:

> Hi CXF users
>
> I want to implement a CXF webservice that validates a Kerberos token with
> plain WS-Security (not Policy) from the client.
>
> I found the following article, but it is done with WS-SecurityPolicy:
>
> http://coheigea.blogspot.com/2011/10/using-kerberos-with-web-services-part-i.html
>
> However, I was able to adapt some things from it. I have a "kerberos.jaas"
> file that is passed to the webservice (Spring-Boot) as
> "java.security.auth.login.config" and has the following content
>
> myContext {
>     com.sun.security.auth.module.Krb5LoginModule required
>     refreshKrb5Config=true useKeyTab=true storeKey=true
>     keyTab="path\to\keytab\file.keytab" principal="HTTP/myService@Realm";
> };
>
> In the Spring configuration I have this Bean
>
> @Bean
> public KerberosTokenValidator kerberosTokenValidator() {
>     KerberosTokenValidator validator = new KerberosTokenValidator();
>     validator.setContextName("myContext");
>     validator.setServiceName("myService");
>     return validator;
> }
>
> And the webservice endpoint is configured with the validator and the JAAS
> context name:
>
> factory.getProperties().put(SecurityConstants.BST_TOKEN_VALIDATOR, kerberosTokenValidator);
>
> factory.getProperties().put(SecurityConstants.KERBEROS_JAAS_CONTEXT_NAME, " myContext ");
>
> All this has of course no effect at all because there is no WSS4J
> In-Interceptor that triggers the WS-Security processing.
>
> @Bean
> public WSS4JInInterceptor wss4JInInterceptor() {
>     Map<String, Object> properties = new HashMap<>();
>     properties.put(WSHandlerConstants.ACTION, >>> ??? <<<);
>     return new WSS4JInInterceptor(properties);
> }
>
> But I did not find what WSS4J action is needed to configure the Kerberos
> validation. The action "KERBEROS_TOKEN" seems to add a token, so it is the
> opposite of what I want.
>
> Thanks for any help
> Stephan

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
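
The configuration suggested in the reply above, put together as an added example (not code from either poster or from the CXF project): the in-interceptor with `setIgnoreActions(true)` and a "validatorMap" entry, plus a custom interceptor that rejects requests in which no Kerberos token was validated. The class names `KerberosInSetup` and `RequireKerberosToken` are hypothetical, and the package names assume CXF 3.2.x with WSS4J 2.2.x.

```java
import java.util.*;
import javax.xml.namespace.QName;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.phase.*;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
import org.apache.wss4j.dom.handler.*;
import org.apache.wss4j.dom.message.token.KerberosSecurity;
import org.apache.wss4j.dom.validate.KerberosTokenValidator;

// Added example; package names assume CXF 3.2.x with WSS4J 2.2.x.
public class KerberosInSetup {
    // Process the security header without WSS4J's own action check.
    public static WSS4JInInterceptor wss4jIn(KerberosTokenValidator validator) {
        Map<QName, Object> validators = new HashMap<>();
        validators.put(WSConstants.BINARY_TOKEN, validator); // wsse:BinarySecurityToken
        Map<String, Object> props = new HashMap<>();
        props.put("validatorMap", validators);
        WSS4JInInterceptor in = new WSS4JInInterceptor(props);
        in.setIgnoreActions(true);
        return in;
    }

    // With actions ignored, nothing else rejects a request that carries no
    // token, so fail closed unless a validated Kerberos token was processed.
    public static class RequireKerberosToken extends AbstractPhaseInterceptor<SoapMessage> {
        public RequireKerberosToken() {
            super(Phase.PRE_PROTOCOL);
            addAfter(WSS4JInInterceptor.class.getName());
        }
        @Override
        public void handleMessage(SoapMessage message) throws Fault {
            List<WSHandlerResult> handled =
                CastUtils.cast((List<?>) message.get(WSHandlerConstants.RECV_RESULTS));
            for (WSHandlerResult h : handled == null ? new ArrayList<WSHandlerResult>() : handled) {
                for (WSSecurityEngineResult r : h.getResults()) {
                    Object token = r.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
                    Object ok = r.get(WSSecurityEngineResult.TAG_VALIDATED_TOKEN);
                    if (token instanceof KerberosSecurity && Boolean.TRUE.equals(ok)) {
                        return;
                    }
                }
            }
            throw new Fault(new SecurityException("no validated Kerberos token"));
        }
    }
}
```

Both interceptors are added to the endpoint's in-interceptor chain, for example through `factory.getInInterceptors()`.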
