Thanks for the hints! Currently there is no token at all. As a first step I want the service to reject the request because it has no authentication info.
I tried to set setIgnoreActions(true) as well as the validatorMap, but I still get (as before) <faultstring>No security action was defined!</faultstring>

I found the reason for that in WSS4JInInterceptor, in the method "handleMessageInternal". There is a method call to "getAction(SoapMessage msg, SoapVersion version)" and this method does not respect the "ignoreActions" flag. Is there something like a NOOP action I can define for such a case? Or do you mean in your answer that I have to extend WSS4JInInterceptor to get this working?

Thanks
Stephan

-----Original Message-----
From: Colm O hEigeartaigh <[email protected]>
Sent: Monday, 17 December 2018 15:04
To: [email protected]
Subject: Re: Validate Kerberos token in CXF webservice

Is it the case that only a KerberosToken encoded as a BinarySecurityToken is in the security header? Or are there signatures etc. in there as well? If (a), then you could try specifying setIgnoreActions(true) on WSS4JInInterceptor. It should process the security header, but won't actually verify that any action was performed. So in this case you'd need to write a custom interceptor to make sure that you actually processed a Kerberos Token.

You'll also need to set the "validatorMap" property on the WSS4JInInterceptor properties object, so that the kerberosTokenValidator validates the BinarySecurityToken.

Colm.

On Mon, Dec 10, 2018 at 1:23 PM Burkard Stephan <[email protected]> wrote:
> Hi CXF users
>
> I want to implement a CXF webservice that validates a Kerberos token
> with plain WS-Security (not Policy) from the client.
>
> I found the following article, but it is done with WS-SecurityPolicy:
>
> http://coheigea.blogspot.com/2011/10/using-kerberos-with-web-services-part-i.html
>
> However, I was able to adapt some things from it. I have a "kerberos.jaas"
> file that is passed to the webservice (Spring-Boot) as
> "java.security.auth.login.config" and has the following content
>
> myContext {
>     com.sun.security.auth.module.Krb5LoginModule required
>     refreshKrb5Config=true useKeyTab=true storeKey=true
>     keyTab="path\to\keytab\file.keytab"
>     principal="HTTP/myService@Realm";
> };
>
> In the Spring configuration I have this Bean
>
> @Bean
> public KerberosTokenValidator kerberosTokenValidator() {
>     KerberosTokenValidator validator = new KerberosTokenValidator();
>     validator.setContextName("myContext");
>     validator.setServiceName("myService");
>     return validator;
> }
>
> And the webservice endpoint is configured with the validator and the
> JAAS context name:
>
> factory.getProperties().put(SecurityConstants.BST_TOKEN_VALIDATOR, kerberosTokenValidator);
> factory.getProperties().put(SecurityConstants.KERBEROS_JAAS_CONTEXT_NAME, "myContext");
>
> All this has of course no effect at all because there is no WSS4J
> In-Interceptor that triggers the WS-Security processing.
>
> @Bean
> public WSS4JInInterceptor wss4JInInterceptor() {
>     Map<String, Object> properties = new HashMap<>();
>     properties.put(WSHandlerConstants.ACTION, >>> ??? <<<);
>     return new WSS4JInInterceptor(properties);
> }
>
> But I did not find what WSS4J action is needed to configure the
> Kerberos validation. The action "KERBEROS_TOKEN" seems to add a token,
> so it is the opposite of what I want.
>
> Thanks for any help
> Stephan

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
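An added example, not from this thread and not CXF's or WSS4J's own code, of the custom interceptor Colm describes: it is ordered after WSS4JInInterceptor, reads the WS-Security results that interceptor leaves on the message, and faults unless a Kerberos BinarySecurityToken was processed and the validator attached a principal to it. It assumes WSS4J 2.x package names, that WSS4JInInterceptor has already been wired with ignoreActions and the validatorMap as discussed above, and that KerberosTokenValidator sets the principal on a successfully validated token; the class name is hypothetical.

```java
import java.util.List;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.wss4j.common.token.KerberosSecurity;
import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
import org.apache.wss4j.dom.handler.WSHandlerConstants;
import org.apache.wss4j.dom.handler.WSHandlerResult;

// Hypothetical class name. Same phase as WSS4JInInterceptor but ordered after it,
// so the WS-Security results are already on the message when handleMessage runs.
public class RequireKerberosTokenInterceptor extends AbstractPhaseInterceptor<SoapMessage> {
    public RequireKerberosTokenInterceptor() {
        super(Phase.PRE_PROTOCOL);
        addAfter(WSS4JInInterceptor.class.getName());
    }

    @Override
    public void handleMessage(SoapMessage message) throws Fault {
        // WSS4JInInterceptor stores what it processed under RECV_RESULTS.
        // With ignoreActions=true it does not judge these results itself, so we do it here.
        List<WSHandlerResult> handlerResults =
            CastUtils.cast((List<?>) message.get(WSHandlerConstants.RECV_RESULTS));
        if (handlerResults == null || handlerResults.isEmpty()) {
            throw new Fault(new SecurityException("Request carries no processed WS-Security header"));
        }
        if (!containsValidatedKerberosToken(handlerResults)) {
            throw new Fault(new SecurityException("No validated Kerberos BinarySecurityToken in request"));
        }
    }

    // True only if some processed result is a Kerberos BST for which the validator
    // (KerberosTokenValidator via BST_TOKEN_VALIDATOR / validatorMap) established a principal.
    static boolean containsValidatedKerberosToken(List<WSHandlerResult> handlerResults) {
        for (WSHandlerResult handlerResult : handlerResults) {
            for (WSSecurityEngineResult result : handlerResult.getResults()) {
                Object token = result.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
                if (token instanceof KerberosSecurity
                        && result.get(WSSecurityEngineResult.TAG_PRINCIPAL) != null) {
                    return true;
                }
            }
        }
        return false;
    }
}
```

Register it on the endpoint next to the WSS4JInInterceptor bean, e.g. `factory.getInInterceptors().add(new RequireKerberosTokenInterceptor());`, so that a request with no security header or with only non-Kerberos tokens is rejected before it reaches the service implementation.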
