Great, thank you very much! 

For CXF < 3.3, is there something like a NOOP action or an action one can 
"misuse" to get around this? 

Regards
Stephan


-----Original Message-----
From: Colm O hEigeartaigh <[email protected]>
Sent: Wednesday, January 9, 2019 12:58
To: Burkard Stephan <[email protected]>
Cc: [email protected]
Subject: Re: Validate Kerberos token in CXF webservice

Sorry for the delay on this. I fixed this in
https://issues.apache.org/jira/browse/CXF-7939 so that you can omit the 
"action" String in WSS4JInInterceptor, when the "ignoreActions" property is 
true. You can take a look at the test-case I added here to see how it works:

https://github.com/apache/cxf/commit/976ecb5f43bd873d01e07078194636a99e812906

Colm.

On Mon, Dec 17, 2018 at 4:12 PM Burkard Stephan <[email protected]>
wrote:

> Thanks for the hints!
>
> Currently there is no token at all. As a first step I want the service 
> to reject the request because it has no authentication info.
>
> I tried to set setIgnoreActions(true) as well as the validatorMap, but 
> I still get (as before) <faultstring>No security action was 
> defined!</faultstring>
>
>
> I found the reason for that in WSS4JInInterceptor, in the method 
> "handleMessageInternal". There is a method call to 
> "getAction(SoapMessage msg, SoapVersion version)" and this method does 
> not respect the "ignoreActions" flag.
>
> Is there something like a NOOP action I can define for such a case?
> Or do you mean in your answer that I have to extend WSS4JInInterceptor 
> to get this working?
>
> Thanks
> Stephan
>
>
> -----Original Message-----
> From: Colm O hEigeartaigh <[email protected]>
> Sent: Monday, December 17, 2018 15:04
> To: [email protected]
> Subject: Re: Validate Kerberos token in CXF webservice
>
> Is it the case that only a KerberosToken encoded as a 
> BinarySecurityToken is in the security header? Or are there signatures etc. 
> in there as well?
> If (a), then you could try specifying setIgnoreActions(true) on 
> WSS4JInInterceptor. It should process the security header, but won't 
> actually verify that any action was performed. So in this case you'd 
> need to write a custom interceptor to make sure that you actually 
> processed a Kerberos Token.
>
> You'll also need to set the "validatorMap" property on the 
> WSS4JInInterceptor properties object, so that the 
> kerberosTokenValidator validates the BinarySecurityToken.
>
> Colm.
>
> On Mon, Dec 10, 2018 at 1:23 PM Burkard Stephan <[email protected]> wrote:
>
> > Hi CXF users
> >
> > I want to implement a CXF webservice that validates a Kerberos token 
> > with plain WS-Security (not Policy) from the client.
> >
> > I found the following article, but it is done with WS-SecurityPolicy:
> >
> > http://coheigea.blogspot.com/2011/10/using-kerberos-with-web-services-part-i.html
> >
> >
> >
> > However, I was able to adapt some things from it. I have a "kerberos.jaas"
> > file that is passed to the webservice (Spring-Boot) as
> > "java.security.auth.login.config" and has the following content
> >
> > myContext {
> >     com.sun.security.auth.module.Krb5LoginModule required
> >     refreshKrb5Config=true useKeyTab=true storeKey=true
> >     keyTab="path\to\keytab\file.keytab"
> >     principal="HTTP/myService@Realm";
> > };
> >
> > In the Spring configuration I have this Bean
> >
> >     @Bean
> >     public KerberosTokenValidator kerberosTokenValidator() {
> >         KerberosTokenValidator validator = new KerberosTokenValidator();
> >         validator.setContextName("myContext");
> >         validator.setServiceName("myService");
> >         return validator;
> >     }
> >
> > And the webservice endpoint is configured with the validator and the 
> > JAAS context name:
> >
> >     factory.getProperties().put(SecurityConstants.BST_TOKEN_VALIDATOR, kerberosTokenValidator);
> >     factory.getProperties().put(SecurityConstants.KERBEROS_JAAS_CONTEXT_NAME, "myContext");
> >
> >
> >
> > All this has of course no effect at all because there is no WSS4J 
> > In-Interceptor that triggers the WS-Security processing.
> >
> >     @Bean
> >     public WSS4JInInterceptor wss4JInInterceptor() {
> >         Map<String, Object> properties = new HashMap<>();
> >         properties.put(WSHandlerConstants.ACTION, >>> ??? <<<);
> >         return new WSS4JInInterceptor(properties);
> >     }
> >
> > But I did not find what WSS4J action is needed to configure the
> > Kerberos validation. The action "KERBEROS_TOKEN" seems to add a 
> > token, so it is the opposite of what I want.
> >
> > Thanks for any help
> > Stephan
> >
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>


--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
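
The setup discussed in this thread, as an added example (not code from the posters or from the CXF project): a WSS4JInInterceptor with no "action" string, "ignoreActions" set and a "validatorMap" entry for BinarySecurityToken, plus the custom interceptor that rejects requests in which no Kerberos token was validated. It assumes a CXF version containing the CXF-7939 fix and WSS4J 2.2.x package names; the class name RequireKerberosTokenInterceptor and the helper wss4jIn are hypothetical.

```java
// Added example; class and helper names are hypothetical. Assumes CXF with CXF-7939 and WSS4J 2.2.x.
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.xml.namespace.QName;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
import org.apache.wss4j.dom.handler.WSHandlerConstants;
import org.apache.wss4j.dom.handler.WSHandlerResult;
import org.apache.wss4j.dom.message.token.KerberosSecurity;
import org.apache.wss4j.dom.validate.KerberosTokenValidator;

public class RequireKerberosTokenInterceptor extends AbstractPhaseInterceptor<SoapMessage> {
    public RequireKerberosTokenInterceptor() {
        super(Phase.PRE_PROTOCOL);
        addAfter(WSS4JInInterceptor.class.getName()); // run after WSS4J has stored its results
    }
    // No "action" string: the validator is applied to any BinarySecurityToken in the header.
    public static WSS4JInInterceptor wss4jIn(KerberosTokenValidator validator) {
        Map<QName, Object> validators = new HashMap<>();
        validators.put(WSConstants.BINARY_TOKEN, validator);
        Map<String, Object> props = new HashMap<>();
        props.put(WSS4JInInterceptor.VALIDATOR_MAP, validators);
        WSS4JInInterceptor in = new WSS4JInInterceptor(props);
        in.setIgnoreActions(true); // header is processed, but no required action is enforced
        return in;
    }
    // ignoreActions also lets a request with no token through, so that case is rejected here.
    @Override
    public void handleMessage(SoapMessage message) throws Fault {
        List<WSHandlerResult> results = CastUtils.cast((List<?>) message.get(WSHandlerConstants.RECV_RESULTS));
        if (results != null) {
            for (WSHandlerResult result : results) {
                for (WSSecurityEngineResult r : result.getResults()) {
                    if (r.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN) instanceof KerberosSecurity
                        && Boolean.TRUE.equals(r.get(WSSecurityEngineResult.TAG_VALIDATED_TOKEN))) {
                        return; // a Kerberos token was present and passed the validator
                    }
                }
            }
        }
        throw new Fault(new SecurityException("No validated Kerberos token in the security header"));
    }
}
```

Both interceptors go on the endpoint's in-interceptor chain: the one returned by wss4jIn(kerberosTokenValidator) and an instance of the checking interceptor.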
