...
By default the SpnegoAuthSupplier uses the OID for Spnego. Some servers require the OID for Kerberos. This can be activated by setting the contextual property auth.spnego.useKerberosOid to 'true'.
Kerberos Config:
Make sure that krb5.conf/krb5.ini is configured correctly for the Kerberos realm you want to authenticate against, and supply it to your application by setting the java.security.krb5.conf system property.
Login Config:
Create a file login.conf and supply it to CXF using the System property java.security.auth.login.config.
The file should contain:
```
CXFClient {
    com.sun.security.auth.module.Krb5LoginModule required client=TRUE useTicketCache=true;
};
```
Sample config:
Make sure the Authorization element contains the same name as the section in the login.conf (here: CXFClient).
```xml
...
<conduit name="{http://example.com/}HelloWorldServicePort.http-conduit" xmlns="http://cxf.apache.org/transports/http/configuration">
  <authorization>
    <AuthorizationType>Negotiate</AuthorizationType>
    <Authorization>CXFClient</Authorization>
  </authorization>
</conduit>
...
```
You can use UserName and Password in the above XML config if you want to log in explicitly. If you want to use the cached Ticket Granting Ticket (TGT), do not supply them.
On Windows you will also have to make sure you allow the TGT to be used in Java. See: http://www.javaactivedirectory.com/?page_id=93
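The section-name requirement and the UserName/Password note above can be checked mechanically before deployment. The following is an added example, not code from CXF or from this page: the function names and the embedded sample inputs are constructed for illustration, and XML elements are matched by local name only.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples mirroring the login.conf and conduit snippets on this page.
LOGIN_CONF = """CXFClient {
    com.sun.security.auth.module.Krb5LoginModule required client=TRUE useTicketCache=true;
};"""
CONDUIT_XML = """<conduit name="{http://example.com/}HelloWorldServicePort.http-conduit"
         xmlns="http://cxf.apache.org/transports/http/configuration">
  <authorization>
    <AuthorizationType>Negotiate</AuthorizationType>
    <Authorization>CXFClient</Authorization>
  </authorization>
</conduit>"""

def jaas_sections(login_conf):
    """Map each 'Name { ... };' entry of a JAAS login config to its body."""
    text = re.sub(r"/\*.*?\*/|^\s*//[^\n]*", "", login_conf, flags=re.S | re.M)
    return {m.group(1): m.group(2)
            for m in re.finditer(r"([\w.\-]+)\s*\{(.*?)\}\s*;", text, re.S)}

def local(tag):
    """Strip the XML namespace so the check works whatever prefix the file uses."""
    return tag.rsplit("}", 1)[-1]

def negotiate_conduits(xml_text):
    """Yield (conduit name, JAAS entry name, explicit credentials?) per Negotiate conduit."""
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) != "conduit":
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in el.iter()}
        if fields.get("AuthorizationType") == "Negotiate":
            explicit = "UserName" in fields or "Password" in fields
            yield el.get("name"), fields.get("Authorization", ""), explicit

def check(login_conf, xml_text):
    """Return a list of findings; an empty list means the two files agree."""
    sections, findings = jaas_sections(login_conf), []
    for name, entry, explicit in negotiate_conduits(xml_text):
        body = sections.get(entry)
        if body is None:
            findings.append(f"{name}: no login.conf section named '{entry}'")
        elif "Krb5LoginModule" not in body:
            findings.append(f"{name}: section '{entry}' does not use Krb5LoginModule")
        elif not explicit and not re.search(r'use(TicketCache|KeyTab)\s*=\s*"?true', body, re.I):
            findings.append(f"{name}: no UserName/Password and no ticket cache or keytab enabled")
    return findings

if __name__ == "__main__":
    print(check(LOGIN_CONF, CONDUIT_XML) or "login.conf and conduit config are consistent")
```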
```xml
...
<jaxws:client>
  <jaxws:properties>
    <entry key="auth.spnego.useKerberosOid" value="true"/>
  </jaxws:properties>
</jaxws:client>
...
```
...