You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 3 Next »

Unknown macro: {span}

JAX-RS Kerberos Support

Introduction

Kerberos

HTTP Negotiate scheme

GSS API

Client configuration

HTTPConduit

Please see this page for the information about Spnego/Kerberos HTTPConduit client support.

Interceptor

org.apache.cxf.jaxrs.security.KerberosAuthOutInterceptor can be used as an alternative to configuring HTTPConduit.

KerberosAuthOutInterceptor and the HTTPConduit Spnego handler share the same base code. Having HTTPConduit configuration can be enough in many cases
especially when SSL is also being setup at the conduit level. Using the interceptor can be handy when testing as well as when setting few extra properties which is not easy to set up at the generic HTTP Conduit Authorization Policy level.

The interceptor properties are explained in the following sub-sections

Authorization Policy

As explained on this page, Authorization Policy typically needs to have its type set to "Negotiate" and its "authorization" property set to the name of the JAAS context. AuthorizationPolicy is set as a "policy" property on the interceptor, example:

WebClient wc = WebClient.create("http://localhost:" + PORT + "/bookstore/books/123");
        
KerberosAuthOutInterceptor kbInterceptor = new KerberosAuthOutInterceptor();
        
AuthorizationPolicy policy = new AuthorizationPolicy();
policy.setAuthorizationType(HttpAuthHeader.AUTH_TYPE_NEGOTIATE);
policy.setAuthorization("KerberosClientKeyTab");
        
kbInterceptor.setPolicy(policy);
WebClient.getConfig(wc).getOutInterceptors().add(kbInterceptor);
        
Book b = wc.get(Book.class);

Configuring the service principal name

By default, the service principal name is calculated by concatenating "HTTP", "/" and the name of the target host, example, when invoking on "http://localhost:8080/services", the service principal name is set to "HTTP/localhost".

The "servicePrincipalName" and "realm" properties can be used to customize it, example, setting "servicePrincipalName" to "HTTP/www.mycompany.com" and realm to "services.org" will result in the "HTTP/www.mycompany.com@services.org" service principal name being used.

Using JAAS Configuration

Both HTTPConduit and interceptor handlers need a "java.security.auth.login.config" system property set up. This property needs to point to the file containing the configuration of the specific Kerberos login module.

Instead of setting this system property and maintaining a configuration file, one might want to use an implementation of javax.security.auth.login.Configuration and set it on the interceptor as a "loginConfig" property.

Server configuration

org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter can be used to protected JAX-RS endpoints and enforce that a Negotiate authentication scheme is used by clients, example:


<bean id="kerberosFilter" class="org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter">
   <property name="loginContextName" value="KerberosServiceKeyTab"/>
</bean>

<jaxrs:server>
  <jaxrs:serviceBeans>
    <bean class="org.mycompany.MyCompanyResource"/>
  </jaxrs:serviceBeans>
  <jaxrs:providers>
    <ref bean="kerberosFilter">
  </jaxrs:providers>
</jaxrs:server>

KerberosAuthenticationFilter will set a CXF SecurityContext on the current message if the authentication has been successful. This SecurityContext will return an instance of KerberosAuthenticationFilter$KerberosPrincipal, this Principal will return a 'simple' and 'kerberos' source principal names, example, given "HTTP/localhost@myrealm.com", Principal#getName will return "HTTP/localhost", and KerberosPrincipal#getKerberosName will return "HTTP/localhost@myrealm.com".

Service principal name and JAAS Configuration

Service principal name and JAAS Configuration can be optionally set up the same way they can be with KerberosAuthOutInterceptor, using 'servicePrincipalName' + 'realm' and "loginConfig" properties.

CallbackHandler

javax.security.auth.callback.CallbackHandler needs to be registered if no Kerberos key tabs are used, here is an example of setting it up from Java:

public class TestResource {
 public static void main(String[] args) {
   JAXRSServerFactoryBean sf = new JAXRSServerFactoryBean();
   sf.setResourceClasses(BookStore.class);
   KerberosAuthenticationFilter filter = new KerberosAuthenticationFilter();
   filter.setLoginContextName("KerberosServer");
   
   CallbackHandler handler = 
     new org.apache.cxf.interceptor.security.NamePasswordCallbackHandler("HTTP/localhost", "http"); 
   filter.setCallbackHandler(handler);

   //filter.setLoginContextName("KerberosServerKeyTab");
   //filter.setServicePrincipalName("HTTP/ktab");
   sf.setProvider(filter);
   sf.setAddress("http://localhost:" + PORT + "/");
      
   sf.create();
 }
}

Credential Delegation

  • No labels