cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From build...@apache.org
Subject svn commit: r827609 - in /websites/production/cxf/content: cache/docs.pageCache docs/jaxrs-kerberos.html
Date Wed, 01 Aug 2012 13:47:27 GMT
Author: buildbot
Date: Wed Aug  1 13:47:27 2012
New Revision: 827609

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/jaxrs-kerberos.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jaxrs-kerberos.html
==============================================================================
--- websites/production/cxf/content/docs/jaxrs-kerberos.html (original)
+++ websites/production/cxf/content/docs/jaxrs-kerberos.html Wed Aug  1 13:47:27 2012
@@ -124,20 +124,66 @@ Apache CXF -- JAXRS Kerberos
 <div id="ConfluenceContent"><p><span style="font-size:2em;font-weight:bold">
JAX-RS Kerberos Support </span></p>
 
 <div>
-<ul><li><a shape="rect" href="#JAXRSKerberos-Introduction">Introduction</a></li><ul><li><a
shape="rect" href="#JAXRSKerberos-Clientconfiguration">Client configuration</a></li><ul><li><a
shape="rect" href="#JAXRSKerberos-HTTPConduit">HTTPConduit</a></li><li><a
shape="rect" href="#JAXRSKerberos-Interceptor">Interceptor</a></li></ul><li><a
shape="rect" href="#JAXRSKerberos-Serverconfiguration">Server configuration</a></li></ul></ul></div>
+<ul><li><a shape="rect" href="#JAXRSKerberos-Introduction">Introduction</a></li><ul><li><a
shape="rect" href="#JAXRSKerberos-Kerberos">Kerberos</a></li><li><a
shape="rect" href="#JAXRSKerberos-HTTPNegotiatescheme">HTTP Negotiate scheme</a></li><li><a
shape="rect" href="#JAXRSKerberos-GSSAPI">GSS API</a></li></ul><li><a
shape="rect" href="#JAXRSKerberos-Clientconfiguration">Client configuration</a></li><ul><li><a
shape="rect" href="#JAXRSKerberos-HTTPConduit">HTTPConduit</a></li><li><a
shape="rect" href="#JAXRSKerberos-Interceptor">Interceptor</a></li><ul><li><a
shape="rect" href="#JAXRSKerberos-AuthorizationPolicy">Authorization Policy</a></li><li><a
shape="rect" href="#JAXRSKerberos-Configuringtheserviceprincipalname">Configuring the service
principal name</a></li><li><a shape="rect" href="#JAXRSKerberos-UsingJAASConfiguration">Using
JAAS Configuration</a></li></ul></ul><li><a shape="rect"
href="#JAXRSKerberos-Serverconfiguration">Server configuration</a></li><li><a
shape="
 rect" href="#JAXRSKerberos-CredentialDelegation">Credential Delegation</a></li></ul></div>
 
 <h1><a shape="rect" name="JAXRSKerberos-Introduction"></a>Introduction</h1>
+<h2><a shape="rect" name="JAXRSKerberos-Kerberos"></a>Kerberos</h2>
+<h2><a shape="rect" name="JAXRSKerberos-HTTPNegotiatescheme"></a>HTTP Negotiate
scheme </h2>
+<h2><a shape="rect" name="JAXRSKerberos-GSSAPI"></a>GSS API</h2>
 
-<h2><a shape="rect" name="JAXRSKerberos-Clientconfiguration"></a>Client
configuration</h2>
+<h1><a shape="rect" name="JAXRSKerberos-Clientconfiguration"></a>Client
configuration</h1>
 
-<h3><a shape="rect" name="JAXRSKerberos-HTTPConduit"></a>HTTPConduit</h3>
+<h2><a shape="rect" name="JAXRSKerberos-HTTPConduit"></a>HTTPConduit</h2>
 
 <p>Please see <a shape="rect" href="http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-SpnegoAuthentication%28Kerberos%29">this
page</a> for the information about Spnego/Kerberos HTTPConduit client support. </p>
 
-<h3><a shape="rect" name="JAXRSKerberos-Interceptor"></a>Interceptor</h3>
+<h2><a shape="rect" name="JAXRSKerberos-Interceptor"></a>Interceptor</h2>
 
+<p>org.apache.cxf.jaxrs.security.KerberosAuthOutInterceptor can be used as an alternative
to configuring HTTPConduit.</p>
 
-<h2><a shape="rect" name="JAXRSKerberos-Serverconfiguration"></a>Server
configuration</h2></div>
+<p>KerberosAuthOutInterceptor and the HTTPConduit Spnego handler share the same base
code. Having HTTPConduit configuration can be enough in many cases<br clear="none">
+especially when SSL is also being setup at the conduit level. Using the interceptor can be
handy when testing as well as when setting few extra properties which is not easy to set up
at the generic HTTP Conduit Authorization Policy level. </p>
+
+<p>The interceptor properties are explained in the following sub-sections</p>
+
+<h3><a shape="rect" name="JAXRSKerberos-AuthorizationPolicy"></a>Authorization
Policy</h3>
+
+<p>As explained on <a shape="rect" href="http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-SpnegoAuthentication%28Kerberos%29">this
page</a>, Authorization Policy typically needs to have its type set to "Negotiate" and
its "authorization" property set to the name of the JAAS context. AuthorizationPolicy is set
as a "policy" property on the interceptor, example:</p>
+
+<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
+<pre class="code-java">
+WebClient wc = WebClient.create(<span class="code-quote">"http:<span class="code-comment">//localhost:"</span>
+ PORT + <span class="code-quote">"/bookstore/books/123"</span>);
+</span>        
+KerberosAuthOutInterceptor kbInterceptor = <span class="code-keyword">new</span>
KerberosAuthOutInterceptor();
+        
+AuthorizationPolicy policy = <span class="code-keyword">new</span> AuthorizationPolicy();
+policy.setAuthorizationType(HttpAuthHeader.AUTH_TYPE_NEGOTIATE);
+policy.setAuthorization(<span class="code-quote">"KerberosClientKeyTab"</span>);
+        
+kbInterceptor.setPolicy(policy);
+WebClient.getConfig(wc).getOutInterceptors().add(kbInterceptor);
+        
+Book b = wc.get(Book.class);
+</pre>
+</div></div>
+
+
+<h3><a shape="rect" name="JAXRSKerberos-Configuringtheserviceprincipalname"></a>Configuring
the service principal name</h3>
+
+<p>By default, the service principal name is calculated by concatenating "HTTP", "/"
and the name of the target host, example, when invoking on "http://localhost:8080/services",
the service principal name is set to "HTTP/localhost".</p>
+
+<p>The "servicePrincipalName" and "realm" properties can be used to customize it, example,
setting "servicePrincipalName" to "HTTP/www.mycompany.com" and realm to "services.org" will
result in the "HTTP/www.mycompany.com@services.org" service principal name being used. </p>
+
+<h3><a shape="rect" name="JAXRSKerberos-UsingJAASConfiguration"></a>Using
JAAS Configuration</h3>
+
+<p>Both HTTPConduit and interceptor handlers need a "java.security.auth.login.config"
system property set up. This property needs to point to the file containing the configuration
of the specific Kerberos login module.</p>
+
+<p>Instead of setting this system property and maintaining a configuration file, one
might want to use an implementation of javax.security.auth.login.Configuration and set it
on the interceptor as a "loginConfig" property.    </p>
+
+<h1><a shape="rect" name="JAXRSKerberos-Serverconfiguration"></a>Server
configuration</h1>
+
+<h1><a shape="rect" name="JAXRSKerberos-CredentialDelegation"></a>Credential
Delegation</h1>
+</div>
            </div>
            <!-- Content -->
          </td>



Mime
View raw message