cxf-commits mailing list archives

From conflue...@apache.org
Subject [CONF] Apache CXF Documentation > JAXRS Kerberos
Date Wed, 01 Aug 2012 13:37:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/2042/9/1/_/styles/combined.css?spaceKey=CXF20DOC&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/CXF20DOC/JAXRS+Kerberos">JAXRS
Kerberos</a></h2>
    <h4>Page <b>edited</b> by             <a href="https://cwiki.apache.org/confluence/display/~sergey_beryozkin">Sergey
Beryozkin</a>
    </h4>
        <br/>
                         <h4>Changes (8)</h4>
                                 
    
<div id="page-diffs">
                    <table class="diff" cellpadding="0" cellspacing="0">
    
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" > <br>h1. Introduction <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">h2.
Kerberos <br>h2. HTTP Negotiate scheme  <br>h2. GSS API <br></td></tr>
            <tr><td class="diff-unchanged" > <br></td></tr>
            <tr><td class="diff-changed-lines" ><span class="diff-changed-words">h<span
class="diff-deleted-chars"style="color:#999;background-color:#fdd;text-decoration:line-through;">2</span><span
class="diff-added-chars"style="background-color: #dfd;">1</span>.</span> Client
configuration <br></td></tr>
            <tr><td class="diff-unchanged" > <br></td></tr>
            <tr><td class="diff-changed-lines" ><span class="diff-changed-words">h<span
class="diff-deleted-chars"style="color:#999;background-color:#fdd;text-decoration:line-through;">3</span><span
class="diff-added-chars"style="background-color: #dfd;">2</span>.</span> HTTPConduit
<br></td></tr>
            <tr><td class="diff-unchanged" > <br>Please see [this page|http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-SpnegoAuthentication%28Kerberos%29]
for the information about Spnego/Kerberos HTTPConduit client support.  <br> <br></td></tr>
            <tr><td class="diff-changed-lines" ><span class="diff-changed-words">h<span
class="diff-deleted-chars"style="color:#999;background-color:#fdd;text-decoration:line-through;">3</span><span
class="diff-added-chars"style="background-color: #dfd;">2</span>.</span> Interceptor
<br></td></tr>
            <tr><td class="diff-unchanged" > <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">org.apache.cxf.jaxrs.security.KerberosAuthOutInterceptor
can be used as an alternative to configuring HTTPConduit. <br></td></tr>
            <tr><td class="diff-unchanged" > <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">KerberosAuthOutInterceptor
and the HTTPConduit Spnego handler share the same base code. Having HTTPConduit configuration
can be enough in many cases <br>especially when SSL is also being setup at the conduit
level. Using the interceptor can be handy when testing as well as when setting few extra properties
which is not easy to set up at the generic HTTP Conduit Authorization Policy level.  <br>
<br>The interceptor properties are explained in the following sub-sections <br>
<br>h3. Authorization Policy <br> <br>As explained on [this page|http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-SpnegoAuthentication%28Kerberos%29],
Authorization Policy typically needs to have its type set to &quot;Negotiate&quot;
and its &quot;authorization&quot; property set to the name of the JAAS context. AuthorizationPolicy
is set as a &quot;policy&quot; property on the interceptor, example: <br> <br>{code:java}
<br>WebClient wc = WebClient.create(&quot;http://localhost:&quot; + PORT + &quot;/bookstore/books/123&quot;);
<br> <br>KerberosAuthOutInterceptor kbInterceptor = new KerberosAuthOutInterceptor();
<br> <br>AuthorizationPolicy policy = new AuthorizationPolicy(); <br>policy.setAuthorizationType(HttpAuthHeader.AUTH_TYPE_NEGOTIATE);
<br>policy.setAuthorization(&quot;KerberosClientKeyTab&quot;); <br> <br>kbInterceptor.setPolicy(policy);
<br>WebClient.getConfig(wc).getOutInterceptors().add(kbInterceptor); <br> <br>Book
b = wc.get(Book.class); <br>{code} <br> <br> <br>h3. Configuring the
service principal name <br> <br>By default, the service principal name is calculated
by concatenating &quot;HTTP&quot;, &quot;/&quot; and the name of the target
host, example, when invoking on &quot;http://localhost:8080/services&quot;, the service
principal name is set to &quot;HTTP/localhost&quot;. <br> <br>The &quot;servicePrincipalName&quot;
and &quot;realm&quot; properties can be used to customize it, example, setting &quot;servicePrincipalName&quot;
to &quot;HTTP/www.mycompany.com&quot; and realm to &quot;services.org&quot;
will result in the &quot;HTTP/www.mycompany.com@services.org&quot; service principal
name being used.  <br> <br>h3. Using JAAS Configuration <br> <br>Both
HTTPConduit and interceptor handlers need a &quot;java.security.auth.login.config&quot;
system property set up. This property needs to point to the file containing the configuration
of the specific Kerberos login module. <br> <br>Instead of setting this system
property and maintaining a configuration file, one might want to use an implementation of
javax.security.auth.login.Configuration and set it on the interceptor as a &quot;loginConfig&quot;
property.     <br> <br></td></tr>
            <tr><td class="diff-changed-lines" ><span class="diff-changed-words">h<span
class="diff-deleted-chars"style="color:#999;background-color:#fdd;text-decoration:line-through;">2</span><span
class="diff-added-chars"style="background-color: #dfd;">1</span>.</span> Server
configuration <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">
<br>h1. Credential Delegation <br></td></tr>
    
            </table>
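Review bot: in the added "Using JAAS Configuration" text, the "loginConfig" property and the "java.security.auth.login.config" system property are named, but nothing shows the JAAS entry that the "KerberosClientKeyTab" context in the code sample resolves to; add a short login configuration entry or a Configuration snippet so the sample can be followed end to end. The new "h2. Kerberos", "h2. HTTP Negotiate scheme", "h2. GSS API" and "h1. Credential Delegation" headings are also added with no text under them, so either fill them in or hold them back until there is content.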
    </div>                            <h4>Full Content</h4>
                    <div class="notificationGreySide">
        <p><span style="font-size:2em;font-weight:bold"> JAX-RS Kerberos Support
</span></p>

<div>
<ul>
    <li><a href='#JAXRSKerberos-Introduction'>Introduction</a></li>
<ul>
    <li><a href='#JAXRSKerberos-Kerberos'>Kerberos</a></li>
    <li><a href='#JAXRSKerberos-HTTPNegotiatescheme'>HTTP Negotiate scheme</a></li>
    <li><a href='#JAXRSKerberos-GSSAPI'>GSS API</a></li>
</ul>
    <li><a href='#JAXRSKerberos-Clientconfiguration'>Client configuration</a></li>
<ul>
    <li><a href='#JAXRSKerberos-HTTPConduit'>HTTPConduit</a></li>
    <li><a href='#JAXRSKerberos-Interceptor'>Interceptor</a></li>
<ul>
    <li><a href='#JAXRSKerberos-AuthorizationPolicy'>Authorization Policy</a></li>
    <li><a href='#JAXRSKerberos-Configuringtheserviceprincipalname'>Configuring
the service principal name</a></li>
    <li><a href='#JAXRSKerberos-UsingJAASConfiguration'>Using JAAS Configuration</a></li>
</ul>
</ul>
    <li><a href='#JAXRSKerberos-Serverconfiguration'>Server configuration</a></li>
    <li><a href='#JAXRSKerberos-CredentialDelegation'>Credential Delegation</a></li>
</ul></div>

<h1><a name="JAXRSKerberos-Introduction"></a>Introduction</h1>
<h2><a name="JAXRSKerberos-Kerberos"></a>Kerberos</h2>
<h2><a name="JAXRSKerberos-HTTPNegotiatescheme"></a>HTTP Negotiate scheme
</h2>
<h2><a name="JAXRSKerberos-GSSAPI"></a>GSS API</h2>

<h1><a name="JAXRSKerberos-Clientconfiguration"></a>Client configuration</h1>

<h2><a name="JAXRSKerberos-HTTPConduit"></a>HTTPConduit</h2>

<p>Please see <a href="http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-SpnegoAuthentication%28Kerberos%29"
class="external-link" rel="nofollow">this page</a> for information about SPNEGO/Kerberos
HTTPConduit client support.</p>

<h2><a name="JAXRSKerberos-Interceptor"></a>Interceptor</h2>

<p>org.apache.cxf.jaxrs.security.KerberosAuthOutInterceptor can be used as an alternative
to configuring HTTPConduit.</p>

<p>KerberosAuthOutInterceptor and the HTTPConduit Spnego handler share the same base
code. Configuring HTTPConduit can be enough in many cases, especially when SSL is also
being set up at the conduit level. Using the interceptor can be handy when testing, as well
as when setting a few extra properties which are not easy to set up at the generic HTTP
Conduit Authorization Policy level.</p>

<p>The interceptor properties are explained in the following sub-sections.</p>

<h3><a name="JAXRSKerberos-AuthorizationPolicy"></a>Authorization Policy</h3>

<p>As explained on <a href="http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-SpnegoAuthentication%28Kerberos%29"
class="external-link" rel="nofollow">this page</a>, the Authorization Policy typically
needs to have its type set to "Negotiate" and its "authorization" property set to the name
of the JAAS context. The AuthorizationPolicy is set as the "policy" property on the interceptor,
for example:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
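<pre class="code-java">
<span class="code-comment">// Imports for the CXF classes used below; PORT and Book come from the calling code.</span>
import org.apache.cxf.configuration.security.AuthorizationPolicy;
import org.apache.cxf.jaxrs.client.WebClient;
import org.apache.cxf.jaxrs.security.KerberosAuthOutInterceptor;
import org.apache.cxf.transport.http.auth.HttpAuthHeader;

WebClient wc = WebClient.create(<span class="code-quote">"http://localhost:"</span> + PORT + <span class="code-quote">"/bookstore/books/123"</span>);

KerberosAuthOutInterceptor kbInterceptor = <span class="code-keyword">new</span> KerberosAuthOutInterceptor();

<span class="code-comment">// "Negotiate" scheme; the authorization value is the JAAS context name.</span>
AuthorizationPolicy policy = <span class="code-keyword">new</span> AuthorizationPolicy();
policy.setAuthorizationType(HttpAuthHeader.AUTH_TYPE_NEGOTIATE);
policy.setAuthorization(<span class="code-quote">"KerberosClientKeyTab"</span>);

<span class="code-comment">// Attach the policy and register the interceptor on the client's outbound chain.</span>
kbInterceptor.setPolicy(policy);
WebClient.getConfig(wc).getOutInterceptors().add(kbInterceptor);

Book b = wc.get(Book.class);
</pre>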
</div></div>


<h3><a name="JAXRSKerberos-Configuringtheserviceprincipalname"></a>Configuring
the service principal name</h3>

<p>By default, the service principal name is calculated by concatenating "HTTP", "/"
and the name of the target host. For example, when invoking on "http://localhost:8080/services",
the service principal name is set to "HTTP/localhost".</p>

<p>The "servicePrincipalName" and "realm" properties can be used to customize it. For example,
setting "servicePrincipalName" to "HTTP/www.mycompany.com" and "realm" to "services.org" will
result in the "HTTP/www.mycompany.com@services.org" service principal name being used.</p>

<h3><a name="JAXRSKerberos-UsingJAASConfiguration"></a>Using JAAS Configuration</h3>

<p>Both the HTTPConduit and the interceptor handlers need the "java.security.auth.login.config"
system property to be set. This property needs to point to the file containing the configuration
of the specific Kerberos login module.</p>

<p>Instead of setting this system property and maintaining a configuration file, one
might want to use an implementation of javax.security.auth.login.Configuration and set it
on the interceptor as the "loginConfig" property.</p>
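
<p>The programmatic alternative described above, combined with the service principal name properties from the previous sub-section, as an added example that is not part of the CXF documentation. The setter names setLoginConfig, setServicePrincipalName and setRealm are assumed from the property names on this page; the client principal and keytab path are constructed placeholders, and the login module class is the one shipped with Oracle/OpenJDK.</p>

```java
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import org.apache.cxf.configuration.security.AuthorizationPolicy;
import org.apache.cxf.jaxrs.client.WebClient;
import org.apache.cxf.jaxrs.security.KerberosAuthOutInterceptor;
import org.apache.cxf.transport.http.auth.HttpAuthHeader;

public class KerberosClientSetup {
    static final String CONTEXT = "KerberosClientKeyTab"; // JAAS context name from this page

    /** In-memory stand-in for the file named by java.security.auth.login.config. */
    static class KeytabLoginConfig extends Configuration {
        private final String principal, keyTab;

        KeytabLoginConfig(String principal, String keyTab) {
            this.principal = principal;
            this.keyTab = keyTab;
        }

        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            if (!CONTEXT.equals(name)) {
                return null; // no entry for any other context name
            }
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry(
                    "com.sun.security.auth.module.Krb5LoginModule", // Oracle/OpenJDK module
                    LoginModuleControlFlag.REQUIRED,
                    Map.of("useKeyTab", "true", "keyTab", keyTab,
                           "principal", principal, "doNotPrompt", "true"))
            };
        }
    }

    static WebClient newClient(String address) {
        AuthorizationPolicy policy = new AuthorizationPolicy();
        policy.setAuthorizationType(HttpAuthHeader.AUTH_TYPE_NEGOTIATE);
        policy.setAuthorization(CONTEXT);
        KerberosAuthOutInterceptor kb = new KerberosAuthOutInterceptor();
        kb.setPolicy(policy);
        // Setter names assumed from the "loginConfig", "servicePrincipalName", "realm" properties.
        kb.setLoginConfig(new KeytabLoginConfig("client@services.org", "/path/to/client.keytab"));
        kb.setServicePrincipalName("HTTP/www.mycompany.com"); // instead of HTTP/ + target host
        kb.setRealm("services.org");
        WebClient wc = WebClient.create(address);
        WebClient.getConfig(wc).getOutInterceptors().add(kb);
        return wc;
    }
}
```

<p>The keytab holds the client's long-term key, so it should be readable only by the account that runs the client.</p>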

<h1><a name="JAXRSKerberos-Serverconfiguration"></a>Server configuration</h1>

<h1><a name="JAXRSKerberos-CredentialDelegation"></a>Credential Delegation</h1>

    </div>
</div>
</div>
</div>
</div>
</body>
</html>
