cxf-commits mailing list archives

From conflue...@apache.org
Subject [CONF] Apache CXF Documentation > JAXRS Kerberos
Date Wed, 01 Aug 2012 14:47:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/2042/9/1/_/styles/combined.css?spaceKey=CXF20DOC&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/CXF20DOC/JAXRS+Kerberos">JAXRS
Kerberos</a></h2>
    <h4>Page <b>edited</b> by             <a href="https://cwiki.apache.org/confluence/display/~sergey_beryozkin">Sergey
Beryozkin</a>
    </h4>
        <br/>
                         <h4>Changes (1)</h4>
                                 
    
<div id="page-diffs">
                    <table class="diff" cellpadding="0" cellspacing="0">
    
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" > <br>h1. Credential Delegation
<br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">
<br>Please see this [section|http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-CredentialDelegation]
on the way client-side credential delegation can be both enabled and implemented at the HTTP
conduit level. <br> <br>Note that if you have a JAX-RS KerberosAuthenticationFilter
protecting the endpoints, then the filter will have an  org.ietf.jgss.GSSContext instance
available in the current CXF SecurityContext, via its KerberosAuthenticationFilter$KerberosSecurityContext
implementation, which can be used to get to  org.ietf.jgss.GSSCredential if the credential
delegation is supported for a given source principal. The current credential if any can be
set as a client property next, for example: <br> <br>{code:java} <br> <br>import
org.ietf.jgss.GSSCredential; <br> <br>import org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter;
<br>import org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter.KerberosSecurityContext;
<br> <br>@Path(&quot;service&quot;) <br>public class MyResource
{ <br> <br>   @Context  <br>   private javax.ws.rs.core.SecurityContext
securityContext; <br> <br>   @GET <br>   public Book getBookFromKerberosProtectedStore()
{ <br>       WebClient wc = webClient.create(&quot;http://internal.com/store&quot;);
<br>       if (securityContext instanceof KerberosSecurityContext) { <br>    
      KerberosSecurityContext ksc = (KerberosSecurityContext)securityContext; <br> 
         GSSCredential cred = ksc.getGSSContext().getDelegCred(); <br>           if
(cred != null) { <br>               WebClient.getConfig(wc).getRequestContext().put(GSSCredential.class.getName(),
cred); <br>           }  <br>       } <br>       return wc.get(Book.class);
 <br>   } <br> <br>} <br>{code} <br> <br>The HTTPConduit
or KerberosAuthOutInterceptor handler will use the available GSSCredential. <br> <br>
<br>Also note that KerberosAuthOutInterceptor can have its &quot;credDelegation&quot;
property set to &quot;true&quot; if it is used instead of HTTPConduit on the client
side, when enabling the delegation initially. <br> <br> <br></td></tr>
    
            </table>
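Review bot: the added Credential Delegation snippet will not compile as pasted: `WebClient wc = webClient.create(&quot;http://internal.com/store&quot;);` in getBookFromKerberosProtectedStore refers to an undefined `webClient` and should be `WebClient.create(...)`, and `GSSCredential cred = ksc.getGSSContext().getDelegCred();` calls a method that declares the checked org.ietf.jgss.GSSException, which nothing in the method catches or propagates. Suggest fixing the static call and wrapping getDelegCred() in a try/catch whose failure path simply makes the downstream call without a delegated credential. Next to the `put(GSSCredential.class.getName(), cred)` line it is worth stating that the downstream call then runs under the caller's identity, so the delegated credential should only be handed to the store the caller is meant to reach.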
    </div>                            <h4>Full Content</h4>
                    <div class="notificationGreySide">
        <p><span style="font-size:2em;font-weight:bold"> JAX-RS Kerberos Support
</span></p>

<div>
<ul>
    <li><a href='#JAXRSKerberos-Introduction'>Introduction</a></li>
<ul>
    <li><a href='#JAXRSKerberos-Kerberos'>Kerberos</a></li>
    <li><a href='#JAXRSKerberos-HTTPNegotiatescheme'>HTTP Negotiate scheme</a></li>
    <li><a href='#JAXRSKerberos-GSSAPI'>GSS API</a></li>
</ul>
    <li><a href='#JAXRSKerberos-Clientconfiguration'>Client configuration</a></li>
<ul>
    <li><a href='#JAXRSKerberos-HTTPConduit'>HTTPConduit</a></li>
    <li><a href='#JAXRSKerberos-Interceptor'>Interceptor</a></li>
<ul>
    <li><a href='#JAXRSKerberos-AuthorizationPolicy'>Authorization Policy</a></li>
    <li><a href='#JAXRSKerberos-Configuringtheserviceprincipalname'>Configuring
the service principal name</a></li>
    <li><a href='#JAXRSKerberos-UsingJAASConfiguration'>Using JAAS Configuration</a></li>
</ul>
</ul>
    <li><a href='#JAXRSKerberos-Serverconfiguration'>Server configuration</a></li>
<ul>
    <li><a href='#JAXRSKerberos-ServiceprincipalnameandJAASConfiguration'>Service
principal name and JAAS Configuration</a></li>
    <li><a href='#JAXRSKerberos-CallbackHandler'>CallbackHandler</a></li>
</ul>
    <li><a href='#JAXRSKerberos-CredentialDelegation'>Credential Delegation</a></li>
</ul></div>

<h1><a name="JAXRSKerberos-Introduction"></a>Introduction</h1>
<h2><a name="JAXRSKerberos-Kerberos"></a>Kerberos</h2>
<h2><a name="JAXRSKerberos-HTTPNegotiatescheme"></a>HTTP Negotiate scheme
</h2>
<h2><a name="JAXRSKerberos-GSSAPI"></a>GSS API</h2>

<h1><a name="JAXRSKerberos-Clientconfiguration"></a>Client configuration</h1>

<h2><a name="JAXRSKerberos-HTTPConduit"></a>HTTPConduit</h2>

<p>Please see <a href="http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-SpnegoAuthentication%28Kerberos%29"
class="external-link" rel="nofollow">this page</a> for the information about Spnego/Kerberos
HTTPConduit client support. </p>

<h2><a name="JAXRSKerberos-Interceptor"></a>Interceptor</h2>

<p>org.apache.cxf.jaxrs.security.KerberosAuthOutInterceptor can be used as an alternative
to configuring HTTPConduit.</p>

<p>KerberosAuthOutInterceptor and the HTTPConduit SPNEGO handler share the same base
code. Configuring HTTPConduit is often enough, especially when SSL is also being set up at
the conduit level. The interceptor is handy for testing, and for setting the few extra
properties (service principal name, realm, JAAS Configuration, credential delegation) that
are not easy to set at the generic HTTPConduit AuthorizationPolicy level.</p>

<p>The interceptor properties are explained in the following sub-sections.</p>

<h3><a name="JAXRSKerberos-AuthorizationPolicy"></a>Authorization Policy</h3>

<p>As explained on <a href="http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-SpnegoAuthentication%28Kerberos%29"
class="external-link" rel="nofollow">this page</a>, the AuthorizationPolicy typically
needs its type set to "Negotiate" and its "authorization" property set to the name of the
JAAS login context. The AuthorizationPolicy is set as the "policy" property on the interceptor,
for example:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
import org.apache.cxf.configuration.security.AuthorizationPolicy;
import org.apache.cxf.jaxrs.client.WebClient;
import org.apache.cxf.jaxrs.security.KerberosAuthOutInterceptor;
import org.apache.cxf.transport.http.auth.HttpAuthHeader;

WebClient wc = WebClient.create("http://localhost:" + PORT + "/bookstore/books/123");

KerberosAuthOutInterceptor kbInterceptor = new KerberosAuthOutInterceptor();

// "Negotiate" selects the SPNEGO/Kerberos scheme; "authorization" names the JAAS
// login context ("KerberosClientKeyTab") the interceptor logs in with
AuthorizationPolicy policy = new AuthorizationPolicy();
policy.setAuthorizationType(HttpAuthHeader.AUTH_TYPE_NEGOTIATE);
policy.setAuthorization("KerberosClientKeyTab");

kbInterceptor.setPolicy(policy);
WebClient.getConfig(wc).getOutInterceptors().add(kbInterceptor);

Book b = wc.get(Book.class);
</pre>
</div></div>


<h3><a name="JAXRSKerberos-Configuringtheserviceprincipalname"></a>Configuring
the service principal name</h3>

<p>By default, the service principal name is built by concatenating "HTTP", "/" and the
host name of the target URL; for example, when invoking "http://localhost:8080/services",
the service principal name is "HTTP/localhost". No realm is appended, so the Kerberos
library's default realm applies.</p>

<p>The "servicePrincipalName" and "realm" properties override this: setting
"servicePrincipalName" to "HTTP/www.mycompany.com" and "realm" to "services.org" results
in "HTTP/www.mycompany.com@services.org" being used. Because the default is derived from
the host in the URL, a service reached through a load balancer or DNS alias may be asked
for a ticket under a name it holds no key for; set "servicePrincipalName" explicitly in
that case.</p>

<h3><a name="JAXRSKerberos-UsingJAASConfiguration"></a>Using JAAS Configuration</h3>

<p>Both the HTTPConduit and the interceptor handlers need the "java.security.auth.login.config"
system property set. It must point to the JAAS file containing the configuration of the
Kerberos login module entry named by the AuthorizationPolicy "authorization" property.</p>

<p>Instead of setting this system property and maintaining a configuration file, an
implementation of javax.security.auth.login.Configuration can be set on the interceptor as
its "loginConfig" property.</p>
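<p>The following class, added here as an example and not taken from the CXF documentation or
code base, combines the two points above: it pins the service principal name and realm on
KerberosAuthOutInterceptor and supplies the Kerberos login module options through a
javax.security.auth.login.Configuration set as the interceptor's "loginConfig" property, so no
"java.security.auth.login.config" system property or file is needed. The setter names follow
the property names listed above; the keytab path, principal, host and realm are placeholder
values.</p>

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;

import org.apache.cxf.configuration.security.AuthorizationPolicy;
import org.apache.cxf.jaxrs.client.WebClient;
import org.apache.cxf.jaxrs.security.KerberosAuthOutInterceptor;
import org.apache.cxf.transport.http.auth.HttpAuthHeader;

/**
 * Programmatic JAAS Configuration equivalent to this login.config entry
 * (assumed names; keytab path and principal are placeholders):
 *
 *   KerberosClientKeyTab {
 *       com.sun.security.auth.module.Krb5LoginModule required
 *           useKeyTab=true
 *           keyTab="/etc/security/keytabs/client.keytab"
 *           principal="client@services.org"
 *           storeKey=true
 *           doNotPrompt=true;
 *   };
 */
public class KeyTabLoginConfiguration extends Configuration {
    private final String contextName;
    private final Map<String, String> options = new HashMap<String, String>();

    public KeyTabLoginConfiguration(String contextName, String keyTabPath, String principal) {
        this.contextName = contextName;
        options.put("useKeyTab", "true");
        options.put("keyTab", keyTabPath);
        options.put("principal", principal);
        options.put("storeKey", "true");
        // Never fall back to an interactive password prompt inside a service
        options.put("doNotPrompt", "true");
    }

    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        // Answer only for the context the interceptor asks for: a mistyped
        // "authorization" value then fails loudly instead of logging in with
        // whatever other entry happens to exist.
        if (!contextName.equals(name)) {
            return null;
        }
        return new AppConfigurationEntry[] {
            new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                                      LoginModuleControlFlag.REQUIRED,
                                      Collections.unmodifiableMap(options))
        };
    }

    public static KerberosAuthOutInterceptor createInterceptor() {
        AuthorizationPolicy policy = new AuthorizationPolicy();
        policy.setAuthorizationType(HttpAuthHeader.AUTH_TYPE_NEGOTIATE);
        policy.setAuthorization("KerberosClientKeyTab");

        KerberosAuthOutInterceptor kb = new KerberosAuthOutInterceptor();
        kb.setPolicy(policy);
        // Pin the target SPN and realm instead of deriving "HTTP/<host>" from the
        // URL: the ticket is requested for HTTP/www.mycompany.com@services.org.
        // Realm names are case-sensitive; real deployments normally use upper case.
        kb.setServicePrincipalName("HTTP/www.mycompany.com");
        kb.setRealm("services.org");
        // The login module options live in this object rather than in a file
        kb.setLoginConfig(new KeyTabLoginConfiguration("KerberosClientKeyTab",
                                                       "/etc/security/keytabs/client.keytab",
                                                       "client@services.org"));
        return kb;
    }

    public static void main(String[] args) {
        WebClient wc = WebClient.create("http://www.mycompany.com/bookstore/books/123");
        WebClient.getConfig(wc).getOutInterceptors().add(createInterceptor());
        System.out.println(wc.get(String.class));
    }
}
```

<p>Returning null for unknown context names is deliberate: the Configuration is consulted by
name, and a silent match against an unrelated entry is harder to diagnose than a login
failure.</p>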

<h1><a name="JAXRSKerberos-Serverconfiguration"></a>Server configuration</h1>

<p>org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter can be used to protect
JAX-RS endpoints and enforce that clients use the Negotiate authentication scheme, for example:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
&lt;bean id="kerberosFilter" class="org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter"&gt;
   &lt;!-- JAAS login context the filter logs in with to accept service tickets --&gt;
   &lt;property name="loginContextName" value="KerberosServiceKeyTab"/&gt;
&lt;/bean&gt;

&lt;jaxrs:server&gt;
  &lt;jaxrs:serviceBeans&gt;
    &lt;bean class="org.mycompany.MyCompanyResource"/&gt;
  &lt;/jaxrs:serviceBeans&gt;
  &lt;jaxrs:providers&gt;
    &lt;ref bean="kerberosFilter"/&gt;
  &lt;/jaxrs:providers&gt;
&lt;/jaxrs:server&gt;
</pre>
</div></div>

<p>KerberosAuthenticationFilter sets a CXF <a href="http://svn.apache.org/repos/asf/cxf/trunk/api/src/main/java/org/apache/cxf/security/SecurityContext.java"
class="external-link" rel="nofollow">SecurityContext</a> on the current message once
authentication has succeeded. This SecurityContext returns an instance of
KerberosAuthenticationFilter$KerberosPrincipal, which exposes both the 'simple' and the full
'kerberos' name of the source principal: given "HTTP/localhost@myrealm.com",
Principal#getName returns "HTTP/localhost" and KerberosPrincipal#getKerberosName returns
"HTTP/localhost@myrealm.com". Authorization decisions that need to distinguish realms must
use the latter, since the simple name drops the realm.</p>
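<p>As an added example, not from the page or from CXF, a resource that takes the CXF
SecurityContext off the current message, checks that the caller is a KerberosPrincipal and
uses getKerberosName to enforce an expected realm. The resource path and the realm value
are assumptions; PhaseInterceptorChain.getCurrentMessage() is CXF's accessor for the
in-flight message.</p>

```java
import java.security.Principal;

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;

import org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter.KerberosPrincipal;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.PhaseInterceptorChain;
import org.apache.cxf.security.SecurityContext;

@Path("whoami")
public class WhoAmIResource {

    // Assumed: the only realm whose principals may use this resource
    private static final String EXPECTED_REALM = "myrealm.com";

    /** Returns the realm part of "name@REALM", or null when there is none. */
    static String realmOf(String kerberosName) {
        if (kerberosName == null) {
            return null;
        }
        int at = kerberosName.lastIndexOf('@');
        return at < 0 ? null : kerberosName.substring(at + 1);
    }

    /**
     * True only when the principal carries the expected realm. With a cross-realm
     * trust in place the KDC can issue a valid ticket for bob@OTHER.COM, and
     * Principal#getName alone ("bob") cannot tell him from bob@myrealm.com.
     */
    static boolean isFromExpectedRealm(String kerberosName, String expectedRealm) {
        return expectedRealm.equals(realmOf(kerberosName));
    }

    @GET
    @Produces("text/plain")
    public String whoAmI() {
        Message m = PhaseInterceptorChain.getCurrentMessage();
        SecurityContext sc = m == null ? null : m.get(SecurityContext.class);
        Principal p = sc == null ? null : sc.getUserPrincipal();
        if (!(p instanceof KerberosPrincipal)) {
            // No Kerberos principal means the filter did not run for this
            // request; refuse rather than serve an unauthenticated caller
            throw new WebApplicationException(Response.Status.UNAUTHORIZED);
        }
        KerberosPrincipal kp = (KerberosPrincipal) p;
        String fullName = kp.getKerberosName();   // e.g. "HTTP/localhost@myrealm.com"
        if (!isFromExpectedRealm(fullName, EXPECTED_REALM)) {
            throw new WebApplicationException(Response.Status.FORBIDDEN);
        }
        return "simple=" + kp.getName() + " kerberos=" + fullName;
    }
}
```

<p>The instanceof check doubles as a guard against the filter being left out of the
providers list: the resource refuses to answer unless a Kerberos principal is present.</p>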

<h2><a name="JAXRSKerberos-ServiceprincipalnameandJAASConfiguration"></a>Service
principal name and JAAS Configuration</h2>

<p>The service principal name and JAAS Configuration can optionally be set the same way
as on KerberosAuthOutInterceptor, using the 'servicePrincipalName' + 'realm' and "loginConfig"
properties.</p>

<h2><a name="JAXRSKerberos-CallbackHandler"></a>CallbackHandler</h2>

<p>A javax.security.auth.callback.CallbackHandler must be registered when the service logs
in with a password rather than a Kerberos keytab; it supplies the service principal name and
password to the login module. Here is an example of setting it up from Java:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
import javax.security.auth.callback.CallbackHandler;

import org.apache.cxf.interceptor.security.NamePasswordCallbackHandler;
import org.apache.cxf.jaxrs.JAXRSServerFactoryBean;
import org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter;

public class TestResource {
 public static void main(String[] args) {
   JAXRSServerFactoryBean sf = new JAXRSServerFactoryBean();
   sf.setResourceClasses(BookStore.class);
   KerberosAuthenticationFilter filter = new KerberosAuthenticationFilter();
   filter.setLoginContextName("KerberosServer");

   // Supplies the service principal name and password to the login module
   // when no keytab is configured. A password in source is fine for a test;
   // production services should use a keytab (see the commented lines below).
   CallbackHandler handler =
     new NamePasswordCallbackHandler("HTTP/localhost", "http");

   filter.setCallbackHandler(handler);

   //filter.setLoginContextName("KerberosServerKeyTab");
   //filter.setServicePrincipalName("HTTP/ktab");
   sf.setProvider(filter);
   sf.setAddress("http://localhost:" + PORT + "/");

   sf.create();
 }
}
</pre>
</div></div>


<h1><a name="JAXRSKerberos-CredentialDelegation"></a>Credential Delegation</h1>

<p>Please see this <a href="http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-CredentialDelegation"
class="external-link" rel="nofollow">section</a> on how client-side credential
delegation is enabled and implemented at the HTTP conduit level.</p>

<p>If a JAX-RS KerberosAuthenticationFilter protects the endpoints, the filter makes an
org.ietf.jgss.GSSContext available in the current CXF SecurityContext through its
KerberosAuthenticationFilter$KerberosSecurityContext implementation. When the caller has
delegated its credentials and delegation is permitted for that source principal, the
GSSContext yields an org.ietf.jgss.GSSCredential; otherwise there is none. A delegated
credential lets this service act as the caller towards other Kerberos-protected services,
so it should only be forwarded to the downstream service the caller is meant to reach. The
credential, if any, is then set as a client property on the outgoing request, for example:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.core.Context;

import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;

import org.apache.cxf.jaxrs.client.WebClient;
import org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter.KerberosSecurityContext;

@Path("service")
public class MyResource {

   @Context
   private javax.ws.rs.core.SecurityContext securityContext;

   @GET
   public Book getBookFromKerberosProtectedStore() {
       WebClient wc = WebClient.create("http://internal.com/store");
       if (securityContext instanceof KerberosSecurityContext) {
           KerberosSecurityContext ksc = (KerberosSecurityContext)securityContext;
           try {
               // Non-null only if the caller delegated and delegation is allowed
               // for this service; getDelegCred() declares GSSException
               GSSCredential cred = ksc.getGSSContext().getDelegCred();
               if (cred != null) {
                   // The conduit or KerberosAuthOutInterceptor picks this up and
                   // the call to the store runs as the original caller
                   WebClient.getConfig(wc).getRequestContext().put(GSSCredential.class.getName(), cred);
               }
           } catch (GSSException ex) {
               // Delegation is optional: the store is called without the
               // caller's credential, using whatever the client is configured with
           }
       }
       return wc.get(Book.class);
   }

}
</pre>
</div></div>

<p>The HTTPConduit or KerberosAuthOutInterceptor handler will use the available GSSCredential.</p>


<p>Also note that when KerberosAuthOutInterceptor is used instead of HTTPConduit on the
client that initiates the delegation, its "credDelegation" property must be set to "true"
for delegation to be requested.</p>


    </div>
</div>
</div>
</div>
</div>
</body>
</html>
