cxf-commits mailing list archives

From build...@apache.org
Subject svn commit: r964766 - in /websites/production/cxf/content: cache/docs.pageCache docs/jaxrs-kerberos.html
Date Tue, 08 Sep 2015 14:47:35 GMT
Author: buildbot
Date: Tue Sep  8 14:47:35 2015
New Revision: 964766

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/jaxrs-kerberos.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jaxrs-kerberos.html
==============================================================================
--- websites/production/cxf/content/docs/jaxrs-kerberos.html (original)
+++ websites/production/cxf/content/docs/jaxrs-kerberos.html Tue Sep  8 14:47:35 2015
@@ -117,12 +117,12 @@ Apache CXF -- JAXRS Kerberos
          <td height="100%">
            <!-- Content -->
            <div class="wiki-content">
-<div id="ConfluenceContent"><p>&#160;</p><p>&#160;</p><p><span
class="inline-first-p" style="font-size:2em;font-weight:bold"> JAX-RS Kerberos Support
</span></p><p>&#160;</p><p>&#160;</p><p>&#160;</p><p><style
type="text/css">/*<![CDATA[*/
-div.rbtoc1435780188110 {padding: 0px;}
-div.rbtoc1435780188110 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1435780188110 li {margin-left: 0px;padding-left: 0px;}
+<div id="ConfluenceContent"><p>&#160;</p><p>&#160;<span
class="inline-first-p" style="font-size:2em;font-weight:bold">JAX-RS Kerberos Support</span>&#160;</p><p>&#160;</p><p>&#160;</p><p><style
type="text/css">/*<![CDATA[*/
+div.rbtoc1441723615900 {padding: 0px;}
+div.rbtoc1441723615900 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1441723615900 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1435780188110">
+/*]]>*/</style></p><div class="toc-macro rbtoc1441723615900">
 <ul class="toc-indentation"><li><a shape="rect" href="#JAXRSKerberos-Introduction">Introduction</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#JAXRSKerberos-Setup">Setup</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#JAXRSKerberos-Unix">Unix</a></li><li><a
shape="rect" href="#JAXRSKerberos-Windows">Windows</a></li></ul>
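
Review bot: The only changes in this hunk are the generated "rbtoc" class suffix (1435780188110 to 1441723615900, in the three CSS rules and on the "toc-macro" div) and the whitespace around the title span, so it carries no documentation change. If the exporter can emit a stable class name, commits like this one would show only the real edit. The page title is also still an inline-styled span padded with "&#160;" paragraphs rather than a heading element, which is worth fixing in the source page.
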
@@ -151,7 +151,7 @@ WebClient.getConfig(wc).getOutIntercepto
         
 Book b = wc.get(Book.class);
 </pre>
-</div></div><p>In this example, the <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/kerberos.cfg">KerberosClientKeyTab</a>
policy is used which links to the available keytab; otherwise AuthorizationPolicy 'UserName'
and 'Password' properties would most likely have to be set too (with the possible exceptions
on Windows)</p><h3 id="JAXRSKerberos-Configuringtheserviceprincipalname">Configuring
the service principal name</h3><p>Service principal identifies a target service.</p><p>By
default, the service principal name is calculated by concatenating "HTTP", "/" and the name
of the target host, example, when invoking on "http://localhost:8080/services", the service
principal name is set to "HTTP/localhost".</p><p>The "servicePrincipalName" and
"realm" properties can be used to customize it, example, setting "servicePrincipalName" to
"HTTP/www.mycompany.com" and realm to "services.org" 
 will result in the "HTTP/www.mycompany.com@services.org" service principal name being used.</p><h3
id="JAXRSKerberos-UsingJAASConfiguration">Using JAAS Configuration</h3><p>Both
HTTPConduit and interceptor handlers need a "java.security.auth.login.config" system property
set up. This property needs to point to the file containing the configuration of the specific
Kerberos login module.</p><p>Instead of setting this system property and maintaining
a configuration file, one might want to use an implementation of javax.security.auth.login.Configuration
and set it on the interceptor as a "loginConfig" property.</p><h3 id="JAXRSKerberos-Howtoavoidsettingusernameandpasswordproperties">How
to avoid setting username and password properties</h3><p>Typically, one may have
to set AuthorizationPolicy UserName and Password properties for the Kerberos login module
to authenticate the user.</p><p>The next option is to create a keytab as noted
in the Setup section, which will let one to avoid speci
 fying a password property.<br clear="none"> Finally, if the user actually owns the
Java process which runs the code then no username and password properties have to be provided,
assuming the Kerberos login configuration has 'useTicketCache' and possibly 'renewTGT' properties
set to "true"</p><h1 id="JAXRSKerberos-Serverconfiguration">Server configuration</h1><p>org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter
can be used to protected JAX-RS endpoints and enforce that a Negotiate authentication scheme
is used by clients, example:</p><div class="code panel pdl" style="border-width:
1px;"><div class="codeContent panelContent pdl">
+</div></div><p>In this example, the <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/kerberos.cfg">KerberosClientKeyTab</a>
policy is used which links to the available keytab; otherwise AuthorizationPolicy 'UserName'
and 'Password' properties would most likely have to be set too (with the possible exceptions
on Windows)</p><h3 id="JAXRSKerberos-Configuringtheserviceprincipalname">Configuring
the service principal name</h3><p>Service principal identifies a target service.</p><p>By
default, the service principal name is calculated by concatenating "HTTP", "/" and the name
of the target host, example, when invoking on "http://localhost:8080/services", the service
principal name is set to "HTTP/localhost".</p><p>The "servicePrincipalName" and
"realm" properties can be used to customize it, example, setting "servicePrincipalName" to
"HTTP/www.mycompany.com" and realm to "services.org" 
 will result in the "HTTP/www.mycompany.com@services.org" service principal name being used.</p><p>When
the "servicePrincipalName" is not specified, the target host from the provided endpoint URL
is used to construct one as-is.&#160; To perform canonicalization of this hostname (e.g.
if a CNAME record <a shape="rect" class="external-link" href="http://host.example.com"
rel="nofollow">host.example.com</a> points to an A record <a shape="rect" class="external-link"
href="http://host-x.example.com" rel="nofollow">host-x.example.com</a>, then use
"<a shape="rect" class="external-link" href="http://host-x.example.com" rel="nofollow">host-x.example.com</a>"
when constructing the servicePrincipalName), the "useCanonicalHostname" property can be set
to "true".</p><h3 id="JAXRSKerberos-UsingJAASConfiguration">Using JAAS Configuration</h3><p>Both
HTTPConduit and interceptor handlers need a "java.security.auth.login.config" system property
set up. This property needs to point to the file contai
 ning the configuration of the specific Kerberos login module.</p><p>Instead of
setting this system property and maintaining a configuration file, one might want to use an
implementation of javax.security.auth.login.Configuration and set it on the interceptor as
a "loginConfig" property.</p><h3 id="JAXRSKerberos-Howtoavoidsettingusernameandpasswordproperties">How
to avoid setting username and password properties</h3><p>Typically, one may have
to set AuthorizationPolicy UserName and Password properties for the Kerberos login module
to authenticate the user.</p><p>The next option is to create a keytab as noted
in the Setup section, which will let one to avoid specifying a password property.<br clear="none">
Finally, if the user actually owns the Java process which runs the code then no username and
password properties have to be provided, assuming the Kerberos login configuration has 'useTicketCache'
and possibly 'renewTGT' properties set to "true"</p><h1 id="JAXRSKerberos-Serverconfig
 uration">Server configuration</h1><p>org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter
can be used to protected JAX-RS endpoints and enforce that a Negotiate authentication scheme
is used by clients, example:</p><div class="code panel pdl" style="border-width:
1px;"><div class="codeContent panelContent pdl">
 <pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">&lt;bean
id="kerberosFilter" class="org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter"&gt;
    &lt;property name="loginContextName" value="KerberosServiceKeyTab"/&gt;
 &lt;/bean&gt;
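
Review bot: The new "useCanonicalHostname" paragraph does not say what the setting trusts. With it set to "true", the service principal name is built from the result of a DNS lookup (host-x.example.com in the example) rather than from the host in the endpoint URL the caller supplied, so the name the client requests a ticket for is only as trustworthy as the resolver. Suggest stating explicitly that the default is to use the URL host as-is, naming the object that takes the property (the paragraph does not say, and neither does the one above it for "servicePrincipalName" and "realm"), and recommending an explicit "servicePrincipalName" where DNS answers are not trusted. While this line is being touched, 'can be used to protected' should read 'can be used to protect', and the sentence ending 'properties set to "true"' lacks its full stop.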


