cxf-dev mailing list archives

From Daniel Kulp <>
Subject Re: AW: Spnego / Kerberos Authentication
Date Fri, 22 Oct 2010 13:07:13 GMT


This is at a different level. This is transport-level auth, similar to
BasicAuth/DigestAuth/NTLM. It's payload-independent stuff. Slightly
different use case, but does have an impact when working with MS-secured
things. The WebServer itself can be configured to only accept proper
Spnego/Kerberos connections and thus nothing even reaches the SOAP endpoint.

Kind of equivalent to using the security things in the web.xml of a war.


On Friday 22 October 2010 2:57:38 am Oliver Wulff wrote:
> Hi Christian
> I don't understand why the Kerberos authentication itself is really
> relevant to CXF, for two reasons:
> 1) The Kerberos security token profile described a mapping to the GSS API
> for having a Kerberos ticket issued when it was submitted to OASIS:
> This chapter was later removed, because how you obtain a ticket is out of
> scope. You can use the JAAS login module for Kerberos to have the ticket
> issued, and the Kerberos token profile describes how to attach the ticket
> to a SOAP message.
> 2) The issuance of Kerberos tickets happens between the client and the KDC
> only (which is not related to CXF). Only the PKDA spec (I think it's not
> final) enables Kerberos to work without a KDC (but based on PKI).
> What is your use case for the Kerberos usage?
> Thanks
> Oli
> ________________________________________
> From: Daniel Kulp []
> Sent: Friday, 22 October 2010 03:51
> To:
> Cc: Christian Schneider
> Subject: Re: Spnego / Kerberos Authentication
> On Thursday 21 October 2010 7:00:30 pm Christian Schneider wrote:
> > I just found that HTTPClient supports spnego authentication now (as of
> > 4.1 alpha 2). In fact I added an issue to support spnego/kerberos and
> > oleg reminded me that it is already implemented. Could this help us to
> > also support this authentication scheme?
> > As far as I know we do not use httpclient at the moment.
> I started a branch:
> where I started working on using the http-commons stuff for a complete
> async client side for http (haven't touched https yet). The goal for me
> so far was to get a more scalable async capability (fewer threads), but it
> may be usable for this use case as well. That said, for the pure async
> capabilities, you have to drop down into the http-core stuff and not the
> higher layer http-client stuff. Thus, it might not be usable at all.
> I don't really know. Didn't get into the auth parts and such. I'd love
> help if you want to look at it.  :-)
> > I can imagine two ways to support Spnego/Kerberos. Either we use
> > httpclient and let it do the whole thing or we look at how they do the
> > scheme and add it to the http transport ourselves.
> > Any opinions about this?
> We could also add some better hooks to allow a user (LGPL, we cannot ship
> it) to plug in to create the HttpUrlConnection.
> > Thanks
> > 
> > Christian
> --
> Daniel Kulp

Daniel Kulp
