cxf-issues mailing list archives

From "Aris Tsaklidis (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CXF-3496) SpnegoAuthSupplier using Kerberos OID instead of Spnego
Date Fri, 06 May 2011 10:22:03 GMT

    [ https://issues.apache.org/jira/browse/CXF-3496?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13029880#comment-13029880 ]

Aris Tsaklidis commented on CXF-3496:
-------------------------------------

Added the working SpnegoAuthSupplier.java (see attachment).

> SpnegoAuthSupplier using Kerberos OID instead of Spnego
> -------------------------------------------------------
>
>                 Key: CXF-3496
>                 URL: https://issues.apache.org/jira/browse/CXF-3496
>             Project: CXF
>          Issue Type: Bug
>          Components: Transports
>    Affects Versions: 2.4
>            Reporter: Aris Tsaklidis
>         Attachments: SpnegoAuthSupplier.java
>
>
> Updating from 2.3.4 to 2.4.0 added the SpnegoAuthSupplier which is called every time you
> use "Negotiate" as AuthorizationType. SpnegoAuthSupplier uses Kerberos OID instead of Spnego.
> Spnego would be correct.
> http://cxf.547215.n5.nabble.com/CXF-2-4-Kerberos-SpnegoAuthSupplier-Message-content-from-Soap-Response-is-null-td4369582.html
> ## correct code in SpnegoAuthSupplier.java
>  private byte[] getToken(AuthorizationPolicy proxyAuthPolicy, String spn) throws GSSException,
>         LoginException {
>         GSSManager manager = GSSManager.getInstance();
>         GSSName serverName = manager.createName(spn, null);
>         // need to use SPNEGO_OID
>         Oid oid = new Oid(SPNEGO_OID);
>         
>         GSSContext context = manager
>                 .createContext(serverName.canonicalize(oid), oid, null, GSSContext.DEFAULT_LIFETIME);
>         // TODO Do we need mutual auth. Will the code we have really work with
>         // mutual auth?
>         context.requestMutualAuth(true);
>         // TODO Credential delegation could be a security hole if it was not
>         // intended. Both settings should be configurable
>         context.requestCredDeleg(true);
>         return getToken(proxyAuthPolicy, context);
>     }

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
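
A diagnostic sketch, added here and not part of the original message or the CXF code base: it reads the mechanism OID from the header of a GSS-API initial context token, which shows whether a token sent with "Negotiate" was built with the SPNEGO OID or the Kerberos one. The class name, the two OID string values (the standard SPNEGO and Kerberos V5 mechanism OIDs) and the sample tokens are assumptions; the samples are constructed and contain no real ticket.

```java
import java.util.Arrays;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.Oid;

public class NegotiateTokenMech {
    // Standard mechanism OIDs (assumed values, not taken from the message above)
    static final String SPNEGO_OID = "1.3.6.1.5.5.2";
    static final String KRB5_OID = "1.2.840.113554.1.2.2";

    /** Returns the mechanism OID carried in a GSS-API initial context token (RFC 2743, 3.1). */
    static Oid mechOf(byte[] token) throws GSSException {
        if (token.length < 4 || (token[0] & 0xff) != 0x60) {
            throw new IllegalArgumentException("not a GSS-API initial context token");
        }
        int pos = 1;
        int first = token[pos++] & 0xff;
        if (first >= 0x80) {
            pos += first & 0x7f;              // long-form DER length: skip its length octets
        }
        if (pos + 2 > token.length || token[pos] != 0x06) {
            throw new IllegalArgumentException("mechanism OID missing");
        }
        int oidLen = token[pos + 1] & 0xff;   // mechanism OIDs fit a single length octet
        if (oidLen >= 0x80 || pos + 2 + oidLen > token.length) {
            throw new IllegalArgumentException("truncated mechanism OID");
        }
        return new Oid(Arrays.copyOfRange(token, pos, pos + 2 + oidLen));
    }

    /** Constructed sample: token header + mechanism OID + placeholder inner bytes. */
    static byte[] sampleToken(String mech) throws GSSException {
        byte[] oid = new Oid(mech).getDER();  // full DER encoding, tag and length included
        byte[] inner = {0x01, 0x00, 0x00, 0x00};
        byte[] t = new byte[2 + oid.length + inner.length];
        t[0] = 0x60;
        t[1] = (byte) (oid.length + inner.length);
        System.arraycopy(oid, 0, t, 2, oid.length);
        System.arraycopy(inner, 0, t, 2 + oid.length, inner.length);
        return t;
    }

    public static void main(String[] args) throws GSSException {
        Oid spnego = new Oid(SPNEGO_OID);
        for (String mech : new String[] {KRB5_OID, SPNEGO_OID}) {
            Oid found = mechOf(sampleToken(mech));
            System.out.println(found + (found.equals(spnego) ? " -> SPNEGO token" : " -> raw mechanism token, not SPNEGO"));
        }
    }
}
```

To check a token captured from a real request, Base64-decode the value that follows "Negotiate" in the Authorization header and pass the bytes to mechOf.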
