cxf-issues mailing list archives

From "Colm O hEigeartaigh (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CXF-6534) Kerberos delegation not possible if Authorization given
Date Fri, 14 Aug 2015 13:51:46 GMT

    [ https://issues.apache.org/jira/browse/CXF-6534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14697021#comment-14697021 ]

Colm O hEigeartaigh commented on CXF-6534:
------------------------------------------


Fix merged. Could you verify that it is working for you?

Colm.

> Kerberos delegation not possible if Authorization given
> -------------------------------------------------------
>
>                 Key: CXF-6534
>                 URL: https://issues.apache.org/jira/browse/CXF-6534
>             Project: CXF
>          Issue Type: Bug
>          Components: Transports
>    Affects Versions: 3.0.4, 3.1.0, 3.0.5, 3.1.1, 3.0.6, 3.1.2, 3.1.3
>            Reporter: Bernard Chesnoy
>            Assignee: Colm O hEigeartaigh
>             Fix For: 3.1.3, 3.0.7
>
>
> Issue discovered while migrating from version 3.0.2 to 3.1.2.
> In the documentation it says that to enable Kerberos you have to give the information policy
> for Authorization and AuthorizationType:
> {code:xml}
> <conduit name="{http://example.com/}HelloWorldServicePort.http-conduit"
>   xmlns="http://cxf.apache.org/transports/http/configuration">
>   <authorization>
>      <AuthorizationType>Negotiate</AuthorizationType>
>      <Authorization>CXFClient</Authorization>
>   </authorization>
> </conduit>
> {code}
> And for delegation it's not necessary to give the Authorization field.
> But if you give a policy with both of them, it will never try to do delegation, resulting
> in my application not working anymore (browser -> unix(wildfly) -> windows 2012 by kerberos
> delegation).
> After a look at the source code, it seems the problem is due to a change in version 3.0.4
> for the file AbstractSpnegoAuthSupplier.java:
> {code:java}
>     private byte[] getToken(AuthorizationPolicy authPolicy, 
>                             String spn, 
>                             Oid oid,
>                             Message message) throws GSSException, 
>         LoginException {
>         
>         Subject subject = null;
>         if (authPolicy != null) {
>             String contextName = authPolicy.getAuthorization();
>             if (contextName == null) {
>                 contextName = "";
>             }
>         
>             if (!(StringUtils.isEmpty(authPolicy.getUserName())
>                 && StringUtils.isEmpty(contextName) && loginConfig == null)) {
>                 CallbackHandler callbackHandler = getUsernamePasswordHandler(
>                     authPolicy.getUserName(), authPolicy.getPassword());
>                 LoginContext lc = new LoginContext(contextName, null, callbackHandler, loginConfig);
>                 lc.login();
>                 subject = lc.getSubject();
>             }
>         }
>                                                                  
>         GSSManager manager = GSSManager.getInstance();
> {code}
> If the contextName is not null, it will always try to use getUsernamePasswordHandler,
> resulting in a LoginException.
> Workaround: not specifying an authorization
> Possible fix:
> {code:java}
> if (authPolicy != null && !isCredDelegationRequired(message)) {
> {code}
> Do not hesitate to tell me if there is another way to do it.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
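To make the defect in the quoted condition visible side by side with the proposed fix, here is an added illustration that is not CXF code: a small stand-in for AuthorizationPolicy, the condition as shipped in 3.0.4 to 3.1.2, and the condition gated on delegation, run against the conduit from the report. The outcome of isCredDelegationRequired(message) is modelled as a boolean parameter, which is an assumption made for the example.

```java
import javax.security.auth.login.Configuration;

// Added illustration, not CXF code: models the branch in
// AbstractSpnegoAuthSupplier.getToken() that CXF-6534 is about.
public final class SpnegoLoginGate {

    /** Minimal stand-in (assumption) for org.apache.cxf.configuration.security.AuthorizationPolicy. */
    static final class Policy {
        final String authorization, userName, password;
        Policy(String authorization, String userName, String password) {
            this.authorization = authorization; this.userName = userName; this.password = password;
        }
    }

    static boolean isEmpty(String s) { return s == null || s.isEmpty(); }

    /** Condition as shipped in 3.0.4 - 3.1.2: any non-empty Authorization forces a JAAS login
     *  through a username/password CallbackHandler; delegationRequired is ignored, which is the bug. */
    static boolean attemptsJaasLoginBefore(Policy p, Configuration loginConfig, boolean delegationRequired) {
        if (p == null) return false;
        String contextName = p.authorization == null ? "" : p.authorization;
        return !(isEmpty(p.userName) && isEmpty(contextName) && loginConfig == null);
    }

    /** Same condition with the fix proposed in the report: a caller that must delegate the
     *  incoming credential skips the login and goes straight to GSSManager. */
    static boolean attemptsJaasLoginAfter(Policy p, Configuration loginConfig, boolean delegationRequired) {
        if (p == null || delegationRequired) return false;
        return attemptsJaasLoginBefore(p, loginConfig, false);
    }

    public static void main(String[] args) {
        // Constructed sample: the conduit from the report (Negotiate + Authorization=CXFClient),
        // no user name or password, no explicit JAAS config, in a delegation scenario.
        Policy conduit = new Policy("CXFClient", null, null);
        Configuration noConfig = null;
        boolean delegating = true;

        // A result of true means getToken() builds a LoginContext with a credential-less
        // username/password handler, so the login fails and delegation is never attempted.
        System.out.println("before fix, attempts JAAS login: "
            + attemptsJaasLoginBefore(conduit, noConfig, delegating));
        System.out.println("after fix, attempts JAAS login:  "
            + attemptsJaasLoginAfter(conduit, noConfig, delegating));
        // Workaround from the report: omit <Authorization> so even the old condition skips the login.
        Policy workaround = new Policy(null, null, null);
        System.out.println("workaround, attempts JAAS login: "
            + attemptsJaasLoginBefore(workaround, noConfig, delegating));
    }
}
```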
