cxf-users mailing list archives

From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: canonicalized host name for kerberos (SPNEGO)
Date Tue, 28 Apr 2015 10:54:45 GMT
Would you be willing to submit a patch for this?

Colm.

On Mon, Apr 27, 2015 at 5:44 PM, David Mansfield <cxf@dm.cobite.com> wrote:

> Hi All,
>
> Most (*) SPNEGO client implementations will canonicalize a host name when
> using it to create a service principal.
>
> CXF seems to be an exception.  If a CNAME is used, say:
> mywebservice.example.com is a CNAME for
> sysadmins-like-really-long-hostnames.example.com, most setups will expect
> a request for
> HTTP/sysadmins-like-really-long-hostnames.example.com@EXAMPLE.COM. In this
> case, CXF will not be able to authenticate.
>
> I note, it IS possible to specify the servicePrincipalName directly, but
> that breaks the transparency of using a CNAME in the first place, as the
> configuration will need to reference the specific back-end providing the
> service.
>
> Providing hostname canonicalization will fix the need to "know" about the
> details behind the scenes.
>
> As this behavior would be a defaults-changing one, maybe we could add
> useCanonicalHostname=true/false (default false I guess).
>
> Implementation-wise, I think you need to get the socket, and then:
>
>   socket.getInetAddress().getCanonicalHostName()
>
> This would replace:
>  uri.getHost()
>
> that is currently used in
> org.apache.cxf.transport.http.auth.AbstractSpnegoAuthSupplier
>
>
> (*) Most that I have personally used :-)
>
> --
> Thanks,
> David Mansfield
> Cobite, INC.
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
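
Added example, not part of the original messages and not CXF's code: one way to implement the proposed useCanonicalHostname switch in Java, with a fallback for the case where canonicalization yields an IP address. The class and helper names, the pluggable canonicalizer, and the use of InetAddress.getByName in place of the connected socket are assumptions made so the demo runs offline; the realm is left to the Kerberos library.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.UnknownHostException;
import java.util.Locale;
import java.util.function.UnaryOperator;

public class SpnegoSpnExample {
    // DNS-backed canonicalizer: forward lookup, then the name the resolver reports for that address.
    static String dnsCanonicalName(String host) {
        try {
            return InetAddress.getByName(host).getCanonicalHostName();
        } catch (UnknownHostException e) {
            return host; // unresolvable: keep the name taken from the URI
        }
    }

    // Builds HTTP/<host>; useCanonicalHostname=false keeps the plain uri.getHost() behaviour.
    static String servicePrincipalName(URI uri, boolean useCanonicalHostname,
                                       UnaryOperator<String> canonicalizer) {
        String host = uri.getHost();
        if (host == null) {
            throw new IllegalArgumentException("URI has no host: " + uri);
        }
        if (useCanonicalHostname) {
            String canonical = canonicalizer.apply(host);
            // getCanonicalHostName() returns the textual IP address when the reverse lookup
            // fails; an IP is not a usable host-based principal, so keep the URI host instead.
            if (canonical != null && !canonical.isEmpty() && !looksLikeIpLiteral(canonical)) {
                host = canonical;
            }
        }
        return "HTTP/" + host.toLowerCase(Locale.ROOT);
    }

    static boolean looksLikeIpLiteral(String s) {
        return s.indexOf(':') >= 0 || s.matches("\\d{1,3}(\\.\\d{1,3}){3}");
    }

    public static void main(String[] args) {
        URI uri = URI.create("https://mywebservice.example.com/services/echo");
        // Constructed stand-in for DNS so the demo runs offline; the names are those in the message.
        UnaryOperator<String> fakeDns = h -> h.equals("mywebservice.example.com")
                ? "sysadmins-like-really-long-hostnames.example.com" : h;
        System.out.println(servicePrincipalName(uri, false, fakeDns));
        System.out.println(servicePrincipalName(uri, true, fakeDns));
        System.out.println(servicePrincipalName(uri, true, h -> "192.0.2.10")); // failed reverse lookup
        // For real lookups pass SpnegoSpnExample::dnsCanonicalName as the canonicalizer.
    }
}
```

With the DNS-backed canonicalizer the requested principal is derived from DNS answers, so it is only as trustworthy as the resolver path. RFC 4120 section 1.3 says implementations must not use insecure DNS queries to canonicalize the hostname part of a service principal, which supports keeping the option off by default.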
