Posted to users@cxf.apache.org by Paul O'Brien <pa...@gmail.com> on 2014/02/03 02:06:06 UTC

Kerberos Delegation Issue

Using the sample delegation code from the CXF Site:
http://cxf.apache.org/docs/jaxrs-kerberos.html#JAXRSKerberos-CredentialDelegation

I have protected my JAX-RS endpoint with the filter below:

<!-- Apache CXF Kerberos Filter Registration -->
<bean id="kerberosFilter"
class="org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter">
<property name="loginContextName" value="KerberosServer" />
</bean>

And I can confirm that Kerberos is working: a call to
securityContext.getUserPrincipal().getName() returns the Windows username
as passed by the web browser, and the authentication scheme is definitely
"negotiate".

However, when I try to use the returned SecurityContext to pass on to an
HTTPConduit, I find that the SecurityContext is actually a
ThreadLocalSecurityContext object.

Specifically if I do this:
KerberosSecurityContext ksc = (KerberosSecurityContext)securityContext;
GSSCredential cred = ksc.getGSSContext().getDelegCred();

I get the following exception:
org.apache.cxf.jaxrs.impl.tl.ThreadLocalSecurityContext cannot be cast to
org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter$KerberosSecurityContext

The note on that page says that I should get a KerberosSecurityContext
returned instead:
"Note that if you have a JAX-RS KerberosAuthenticationFilter protecting the
endpoints, then the filter will have an org.ietf.jgss.GSSContext instance
available in the current CXF SecurityContext, via its
KerberosAuthenticationFilter$KerberosSecurityContext implementation, which
can be used to get to org.ietf.jgss.GSSCredential if the credential
delegation is supported for a given source principal"

Any ideas?

Thanks in advance.

Re: Kerberos Delegation Issue

Posted by Sergey Beryozkin <sb...@gmail.com>.
No problem, thanks for validating that the Kerberos filter and HTTPConduit work
well together, nice.
Cheers, Sergey
On 05/02/14 09:04, Paul O'Brien wrote:
> Thanks for all your help Sergey, I can confirm that all worked and Kerberos
> Delegation is working as expected.


-- 
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com

Re: Kerberos Delegation Issue

Posted by Paul O'Brien <pa...@gmail.com>.
Thanks for all your help, Sergey. I can confirm that all worked and Kerberos
delegation is working as expected.
On 04/02/2014 9:24 PM, "Sergey Beryozkin" <sb...@gmail.com> wrote:


Re: Kerberos Delegation Issue

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi Paul
On 04/02/14 04:18, Paul O'Brien wrote:
> Thanks Sergey,
>
> That's helped a lot, I've been able to get it working properly with this
> code you provided:
> SecurityContext sc = PhaseInterceptorChain.getCurrentMessage().get(org.apache.cxf.security.SecurityContext.class);
>
> However using the context object isn't working:
> SecurityContext sc = context.get(org.apache.cxf.security.SecurityContext.class);
>
> The context version won't compile due to a type mismatch as Get works with
> object type only. Using a cast to SecurityContext didn't work for me, it
> seemed to fail but the logging isn't providing details. I used the below
> for testing:
>
> SecurityContext sc = (SecurityContext) context.get(org.apache.cxf.security.SecurityContext.class);
>
> I think the context version would make the example easier to understand but
> I'm not able to get it to work at this point in time.
>
Yes, you are right, I forgot the MessageContext interface has no typed put &
get methods.

SecurityContext sc = (SecurityContext) context.get(org.apache.cxf.security.SecurityContext.class.getName());

will do it

Thanks, Sergey

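As an added example (not code from this thread, and not CXF's own), here is the advice above folded into one small helper: fetch the real CXF SecurityContext from the current message (or from an injected MessageContext, keyed by class name), test whether it is the KerberosSecurityContext before touching it, and only ask the GSSContext for a delegated credential when the context reports that delegation was granted. The helper class and method names are hypothetical; the request-context property used in delegateTo is an assumption about how CXF's SPNEGO auth supplier picks up a delegated credential, to be verified against your CXF version.

```java
import org.apache.cxf.jaxrs.client.WebClient;
import org.apache.cxf.jaxrs.ext.MessageContext;
import org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter.KerberosSecurityContext;
import org.apache.cxf.phase.PhaseInterceptorChain;
import org.apache.cxf.security.SecurityContext; // the CXF one, not javax.ws.rs.core
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;

/** Hypothetical helper: obtains the caller's delegated Kerberos credential. */
public final class DelegatedCredentialResolver {

    private DelegatedCredentialResolver() {
    }

    /** Variant 1: read the real SecurityContext off the current CXF message. */
    public static GSSCredential fromCurrentMessage() throws GSSException {
        // Message.get(Class<T>) is typed, so no cast is needed here.
        SecurityContext sc = PhaseInterceptorChain.getCurrentMessage().get(SecurityContext.class);
        return fromSecurityContext(sc);
    }

    /** Variant 2: via an injected @Context MessageContext (untyped get, keyed by class name). */
    public static GSSCredential fromMessageContext(MessageContext context) throws GSSException {
        SecurityContext sc = (SecurityContext) context.get(SecurityContext.class.getName());
        return fromSecurityContext(sc);
    }

    /**
     * Returns the delegated credential, or null when the request was not
     * authenticated by the Kerberos filter or the client did not delegate.
     */
    static GSSCredential fromSecurityContext(SecurityContext sc) throws GSSException {
        // "check if the cast is possible": an unauthenticated request, or one
        // authenticated by a different filter, is not a KerberosSecurityContext.
        if (!(sc instanceof KerberosSecurityContext)) {
            return null;
        }
        GSSContext gss = ((KerberosSecurityContext) sc).getGSSContext();
        // Delegation is granted by the client and the KDC, not by this service;
        // ask the context before calling getDelegCred() rather than assuming it.
        if (gss == null || !gss.isEstablished() || !gss.getCredDelegState()) {
            return null;
        }
        GSSCredential cred = gss.getDelegCred();
        // A delegated ticket that has already expired would only fail on the next hop.
        if (cred == null || cred.getRemainingLifetime() <= 0) {
            return null;
        }
        return cred;
    }

    /**
     * Hands the credential to an outbound WebClient's HTTPConduit. ASSUMPTION:
     * CXF's SPNEGO auth supplier looks the credential up under the GSSCredential
     * class name in the request context, as the CXF credential-delegation docs
     * describe; verify this key for your CXF version.
     */
    public static void delegateTo(WebClient client, GSSCredential cred) {
        WebClient.getConfig(client).getRequestContext().put(GSSCredential.class.getName(), cred);
    }
}
```

A resource method that obtains a null from fromCurrentMessage() should fall back to calling the downstream service without delegation (or refuse the call), rather than casting the injected SecurityContext as in the original post.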


Re: Kerberos Delegation Issue

Posted by Paul O'Brien <pa...@gmail.com>.
Thanks Sergey,

That's helped a lot: I've been able to get it working properly with this
code you provided:
SecurityContext sc = PhaseInterceptorChain.getCurrentMessage().get(org.apache.cxf.security.SecurityContext.class);

However, using the context object isn't working:
SecurityContext sc = context.get(org.apache.cxf.security.SecurityContext.class);

The context version won't compile due to a type mismatch, as get works with
the Object type only. Using a cast to SecurityContext didn't work for me; it
seemed to fail, but the logging isn't providing details. I used the below
for testing:

SecurityContext sc = (SecurityContext) context.get(org.apache.cxf.security.SecurityContext.class);

I think the context version would make the example easier to understand, but
I'm not able to get it to work at this point in time.

Regards, Paul

On Monday, 3 February 2014, Sergey Beryozkin <sb...@gmail.com> wrote:


Re: Kerberos Delegation Issue

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi

Right, it is indeed a thread-safe proxy which is injected.
It is a pity a cast does not translate to a thread local get in this case.
One way to do it is this then:

@Context org.apache.cxf.jaxrs.ext.MessageContext context;

SecurityContext sc = context.get(org.apache.cxf.security.SecurityContext.class);

or simply

SecurityContext sc = PhaseInterceptorChain.getCurrentMessage().get(org.apache.cxf.security.SecurityContext.class);


and then check if the cast is possible

Give it a try please, I will update the docs

Thanks, Sergey



On 03/02/14 01:06, Paul O'Brien wrote:


-- 
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com