Posted to users@cxf.apache.org by smkheir <me...@gmail.com> on 2014/10/02 03:52:33 UTC

cxf kerberos + karaf blueprint

Hi,
I'm trying to use CXF Kerberos support in a Karaf container. All unit tests and
standalone apps are working fine based on 3 system properties:

      System.setProperty("java.security.auth.login.config", "/apps/krb5/jaas.conf");
      System.setProperty("java.security.krb5.realm", "MYCOMPANY.COM");
      System.setProperty("java.security.krb5.kdc", "kdc.mycompany.com");

When I set these properties in Karaf etc/system.properties (or at Karaf startup
using -D...) the container is not picking them up and I am getting an exception:
"No LoginModule found for my-context" ... looks to me like a conflict between
JAAS and OSGi (no wonder ...)

I looked at the Karaf examples and there are many JAAS login modules for LDAP,
JDBC, ... but there is nothing for Kerberos. I was wondering if something
like this is possible:

<blueprint ...>

    <jaas:config name="MyRealm">
        <!-- Krb5LoginModule option names are case-sensitive: the keytab option is "keyTab" -->
        <jaas:module className="com.sun.security.auth.module.Krb5LoginModule" flags="required">
            debug = true
            useTicketCache = true
            useKeyTab = true
            keyTab = /apps/krb5/server.keytab
            principal = myserver/server1.mycompany.com
        </jaas:module>
    </jaas:config>

</blueprint>

I cannot find any example and was wondering if anyone can help. How can I
pass these three important pieces of data (login config, realm and KDC) to the
wss4j KerberosTokenValidator?

Thanks,
Smkheir



--
View this message in context: http://cxf.547215.n5.nabble.com/cxf-kerberos-karaf-blueprint-tp5749380.html
Sent from the cxf-user mailing list archive at Nabble.com.

RE: cxf kerberos + karaf blueprint

Posted by Andrei Shakirin <as...@talend.com>.
Hi,

I would implement that also using JAAS.
You can create an additional custom LoginModule, receiving the user's Kerberos principal in the CallbackHandler as a parameter.
This LoginModule will validate the group membership of this user and (if necessary) add the appropriate Principals to the security Subject.
You can take Karaf's LDAPLoginModule as a sample.

Regards,
Andrei.

> -----Original Message-----
> From: smkheir [mailto:mehran.abady@gmail.com]
> Sent: Monday, 6 October 2014 14:22
> To: users@cxf.apache.org
> Subject: RE: cxf kerberos + karaf blueprint
> 
> Thanks Andrei. I did this and KerberosTokenValidator picked it up. All working
> fine now.
> 
> I have another question and was wondering if you can help.
> 
> I'm getting my caller principal via wscontext and need to check its group
> membership within one of the Active Directory groups. What is the best way to
> achieve this?
> 
> Many thanks,
> Smkheir
> 
> 
> 
> 
> --
> View this message in context: http://cxf.547215.n5.nabble.com/cxf-kerberos-
> karaf-blueprint-tp5749380p5749462.html
> Sent from the cxf-user mailing list archive at Nabble.com.
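One way to build the LoginModule Andrei describes, written as an added example for this thread (it is not code from the thread, from CXF or from Karaf). The module is meant to be stacked after Krb5LoginModule in the same jaas:config: it takes the already-authenticated Kerberos principal from a NameCallback, reads the user's memberOf attribute from Active Directory over LDAP (JNDI, which is in the JDK) and, only if every required group is present, adds a Karaf RolePrincipal per group to the Subject. The option names ldapUrl, bindDn, bindPassword, baseDn and requiredGroups are assumptions chosen for this example, and the bundle containing it must import org.apache.karaf.jaas.boot.principal.

```java
import java.util.HashSet;
import java.util.Hashtable;
import java.util.Map;
import java.util.Set;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import org.apache.karaf.jaas.boot.principal.RolePrincipal;

/**
 * Added example, stacked after Krb5LoginModule. Takes the already-authenticated Kerberos
 * principal from a NameCallback, reads its AD "memberOf" attribute over LDAP and adds one
 * RolePrincipal per required group; it never re-authenticates the user. Module options
 * (names assumed here): ldapUrl, bindDn, bindPassword, baseDn, requiredGroups (comma-separated DNs).
 */
public class AdGroupLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler handler;
    private Map<String, ?> options;
    private final Set<RolePrincipal> roles = new HashSet<>();
    private boolean succeeded;

    @Override public void initialize(Subject subject, CallbackHandler handler,
                                     Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject; this.handler = handler; this.options = options;
    }

    private String option(String key) throws LoginException {
        Object v = options.get(key);
        if (v == null) throw new LoginException("missing module option: " + key);
        return v.toString();
    }

    @Override public boolean login() throws LoginException {
        NameCallback nameCb = new NameCallback("principal: ");
        try {
            handler.handle(new Callback[] { nameCb });  // caller supplies user@REALM
        } catch (Exception e) {
            throw new LoginException("cannot obtain principal: " + e.getMessage());
        }
        String principal = nameCb.getName();
        if (principal == null || principal.isEmpty()) throw new LoginException("no principal");
        Set<String> memberOf = lookupMemberOf(principal);
        for (String dn : option("requiredGroups").split("\\s*,\\s*")) {
            if (!memberOf.contains(dn.toLowerCase())) {  // fail closed on any missing group
                throw new LoginException(principal + " is not a member of " + dn);
            }
            roles.add(new RolePrincipal(dn));
        }
        return succeeded = true;
    }

    /** Lower-cased DNs from the user's memberOf attribute (direct membership only). */
    private Set<String> lookupMemberOf(String principal) throws LoginException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, option("ldapUrl"));  // use ldaps:// so the bind password is not sent in clear
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, option("bindDn"));
        env.put(Context.SECURITY_CREDENTIALS, option("bindPassword"));
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] { "memberOf" });
        Set<String> result = new HashSet<>();
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);
            // {0} is escaped by JNDI, so the principal string cannot alter the filter.
            NamingEnumeration<SearchResult> hits = ctx.search(option("baseDn"),
                    "(userPrincipalName={0})", new Object[] { principal }, sc);
            while (hits.hasMore()) {
                Attribute memberOf = hits.next().getAttributes().get("memberOf");
                if (memberOf == null) continue;
                NamingEnumeration<?> values = memberOf.getAll();
                while (values.hasMore()) result.add(values.next().toString().toLowerCase());
            }
        } catch (NamingException e) {
            throw new LoginException("directory lookup failed: " + e.getMessage());
        } finally {
            if (ctx != null) try { ctx.close(); } catch (NamingException ignored) { }
        }
        return result;
    }

    @Override public boolean commit() {
        if (succeeded) subject.getPrincipals().addAll(roles);
        return succeeded;
    }
    @Override public boolean abort() { roles.clear(); succeeded = false; return true; }
    @Override public boolean logout() {
        subject.getPrincipals().removeAll(roles); roles.clear(); succeeded = false; return true;
    }
}
```

To use it, add a second jaas:module entry with flags="required" after the Krb5LoginModule entry in the same jaas:config, and put the options in its body, e.g. requiredGroups = CN=ws-users,OU=Groups,DC=mycompany,DC=com (a constructed value). Two caveats: memberOf lists direct membership only, so nested groups need a different query (AD's LDAP_MATCHING_RULE_IN_CHAIN filter, OID 1.2.840.113556.1.4.1941); and because the module trusts the principal name it receives, it must only run behind a module that has actually verified the Kerberos ticket.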

RE: cxf kerberos + karaf blueprint

Posted by smkheir <me...@gmail.com>.
Thanks Andrei. I did this and KerberosTokenValidator picked it up. All
working fine now.

I have another question and was wondering if you can help.

I'm getting my caller principal via wscontext and need to check its group
membership within one of the Active Directory groups. What is the best way to
achieve this?

Many thanks,
Smkheir





RE: cxf kerberos + karaf blueprint

Posted by Andrei Shakirin <as...@talend.com>.
Hi,

Yes, you need to deploy the Kerberos JAAS config in Karaf, either wrapped into a bundle or directly into the deploy folder.

The configuration should look like this:

<?xml version="1.0" encoding="UTF-8"?>
<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
           xmlns:cm="http://aries.apache.org/blueprint/xmlns/blueprint-cm/v1.0.0"
           xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0"
           xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0">

    <jaas:config name="my-kerberos">
        <jaas:module className="com.sun.security.auth.module.Krb5LoginModule" flags="required">
            debug = true
            refreshKrb5Config = true
            useKeyTab = true
            storeKey = true
            keyTab = etc/my.keytab
            principal = mydomain/myservices.example.com
            detailed.login.exception = true
        </jaas:module>
    </jaas:config>
</blueprint>

Regards,
Andrei.

> -----Original Message-----
> From: smkheir [mailto:mehran.abady@gmail.com]
> Sent: Thursday, 2 October 2014 03:53
> To: users@cxf.apache.org
> Subject: cxf kerberos + karaf blueprint
> 
> Hi,
> I'm trying to use CXF Kerberos support in a Karaf container. All unit tests and
> standalone apps are working fine based on 3 system properties:
> 
>       System.setProperty("java.security.auth.login.config", "/apps/krb5/jaas.conf");
>       System.setProperty("java.security.krb5.realm", "MYCOMPANY.COM");
>       System.setProperty("java.security.krb5.kdc", "kdc.mycompany.com");
> 
> When I set these properties in Karaf etc/system.properties (or at Karaf startup
> using -D...) the container is not picking them up and I am getting an exception:
> "No LoginModule found for my-context" ... looks to me like a conflict between JAAS
> and OSGi (no wonder ...)
> 
> I looked at the Karaf examples and there are many JAAS login modules for LDAP,
> JDBC, ... but there is nothing for Kerberos. I was wondering if something like this
> is possible:
> 
> <blueprint ...>
> 
>     <jaas:config name="MyRealm">
>         <!-- Krb5LoginModule option names are case-sensitive: the keytab option is "keyTab" -->
>         <jaas:module className="com.sun.security.auth.module.Krb5LoginModule" flags="required">
>             debug = true
>             useTicketCache = true
>             useKeyTab = true
>             keyTab = /apps/krb5/server.keytab
>             principal = myserver/server1.mycompany.com
>         </jaas:module>
>     </jaas:config>
> 
> </blueprint>
> 
> I cannot find any example and was wondering if anyone can help. How can I
> pass these three important pieces of data (login config, realm and KDC) to the
> wss4j KerberosTokenValidator?
> 
> Thanks,
> Smkheir
> 
> 
> 
> --
> View this message in context: http://cxf.547215.n5.nabble.com/cxf-kerberos-
> karaf-blueprint-tp5749380.html
> Sent from the cxf-user mailing list archive at Nabble.com.