Posted to users@cxf.apache.org by Paul O'Brien <pa...@gmail.com> on 2014/01/08 11:00:46 UTC

JAXRS service with CXF KerberosAuthenticationFilter

Hi All,

Trying to set up CXF JAXRS with Kerberos authentication (Active Directory
KDC), the CXF endpoint works fine however I'm unable to successfully
authenticate once the Kerberos Filter is activated.

Using the sample code on the Apache CXF project homepage as a guide:
http://cxf.apache.org/docs/jaxrs-kerberos.html

My project cxf-servlet.conf file has the Kerberos filter enabled as per
below:

<bean id="kerberosFilter"
      class="org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter">
    <property name="loginContextName" value="KerberosServer"/>
</bean>

<jaxrs:server>
    <jaxrs:serviceBeans>
        <bean class="org.mycompany.MyCompanyResource"/>
    </jaxrs:serviceBeans>
    <jaxrs:providers>
        <ref bean="kerberosFilter"/>
    </jaxrs:providers>
</jaxrs:server>

My jaas.conf file has been placed in the /src/main/webapp/WEB-INF directory
and contains the following:

KerberosServer {
    com.sun.security.auth.module.Krb5LoginModule required storeKey=true;
};
KerberosServerKeyTab {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    refreshKrb5Config=true
    useKeyTab=true
    keyTab="/etc/tomcat.keytab"
    principal="HTTP/<Hosting Workstation name>@<Valid REALM>";
};

However the following exception is received when making a call against the
protected service:
Jan 08, 2014 3:57:01 PM org.apache.cxf.jaxrs.impl.WebApplicationExceptionMapper toResponse
WARNING: javax.ws.rs.NotAuthorizedException
    at org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter.handleRequest(KerberosAuthenticationFilter.java:117)
    at org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor.processRequest(JAXRSInInterceptor.java:208)
    at org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor.handleMessage(JAXRSInInterceptor.java:90)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
    at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
    at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:239)
    at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:248)
    at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222)
    at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153)
    at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:167)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:286)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:211)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:262)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1023)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:724)

My initial thought was that the jaas.conf wasn't being read and applied but
even setting the java.security.auth.login.config variable in the tomcat
setenv.sh script seemingly hasn't worked.

Any ideas on why the above isn't working or how I can debug further?

Thanks in advance.

Re: JAXRS service with CXF KerberosAuthenticationFilter

Posted by Paul O'Brien <pa...@gmail.com>.
The client is a web browser and we can live with it, just wanted to ensure
it wasn't an unexpected error.

On Monday, 13 January 2014, Sergey Beryozkin wrote:

> Hi,
> On 13/01/14 10:46, Paul O'Brien wrote:
>
>> Thanks Sergey,
>>
>> Your information was helpful and I narrowed the problem down to the
>> -Djava.security.auth.login.config environment variable not being configured
>> in my environment, setting this has got everything working.
>>
>> Note that I do get the same exception even though it's working, it appears
>> to be generated as part of the Negotiate handshake process. When a client
>> generates a service request the server raises a NotAuthorizedException in
>> the tomcat server console while the retry attempt (with the token) succeeds.
>>
>> Given the way the negotiate protocol works I expect this to be the expected
>> behavior, any reason to believe this isn't the case?
>>
>
> I guess if it is possible to configure the client to immediately include a
> token then it is avoidable, I think we can do it with CXF clients, do you
> use CXF on the client side ?
>
> Cheers, Sergey

Re: JAXRS service with CXF KerberosAuthenticationFilter

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi,
On 13/01/14 10:46, Paul O'Brien wrote:
> Thanks Sergey,
>
> Your information was helpful and I narrowed the problem down to the
> -Djava.security.auth.login.config environment variable not being configured
> in my environment, setting this has got everything working.
>
> Note that I do get the same exception even though it's working, it appears
> to be generated as part of the Negotiate handshake process. When a client
> generates a service request the server raises a NotAuthorizedException in
> the tomcat server console while the retry attempt (with the token) succeeds.
>
> Given the way the negotiate protocol works I expect this to be the expected
> behavior, any reason to believe this isn't the case?

I guess if it is possible to configure the client to immediately include 
a token then it is avoidable, I think we can do it with CXF clients, do 
you use CXF on the client side ?

Cheers, Sergey


Re: JAXRS service with CXF KerberosAuthenticationFilter

Posted by Paul O'Brien <pa...@gmail.com>.
Thanks Sergey,

Your information was helpful and I narrowed the problem down to the
-Djava.security.auth.login.config environment variable not being configured
in my environment, setting this has got everything working.

Note that I do get the same exception even though it's working, it appears
to be generated as part of the Negotiate handshake process. When a client
generates a service request the server raises a NotAuthorizedException in
the tomcat server console while the retry attempt (with the token) succeeds.

Given the way the negotiate protocol works I expect this to be the expected
behavior, any reason to believe this isn't the case?


On 13 January 2014 09:48, Sergey Beryozkin <sb...@gmail.com> wrote:

> FYI, this is how it is picked up in the test:
>
> String jaasConfig = JAXRSKerberosBookTest.class
>     .getResource("/org/apache/cxf/systest/jaxrs/security/kerberos.cfg").toURI().getPath();
> System.setProperty("java.security.auth.login.config", jaasConfig);
>
> You may want to try to move the config file to main resources, so that it
> will end up in WEB-INF/classes, it must be something to do with the
> resource location,
>
> Cheers, Sergey

Re: JAXRS service with CXF KerberosAuthenticationFilter

Posted by Sergey Beryozkin <sb...@gmail.com>.
FYI, this is how it is picked up in the test:

String jaasConfig = JAXRSKerberosBookTest.class
    .getResource("/org/apache/cxf/systest/jaxrs/security/kerberos.cfg").toURI().getPath();
System.setProperty("java.security.auth.login.config", jaasConfig);

You may want to try to move the config file to main resources, so that 
it will end up in WEB-INF/classes, it must be something to do with the 
resource location,

Cheers, Sergey

On 12/01/14 19:22, Sergey Beryozkin wrote:
> Hi
>
> It does seem that a context configuration is not found,
> It is unfortunate that only the LoginException handler loses the
> exception info, the other handlers at least log the exception message, I
> will fix it, in meantime I can only suggest to either
> - try to debug with the CXF source, that would be the best option
> - try to register javax.security.auth.login.Configuration implementation
> (via the loginConfig property) instead of setting the loginContextName
> property
>
> Give it a try please and let us know the result, we can try and narrow
> the problem somehow if the above does not help
> Cheers, Sergey


-- 
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com

Re: JAXRS service with CXF KerberosAuthenticationFilter

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi

It does seem that a context configuration is not found,
It is unfortunate that only the LoginException handler loses the 
exception info, the other handlers at least log the exception message, I 
will fix it, in meantime I can only suggest to either
- try to debug with the CXF source, that would be the best option
- try to register javax.security.auth.login.Configuration implementation 
(via the loginConfig property) instead of setting the loginContextName 
property

Give it a try please and let us know the result, we can try and narrow 
the problem somehow if the above does not help
Cheers, Sergey



-- 
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com
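
Two points from this thread in one added Java example (not code from CXF or from either poster): describeFileLookup reports whether the JVM-wide JAAS configuration can resolve the KerberosServer context name, which is the failure suspected above, and KeytabLoginConfiguration is one way to build the javax.security.auth.login.Configuration that the reply suggests registering through the loginConfig property. The class and method names are hypothetical and the principal is a placeholder, since the post elides the real host and realm.

```java
import java.io.File;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;

// Added example, not CXF code. Class and method names are hypothetical.
public class KeytabLoginConfiguration extends Configuration {

    private static final String KRB5_MODULE = "com.sun.security.auth.module.Krb5LoginModule";

    private final String contextName;
    private final AppConfigurationEntry[] entries;

    public KeytabLoginConfiguration(String contextName, String keyTab, String principal) {
        // Same options as the KerberosServerKeyTab entry in the original post.
        Map<String, String> options = new HashMap<>();
        options.put("storeKey", "true");
        options.put("refreshKrb5Config", "true");
        options.put("useKeyTab", "true");
        options.put("keyTab", keyTab);
        options.put("principal", principal);
        this.contextName = contextName;
        this.entries = new AppConfigurationEntry[] {
            new AppConfigurationEntry(KRB5_MODULE, LoginModuleControlFlag.REQUIRED, options)
        };
    }

    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        // JAAS treats a null return as "no such login context".
        return contextName.equals(name) ? entries.clone() : null;
    }

    /** Reports what the JVM-wide, file-based JAAS lookup sees for a context name. */
    static String describeFileLookup(String name) {
        String prop = System.getProperty("java.security.auth.login.config");
        StringBuilder out = new StringBuilder("java.security.auth.login.config=" + prop);
        if (prop != null) {
            // The property may also hold a URL; this check only covers a plain path.
            out.append(new File(prop).canRead() ? " (readable)" : " (not readable as a file path)");
        }
        try {
            AppConfigurationEntry[] found =
                Configuration.getConfiguration().getAppConfigurationEntry(name);
            if (found == null) {
                out.append("; no entry named '").append(name).append("'");
            } else {
                for (AppConfigurationEntry e : found) {
                    out.append("; ").append(e.getLoginModuleName())
                       .append(' ').append(e.getOptions());
                }
            }
        } catch (SecurityException e) {
            // Thrown when the configured file cannot be located or parsed.
            out.append("; configuration could not be loaded: ").append(e.getMessage());
        }
        return out.toString();
    }

    public static void main(String[] args) {
        String name = "KerberosServer"; // loginContextName from the post
        System.out.println(describeFileLookup(name));

        // Placeholder principal; the keytab path is the one from the post.
        Configuration inCode = new KeytabLoginConfiguration(
            name, "/etc/tomcat.keytab", "HTTP/host.example.com@EXAMPLE.COM");
        for (AppConfigurationEntry e : inCode.getAppConfigurationEntry(name)) {
            System.out.println(e.getLoginModuleName() + " " + e.getControlFlag()
                + " " + e.getOptions());
        }
    }
}
```

Run describeFileLookup inside the same JVM as the web application (for example from a startup listener) so that it sees the system properties Tomcat was actually started with.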