Posted to users@cxf.apache.org by Oliver Wulff <ow...@talend.com> on 2013/11/18 21:13:39 UTC

RE: CXF, WSS4J, Kerberos using Microsoft AD as KDC

I've got Kerberos with CXF/WSS4J and STS for Microsoft AD running in a customer environment.

Were you successful?

Thanks
Oli



------

Oliver Wulff

Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com

Talend Application Integration Division http://www.talend.com

________________________________________
From: Andrei Shakirin [ashakirin@talend.com]
Sent: 07 October 2013 09:18
To: users@cxf.apache.org
Cc: sinma.babel@gmail.com
Subject: RE: CXF, WSS4J, Kerberos using Microsoft AD as KDC

Hi,

I never tried that under AD; not sure if Colm has some experience.
The JDK provides a JAAS login module for Windows as well (com.sun.security.auth.module.Krb5LoginModule), therefore I thought that it should work.

I would suggest starting from a very simple case, not involving CXF at all in the first step:

jaas.conf:
alice {
    com.sun.security.auth.module.Krb5LoginModule required
    debug=true
    useTicketCache=true;
};

import java.io.IOException;
import java.net.URL;
import java.security.Principal;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class JaasLoginTest {

    public static void main(String[] argv) {
        // Point JAAS at the jaas.conf on the classpath (the "alice" entry above)
        URL conf = JaasLoginTest.class.getClassLoader().getResource("jaas.conf");
        System.setProperty("java.security.auth.login.config", conf.toString());

        // Only needed when not using the ticket cache
        CallbackHandler callbackHandler = new CallbackHandler() {

            @Override
            public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
                for (Callback callback : callbacks) {
                    if (callback instanceof NameCallback) {
                        ((NameCallback)callback).setName("alice");
                    }
                    if (callback instanceof PasswordCallback) {
                        ((PasswordCallback)callback).setPassword("clarinet".toCharArray());
                    }
                }

            }
        };

        try {
            // Run the "alice" entry of jaas.conf: Krb5LoginModule asks the KDC for a TGT
            LoginContext lc = new LoginContext("alice", callbackHandler);
            lc.login();
            Subject subject = lc.getSubject();
            // On success the Subject carries the KerberosPrincipal and the KerberosTicket (TGT)
            Set<Principal> principals = subject.getPrincipals();
            Set<Object> credentials = subject.getPrivateCredentials();
            System.out.println("OK: " + principals);
            System.out.println("OK: " + credentials);
        } catch (LoginException e) {
            e.printStackTrace();
        }
    }
}

The code tries a Kerberos logon with user alice and password clarinet.
After you get it working, you can try further steps with CXF.

Regards,
Andrei.

> -----Original Message-----
> From: sinma [mailto:sinma.babel@gmail.com]
> Sent: Samstag, 5. Oktober 2013 13:09
> To: users@cxf.apache.org
> Subject: RE: CXF, WSS4J, Kerberos using Microsoft AD as KDC
>
> Hi Andrei, thanks for the reply. Kerberos setup is native in Microsoft. The way
> they are setting the service principal in AD is not the same as the MIT Krb5 way that Colm
> laid out in his blog - I personally believe the MIT way is pretty straightforward
> and clear. So the steps in Colm's blog are not enough to get it working with
> Microsoft AD as KDC. On top of that, Microsoft adds their own PAC part to the
> ticket, which seems to add issues to ticket validation - I am not sure about it
> yet. There must be a couple of tricks and tweaks in the SPN setup; I'm still digging in
> and will share if I can find them. I was just checking and hoping somebody had tried the
> MS Krb5 implementation and had it working with WSS4J/CXF. It seems the
> answer is no, at least in the CXF community.
>
> Regards,
> Sin

RE: CXF, WSS4J, Kerberos using Microsoft AD as KDC

Posted by Oliver Wulff <ow...@talend.com>.
Hi there

I have the following configuration:

Here is the jaas.conf:

STS {
    com.sun.security.auth.module.Krb5LoginModule required
        refreshKrb5Config=true
        useKeyTab=true
        storeKey=true
        keyTab="/app/sts/container/conf/sts.keytab"
        principal="HTTP/mymachine.mydomain.com:8443";
};

Ensure that the JAVA_OPTS variable contains the definition for the jaas.conf file location:
JAVA_OPTS="-Dsun.security.krb5.debug=false -Djava.security.auth.login.config=/app/sts/container/conf/jaas.conf"
export JAVA_OPTS


Ensure the Kerberos service principal is set up in AD/KDC.

Here is the STS-related Spring configuration:

<bean id="kerberosValidator" class="org.apache.ws.security.validate.KerberosTokenValidator">
	<property name="contextName" value="STS" />
	<property name="serviceName" value="HTTP@mymachine.mydomain.com:8443" />
</bean>

<jaxws:endpoint id="transportSTSKT" implementor="#transportSTSProviderBean"
	address="/STSServiceTransportKerberos" wsdlLocation="/WEB-INF/wsdl/ws-trust-1.4-service.wsdl"
	xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
	serviceName="ns1:SecurityTokenService" endpointName="ns1:TransportKerberos_Port">
	<jaxws:properties>
		<entry key="ws-security.callback-handler" value="demo.PasswordCallbackHandler" />
		<entry key="ws-security.bst.validator" value-ref="kerberosValidator" />
	</jaxws:properties>
</jaxws:endpoint>

Oli




------

Oliver Wulff

Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com

Talend Application Integration Division http://www.talend.com

________________________________________
From: sinma [sinma.babel@gmail.com]
Sent: 23 November 2013 01:32
To: users@cxf.apache.org
Subject: Re: CXF, WSS4J, Kerberos using Microsoft AD as KDC

Hi,
No. Would it be possible to share setup steps?

Best Regards,
Sinma


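As an added example that is not part of the thread and is not Talend's, CXF's or WSS4J's code: the Java program below combines Andrei's JAAS login test ("alice") with Oliver's STS keytab entry ("STS") in one JVM and carries out the GSS-API exchange that sits underneath both, and that WSS4J's KerberosTokenValidator performs on the service side for a received BinarySecurityToken: the client logs in with a password, asks the KDC for a service ticket for the SPN and wraps it in an AP-REQ token; the service logs in from the keytab and accepts that token. Assumed and not from the thread: the two JAAS entries are built in code rather than read from jaas.conf, the realm and KDC come from krb5.conf (or the java.security.krb5.realm/kdc properties), and the user, password, SPN and keytab path are the values the thread uses. The class name KerberosRoundTrip and all helper names are this example's own.

```java
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import org.ietf.jgss.*;

// Added example, not code from the thread. Values below are the ones the thread uses;
// realm and KDC are assumed to come from krb5.conf or -Djava.security.krb5.realm/kdc.
public class KerberosRoundTrip {

    static final String KRB5_MODULE = "com.sun.security.auth.module.Krb5LoginModule";
    static final String KRB5_MECH = "1.2.840.113554.1.2.2";                    // Kerberos V5 mechanism OID
    static final String SERVICE_NAME = "HTTP@mymachine.mydomain.com:8443";     // Oliver's serviceName
    static final String SERVICE_PRINCIPAL = "HTTP/mymachine.mydomain.com:8443"; // his JAAS principal
    static final String KEYTAB = "/app/sts/container/conf/sts.keytab";

    /** The two JAAS entries from the thread, built in code instead of read from jaas.conf. */
    static Configuration jaasConfig() {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, String> opts = new HashMap<>();
                if ("alice".equals(name)) {          // client: password login, ticket cache allowed
                    opts.put("debug", "true");
                    opts.put("useTicketCache", "true");
                } else if ("STS".equals(name)) {     // service: long-term key from the keytab
                    opts.put("refreshKrb5Config", "true");
                    opts.put("useKeyTab", "true");
                    opts.put("storeKey", "true");     // without this the Subject holds no acceptor key
                    opts.put("keyTab", KEYTAB);
                    opts.put("principal", SERVICE_PRINCIPAL);
                } else {
                    return null;
                }
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    KRB5_MODULE, AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
            }
        };
    }

    /** Answers the name/password callbacks Krb5LoginModule issues for a password login. */
    static CallbackHandler passwordHandler(String user, String password) {
        return callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) {
                    ((NameCallback) c).setName(user);
                } else if (c instanceof PasswordCallback) {
                    ((PasswordCallback) c).setPassword(password.toCharArray());
                } else {
                    throw new UnsupportedCallbackException(c);
                }
            }
        };
    }

    /** Runs a JAAS entry; the keytab entry needs no handler, and LoginContext rejects a null one. */
    static Subject login(String entry, CallbackHandler handler) throws Exception {
        LoginContext lc = handler == null ? new LoginContext(entry) : new LoginContext(entry, handler);
        lc.login();
        return lc.getSubject();
    }

    /** Client leg: obtain a service ticket for SERVICE_NAME and wrap it in an AP-REQ token. */
    static byte[] initiatorToken(Subject client) throws Exception {
        return Subject.doAs(client, (PrivilegedExceptionAction<byte[]>) () -> {
            GSSManager gm = GSSManager.getInstance();
            GSSName target = gm.createName(SERVICE_NAME, GSSName.NT_HOSTBASED_SERVICE);
            GSSContext ctx = gm.createContext(target, new Oid(KRB5_MECH), null, GSSContext.DEFAULT_LIFETIME);
            ctx.requestMutualAuth(false);            // one-way, like a BST carried in a SOAP header
            // An SPN missing from AD fails here ("Server not found in Kerberos database");
            // a wrong password or realm already fails in login().
            byte[] token = ctx.initSecContext(new byte[0], 0, 0);
            ctx.dispose();
            return token;
        });
    }

    /** Service leg: decrypt the ticket with the keytab key and report the authenticated client. */
    static String acceptorPeer(Subject service, byte[] token) throws Exception {
        return Subject.doAs(service, (PrivilegedExceptionAction<String>) () -> {
            GSSManager gm = GSSManager.getInstance();
            GSSCredential cred = gm.createCredential(null, GSSCredential.INDEFINITE_LIFETIME,
                                                     new Oid(KRB5_MECH), GSSCredential.ACCEPT_ONLY);
            GSSContext ctx = gm.createContext(cred);
            ctx.acceptSecContext(token, 0, token.length);
            if (!ctx.isEstablished()) { throw new IllegalStateException("context not established after one token"); }
            String peer = ctx.getSrcName().toString();  // e.g. alice@<REALM>
            ctx.dispose();
            return peer;
        });
    }

    public static void main(String[] args) throws Exception {
        Configuration.setConfiguration(jaasConfig());
        Subject alice = login("alice", passwordHandler("alice", "clarinet"));
        Subject sts = login("STS", null);
        byte[] apReq = initiatorToken(alice);
        System.out.println("AP-REQ token of " + apReq.length + " bytes obtained for " + SERVICE_NAME);
        System.out.println("STS accepted ticket from " + acceptorPeer(sts, apReq));
    }
}
```

Run with -Dsun.security.krb5.debug=true and the program separates the three places an AD-backed setup can fail before CXF is involved: the password login (realm or account), the service-ticket request (SPN not registered in AD, or registered on a different account, which the KDC reports as the server principal being unknown), and the acceptance step (the keytab key or its key version number no longer matching the service account's password). Subject.doAs is deprecated in recent JDKs in favour of Subject.callAs; it still works on the JDKs this thread targets.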

Re: CXF, WSS4J, Kerberos using Microsoft AD as KDC

Posted by sinma <si...@gmail.com>.
Hi,
No. Would it be possible to share setup steps?

Best Regards,
Sinma

