Posted to commits@cxf.apache.org by bu...@apache.org on 2012/08/02 12:47:27 UTC

svn commit: r827704 - in /websites/production/cxf/content: cache/docs.pageCache docs/jaxrs-kerberos.html

Author: buildbot
Date: Thu Aug  2 10:47:27 2012
New Revision: 827704

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/jaxrs-kerberos.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jaxrs-kerberos.html
==============================================================================
--- websites/production/cxf/content/docs/jaxrs-kerberos.html (original)
+++ websites/production/cxf/content/docs/jaxrs-kerberos.html Thu Aug  2 10:47:27 2012
@@ -135,7 +135,53 @@ The <a shape="rect" class="external-link
 
 <h3><a shape="rect" name="JAXRSKerberos-Unix"></a>Unix</h3>
 
-<p>TODO</p>
+<p>1. Install the packages</p>
+
+<p>&gt; sudo apt-get install krb5-kdc krb5-admin-server</p>
+
+<p>During the installation enter "localhost" as the host name for Kerberos servers (unless you have more specific host names to enter) and set a default realm, example, "MYCOMPANY.COM". Follow the 1.2 step from this <a shape="rect" class="external-link" href="http://coheigea.blogspot.com/2011/10/using-kerberos-with-web-services-part-i.html" rel="nofollow">blog entry</a> to get this default realm set up properly.</p>
+
+<p>2. Create principals</p>
+
+<p>From the step 1.3 at <a shape="rect" class="external-link" href="http://coheigea.blogspot.com/2011/10/using-kerberos-with-web-services-part-i.html" rel="nofollow">this blog entry</a>:</p>
+
+<p>2.1 Create master key:<br clear="none">
+&gt; sudo kdb5_util create -s</p>
+
+<p>2.2 Create user and service principals</p>
+
+<p>&gt; sudo kadmin.local </p>
+
+<p>followed by</p>
+
+<p>&gt; addprinc alice<br clear="none">
+&gt; addprinc HTTP/localhost</p>
+
+<p>where 'HTTP/localhost' is the typical service principal name used in the Negotiate scheme, replace 'localhost' if needed.<br clear="none">
+Add more user and service principals too as required.</p>
+
+<p>3 Start KDC</p>
+
+<p>&gt; sudo krb5kdc</p>
+
+<p>4. Create an optional ticket cache</p>
+
+<p>&gt; klist</p>
+
+<p>returns an empty response</p>
+
+<p>&gt; kinit alice</p>
+
+<p>&gt; klist</p>
+
+<p>confirms a TGT for 'alice' is in the cache.</p>
+
+<p>2.4 Create keytabs</p>
+
+<p>When keytabs are available, the principal password does not have to be specified in the login configuration.<br clear="none">
+Please follow the step 1.4 from <a shape="rect" class="external-link" href="http://coheigea.blogspot.com/2011/10/using-kerberos-with-web-services-part-i.html" rel="nofollow">this blog entry</a>.</p>
+
+<p>Note, creating a keytab actually resets an original principal password, example, after creating a keytab for 'alice' one would not be able to use the original password (TODO: apparently this can be restored - find out how). Thus, if you'd like to experiment with keytabs then you may want to have few user and service principals created, with only selected principals using keytabs. </p>
 
 <h3><a shape="rect" name="JAXRSKerberos-Windows"></a>Windows</h3>
 
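Review bot: The step numbering in the new Unix section does not hold together: the top-level steps run "1.", "2.", "3" (no period), "4.", and then the keytab step is headed "2.4 Create keytabs" although there is no 2.3 and it comes after step 4. Renumber it as step 5, or move it under step 2 as 2.3 ahead of "Start KDC", so the headings match the order the steps are run in. The closing note also publishes an unresolved "(TODO: apparently this can be restored - find out how)" to the production page; resolve it or drop the parenthetical, because the password reset it describes is exactly what a reader will need to recover from. The commands are marked up as <p>&gt; ...</p> paragraphs; the <pre> blocks used elsewhere on this page would keep them copyable and distinct from prose.
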
@@ -195,6 +241,7 @@ Book b = wc.get(Book.class);
 </pre>
 </div></div>
 
+<p>In this example, the <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/kerberos.cfg">KerberosClientKeyTab</a> policy is used which links to the available keytab; otherwise AuthorizationPolicy 'UserName' and 'Password' properties would most likely have to be set too (with the possible exceptions on Windows) </p>
 
 <h3><a shape="rect" name="JAXRSKerberos-Configuringtheserviceprincipalname"></a>Configuring the service principal name</h3>
 
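Review bot: The added sentence leaves it unclear when credentials have to be placed in the client configuration: "would most likely have to be set too (with the possible exceptions on Windows)" does not tell readers which case applies to them. State the condition directly (no keytab-backed login policy means the AuthorizationPolicy 'UserName' and 'Password' properties are required) and either name the Windows exception or remove the parenthetical. The link text "KerberosClientKeyTab" points at the whole kerberos.cfg file on trunk, so say that it is an entry in that file, and add the missing final period.
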
@@ -264,6 +311,7 @@ Book b = wc.get(Book.class);
 </pre>
 </div></div> 
 
+<p>In this example, the <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/kerberos.cfg">KerberosServer</a> policy is used.</p>
 
 <h1><a shape="rect" name="JAXRSKerberos-CredentialDelegation"></a>Credential Delegation</h1>
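
Review bot: The added sentence names the KerberosServer policy without saying what it configures, whereas the matching client sentence at least explains that its policy links to a keytab. Add a clause on what the server policy provides, such as how the service principal's credentials are obtained. This link and the KerberosClientKeyTab link both resolve to the same kerberos.cfg on trunk, so it would help to say that both are entries in that one file.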