Posted to users@cxf.apache.org by Michael Sliwak <mi...@raytion.com> on 2011/09/12 13:07:42 UTC

Client HTTP transport with Kerberos/SPNEGO

Hello everyone!

According to
http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-SpnegoAuthentication%28Kerberos%29
CXF should be able to handle Kerberos/SPNEGO authentication when accessing
web services.

I'm trying to access an ASP.NET Web Service that is secured by Kerberos 
(Integrated Windows authentication) using CXF.

I have configured everything as stated in the documentation. Here's my cxf.xml

<?xml version="1.0" encoding="UTF-8"?>

<beans xmlns="http://www.springframework.org/schema/beans"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:sec="http://cxf.apache.org/configuration/security"
  xmlns:http="http://cxf.apache.org/transports/http/configuration"
  xmlns:jaxws="http://cxf.apache.org/jaxws"
  xsi:schemaLocation="
           http://cxf.apache.org/configuration/security
           http://cxf.apache.org/schemas/configuration/security.xsd
           http://cxf.apache.org/transports/http/configuration
           http://cxf.apache.org/schemas/configuration/http-conf.xsd
           http://cxf.apache.org/jaxws
           http://cxf.apache.org/schemas/jaxws.xsd
           http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans.xsd">

  <http:conduit name="{http://some.name.space/}SoapPort.http-conduit">
    <http:client AllowChunking="false" />
    <http:authorization>
      <sec:UserName>username</sec:UserName>
      <sec:Password>password</sec:Password>
      <sec:AuthorizationType>Negotiate</sec:AuthorizationType>
    </http:authorization>
  </http:conduit>

</beans>

Whenever I run my code, I get the following exception:

Caused by: java.lang.RuntimeException: Invalid null input: name
	at org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getAuthorization(SpnegoAuthSupplier.java:80)
	at org.apache.cxf.transport.http.HTTPConduit.setHeadersByAuthorizationPolicy(HTTPConduit.java:771)
	at org.apache.cxf.transport.http.HTTPConduit.prepare(HTTPConduit.java:541)
	at org.apache.cxf.interceptor.MessageSenderInterceptor.handleMessage(MessageSenderInterceptor.java:46)
	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
	at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:519)
	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:449)
	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:352)
	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:304)
	at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:88)
	at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)
	... 2 more
Caused by: javax.security.auth.login.LoginException: Invalid null input: name
	at javax.security.auth.login.LoginContext.init(LoginContext.java:229)
	at javax.security.auth.login.LoginContext.<init>(LoginContext.java:403)
	at org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getToken(SpnegoAuthSupplier.java:104)
	at org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getToken(SpnegoAuthSupplier.java:144)
	at org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getAuthorization(SpnegoAuthSupplier.java:77)
	... 12 more

This happens on both Windows and Linux.

krb5.conf/krb5.ini is present and found by Java.

On the other hand, when I leave the Username and password blank I get an
exception that no TGT could be acquired. Anyhow 'klist' on both Windows and
Linux states that there is a TGT available in the cache.

Caused by: java.lang.RuntimeException: No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt))
	at org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getAuthorization(SpnegoAuthSupplier.java:82)
	at org.apache.cxf.transport.http.HTTPConduit.setHeadersByAuthorizationPolicy(HTTPConduit.java:771)
	at org.apache.cxf.transport.http.HTTPConduit.prepare(HTTPConduit.java:541)
	at org.apache.cxf.interceptor.MessageSenderInterceptor.handleMessage(MessageSenderInterceptor.java:46)
	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
	at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:519)
	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:449)
	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:352)
	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:304)
	at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:88)
	at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)
	... 2 more
Caused by: GSSException: No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt))
	at sun.security.jgss.spnego.SpNegoContext.initSecContext(SpNegoContext.java:450)
	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
	at org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getToken(SpnegoAuthSupplier.java:100)
	at org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getToken(SpnegoAuthSupplier.java:144)
	at org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getAuthorization(SpnegoAuthSupplier.java:77)
	... 12 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
	at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:130)
	at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:106)
	at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:172)
	at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:209)
	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:195)
	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
	at sun.security.jgss.spnego.SpNegoContext.GSS_initSecContext(SpNegoContext.java:851)
	at sun.security.jgss.spnego.SpNegoContext.initSecContext(SpNegoContext.java:309)
	... 17 more

Did I miss anything in my configuration?

Thanks in advance!

Re: Client HTTP transport with Kerberos/SPNEGO

Posted by Michael Sliwak <mi...@raytion.com>.
Hi!

On Monday 12 September 2011 17:43:23 Christian Schneider wrote:
> I have updated the documentation in the Wiki:
> https://cwiki.apache.org/confluence/display/CXF20DOC/Client+HTTP+Transport+%28including+SSL+support%29
> 
> Btw. if you want to help with documentation we can give you access to
> the Wiki.
> 

As I'm quite new in using CXF I think that I can't contribute that much yet. 
However I'll help wherever I can.

> It should be possible to use authentication when retrieving the WSDL. I
> don't know if you can use Spnego though.
> 
> Anyway I would not recommend to use the WSDL from a server directly.
> Better store the WSDL somewhere and version it separately.
> So I think it is not so bad to store it with the code. It allows you to
> see what the WSDL looked like when you compiled. If it changes later and
> you did not store it then how do you prove that you used the correct
> WSDL if someone says your client is incorrectly calling the server.
> 

You're absolutely right about this. However because I'm in charge of both the 
client and the server code, this shouldn't be a big issue in my case. :)

> Christian
> 
> On 12.09.2011 15:29, Michael Sliwak wrote:
> > Ok, this did the trick.
> > 
> > The following steps are necessary:
> > 
> > 1) make sure that krb5.conf/krb5.ini is configured correctly for the
> > Kerberos realm you want to authenticate against and supply it to your
> > application by setting the java.security.krb5.conf system property
> > 
> > 2) supply a login.conf to your application by setting the
> > java.security.auth.login.config system property, e.g.:
> > 
> > MyConfig {
> > 
> >      com.sun.security.auth.module.Krb5LoginModule required
> >      client=TRUE useTicketCache=true;
> > };
> > 
> > 3) set up spnego using xml configuration or through code: (e.g. in
> > cxf.xml)
> > 
> > <http:conduit name="*.http-conduit">
> > 
> >      <http:authorization>
> >      
> >        <sec:UserName>username</sec:UserName>
> >        <sec:Password>password</sec:Password>
> >        <sec:AuthorizationType>Negotiate</sec:AuthorizationType>
> >        <sec:Authorization>MyConfig</sec:Authorization>
> >      
> >      </http:authorization>
> >    
> >    </http:conduit>
> > 
> > Now Kerberos authentication works when supplying username and password.
> > However using an existing TGT still does not work for me.
> > 
> > Maybe the documentation should be updated accordingly.
> > 
> > Another issue using authentication with the http transport is that it is
> > not possible for me to point the wsdl location for my client directly
> > to the server as it seems that CXF is completely ignoring the
> > authentication challenge when trying to download the wsdl. So I have to
> > download the wsdl manually and place it somewhere local to my
> > application.
-- 
Michael Sliwak, M.Sc.

Raytion GmbH
Kaiser-Friedrich-Ring 74
40547 Düsseldorf

Fon +49-211-550266-0
Fax +49-211-550266-19

michael.sliwak@raytion.com
http://www.raytion.com
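
Added example (not part of the original thread and not CXF code): the first stack trace ends in LoginContext.init rejecting a null name, and step 3 above fixes that by naming a login.conf entry in <sec:Authorization>. The class below resolves an entry name the same way using only the JDK, so a missing or misspelled name can be caught before any Kerberos traffic; the class name JaasEntryCheck and the in-memory sample configuration are constructed for illustration.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/** Added example: preflight check for the JAAS entry named in <sec:Authorization>. */
public class JaasEntryCheck {

    /** Constructed stand-in for the thread's login.conf; used when no real file is configured. */
    static Configuration sampleConfiguration() {
        Map<String, String> options = new HashMap<>();
        options.put("client", "TRUE");
        options.put("useTicketCache", "true");
        final AppConfigurationEntry krb5 = new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule",
                LoginModuleControlFlag.REQUIRED, options);
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return "MyConfig".equals(name) ? new AppConfigurationEntry[] {krb5} : null;
            }
        };
    }

    /**
     * Constructs a LoginContext with the entry name as first argument, as the stack
     * trace shows, and reports the outcome. Constructing the context only resolves
     * the entry; no login is attempted and no KDC is contacted.
     */
    static String check(String entryName, Configuration config) {
        try {
            new LoginContext(entryName, null, null, config);
        } catch (LoginException e) {
            return "FAIL (" + entryName + "): " + e.getMessage();
        }
        AppConfigurationEntry[] entries = config.getAppConfigurationEntry(entryName);
        if (entries == null) {
            // LoginContext falls back to the entry called "other" when the name is unknown.
            entries = config.getAppConfigurationEntry("other");
            entryName = entryName + " -> other";
        }
        StringBuilder report = new StringBuilder("OK (" + entryName + "):");
        for (AppConfigurationEntry entry : entries) {
            report.append(' ').append(entry.getLoginModuleName())
                  .append(" useTicketCache=").append(entry.getOptions().get("useTicketCache"));
        }
        return report.toString();
    }

    public static void main(String[] args) {
        // Run with -Djava.security.auth.login.config=<path to login.conf> to test the real file.
        Configuration config = System.getProperty("java.security.auth.login.config") != null
                ? Configuration.getConfiguration()
                : sampleConfiguration();
        System.out.println("krb5.conf property: " + System.getProperty("java.security.krb5.conf"));
        System.out.println(check(null, config));           // <sec:Authorization> missing
        System.out.println(check("SampleClient", config)); // name not present in the sample
        System.out.println(check("MyConfig", config));     // entry name used in the steps above
    }
}
```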

Re: Client HTTP transport with Kerberos/SPNEGO

Posted by Michael Sliwak <mi...@raytion.com>.
Hi!

On Thursday 15 September 2011 19:08:25 Christian Schneider wrote:
> Can't you simply copy the wsdl in your build process so it is available
> locally afterwards?

Yes, that's what I will do now. Copying the WSDL during deployment so that it 
is available to the client locally.

Thanks all for all your responses!

Michael

> Christian
> 
> On 15.09.2011 11:10, Michael Sliwak wrote:
> > Hi!
> > 
> > On Tuesday 13 September 2011 13:12:47 Freeman Fang wrote:
> >> Hi,
> >> 
> >> In this case the "{WSDL Namespace}portName" would never work for
> >> downloading the wsdl as the portName is unknown at that point.
> >> You need change your http:conduit like
> >> <http-conf:conduit name="https://server_ip:port/.*">
> >> 
> >>     the "https" prefix here is important.
> > 
> > This works nicely, thanks! :)
> > 
> > Also specifying <http-conf:conduit name="*"> works.
> > 
> > Is it possible to configure this in code instead of XML?
-- 
Michael Sliwak, M.Sc.

Raytion GmbH
Kaiser-Friedrich-Ring 74
40547 Düsseldorf

Fon +49-211-550266-0
Fax +49-211-550266-19

michael.sliwak@raytion.com
http://www.raytion.com

Re: Client HTTP transport with Kerberos/SPNEGO

Posted by Daniel Kulp <dk...@apache.org>.
On Thursday, September 15, 2011 11:10:08 AM Michael Sliwak wrote:
> Hi!
> 
> On Tuesday 13 September 2011 13:12:47 Freeman Fang wrote:
> > Hi,
> > 
> > In this case the "{WSDL Namespace}portName" would never work for
> > downloading the wsdl as the portName is unknown at that point.
> > You need change your http:conduit like
> > <http-conf:conduit name="https://server_ip:port/.*">
> > 
> >    the "https" prefix here is important.
> 
> This works nicely, thanks! :)
> 
> Also specifying <http-conf:conduit name="*"> works.
> 
> Is it possible to configure this in code instead of XML?

Not for the WSDL download part of it, no. If you use a local wsdl, you can
then use APIs to configure the HTTPConduit of the clients, but there isn't
anything in place right now for configuring things for the wsdl download parts.


-- 
Daniel Kulp
dkulp@apache.org
http://dankulp.com/blog
Talend - http://www.talend.com
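
Added example (not from the thread or the CXF project's own code): the cxf.xml conduit settings discussed in this thread, applied through the HTTPConduit API to a client proxy that was created from a local WSDL copy. It needs the CXF jars on the classpath; the class name SpnegoConduitConfig and the service classes in the usage comment are hypothetical, and "MyConfig" is the login.conf entry name used earlier in the thread.

```java
import org.apache.cxf.configuration.security.AuthorizationPolicy;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;
import org.apache.cxf.transports.http.configuration.HTTPClientPolicy;

/** Added example: programmatic equivalent of the http:conduit element in cxf.xml. */
public final class SpnegoConduitConfig {

    private SpnegoConduitConfig() {
    }

    /**
     * @param port      JAX-WS proxy built from a local WSDL (the WSDL download itself
     *                  cannot be configured this way, as stated in the reply above)
     * @param jaasEntry login.conf entry name, the value of sec:Authorization
     * @param user      value of sec:UserName
     * @param password  value of sec:Password; pass it in from the caller's secret
     *                  store rather than keeping it in source or configuration
     */
    public static void apply(Object port, String jaasEntry, String user, String password) {
        // A missing entry name is what produced "Invalid null input: name" in the
        // opening post, so reject it here instead of failing inside the conduit.
        if (jaasEntry == null || jaasEntry.trim().isEmpty()) {
            throw new IllegalArgumentException("JAAS login.conf entry name is required");
        }

        Client client = ClientProxy.getClient(port);
        HTTPConduit conduit = (HTTPConduit) client.getConduit();

        AuthorizationPolicy auth = new AuthorizationPolicy();
        auth.setAuthorizationType("Negotiate");   // sec:AuthorizationType
        auth.setAuthorization(jaasEntry);         // sec:Authorization
        auth.setUserName(user);                   // sec:UserName
        auth.setPassword(password);               // sec:Password
        conduit.setAuthorization(auth);

        // Keep any existing client policy and only switch chunking off,
        // matching <http:client AllowChunking="false" /> from the opening post.
        HTTPClientPolicy http = conduit.getClient();
        if (http == null) {
            http = new HTTPClientPolicy();
        }
        http.setAllowChunking(false);
        conduit.setClient(http);
    }

    // Usage with hypothetical generated classes (MyService, SoapPort) and a local WSDL:
    //   URL wsdl = SpnegoConduitConfig.class.getResource("/wsdl/service.wsdl");
    //   SoapPort port = new MyService(wsdl).getSoapPort();
    //   SpnegoConduitConfig.apply(port, "MyConfig", user, password);
}
```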

Re: Client HTTP transport with Kerberos/SPNEGO

Posted by Christian Schneider <ch...@die-schneider.net>.
Can't you simply copy the wsdl in your build process so it is available 
locally afterwards?

Christian


On 15.09.2011 11:10, Michael Sliwak wrote:
> Hi!
>
> On Tuesday 13 September 2011 13:12:47 Freeman Fang wrote:
>> Hi,
>>
>> In this case the "{WSDL Namespace}portName" would never work for
>> downloading the wsdl as the portName is unknown at that point.
>> You need change your http:conduit like
>> <http-conf:conduit name="https://server_ip:port/.*">
>>     the "https" prefix here is important.
>>
> This works nicely, thanks! :)
>
> Also specifying <http-conf:conduit name="*"> works.
>
> Is it possible to configure this in code instead of XML?
>


-- 
--
Christian Schneider
http://www.liquid-reality.de

Open Source Architect
Talend Application Integration Division http://www.talend.com


Re: Client HTTP transport with Kerberos/SPNEGO

Posted by Michael Sliwak <mi...@raytion.com>.
Hi!

On Tuesday 13 September 2011 13:12:47 Freeman Fang wrote:
> Hi,
> 
> In this case the "{WSDL Namespace}portName" would never work for
> downloading the wsdl as the portName is unknown at that point.
> You need change your http:conduit like
> <http-conf:conduit name="https://server_ip:port/.*">
>    the "https" prefix here is important.
> 

This works nicely, thanks! :)

Also specifying <http-conf:conduit name="*"> works.

Is it possible to configure this in code instead of XML?

> Freeman
> 
> > On Monday 12 September 2011 15:03:45 Michael Sliwak wrote:
> >> I successfully logged in with Kerberos using httpcomponents-client as
> >> described here
> >> http://hc.apache.org/httpcomponents-client-ga/tutorial/html/authentication.html#spnego
> >> 
> >> After a debugging run it seems that you have to set
> >> 
> >> <sec:Authorization/>
> >> 
> >> when using <sec:UserName /> and <sec:Password /> in cxf.xml.
> >> Line 104 in SpnegoAuthSupplier.java creates a new LoginContext with
> >> authPolicy.getAuthorization() as the first constructor argument. Currently
> >> this method returns null as I did not set <sec:Authorization/> in cxf.xml.
> >> Maybe this sets the name for the login.conf section. SampleClient in your
> >> example. I'll give it a try.
> >> 
> >> On Monday 12 September 2011 14:50:54 Christian Schneider wrote:
> >>> I am not sure if it is the login.conf but you need to specify that you
> >>> want to use the tgt cache like this:
> >>> 
> >>> SampleClient {
> >>>     com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true;
> >>> };
> >>> 
> >>> I am not sure about the name SampleClient above and what you should write
> >>> there but the *useTicketCache=true* is important.
> >>> I currently have no kerberos environment else I would do a test and let
> >>> you know what is necessary.
> >>> 
> >>> Btw. Have you tried to do a kerberos login without CXF? The config you
> >>> need there should be the same as for cxf.
> >>> 
> >>> Christian
> >>> 
> >>> On 12.09.2011 14:38, Michael Sliwak wrote:
> >>>> Hi Christian!
> >>>> 
> >>>> Setting the corresponding registry key on windows does not have any
> >>>> effect.
> >>>> 
> >>>> Just one quick question before I dive more in to the code of CXF. Do I
> >>>> have to specify a login.conf for JGSS when using CXF?
> >>>> 
> >>>> The Javadoc for the LoginContext states
> >>>> (http://download.oracle.com/javase/1,5.0/docs/api/javax/security/auth/login/LoginContext.html#LoginContext(java.lang.String,%20javax.security.auth.callback.CallbackHandler):
> >>>> 
> >>>> Throws:
> >>>> LoginException - if the caller-specified name does not appear in the
> >>>> Configuration and there is no Configuration entry for "other", if the
> >>>> caller-specified subject is null, or if the
> >>>> auth.login.defaultCallbackHandler security property was set, but the
> >>>> implementation class could not be loaded.
> >>>> 
> >>>> I have a slight suspicion that I'm still missing some configuration.
> >>>> 
> >>>> Michael
> >>>> 
> >>>> On Monday 12 September 2011 13:19:16 Christian Schneider wrote:
> >>>>> I am not sure about the first exception. Could you debug into the code
> >>>>> and try to find out more about the point where the exception happens?
> >>>>> 
> >>>>> About the second problem when using no username and password on windows.
> >>>>> Can you check if you have the registry setting that allows java to use
> >>>>> the tgt?
> >>>>> See: http://www.javaactivedirectory.com/?page_id=93
> >>>>> 
> >>>>> Christian
> >>>>> 
> > 
> > Raytion GmbH
> > Kaiser-Friedrich-Ring 74
> > 40547 Düsseldorf
> > 
> > Fon +49-211-550266-0
> > Fax +49-211-550266-19
> > 
> > michael.sliwak@raytion.com
> > http://www.raytion.com
> 
> ---------------------------------------------
> Freeman Fang
> 
> FuseSource
> Email:ffang@fusesource.com
> Web: fusesource.com
> Twitter: freemanfang
> Blog: http://freemanfang.blogspot.com
-- 
Michael Sliwak, M.Sc.

Raytion GmbH
Kaiser-Friedrich-Ring 74
40547 Düsseldorf

Fon +49-211-550266-0
Fax +49-211-550266-19

michael.sliwak@raytion.com
http://www.raytion.com

Re: Client HTTP transport with Kerberos/SPNEGO

Posted by Freeman Fang <fr...@gmail.com>.
On 2011-9-12, at 9:29 PM, Michael Sliwak wrote:

> Ok, this did the trick.
>
> The following steps are necessary:
>
> 1) make sure that krb5.conf/krb5.ini is configured correctly for the
> Kerberos realm you want to authenticate against and supply it to your
> application by setting the java.security.krb5.conf system property
>
> 2) supply a login.conf to your application by setting the
> java.security.auth.login.config system property, e.g.:
>
> MyConfig {
>    com.sun.security.auth.module.Krb5LoginModule required client=TRUE useTicketCache=true;
> };
>
> 3) set up spnego using xml configuration or through code: (e.g. in cxf.xml)
>
> <http:conduit name="*.http-conduit">
>    <http:authorization>
>      <sec:UserName>username</sec:UserName>
>      <sec:Password>password</sec:Password>
>      <sec:AuthorizationType>Negotiate</sec:AuthorizationType>
>      <sec:Authorization>MyConfig</sec:Authorization>
>    </http:authorization>
> </http:conduit>
>
> Now Kerberos authentication works when supplying username and password.
> However using an existing TGT still does not work for me.
>
> Maybe the documentation should be updated accordingly.
>
> Another issue using authentication with the http transport is that it is
> not possible for me to point the wsdl location for my client directly to
> the server as it seems that CXF is completely ignoring the authentication
> challenge when trying to download the wsdl. So I have to download the wsdl
> manually and place it somewhere local to my application.

Hi,

In this case the "{WSDL Namespace}portName" would never work for
downloading the wsdl as the portName is unknown at that point.
You need change your http:conduit like
<http-conf:conduit name="https://server_ip:port/.*">
   the "https" prefix here is important.

Freeman

>
> On Monday 12 September 2011 15:03:45 Michael Sliwak wrote:
>> I successfully logged in with Kerberos using httpcomponents-client as
>> described here
>> http://hc.apache.org/httpcomponents-client-ga/tutorial/html/authentication.html#spnego
>>
>> After a debugging run it seems that you have to set
>>
>> <sec:Authorization/>
>>
>> when using <sec:UserName /> and <sec:Password /> in cxf.xml.
>> Line 104 in SpnegoAuthSupplier.java creates a new LoginContext with
>> authPolicy.getAuthorization() as the first constructor argument. Currently
>> this method returns null as I did not set <sec:Authorization/> in cxf.xml.
>> Maybe this sets the name for the login.conf section. SampleClient in your
>> example. I'll give it a try.
>>
>> On Monday 12 September 2011 14:50:54 Christian Schneider wrote:
>>> I am not sure if it is the login.conf but you need to specify that you
>>> want to use the tgt cache like this:
>>>
>>> SampleClient {
>>>     com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true;
>>> };
>>>
>>> I am not sure about the name SampleClient above and what you should write
>>> there but the *useTicketCache=true* is important.
>>> I currently have no kerberos environment else I would do a test and let
>>> you know what is necessary.
>>>
>>> Btw. Have you tried to do a kerberos login without CXF? The config you
>>> need there should be the same as for cxf.
>>>
>>> Christian
>>>
>>> On 12.09.2011 14:38, Michael Sliwak wrote:
>>>> Hi Christian!
>>>>
>>>> Setting the corresponding registry key on windows does not have any
>>>> effect.
>>>>
>>>> Just one quick question before I dive more in to the code of CXF. Do I
>>>> have to specify a login.conf for JGSS when using CXF?
>>>>
>>>> The Javadoc for the LoginContext states
>>>> (http://download.oracle.com/javase/1,5.0/docs/api/javax/security/auth/login/LoginContext.html#LoginContext(java.lang.String,%20javax.security.auth.callback.CallbackHandler):
>>>>
>>>> Throws:
>>>> LoginException - if the caller-specified name does not appear in the
>>>> Configuration and there is no Configuration entry for "other", if the
>>>> caller-specified subject is null, or if the
>>>> auth.login.defaultCallbackHandler security property was set, but the
>>>> implementation class could not be loaded.
>>>>
>>>> I have a slight suspicion that I'm still missing some configuration.
>>>>
>>>> Michael
>>>>
>>>> On Monday 12 September 2011 13:19:16 Christian Schneider wrote:
>>>>> I am not sure about the first exception. Could you debug into the code
>>>>> and try to find out more about the point where the exception happens?
>>>>>
>>>>> About the second problem when using no username and password on windows.
>>>>> Can you check if you have the registry setting that allows java to use
>>>>> the tgt?
>>>>> See: http://www.javaactivedirectory.com/?page_id=93
>>>>>
>>>>> Christian
>>>>>
>>>>> On 12.09.2011 13:07, Michael Sliwak wrote:
>>>>>> Hello everyone!
>>>>>>
>>>>>> According to
>>>>>> http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-SpnegoAuthentication%28Kerberos%29
>>>>>> CXF should be able to handle Kerberos/SPNEGO authentication when
>>>>>> accessing web services.
>>>>>>
>>>>>> I'm trying to access an ASP.NET Web Service that is secured by
>>>>>> Kerberos (Integrated Windows authentication) using CXF.
>>>>>>
>>>>>> I have configured everything as stated in the documentation. Here's
>>>>>> my cxf.xml
>>>>>>
>>>>>> <?xml version="1.0" encoding="UTF-8"?>
>>>>>>
>>>>>> <beans xmlns="http://www.springframework.org/schema/beans"
>>>>>>   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>>>>   xmlns:sec="http://cxf.apache.org/configuration/security"
>>>>>>   xmlns:http="http://cxf.apache.org/transports/http/configuration"
>>>>>>   xmlns:jaxws="http://cxf.apache.org/jaxws"
>>>>>>   xsi:schemaLocation="
>>>>>>            http://cxf.apache.org/configuration/security
>>>>>>            http://cxf.apache.org/schemas/configuration/security.xsd
>>>>>>            http://cxf.apache.org/transports/http/configuration
>>>>>>            http://cxf.apache.org/schemas/configuration/http-conf.xsd
>>>>>>            http://cxf.apache.org/jaxws
>>>>>>            http://cxf.apache.org/schemas/jaxws.xsd
>>>>>>            http://www.springframework.org/schema/beans
>>>>>>            http://www.springframework.org/schema/beans/spring-beans.xsd">
>>>>>>
>>>>>>   <http:conduit name="{http://some.name.space/}SoapPort.http-conduit">
>>>>>>     <http:client AllowChunking="false" />
>>>>>>     <http:authorization>
>>>>>>       <sec:UserName>username</sec:UserName>
>>>>>>       <sec:Password>password</sec:Password>
>>>>>>       <sec:AuthorizationType>Negotiate</sec:AuthorizationType>
>>>>>>     </http:authorization>
>>>>>>   </http:conduit>
>>>>>>
>>>>>> </beans>
>>>>>>
>>>>>> Whenever I run my code, I get the following exception:
>>>>>>
>>>>>> Caused by: java.lang.RuntimeException: Invalid null input: name
>>>>>> 	at org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getAuthorization(SpnegoAuthSupplier.java:80)
>>>>>> 	at org.apache.cxf.transport.http.HTTPConduit.setHeadersByAuthorizationPolicy(HTTPConduit.java:771)
>>>>>> 	at org.apache.cxf.transport.http.HTTPConduit.prepare(HTTPConduit.java:541)
>>>>>> 	at org.apache.cxf.interceptor.MessageSenderInterceptor.handleMessage(MessageSenderInterceptor.java:46)
>>>>>> 	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
>>>>>> 	at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:519)
>>>>>> 	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:449)
>>>>>> 	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:352)
>>>>>> 	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:304)
>>>>>> 	at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:88)
>>>>>> 	at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)
>>>>>> 	... 2 more
>>>>>> Caused by: javax.security.auth.login.LoginException: Invalid null input: name
>>>>>> 	at javax.security.auth.login.LoginContext.init(LoginContext.java:229)
>>>>>> 	at javax.security.auth.login.LoginContext.<init>(LoginContext.java:403)
>>>>>> 	at org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getToken(SpnegoAuthSupplier.java:104)
>>>>>> 	at org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getToken(SpnegoAuthSupplier.java:144)
>>>>>> 	at org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getAuthorization(SpnegoAuthSupplier.java:77)
>>>>>> 	... 12 more
>>>>>>
>>>>>> This happens on both Windows and Linux.
>>>>>>
>>>>>> krb5.conf/krb5.ini is present and found by Java.
>>>>>>
>>>>>> On the other hand, when I leave the Username and password blank I
>>>>>> get an exception that no TGT could be acquired. Anyhow 'klist' on
>>>>>> both Windows and Linux states that there is a TGT available in the
>>>>>> cache.
>>>>>>
>>>>>> Caused by: java.lang.RuntimeException: No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt))
>>>>>> 	at org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getAuthorization(SpnegoAuthSupplier.java:82)
>>>>>> 	at org.apache.cxf.transport.http.HTTPConduit.setHeadersByAuthorizationPolicy(HTTPConduit.java:771)
>>>>>> 	at org.apache.cxf.transport.http.HTTPConduit.prepare(HTTPConduit.java:541)
>>>>>> 	at org.apache.cxf.interceptor.MessageSenderInterceptor.handleMessage(MessageSenderInterceptor.java:46)
>>>>>> 	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
>>>>>> 	at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:519)
>>>>>> 	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:449)
>>>>>> 	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:352)
>>>>>> 	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:304)
>>>>>> 	at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:88)
>>>>>> 	at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)
>>>>>> 	... 2 more
>>>>>> Caused by: GSSException: No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt))
>>>>>> 	at sun.security.jgss.spnego.SpNegoContext.initSecContext(SpNegoContext.java:450)
>>>>>> 	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
>>>>>> 	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
>>>>>> 	at org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getToken(SpnegoAuthSupplier.java:100)
>>>>>> 	at org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getToken(SpnegoAuthSupplier.java:144)
>>>>>> 	at org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getAuthorization(SpnegoAuthSupplier.java:77)
>>>>>> 	... 12 more
>>>>>> Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
>>>>>> 	at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:130)
>>>>>> 	at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:106)
>>>>>> 	at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:172)
>>>>>> 	at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:209)
>>>>>> 	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:195)
>>>>>> 	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
>>>>>> 	at sun.security.jgss.spnego.SpNegoContext.GSS_initSecContext(SpNegoContext.java:851)
>>>>>> 	at sun.security.jgss.spnego.SpNegoContext.initSecContext(SpNegoContext.java:309)
>>>>>> 	... 17 more
>>>>>>
>>>>>> Did I miss anything in my configuration?
>>>>>>
>>>>>> Thanks in advance!
> -- 
> Michael Sliwak, M.Sc.
>
> Raytion GmbH
> Kaiser-Friedrich-Ring 74
> 40547 Düsseldorf
>
> Fon +49-211-550266-0
> Fax +49-211-550266-19
>
> michael.sliwak@raytion.com
> http://www.raytion.com

---------------------------------------------
Freeman Fang

FuseSource
Email:ffang@fusesource.com
Web: fusesource.com
Twitter: freemanfang
Blog: http://freemanfang.blogspot.com










Re: Client HTTP transport with Kerberos/SPNEGO

Posted by Christian Schneider <ch...@die-schneider.net>.
I have updated the documentation in the Wiki:
https://cwiki.apache.org/confluence/display/CXF20DOC/Client+HTTP+Transport+%28including+SSL+support%29

Btw. if you want to help with documentation we can give you access to 
the Wiki.

It should be possible to use authentication when retrieving the WSDL. I 
don't know if you can use Spnego though.

Anyway I would not recommend using the WSDL from a server directly. 
Better store the WSDL somewhere and version it separately.
So I think it is not so bad to store it with the code. It allows you to 
see what the WSDL looked like when you compiled. If it changes later and
you did not store it, then how do you prove that you used the correct 
WSDL if someone says your client is incorrectly calling the server?

Christian


On 12.09.2011 15:29, Michael Sliwak wrote:
> Ok, this did the trick.
>
> The following steps are necessary:
>
> 1) make sure that krb5.conf/krb5.ini is configured correctly for the Kerberos realm you want to authenticate against
> and supply it to your application by setting the java.security.krb5.conf system property
>
> 2) supply a login.conf to your application by setting the java.security.auth.login.config system property, e.g.:
>
> MyConfig {
>      com.sun.security.auth.module.Krb5LoginModule required client=TRUE useTicketCache=true;
> };
>
> 3) set up spnego using xml configuration or through code: (e.g. in cxf.xml)
>
> <http:conduit name="*.http-conduit">
>      <http:authorization>
>        <sec:UserName>username</sec:UserName>
>        <sec:Password>password</sec:Password>
>        <sec:AuthorizationType>Negotiate</sec:AuthorizationType>
>        <sec:Authorization>MyConfig</sec:Authorization>
>      </http:authorization>
>    </http:conduit>
>
> Now Kerberos authentication works when supplying username and password. However using an existing TGT still does not work for me.
>
> Maybe the documentation should be updated accordingly.
>
> Another issue using authentication with the http transport is that it is not possible for me to point the wsdl location for my client
> directly to the server as it seems that CXF is completely ignoring the authentication challenge when trying to download the wsdl.
> So I have to download the wsdl manually and place it somewhere local to my application.
>
>

-- 
--
Christian Schneider
http://www.liquid-reality.de

Open Source Architect
Talend Application Integration Division http://www.talend.com


Re: Client HTTP transport with Kerberos/SPNEGO

Posted by Ludi <lt...@fhv.at>.
Hello,

I try to get Tomcat with CXF and Kerberos (SPNEGO) running.
Tomcat with CXF works fine, Tomcat with Kerberos (SPNEGO) as well. But I was
not able to combine CXF and Kerberos. 
I found already the documentation
https://cwiki.apache.org/confluence/display/CXF20DOC/Client+HTTP+Transport+%28including+SSL+support%29
and the thread
http://cxf.547215.n5.nabble.com/Client-HTTP-transport-with-Kerberos-SPNEGO-td4793790.html#a4794118 
.

I tried to add the following XML code within the cxf.xml
<conduit name="{http://example.com/}HelloWorldServicePort.http-conduit"
xmlns="http://cxf.apache.org/transports/http/configuration">
   <authorization>
      <AuthorizationType>Negotiate</AuthorizationType>
      <Authorization>CXFClient</Authorization>
   </authorization>
 </conduit>

Afterwards the tomcat starts with an exception.

Does anyone have a short example or is able to send me a web.xml and the
corresponding cxf.xml?

Thanks a lot
Ludi



Re: Client HTTP transport with Kerberos/SPNEGO

Posted by Michael Sliwak <mi...@raytion.com>.
Ok, this did the trick.

The following steps are necessary:

1) make sure that krb5.conf/krb5.ini is configured correctly for the Kerberos realm you want to authenticate against
and supply it to your application by setting the java.security.krb5.conf system property

2) supply a login.conf to your application by setting the java.security.auth.login.config system property, e.g.:

MyConfig {
    com.sun.security.auth.module.Krb5LoginModule required client=TRUE useTicketCache=true;
};

3) set up spnego using xml configuration or through code: (e.g. in cxf.xml)

<http:conduit name="*.http-conduit">
    <http:authorization>
      <sec:UserName>username</sec:UserName>
      <sec:Password>password</sec:Password>
      <sec:AuthorizationType>Negotiate</sec:AuthorizationType>
      <sec:Authorization>MyConfig</sec:Authorization>
    </http:authorization>
  </http:conduit>

Now Kerberos authentication works when supplying username and password. However using an existing TGT still does not work for me.

Maybe the documentation should be updated accordingly.

Another issue using authentication with the http transport is that it is not possible for me to point the wsdl location for my client
directly to the server as it seems that CXF is completely ignoring the authentication challenge when trying to download the wsdl.
So I have to download the wsdl manually and place it somewhere local to my application.

On Monday 12 September 2011 15:03:45 Michael Sliwak wrote:
> I successfully logged in with Kerberos using httpcomponents-client as
> described here http://hc.apache.org/httpcomponents-client-ga/tutorial/html/authentication.html#spnego
> 
> After a debugging run it seems that you have to set
> 
> <sec:Authorization/>
> 
> when using <sec:UserName /> and <sec:Password /> in cxf.xml.
> Line 104 in SpnegoAuthSupplier.java creates a new LoginContext with
> authPolicy.getAuthorization() as the first constructor argument. Currently
> this method returns null as I did not set <sec:Authorization/> in cxf.xml.
> Maybe this sets the name for the login.conf section. SampleClient in your
> example. I'll give it a try.
> 
> On Monday 12 September 2011 14:50:54 Christian Schneider wrote:
> > I am not sure if it is the login.conf but you need to specify that you
> > want to use the tgt cache like this:
> > 
> > SampleClient {
> >     com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true;
> > };
> > 
> > I am not sure about the name SampleClient above and what you should
> > write there but the *useTicketCache=true* is important.
> > I currently have no kerberos environment else I would do a test and let
> > you know what is necessary.
> > 
> > Btw. Have you tried to do a kerberos login without CXF? The config you
> > need there should be the same as for cxf.
> > 
> > Christian
> > 
> > > On 12.09.2011 14:38, Michael Sliwak wrote:
> > > Hi Christian!
> > > 
> > > Setting the corresponding registry key on windows does not have any
> > > effect.
> > > 
> > > Just one quick question before I dive more into the code of CXF. Do I
> > > have to specify a login.conf for JGSS when using CXF?
> > > 
> > > The Javadoc for the LoginContext states
> > > (http://download.oracle.com/javase/1,5.0/docs/api/javax/security/auth/login/LoginContext.html#LoginContext(java.lang.String,%20javax.security.auth.callback.CallbackHandler):
> > > 
> > > Throws:
> > > LoginException - if the caller-specified name does not appear in the
> > > Configuration and there is no Configuration entry for "other", if the
> > > caller-specified subject is null, or if the
> > > auth.login.defaultCallbackHandler security property was set, but the
> > > implementation class could not be loaded.
> > > 
> > > I have a slight suspicion that I'm still missing some configuration.
> > > 
> > > Michael
> > > 
> > > On Monday 12 September 2011 13:19:16 Christian Schneider wrote:
> > >> I am not sure about the first exception. Could you debug into the
> > >> code and try to find out more about the point where the exception
> > >> happens?
> > >> 
> > >> About the second problem when using no username and password on
> > >> windows.
> > >> Can you check if you have the registry setting that allows java to
> > >> use the tgt?
> > >> See: http://www.javaactivedirectory.com/?page_id=93
> > >> 
> > >> Christian
> > >> 
> > >> On 12.09.2011 13:07, Michael Sliwak wrote:
> > >>> Hello everyone!
> > >>> 
> > >>> According to
> > >>> http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-SpnegoAuthentication%28Kerberos%29
> > >>> CXF should be able to handle Kerberos/SPNEGO authentication when
> > >>> accessing web services.
> > >>> 
> > >>> I'm trying to access an ASP.NET Web Service that is secured by
> > >>> Kerberos (Integrated Windows authentication) using CXF.
> > >>> 
> > >>> I have configured everything as stated in the documentation. Here's
> > >>> my cxf.xml
> > >>> 
> > >>> <?xml version="1.0" encoding="UTF-8"?>
> > >>> 
> > >>> <beans xmlns="http://www.springframework.org/schema/beans"
> > >>>   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> > >>>   xmlns:sec="http://cxf.apache.org/configuration/security"
> > >>>   xmlns:http="http://cxf.apache.org/transports/http/configuration"
> > >>>   xmlns:jaxws="http://cxf.apache.org/jaxws"
> > >>>   xsi:schemaLocation="
> > >>>            http://cxf.apache.org/configuration/security
> > >>>            http://cxf.apache.org/schemas/configuration/security.xsd
> > >>>            http://cxf.apache.org/transports/http/configuration
> > >>>            http://cxf.apache.org/schemas/configuration/http-conf.xsd
> > >>>            http://cxf.apache.org/jaxws
> > >>>            http://cxf.apache.org/schemas/jaxws.xsd
> > >>>            http://www.springframework.org/schema/beans
> > >>>            http://www.springframework.org/schema/beans/spring-beans.xsd">
> > >>> 
> > >>>   <http:conduit name="{http://some.name.space/}SoapPort.http-conduit">
> > >>>     <http:client AllowChunking="false" />
> > >>>     <http:authorization>
> > >>>       <sec:UserName>username</sec:UserName>
> > >>>       <sec:Password>password</sec:Password>
> > >>>       <sec:AuthorizationType>Negotiate</sec:AuthorizationType>
> > >>>     </http:authorization>
> > >>>   </http:conduit>
> > >>> 
> > >>> </beans>
> > >>> 
> > >>> Whenever I run my code, I get the following exception:
> > >>> 
> > >>> Caused by: java.lang.RuntimeException: Invalid null input: name
> > >>> 	at org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getAuthorization(SpnegoAuthSupplier.java:80)
> > >>> 	at org.apache.cxf.transport.http.HTTPConduit.setHeadersByAuthorizationPolicy(HTTPConduit.java:771)
> > >>> 	at org.apache.cxf.transport.http.HTTPConduit.prepare(HTTPConduit.java:541)
> > >>> 	at org.apache.cxf.interceptor.MessageSenderInterceptor.handleMessage(MessageSenderInterceptor.java:46)
> > >>> 	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
> > >>> 	at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:519)
> > >>> 	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:449)
> > >>> 	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:352)
> > >>> 	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:304)
> > >>> 	at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:88)
> > >>> 	at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)
> > >>> 	... 2 more
> > >>> Caused by: javax.security.auth.login.LoginException: Invalid null input: name
> > >>> 	at javax.security.auth.login.LoginContext.init(LoginContext.java:229)
> > >>> 	at javax.security.auth.login.LoginContext.<init>(LoginContext.java:403)
> > >>> 	at org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getToken(SpnegoAuthSupplier.java:104)
> > >>> 	at org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getToken(SpnegoAuthSupplier.java:144)
> > >>> 	at org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getAuthorization(SpnegoAuthSupplier.java:77)
> > >>> 	... 12 more
> > >>> 
> > >>> This happens on both Windows and Linux.
> > >>> 
> > >>> krb5.conf/krb5.ini is present and found by Java.
> > >>> 
> > >>> On the other hand, when I leave the Username and password blank I
> > >>> get an exception that no TGT could be acquired. Anyhow 'klist' on
> > >>> both Windows and Linux states that there is a TGT available in the
> > >>> cache.
> > >>> 
> > >>> Caused by: java.lang.RuntimeException: No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt))
> > >>> 	at org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getAuthorization(SpnegoAuthSupplier.java:82)
> > >>> 	at org.apache.cxf.transport.http.HTTPConduit.setHeadersByAuthorizationPolicy(HTTPConduit.java:771)
> > >>> 	at org.apache.cxf.transport.http.HTTPConduit.prepare(HTTPConduit.java:541)
> > >>> 	at org.apache.cxf.interceptor.MessageSenderInterceptor.handleMessage(MessageSenderInterceptor.java:46)
> > >>> 	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
> > >>> 	at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:519)
> > >>> 	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:449)
> > >>> 	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:352)
> > >>> 	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:304)
> > >>> 	at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:88)
> > >>> 	at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)
> > >>> 	... 2 more
> > >>> Caused by: GSSException: No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt))
> > >>> 	at sun.security.jgss.spnego.SpNegoContext.initSecContext(SpNegoContext.java:450)
> > >>> 	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
> > >>> 	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
> > >>> 	at org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getToken(SpnegoAuthSupplier.java:100)
> > >>> 	at org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getToken(SpnegoAuthSupplier.java:144)
> > >>> 	at org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getAuthorization(SpnegoAuthSupplier.java:77)
> > >>> 	... 12 more
> > >>> Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
> > >>> 	at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:130)
> > >>> 	at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:106)
> > >>> 	at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:172)
> > >>> 	at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:209)
> > >>> 	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:195)
> > >>> 	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
> > >>> 	at sun.security.jgss.spnego.SpNegoContext.GSS_initSecContext(SpNegoContext.java:851)
> > >>> 	at sun.security.jgss.spnego.SpNegoContext.initSecContext(SpNegoContext.java:309)
> > >>> 	... 17 more
> > >>> 
> > >>> Did I miss anything in my configuration?
> > >>> 
> > >>> Thanks in advance!
-- 
Michael Sliwak, M.Sc.

Raytion GmbH
Kaiser-Friedrich-Ring 74
40547 Düsseldorf

Fon +49-211-550266-0
Fax +49-211-550266-19

michael.sliwak@raytion.com
http://www.raytion.com
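
An added example, not part of the original thread and not CXF code: a JDK-only check of the login.conf entry name that, per the debugging described in this thread, reaches LoginContext through <sec:Authorization>. The class JaasEntryCheck and its methods are hypothetical names; the login.conf text is a constructed sample copied from step 2 above. No KDC is needed because login() is never called.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/** Pre-flight check for the JAAS entry name placed in sec:Authorization. */
public class JaasEntryCheck {

    // Constructed sample input: the login.conf from step 2 of the post.
    static final String LOGIN_CONF =
        "MyConfig {\n"
        + "    com.sun.security.auth.module.Krb5LoginModule required"
        + " client=TRUE useTicketCache=true;\n"
        + "};\n";

    /** Points the JVM at a login.conf, as -Djava.security.auth.login.config would. */
    static void install(String loginConf) throws Exception {
        Path file = Files.createTempFile("login", ".conf");
        file.toFile().deleteOnExit();
        Files.write(file, loginConf.getBytes(StandardCharsets.UTF_8));
        System.setProperty("java.security.auth.login.config", file.toUri().toString());
        // Drop any cached configuration so the property is read on next use.
        Configuration.setConfiguration(null);
    }

    /** Returns a one-line verdict for a candidate entry name (may be null). */
    static String check(String entryName) {
        try {
            // The constructor only resolves the entry in the configuration.
            // login() is not called, so no ticket cache or KDC is touched.
            new LoginContext(entryName);
        } catch (LoginException e) {
            return "rejected (" + e.getMessage() + ")";
        }
        AppConfigurationEntry[] entries =
            Configuration.getConfiguration().getAppConfigurationEntry(entryName);
        if (entries == null) {
            // LoginContext falls back to an entry named "other" when one exists.
            return "resolved through the fallback entry \"other\"";
        }
        StringBuilder verdict = new StringBuilder("resolved");
        for (AppConfigurationEntry entry : entries) {
            Map<String, ?> options = entry.getOptions();
            verdict.append(" -> ").append(entry.getLoginModuleName())
                   .append(" [").append(entry.getControlFlag()).append("]")
                   .append(" useTicketCache=").append(options.get("useTicketCache"));
        }
        return verdict.toString();
    }

    public static void main(String[] args) throws Exception {
        install(LOGIN_CONF);
        // null mirrors a conduit without sec:Authorization; SampleClient is a
        // name this login.conf does not define; MyConfig is the defined entry.
        for (String name : new String[] {null, "SampleClient", "MyConfig"}) {
            System.out.println("sec:Authorization = " + name + ": " + check(name));
        }
    }
}
```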

Re: Client HTTP transport with Kerberos/SPNEGO

Posted by Christian Schneider <ch...@die-schneider.net>.
I just looked into the examples of how to use LoginContext. Yes the 
first parameter is the name that points to the section in the login 
config (what was SampleClient in the config in my mail).

I wonder if this is a bug in the cxf code. sec:Authorization is normally 
used for something quite different. In any case I think we should have a 
default like "cxfClient" or similar.

Christian


On 12.09.2011 15:03, Michael Sliwak wrote:
> I successfully logged in with Kerberos using httpcomponents-client as
> described here http://hc.apache.org/httpcomponents-client-ga/tutorial/html/authentication.html#spnego
>
> After a debugging run it seems that you have to set
>
> <sec:Authorization/>
>
> when using <sec:UserName /> and <sec:Password /> in cxf.xml.
> Line 104 in SpnegoAuthSupplier.java creates a new LoginContext with
> authPolicy.getAuthorization() as the first constructor argument. Currently this
> method returns null as I did not set <sec:Authorization/> in cxf.xml. Maybe
> this sets the name for the login.conf section. SampleClient in your example.
> I'll give it a try.
>
>

-- 
--
Christian Schneider
http://www.liquid-reality.de

Open Source Architect
Talend Application Integration Division http://www.talend.com


Re: Client HTTP transport with Kerberos/SPNEGO

Posted by Michael Sliwak <mi...@raytion.com>.
I successfully logged in with Kerberos using httpcomponents-client as 
described here http://hc.apache.org/httpcomponents-client-ga/tutorial/html/authentication.html#spnego

After a debugging run it seems that you have to set

<sec:Authorization/>

when using <sec:UserName /> and <sec:Password /> in cxf.xml.
Line 104 in SpnegoAuthSupplier.java creates a new LoginContext with 
authPolicy.getAuthorization() as the first constructor argument. Currently this 
method returns null as I did not set <sec:Authorization/> in cxf.xml. Maybe 
this sets the name for the login.conf section. SampleClient in your example. 
I'll give it a try.

On Monday 12 September 2011 14:50:54 Christian Schneider wrote:
> I am not sure if it is the login.conf but you need to specify that you
> want to use the tgt cache like this:
> 
> SampleClient {
>     com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true;
> };
> 
> I am not sure about the name SampleClient above and what you should write
> there but the *useTicketCache=true*  is important.
> I currently have no kerberos environment else I would do a test and let you
> know what is necessary.
> 
> Btw. Have you tried to do a kerberos login without CXF? The config you need
> there should be the same as for cxf.
> 
> Christian
> 
> On 12.09.2011 14:38, Michael Sliwak wrote:
> > Hi Christian!
> > 
> > Setting the corresponding registry key on windows does not have any
> > effect.
> > 
> > Just one quick question before I dive more into the code of CXF. Do I
> > have to specify a login.conf for JGSS when using CXF?
> > 
> > The Javadoc for the LoginContext states
> > (http://download.oracle.com/javase/1,5.0/docs/api/javax/security/auth/login/LoginContext.html#LoginContext(java.lang.String,%20javax.security.auth.callback.CallbackHandler):
> > 
> > Throws:
> > LoginException - if the caller-specified name does not appear in the
> > Configuration and there is no Configuration entry for "other", if the
> > caller-specified subject is null, or if the
> > auth.login.defaultCallbackHandler security property was set, but the
> > implementation class could not be loaded.
> > 
> > I have a slight suspicion that I'm still missing some configuration.
> > 
> > Michael
> > 
> > On Monday 12 September 2011 13:19:16 Christian Schneider wrote:
> >> I am not sure about the first exception. Could you debug into the code
> >> and try to find out more about the point where the exception happens?
> >> 
> >> About the second problem when using no username and password on
> >> windows.
> >> Can you check if you have the registry setting that allows java to use
> >> the tgt?
> >> See: http://www.javaactivedirectory.com/?page_id=93
> >> 
> >> Christian
> >> 
> >> On 12.09.2011 13:07, Michael Sliwak wrote:
> >>> Hello everyone!
> >>> 
> >>> According to
> >>> http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-SpnegoAuthentication%28Kerberos%29
> >>> CXF should be able to handle Kerberos/SPNEGO authentication when
> >>> accessing web services.
> >>> 
> >>> I'm trying to access an ASP.NET Web Service that is secured by
> >>> Kerberos (Integrated Windows authentication) using CXF.
> >>> 
> >>> I have configured everything as stated in the documentation. Here's
> >>> my cxf.xml
> >>> 
> >>> <?xml version="1.0" encoding="UTF-8"?>
> >>> 
> >>> <beans xmlns="http://www.springframework.org/schema/beans"
> >>>   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> >>>   xmlns:sec="http://cxf.apache.org/configuration/security"
> >>>   xmlns:http="http://cxf.apache.org/transports/http/configuration"
> >>>   xmlns:jaxws="http://cxf.apache.org/jaxws"
> >>>   xsi:schemaLocation="
> >>>            http://cxf.apache.org/configuration/security
> >>>            http://cxf.apache.org/schemas/configuration/security.xsd
> >>>            http://cxf.apache.org/transports/http/configuration
> >>>            http://cxf.apache.org/schemas/configuration/http-conf.xsd
> >>>            http://cxf.apache.org/jaxws
> >>>            http://cxf.apache.org/schemas/jaxws.xsd
> >>>            http://www.springframework.org/schema/beans
> >>>            http://www.springframework.org/schema/beans/spring-beans.xsd">
> >>> 
> >>>   <http:conduit name="{http://some.name.space/}SoapPort.http-conduit">
> >>>     <http:client AllowChunking="false" />
> >>>     <http:authorization>
> >>>       <sec:UserName>username</sec:UserName>
> >>>       <sec:Password>password</sec:Password>
> >>>       <sec:AuthorizationType>Negotiate</sec:AuthorizationType>
> >>>     </http:authorization>
> >>>   </http:conduit>
> >>> 
> >>> </beans>
> >>> 
> >>> Whenever i run my code, i get the following exception:
> >>> 
> >>> Caused by: java.lang.RuntimeException: Invalid null input: name
> >>> 
> >>> 	at
> >>> 
> >>> org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getAuthorizati
> >>> on(S pnegoAuthSupplier.java:80)>
> >>> 
> >>> 	at
> >>> 
> >>> org.apache.cxf.transport.http.HTTPConduit.setHeadersByAuthorizationP
> >>> olic y(HTTPConduit.java:771)>
> >>> 
> >>> 	at
> >>> 	org.apache.cxf.transport.http.HTTPConduit.prepare(HTTPConduit.java
> >>> 	:54
> >>> 	1) at
> >>> 
> >>> org.apache.cxf.interceptor.MessageSenderInterceptor.handleMessage(Me
> >>> ssag eSenderInterceptor.java:46)>
> >>> 
> >>> 	at
> >>> 
> >>> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseIntercep
> >>> torC hain.java:263)>
> >>> 
> >>> 	at
> >>> 	org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:519)
> >>> 	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:449)
> >>> 	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:352)
> >>> 	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:304)
> >>> 	at
> >>> 	org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:8
> >>> 	8)
> >>> 	at
> >>> 	org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java
> >>> 	:13
> >>> 	4) ... 2 more
> >>> 
> >>> Caused by: javax.security.auth.login.LoginException: Invalid null
> >>> input: name>
> >>> 
> >>> 	at
> >>> 	javax.security.auth.login.LoginContext.init(LoginContext.java:229
> >>> 	)
> >>> 	at
> >>> 	javax.security.auth.login.LoginContext.<init>(LoginContext.java:40
> >>> 	3)
> >>> 	at
> >>> 
> >>> org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getToken(Spneg
> >>> oAut hSupplier.java:104)>
> >>> 
> >>> 	at
> >>> 
> >>> org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getToken(Spneg
> >>> oAut hSupplier.java:144)>
> >>> 
> >>> 	at
> >>> 
> >>> org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getAuthorizati
> >>> on(S pnegoAuthSupplier.java:77)>
> >>> 
> >>> 	... 12 more
> >>> 
> >>> This happens on both Windows and Linux.
> >>> 
> >>> krb5.conf/krb5.ini is present and found by Java.
> >>> 
> >>> On the other hand, when I leave the Username and password blank i
> >>> get an exception that no TGT could be aquired. Anyhow 'klist' on
> >>> both Windows and Linux states that there is a TGT available in the
> >>> cache.
> >>> 
> >>> Caused by: java.lang.RuntimeException: No valid credentials provided
> >>> (Mechanism level: No valid credentials provided (Mechanism level:
> >>> Failed to find any Kerberos tgt))
> >>> 
> >>> 	at
> >>> 
> >>> org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getAuthorizati
> >>> on(S pnegoAuthSupplier.java:82)>
> >>> 
> >>> 	at
> >>> 
> >>> org.apache.cxf.transport.http.HTTPConduit.setHeadersByAuthorizationP
> >>> olic y(HTTPConduit.java:771)>
> >>> 
> >>> 	at
> >>> 	org.apache.cxf.transport.http.HTTPConduit.prepare(HTTPConduit.java
> >>> 	:54
> >>> 	1) at
> >>> 
> >>> org.apache.cxf.interceptor.MessageSenderInterceptor.handleMessage(Me
> >>> ssag eSenderInterceptor.java:46)>
> >>> 
> >>> 	at
> >>> 
> >>> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseIntercep
> >>> torC hain.java:263)>
> >>> 
> >>> 	at
> >>> 	org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:519)
> >>> 	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:449)
> >>> 	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:352)
> >>> 	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:304)
> >>> 	at
> >>> 	org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:8
> >>> 	8)
> >>> 	at
> >>> 	org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java
> >>> 	:13
> >>> 	4) ... 2 more
> >>> 
> >>> Caused by: GSSException: No valid credentials provided (Mechanism
> >>> level: No valid credentials provided (Mechanism level: Failed to
> >>> find any Kerberos tgt))>
> >>> 
> >>> 	at
> >>> 
> >>> sun.security.jgss.spnego.SpNegoContext.initSecContext(SpNegoContext.
> >>> java>>> 
> >>> :450)>
> >>> :
> >>> 	at
> >>> 	sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.jav
> >>> 	a:2
> >>> 	30) at
> >>> 	sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.jav
> >>> 	a:1
> >>> 	62) at
> >>> 
> >>> org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getToken(Spneg
> >>> oAut hSupplier.java:100)>
> >>> 
> >>> 	at
> >>> 
> >>> org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getToken(Spneg
> >>> oAut hSupplier.java:144)>
> >>> 
> >>> 	at
> >>> 
> >>> org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getAuthorizati
> >>> on(S pnegoAuthSupplier.java:77)>
> >>> 
> >>> 	... 12 more
> >>> 
> >>> Caused by: GSSException: No valid credentials provided (Mechanism
> >>> level: Failed to find any Kerberos tgt)
> >>> 
> >>> 	at
> >>> 
> >>> sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCreden
> >>> tial .java:130)>
> >>> 
> >>> 	at
> >>> 
> >>> sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5Mech
> >>> Fact ory.java:106)>
> >>> 
> >>> 	at
> >>> 
> >>> sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechF
> >>> acto ry.java:172)>
> >>> 
> >>> 	at
> >>> 
> >>> sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.
> >>> java>>> 
> >>> :209)>
> >>> :
> >>> 	at
> >>> 	sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.jav
> >>> 	a:1
> >>> 	95) at
> >>> 	sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.jav
> >>> 	a:1
> >>> 	62) at
> >>> 
> >>> sun.security.jgss.spnego.SpNegoContext.GSS_initSecContext(SpNegoCont
> >>> ext. java:851)>
> >>> 
> >>> 	at
> >>> 
> >>> sun.security.jgss.spnego.SpNegoContext.initSecContext(SpNegoContext.
> >>> java>>> 
> >>> :309)>
> >>> :
> >>> 	... 17 more
> >>> 
> >>> Did I miss anything in my configuration?
> >>> 
> >>> Thanks in advance!
-- 
Michael Sliwak, M.Sc.

Raytion GmbH
Kaiser-Friedrich-Ring 74
40547 Düsseldorf

Fon +49-211-550266-0
Fax +49-211-550266-19

michael.sliwak@raytion.com
http://www.raytion.com

Re: Client HTTP transport with Kerberos/SPNEGO

Posted by Christian Schneider <ch...@die-schneider.net>.
I am not sure if it is the login.conf but you need to specify that you 
want to use the tgt cache like this:

SampleClient {
     com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true;
};

I am not sure about the name SampleClient above and what you should write there but the
*useTicketCache=true* is important.
I currently have no Kerberos environment, else I would do a test and let you know what is necessary.

Btw. Have you tried to do a Kerberos login without CXF? The config you need there should be the same as for CXF.

Christian




Am 12.09.2011 14:38, schrieb Michael Sliwak:
> Hi Christian!
>
> Setting the corresponding registry key on Windows does not have any effect.
>
> Just one quick question before I dive more into the code of CXF. Do I have to
> specify a login.conf for JGSS when using CXF?
>
> The Javadoc for the LoginContext states
> (http://download.oracle.com/javase/1,5.0/docs/api/javax/security/auth/login/LoginContext.html#LoginContext(java.lang.String,%20javax.security.auth.callback.CallbackHandler):
>
> Throws:
> LoginException - if the caller-specified name does not appear in the
> Configuration and there is no Configuration entry for "other", if the
> caller-specified subject is null, or if the auth.login.defaultCallbackHandler security
> property was set, but the implementation class could not be loaded.
>
> I have a slight suspicion that I'm still missing some configuration.
>
> Michael
>
>
>
> On Monday 12 September 2011 13:19:16 Christian Schneider wrote:
>> I am not sure about the first exception. Could you debug into the code
>> and try to find out more about the point where the exception happens?
>>
>> About the second problem when using no username and password on windows.
>> Can you check if you have the registry setting that allows java to use
>> the tgt?
>> See: http://www.javaactivedirectory.com/?page_id=93
>>
>> Christian
>


-- 
--
Christian Schneider
http://www.liquid-reality.de

Open Source Architect
Talend Application Integration Division http://www.talend.com
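
The Kerberos login without CXF suggested above, as an added example (not code from this thread or from CXF). The class name KerberosLoginCheck and the doNotPrompt option are assumptions of this sketch; the entry name SampleClient and useTicketCache=true come from the message, and the entry is built in memory instead of being read from a login.conf file.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/** Stand-alone JAAS/Kerberos login check, independent of CXF (illustrative). */
public class KerberosLoginCheck {

    // Entry name taken from the message above; it plays the role of the
    // "SampleClient { ... };" block in a login.conf file.
    static final String ENTRY_NAME = "SampleClient";

    /** In-memory equivalent of a login.conf holding one Krb5LoginModule entry. */
    static Configuration ticketCacheConfiguration() {
        Map<String, String> options = new HashMap<>();
        options.put("useTicketCache", "true"); // use the TGT that klist shows
        options.put("doNotPrompt", "true");    // assumption: fail instead of asking for a password
        final AppConfigurationEntry[] entries = {
            new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule", // Sun/Oracle/OpenJDK module
                LoginModuleControlFlag.REQUIRED, options)
        };
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                // Only the one named entry exists; there is no "other" fallback.
                return ENTRY_NAME.equals(name) ? entries : null;
            }
        };
    }

    /** Attempts a login for the given entry name and describes the outcome. */
    static String describeLogin(String entryName) {
        LoginContext context;
        try {
            // The four-argument constructor accepts a null Subject and a null
            // CallbackHandler, but not a null or unknown entry name.
            context = new LoginContext(entryName, null, null, ticketCacheConfiguration());
        } catch (LoginException e) {
            return "no usable login entry: " + e.getMessage();
        }
        try {
            context.login();
        } catch (LoginException e) {
            return "login failed: " + e.getMessage();
        }
        try {
            Subject subject = context.getSubject();
            StringBuilder report = new StringBuilder("login succeeded");
            for (KerberosTicket ticket : subject.getPrivateCredentials(KerberosTicket.class)) {
                report.append("\n  ticket of ").append(ticket.getClient())
                      .append(" for ").append(ticket.getServer())
                      .append(", valid until ").append(ticket.getEndTime());
            }
            return report.toString();
        } finally {
            try {
                context.logout(); // drops the in-memory credentials, not the ticket cache
            } catch (LoginException ignored) {
                // nothing left to clean up
            }
        }
    }

    public static void main(String[] args) {
        // A null entry name reproduces "Invalid null input: name" from the first stack trace.
        System.out.println("null entry name -> " + describeLogin(null));
        // The named entry shows whether the JVM can read the existing ticket cache.
        System.out.println(ENTRY_NAME + " -> " + describeLogin(ENTRY_NAME));
    }
}
```

Running it with `-Dsun.security.krb5.debug=true` makes the JVM print Kerberos debugging output, including its ticket cache lookup.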


Re: Client HTTP transport with Kerberos/SPNEGO

Posted by Michael Sliwak <mi...@raytion.com>.
Hi Christian!

Setting the corresponding registry key on Windows does not have any effect.

Just one quick question before I dive more into the code of CXF. Do I have to 
specify a login.conf for JGSS when using CXF?

The Javadoc for the LoginContext states 
(http://download.oracle.com/javase/1,5.0/docs/api/javax/security/auth/login/LoginContext.html#LoginContext(java.lang.String,%20javax.security.auth.callback.CallbackHandler):

Throws:
LoginException - if the caller-specified name does not appear in the 
Configuration and there is no Configuration entry for "other", if the 
caller-specified subject is null, or if the auth.login.defaultCallbackHandler security 
property was set, but the implementation class could not be loaded.

I have a slight suspicion that I'm still missing some configuration.

Michael



On Monday 12 September 2011 13:19:16 Christian Schneider wrote:
> I am not sure about the first exception. Could you debug into the code
> and try to find out more about the point where the exception happens?
> 
> About the second problem when using no username and password on windows.
> Can you check if you have the registry setting that allows java to use
> the tgt?
> See: http://www.javaactivedirectory.com/?page_id=93
> 
> Christian


Re: Client HTTP transport with Kerberos/SPNEGO

Posted by Christian Schneider <ch...@die-schneider.net>.
I am not sure about the first exception. Could you debug into the code 
and try to find out more about the point where the exception happens?

About the second problem when using no username and password on Windows. 
Can you check if you have the registry setting that allows Java to use 
the TGT?
See: http://www.javaactivedirectory.com/?page_id=93

Christian


Am 12.09.2011 13:07, schrieb Michael Sliwak:
> Hello everyone!
>
> According to http://cxf.apache.org/docs/client-http-transport-including-ssl-
> support.html#ClientHTTPTransport%28includingSSLsupport%29-
> SpnegoAuthentication%28Kerberos%29 CXF should be able to handle
> Kerberos/SPNEGO authentication when accessing web services.
>
> I'm trying to access an ASP.NET Web Service that is secured by Kerberos
> (Integrated Windows authentication) using CXF.
>
> I have configured everything as stated in the documentation. Here's my cxf.xml
>
> <?xml version="1.0" encoding="UTF-8"?>
>
> <beans xmlns="http://www.springframework.org/schema/beans"
>    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xmlns:sec="http://cxf.apache.org/configuration/security"
>    xmlns:http="http://cxf.apache.org/transports/http/configuration"
>    xmlns:jaxws="http://cxf.apache.org/jaxws"
>    xsi:schemaLocation="
>             http://cxf.apache.org/configuration/security
>             http://cxf.apache.org/schemas/configuration/security.xsd
>             http://cxf.apache.org/transports/http/configuration
>             http://cxf.apache.org/schemas/configuration/http-conf.xsd
>             http://cxf.apache.org/jaxws
>             http://cxf.apache.org/schemas/jaxws.xsd
>             http://www.springframework.org/schema/beans
>             http://www.springframework.org/schema/beans/spring-beans.xsd">
>
>    <http:conduit name="{http://some.name.space/}SoapPort.http-conduit">
>      <http:client AllowChunking="false" />
>      <http:authorization>
>        <sec:UserName>username</sec:UserName>
>        <sec:Password>password</sec:Password>
>        <sec:AuthorizationType>Negotiate</sec:AuthorizationType>
>      </http:authorization>
>    </http:conduit>
>
> </beans>
>
> Whenever I run my code, I get the following exception:
>
> Caused by: java.lang.RuntimeException: Invalid null input: name
> 	at
> org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getAuthorization(SpnegoAuthSupplier.java:80)
> 	at
> org.apache.cxf.transport.http.HTTPConduit.setHeadersByAuthorizationPolicy(HTTPConduit.java:771)
> 	at org.apache.cxf.transport.http.HTTPConduit.prepare(HTTPConduit.java:541)
> 	at
> org.apache.cxf.interceptor.MessageSenderInterceptor.handleMessage(MessageSenderInterceptor.java:46)
> 	at
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
> 	at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:519)
> 	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:449)
> 	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:352)
> 	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:304)
> 	at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:88)
> 	at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)
> 	... 2 more
> Caused by: javax.security.auth.login.LoginException: Invalid null input: name
> 	at javax.security.auth.login.LoginContext.init(LoginContext.java:229)
> 	at javax.security.auth.login.LoginContext.<init>(LoginContext.java:403)
> 	at
> org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getToken(SpnegoAuthSupplier.java:104)
> 	at
> org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getToken(SpnegoAuthSupplier.java:144)
> 	at
> org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getAuthorization(SpnegoAuthSupplier.java:77)
> 	... 12 more
>
> This happens on both Windows and Linux.
>
> krb5.conf/krb5.ini is present and found by Java.
>
> On the other hand, when I leave the Username and password blank I get an
> exception that no TGT could be acquired. Anyhow 'klist' on both Windows and
> Linux states that there is a TGT available in the cache.
>
> Caused by: java.lang.RuntimeException: No valid credentials provided
> (Mechanism level: No valid credentials provided (Mechanism level: Failed to
> find any Kerberos tgt))
> 	at
> org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getAuthorization(SpnegoAuthSupplier.java:82)
> 	at
> org.apache.cxf.transport.http.HTTPConduit.setHeadersByAuthorizationPolicy(HTTPConduit.java:771)
> 	at org.apache.cxf.transport.http.HTTPConduit.prepare(HTTPConduit.java:541)
> 	at
> org.apache.cxf.interceptor.MessageSenderInterceptor.handleMessage(MessageSenderInterceptor.java:46)
> 	at
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
> 	at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:519)
> 	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:449)
> 	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:352)
> 	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:304)
> 	at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:88)
> 	at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)
> 	... 2 more
> Caused by: GSSException: No valid credentials provided (Mechanism level: No
> valid credentials provided (Mechanism level: Failed to find any Kerberos tgt))
> 	at
> sun.security.jgss.spnego.SpNegoContext.initSecContext(SpNegoContext.java:450)
> 	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
> 	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
> 	at
> org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getToken(SpnegoAuthSupplier.java:100)
> 	at
> org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getToken(SpnegoAuthSupplier.java:144)
> 	at
> org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getAuthorization(SpnegoAuthSupplier.java:77)
> 	... 12 more
> Caused by: GSSException: No valid credentials provided (Mechanism level:
> Failed to find any Kerberos tgt)
> 	at
> sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:130)
> 	at
> sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:106)
> 	at
> sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:172)
> 	at
> sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:209)
> 	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:195)
> 	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
> 	at
> sun.security.jgss.spnego.SpNegoContext.GSS_initSecContext(SpNegoContext.java:851)
> 	at
> sun.security.jgss.spnego.SpNegoContext.initSecContext(SpNegoContext.java:309)
> 	... 17 more
>
> Did I miss anything in my configuration?
>
> Thanks in advance!
>


-- 
--
Christian Schneider
http://www.liquid-reality.de

Open Source Architect
Talend Application Integration Division http://www.talend.com