Posted to issues@cxf.apache.org by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org> on 2016/10/14 14:12:23 UTC
[jira] [Closed] (CXF-6534) Kerberos delegation not possible if Authorization given
[ https://issues.apache.org/jira/browse/CXF-6534?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh closed CXF-6534.
------------------------------------
> Kerberos delegation not possible if Authorization given
> -------------------------------------------------------
>
> Key: CXF-6534
> URL: https://issues.apache.org/jira/browse/CXF-6534
> Project: CXF
> Issue Type: Bug
> Components: Transports
> Affects Versions: 3.0.4, 3.1.0, 3.0.5, 3.1.1, 3.0.6, 3.1.2, 3.1.3
> Reporter: Bernard Chesnoy
> Assignee: Colm O hEigeartaigh
> Fix For: 3.1.3, 3.0.7
>
>
> Issue discovered while migrating from version 3.0.2 to 3.1.2.
> The documentation says that to enable Kerberos you have to give the policy information for Authorization and AuthorizationType:
> {code:xml}
> <conduit name="{http://example.com/}HelloWorldServicePort.http-conduit"
>          xmlns="http://cxf.apache.org/transports/http/configuration">
>     <authorization>
>         <AuthorizationType>Negotiate</AuthorizationType>
>         <Authorization>CXFClient</Authorization>
>     </authorization>
> </conduit>
> {code}
> And for delegation it's not necessary to give the Authorization field.
> But if you give a policy with both of them, it will never try to do delegation, resulting in my application not working anymore (browser -> unix(wildfly) -> windows 2012 by kerberos delegation).
> After a look at the source code, it seems the problem is due to a change in version 3.0.4 in the file AbstractSpnegoAuthSupplier.java:
> {code:java}
> private byte[] getToken(AuthorizationPolicy authPolicy,
>                         String spn,
>                         Oid oid,
>                         Message message) throws GSSException,
>     LoginException {
>
>     Subject subject = null;
>     if (authPolicy != null) {
>         String contextName = authPolicy.getAuthorization();
>         if (contextName == null) {
>             contextName = "";
>         }
>
>         if (!(StringUtils.isEmpty(authPolicy.getUserName())
>             && StringUtils.isEmpty(contextName) && loginConfig == null)) {
>             CallbackHandler callbackHandler = getUsernamePasswordHandler(
>                 authPolicy.getUserName(), authPolicy.getPassword());
>             LoginContext lc = new LoginContext(contextName, null, callbackHandler, loginConfig);
>             lc.login();
>             subject = lc.getSubject();
>         }
>     }
>
>     GSSManager manager = GSSManager.getInstance();
> {code}
> If the contextName is not null, it will always try to use getUsernamePasswordHandler resulting in a loginException.
> Workaround: not specifying an authorization
> Possible fix:
> {code:java}
> if (authPolicy != null && !isCredDelegationRequired(message)) {
> {code}
> Do not hesitate to tell me if there is another way to do it.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
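
The branch condition discussed in the report, modelled as a stand-alone added example (not CXF source and not part of the original message): it evaluates the quoted 3.0.4 condition and the reporter's proposed guard over four constructed configurations. The class, record and method names are hypothetical, `authPolicy` is assumed non-null, and Java 16+ is assumed for records.

```java
// Added illustration; not CXF source. Models only the branch condition quoted in the report.
import java.util.List;

public class SpnegoLoginDecision {

    /** Constructed stand-in for the policy fields and message state the quoted code reads. */
    record Case(String label, String userName, String authorization,
                boolean hasLoginConfig, boolean delegationRequired) { }

    static boolean isEmpty(String s) {
        return s == null || s.isEmpty();
    }

    /** Condition as quoted from AbstractSpnegoAuthSupplier.getToken in the report. */
    static boolean jaasLoginAsQuoted(Case c) {
        String contextName = c.authorization() == null ? "" : c.authorization();
        return !(isEmpty(c.userName()) && isEmpty(contextName) && !c.hasLoginConfig());
    }

    /** Same condition behind the reporter's proposed guard: skip the login when delegating. */
    static boolean jaasLoginWithProposedGuard(Case c) {
        return !c.delegationRequired() && jaasLoginAsQuoted(c);
    }

    public static void main(String[] args) {
        // Constructed sample configurations; "CXFClient" is the context name from the report.
        List<Case> cases = List.of(
            new Case("Negotiate + Authorization, delegating", null, "CXFClient", false, true),
            new Case("Negotiate only, delegating", null, null, false, true),
            new Case("Negotiate + Authorization, no delegation", null, "CXFClient", false, false),
            new Case("Username/password, no delegation", "alice", null, false, false));

        for (Case c : cases) {
            System.out.printf("%-42s quoted=%-5b guarded=%b%n",
                c.label(), jaasLoginAsQuoted(c), jaasLoginWithProposedGuard(c));
        }
    }
}
```

Only the first row differs between the two columns: with the quoted condition a JAAS login is attempted even though delegation is required, and with the proposed guard it is skipped.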