Posted to issues@cxf.apache.org by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org> on 2016/10/14 14:12:23 UTC

[jira] [Closed] (CXF-6534) Kerberos delegation not possible if Authorization given

     [ https://issues.apache.org/jira/browse/CXF-6534?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh closed CXF-6534.
------------------------------------

> Kerberos delegation not possible if Authorization given
> -------------------------------------------------------
>
>                 Key: CXF-6534
>                 URL: https://issues.apache.org/jira/browse/CXF-6534
>             Project: CXF
>          Issue Type: Bug
>          Components: Transports
>    Affects Versions: 3.0.4, 3.1.0, 3.0.5, 3.1.1, 3.0.6, 3.1.2, 3.1.3
>            Reporter: Bernard Chesnoy
>            Assignee: Colm O hEigeartaigh
>             Fix For: 3.1.3, 3.0.7
>
>
> Issue discovered while migrating from version 3.0.2 to 3.1.2.
> In the documentation it says that to enable Kerberos you have to give the policy information for Authorization and AuthorizationType:
> {code:xml}
> <conduit name="{http://example.com/}HelloWorldServicePort.http-conduit"
>   xmlns="http://cxf.apache.org/transports/http/configuration">
>   <authorization>
>      <AuthorizationType>Negotiate</AuthorizationType>
>      <Authorization>CXFClient</Authorization>
>   </authorization>
> </conduit>
> {code}
> And for delegation it is not necessary to give the Authorization field.
> But if you give a policy with both of them, it will never try to do delegation, resulting in my application not working anymore (browser -> Unix (WildFly) -> Windows 2012 by Kerberos delegation).
> After a look at the source code, it seems the problem is due to a change in version 3.0.4 in the file AbstractSpnegoAuthSupplier.java:
> {code:java}
>     private byte[] getToken(AuthorizationPolicy authPolicy,
>                             String spn,
>                             Oid oid,
>                             Message message) throws GSSException,
>         LoginException {
>
>         Subject subject = null;
>         if (authPolicy != null) {
>             // contextName is the JAAS login context name taken from <Authorization>
>             String contextName = authPolicy.getAuthorization();
>             if (contextName == null) {
>                 contextName = "";
>             }
>
>             // A non-empty contextName alone makes this condition true, so a
>             // LoginContext login is attempted even when credential delegation
>             // is required and no user name / password is configured.
>             if (!(StringUtils.isEmpty(authPolicy.getUserName())
>                 && StringUtils.isEmpty(contextName) && loginConfig == null)) {
>                 CallbackHandler callbackHandler = getUsernamePasswordHandler(
>                     authPolicy.getUserName(), authPolicy.getPassword());
>                 LoginContext lc = new LoginContext(contextName, null, callbackHandler, loginConfig);
>                 lc.login();
>                 subject = lc.getSubject();
>             }
>         }
>
>         GSSManager manager = GSSManager.getInstance();
> {code}
> If the contextName is not null, it will always try to use getUsernamePasswordHandler, resulting in a LoginException.
> Workaround: not specifying an authorization
> Possible fix:
> {code:java}
> if (authPolicy != null && !isCredDelegationRequired(message)) {
> {code}
> Do not hesitate to tell me if there is another way to do it.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
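The decision the reporter describes, as an added example that is not part of the original report or of CXF's own code: a self-contained model of the Subject-selection branch in the quoted getToken() excerpt, evaluated once with the 3.0.4 to 3.1.2 condition and once with the proposed `!isCredDelegationRequired(message)` guard, so the effect of setting `<Authorization>` on a delegating conduit can be compared without a KDC or JAAS configuration. The `AuthorizationPolicy` stand-in, the `Outcome` names, the `loginConfig` parameter and the `auth.spnego.requireCredDelegation` message property are illustrative assumptions, not CXF's API.

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Added example, not CXF code: models the Subject-selection logic of the quoted
 * getToken() excerpt before and after the reporter's proposed guard. Class, field
 * and property names are illustrative assumptions.
 */
public class SpnegoLoginDecision {

    /** Stand-in for CXF's AuthorizationPolicy (assumption; the real class has more fields). */
    static final class AuthorizationPolicy {
        final String userName;
        final String password;
        final String authorization; // JAAS login context name from <Authorization>, e.g. "CXFClient"

        AuthorizationPolicy(String userName, String password, String authorization) {
            this.userName = userName;
            this.password = password;
            this.authorization = authorization;
        }
    }

    enum Outcome {
        JAAS_LOGIN,               // LoginContext.login(): LoginException if no user/password or keytab is configured
        USE_DELEGATED_CREDENTIAL, // reuse the GSSCredential delegated by the inbound caller
        NO_SUBJECT                // no Subject: rely on the JVM's default Kerberos credential cache
    }

    /** Stand-in for isCredDelegationRequired(message); the property name is an assumption. */
    static boolean isCredDelegationRequired(Map<String, Object> message) {
        Object v = message.get("auth.spnego.requireCredDelegation");
        return v != null && Boolean.parseBoolean(v.toString());
    }

    private static boolean isEmpty(String s) {
        return s == null || s.isEmpty();
    }

    /** The inner condition exactly as in the quoted excerpt (loginConfig modelled as a nullable object). */
    private static boolean loginBranchTaken(AuthorizationPolicy p, Object loginConfig) {
        String contextName = p.authorization == null ? "" : p.authorization;
        return !(isEmpty(p.userName) && isEmpty(contextName) && loginConfig == null);
    }

    /** Behaviour of the code quoted in the report (CXF 3.0.4 to 3.1.2). */
    static Outcome decideBeforeFix(AuthorizationPolicy p, Object loginConfig, Map<String, Object> message) {
        // Any Authorization value makes loginBranchTaken() true, so a delegation-only
        // conduit that also names a JAAS context is forced through LoginContext.login().
        if (p != null && loginBranchTaken(p, loginConfig)) {
            return Outcome.JAAS_LOGIN;
        }
        return isCredDelegationRequired(message) ? Outcome.USE_DELEGATED_CREDENTIAL : Outcome.NO_SUBJECT;
    }

    /** Same logic with the reporter's proposed guard added to the outer condition. */
    static Outcome decideAfterFix(AuthorizationPolicy p, Object loginConfig, Map<String, Object> message) {
        if (p != null && !isCredDelegationRequired(message) && loginBranchTaken(p, loginConfig)) {
            return Outcome.JAAS_LOGIN;
        }
        return isCredDelegationRequired(message) ? Outcome.USE_DELEGATED_CREDENTIAL : Outcome.NO_SUBJECT;
    }

    public static void main(String[] args) {
        // Constructed message properties, not captured from a real exchange.
        Map<String, Object> delegating = new HashMap<>();
        delegating.put("auth.spnego.requireCredDelegation", "true");
        Map<String, Object> direct = new HashMap<>();

        // The conduit from the report: AuthorizationType=Negotiate, Authorization=CXFClient, no user/password.
        AuthorizationPolicy withContext = new AuthorizationPolicy(null, null, "CXFClient");
        // The reporter's workaround: no <Authorization> element at all.
        AuthorizationPolicy withoutContext = new AuthorizationPolicy(null, null, null);
        // A conduit that carries its own credentials: explicit user name and password.
        AuthorizationPolicy withPassword = new AuthorizationPolicy("svc-client", "secret", "CXFClient");

        report("Authorization=CXFClient, delegation required", withContext, delegating);
        report("no Authorization, delegation required", withoutContext, delegating);
        report("Authorization=CXFClient, no delegation", withContext, direct);
        report("user/password + Authorization, delegation required", withPassword, delegating);
    }

    private static void report(String label, AuthorizationPolicy p, Map<String, Object> message) {
        System.out.println(label);
        System.out.println("  before fix: " + decideBeforeFix(p, null, message));
        System.out.println("  after fix:  " + decideAfterFix(p, null, message));
    }
}
```

The first scenario reproduces the report: with `Authorization=CXFClient` and delegation required, the old condition selects `JAAS_LOGIN` and, with no user name or password for the callback handler, `lc.login()` throws; the guarded condition selects the delegated credential instead. The last scenario shows the caveat that comes with the proposed guard: once delegation is required, an explicitly configured user name and password are ignored as well, so a conduit that is meant to authenticate as its own service account must not set the delegation property.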