Posted to users@cxf.apache.org by Colm O hEigeartaigh <co...@apache.org> on 2019/01/09 11:57:47 UTC

Re: Validate Kerberos token in CXF webservice

Sorry for the delay on this. I fixed this in
https://issues.apache.org/jira/browse/CXF-7939 so that you can omit the
"action" String in WSS4JInInterceptor, when the "ignoreActions" property is
true. You can take a look at the test-case I added here to see how it works:

https://github.com/apache/cxf/commit/976ecb5f43bd873d01e07078194636a99e812906

Colm.

On Mon, Dec 17, 2018 at 4:12 PM Burkard Stephan <St...@visana.ch>
wrote:

> Thanks for the hints!
>
> Currently there is no token at all. As a first step I want the service to
> reject the request because it has no authentication info.
>
> I tried to set setIgnoreActions(true) as well as the validatorMap, but I
> still get (as before) <faultstring>No security action was
> defined!</faultstring>
>
>
> I found the reason for that in WSS4JInInterceptor, in the method
> "handleMessageInternal". There is a method call to "getAction(SoapMessage
> msg, SoapVersion version)" and this method does not respect the
> "ignoreActions" flag.
>
> Is there something like a NOOP action I can define for such a case?
> Or do you mean in your answer that I have to extend WSS4JInInterceptor to
> get this working?
>
> Thanks
> Stephan
>
>
> -----Original Message-----
> From: Colm O hEigeartaigh <co...@apache.org>
> Sent: Monday, 17 December 2018 15:04
> To: users@cxf.apache.org
> Subject: Re: Validate Kerberos token in CXF webservice
>
> Is it the case that only a KerberosToken encoded as a BinarySecurityToken
> is in the security header? Or are there signatures etc. in there as well?
> If (a), then you could try specifying setIgnoreActions(true) on
> WSS4JInInterceptor. It should process the security header, but won't
> actually verify that any action was performed. So in this case you'd need
> to write a custom interceptor to make sure that you actually processed a
> Kerberos Token.
>
> You'll also need to set the "validatorMap" property on the
> WSS4JInInterceptor properties object, so that the kerberosTokenValidator
> validates the BinarySecurityToken.
>
> Colm.
>
> On Mon, Dec 10, 2018 at 1:23 PM Burkard Stephan <Stephan.Burkard@visana.ch>
> wrote:
>
> > Hi CXF users
> >
> > I want to implement a CXF webservice that validates a Kerberos token
> > with plain WS-Security (not Policy) from the client.
> >
> > I found the following article, but it is done with WS-SecurityPolicy:
> >
> > http://coheigea.blogspot.com/2011/10/using-kerberos-with-web-services-part-i.html
> >
> >
> >
> > However, I was able to adapt some things from it. I have a "kerberos.jaas"
> > file that is passed to the webservice (Spring-Boot) as
> > "java.security.auth.login.config" and has the following content
> >
> > myContext {
> >     com.sun.security.auth.module.Krb5LoginModule required
> >     refreshKrb5Config=true useKeyTab=true storeKey=true
> >     keyTab="path\to\keytab\file.keytab"
> >     principal="HTTP/myService@Realm";
> > };
> >
> > In the Spring configuration I have this Bean
> >
> >     @Bean
> >     public KerberosTokenValidator kerberosTokenValidator() {
> >         KerberosTokenValidator validator = new KerberosTokenValidator();
> >         validator.setContextName("myContext");
> >         validator.setServiceName("myService");
> >         return validator;
> >     }
> >
> > And the webservice endpoint is configured with the validator and the
> > JAAS context name:
> >
> >     factory.getProperties().put(SecurityConstants.BST_TOKEN_VALIDATOR,
> >         kerberosTokenValidator);
> >     factory.getProperties().put(SecurityConstants.KERBEROS_JAAS_CONTEXT_NAME,
> >         "myContext");
> >
> >
> >
> > All this has of course no effect at all because there is no WSS4J
> > In-Interceptor that triggers the WS-Security processing.
> >
> >     @Bean
> >     public WSS4JInInterceptor wss4JInInterceptor() {
> >         Map<String, Object> properties = new HashMap<>();
> >         properties.put(WSHandlerConstants.ACTION, >>> ??? <<<);
> >         return new WSS4JInInterceptor(properties);
> >     }
> >
> > But I did not find what WSS4J action is needed to configure the
> > Kerberos validation. The action "KERBEROS_TOKEN" seems to add a token,
> > so it is the opposite of what I want.
> >
> > Thanks for any help
> > Stephan
> >
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
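The setup Colm describes in this thread (no "action" string, ignoreActions set to true, a validatorMap that routes the BinarySecurityToken to the KerberosTokenValidator, and a custom interceptor that checks a Kerberos token was actually processed), as an added example that is not part of the thread and not code from the CXF project. It assumes a CXF release that contains the CXF-7939 fix (3.3.0 or later) with WSS4J 2.2 package names; the class names KerberosOnlyWsSecurity and RequireKerberosTokenInterceptor are mine, and the JAAS context name "myContext" and service name "myService" are reused from Stephan's mail for illustration.

```java
// Added example (not from the thread or the CXF project). Assumes CXF >= 3.3.0
// (CXF-7939) and WSS4J 2.2 packages; class names and the "myContext"/"myService"
// values are illustrative.
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import javax.xml.namespace.QName;

import org.apache.cxf.binding.soap.SoapFault;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.jaxws.JaxWsServerFactoryBean;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.wss4j.common.token.KerberosSecurity;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
import org.apache.wss4j.dom.handler.WSHandlerConstants;
import org.apache.wss4j.dom.handler.WSHandlerResult;
import org.apache.wss4j.dom.validate.KerberosTokenValidator;

public final class KerberosOnlyWsSecurity {

    /** WSS4J in-interceptor with no ACTION entry: ignoreActions=true makes it
     *  process the Security header without requiring a configured action, and
     *  the validatorMap sends every BinarySecurityToken to the Kerberos validator. */
    public static WSS4JInInterceptor wss4jInInterceptor() {
        KerberosTokenValidator validator = new KerberosTokenValidator();
        validator.setContextName("myContext");  // JAAS login context from kerberos.jaas
        validator.setServiceName("myService");  // service part of HTTP/myService@Realm

        Map<QName, Object> validatorMap = new HashMap<>();
        validatorMap.put(WSConstants.BINARY_TOKEN, validator);

        Map<String, Object> properties = new HashMap<>();
        properties.put(WSS4JInInterceptor.VALIDATOR_MAP, validatorMap);

        WSS4JInInterceptor in = new WSS4JInInterceptor(properties);
        in.setIgnoreActions(true);
        return in;
    }

    /** With ignoreActions=true WSS4J no longer checks that anything was done, so a
     *  request without a Kerberos token would reach the service. This interceptor
     *  runs right after WSS4JInInterceptor and rejects any message whose security
     *  results contain no processed Kerberos BinarySecurityToken. */
    public static final class RequireKerberosTokenInterceptor
            extends AbstractPhaseInterceptor<SoapMessage> {

        public RequireKerberosTokenInterceptor() {
            super(Phase.PRE_PROTOCOL);
            addAfter(WSS4JInInterceptor.class.getName());
        }

        @Override
        public void handleMessage(SoapMessage message) throws Fault {
            List<WSHandlerResult> results =
                CastUtils.cast((List<?>) message.get(WSHandlerConstants.RECV_RESULTS));
            if (!containsKerberosToken(results)) {
                throw new SoapFault("No Kerberos token was processed for this request",
                                    SoapFault.FAULT_CODE_CLIENT);
            }
        }

        /** True only if some BST action result carries a KerberosSecurity token,
         *  i.e. WSS4J parsed and the KerberosTokenValidator accepted a Kerberos BST. */
        static boolean containsKerberosToken(List<WSHandlerResult> results) {
            if (results == null) {
                return false;   // WSS4J produced no results: header missing or empty
            }
            for (WSHandlerResult handlerResult : results) {
                List<WSSecurityEngineResult> bstResults =
                    handlerResult.getActionResults().get(WSConstants.BST);
                if (bstResults == null) {
                    continue;
                }
                for (WSSecurityEngineResult r : bstResults) {
                    Object token = r.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
                    if (token instanceof KerberosSecurity) {
                        return true;
                    }
                }
            }
            return false;
        }
    }

    /** Wires both interceptors onto a JAX-WS server factory, in the order they must run. */
    public static void configure(JaxWsServerFactoryBean factory) {
        factory.getInInterceptors().add(wss4jInInterceptor());
        factory.getInInterceptors().add(new RequireKerberosTokenInterceptor());
    }
}
```

The second interceptor is what turns "validate a Kerberos token if one is present" into "require one": without it, ignoreActions=true would let a request with no token through to the service, which is exactly the unauthenticated request Stephan wants rejected. Checking the processed results rather than the raw header also means a token that failed validation never counts, since WSS4J would have faulted before this interceptor ran.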

Re: Validate Kerberos token in CXF webservice

Posted by Colm O hEigeartaigh <co...@apache.org>.
I'm not sure to be honest, probably you will need to subclass
WSS4JInInterceptor to get it to work. 3.3.0 should be out soon if you can
wait for that.

Colm.

On Tue, Jan 15, 2019 at 8:24 AM Burkard Stephan <St...@visana.ch>
wrote:

> Great, thank you very much!
>
> For CXF < 3.3, is there something like a NOOP action or an action one can
> "misuse" to get around this?
>
> Regards
> Stephan
>

Re: Validate Kerberos token in CXF webservice

Posted by Burkard Stephan <St...@visana.ch>.
Great, thank you very much! 

For CXF < 3.3, is there something like a NOOP action or an action one can "misuse" to get around this? 

Regards
Stephan
