Having a hard time trying to protect an existing CXF JAX-RS service with Kerberos authentication.
I went through what seems to be the reference documentation : http://cxf.apache.org/docs/jaxrs-kerberos.html but it did not help much.
I'm actually trying to configure Tomcat+CXF to reproduce this kind of Apache configuration (which works) :
<Directory /var/www/>
AuthType Kerberos
KrbServiceName HTTP/fqdn@realm
Krb5Keytab /path/to/file.keytab
Require valid-user
</Directory>
jaas.conf and krb5.conf were configured. The KerberosAuthenticationFilter was declared and referenced in CXF configuration as well. But I could not even reach the point where I get a 401 Forbidden status code.
I am stuck. Any help would be very much appreciated.
I eventually found a solution.
CXF provides KerberosAuthenticationFilter but please do not use CXF 3.0.1. There was a bug raising a NullPointerException. It was fixed in a following version (I could not tell which one). Switching to CXF 3.0.8 fixed the issue.
1) You need to declare this filter in your beans.xml :
<bean id="kerberosFilter" class="org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter">
<property name="loginContextName" value="mycontext"/>
<property name="servicePrincipalName" value="HTTP/[email protected]"/>
</bean>
2) and add a reference in your endpoint definition (still in beans.xml) :
<jaxrs:server address="/">
<jaxrs:serviceBeans>
<ref bean="bean1" />
<ref bean="bean2" />
<ref bean="bean3" />
</jaxrs:serviceBeans>
<jaxrs:providers>
<ref bean="someProvider" />
<ref bean="someExceptionMappper" />
<ref bean="kerberosFilter" />
</jaxrs:providers>
</jaxrs:server>
3) Add JAAS configuration file jaas.conf in Tomcat configuration path ($CATALINA_HOME/conf/) :
mycontext {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=true
principal="HTTP/[email protected]"
useKeyTab=true
keyTab="/path/to/keytab/HTTP-serviceprincipal.keytab"
debug=true
storeKey=true;
};
4) Install krb5-user and curl to test :
$ kinit (to authenticate againt the KDC)
$ klist (to verify)
$ curl --negotiate -u : http://serviceprincipal/rest/someservice
Here the client (curl) will send a request to our protected server. The server will send back a 401 Unauthorized Status response containing a specific header : WWW-Authenticate: Negotiate. Then the client will send the request again but this time it contains a token in its header metadata. Now the response should be as expected.
This works for me. I hope it helps someone else.
Ramzi
Collected from the Internet
Please contact [email protected] to delete if infringement.
Comments