Using the sample delegation code from the CXF Site:
http://cxf.apache.org/docs/jaxrs-kerberos.html#JAXRSKerberos-CredentialDelegation
I have protected my JAX-RS endpoint with the filter below:
<!-- Apache CXF Kerberos Filter Registration -->
<bean id="kerberosFilter"
      class="org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter">
    <property name="loginContextName" value="KerberosServer" />
</bean>
And I can confirm that Kerberos is working: a call to
securityContext.getUserPrincipal().getName() returns the Windows username
as passed by the web browser, and the authentication scheme is definitely
"negotiate".
However, when I try to use the returned SecurityContext to pass on to an
HTTPConduit, I find that the SecurityContext is actually a
ThreadLocalSecurityContext object.
Specifically if I do this:
KerberosSecurityContext ksc = (KerberosSecurityContext)securityContext;
GSSCredential cred = ksc.getGSSContext().getDelegCred();
I get the following exception:
org.apache.cxf.jaxrs.impl.tl.ThreadLocalSecurityContext cannot be cast to
org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter$KerberosSecurityContext
The note on that page says that I should get a KerberosSecurityContext
returned instead:
"Note that if you have a JAX-RS KerberosAuthenticationFilter protecting the
endpoints, then the filter will have an org.ietf.jgss.GSSContext instance
available in the current CXF SecurityContext, via its
KerberosAuthenticationFilter$KerberosSecurityContext implementation, which
can be used to get to org.ietf.jgss.GSSCredential if the credential
delegation is supported for a given source principal"
Any ideas?
Thanks in advance.
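
The quoted note refers to the CXF SecurityContext (org.apache.cxf.security.SecurityContext), which is a different type from the JAX-RS SecurityContext that gets injected as a thread-local proxy. The sketch below is an added example, not part of the original post or the CXF documentation. It assumes the filter stores its KerberosSecurityContext on the current CXF message under SecurityContext.class, and it assumes the javax.ws.rs namespace. The resource class, path and method names are hypothetical.

```java
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;

import org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter.KerberosSecurityContext;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.PhaseInterceptorChain;
import org.apache.cxf.security.SecurityContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;

// Hypothetical resource used only to illustrate the lookup.
@Path("/delegate")
public class DelegationResource {

    @GET
    public String delegatedPrincipal() throws GSSException {
        // Name of the principal whose credential was delegated to this service.
        return delegatedCredential().getName().toString();
    }

    // Reads the CXF (not JAX-RS) SecurityContext from the current message.
    // Assumption: KerberosAuthenticationFilter put it there during authentication.
    static GSSCredential delegatedCredential() throws GSSException {
        Message message = PhaseInterceptorChain.getCurrentMessage();
        SecurityContext sc =
            (message == null) ? null : message.get(SecurityContext.class);

        // Check the type instead of casting blindly: another filter, or no
        // filter at all, may have populated the context.
        if (!(sc instanceof KerberosSecurityContext)) {
            throw new WebApplicationException(Response.Status.UNAUTHORIZED);
        }

        GSSContext gss = ((KerberosSecurityContext) sc).getGSSContext();

        // Authentication can succeed without delegation. Fail closed so the
        // outbound call never silently runs under the service's own identity.
        if (gss == null || !gss.getCredDelegState()) {
            throw new WebApplicationException(Response.Status.FORBIDDEN);
        }
        return gss.getDelegCred();
    }
}
```

getCredDelegState() is false whenever the client did not forward a ticket, so the FORBIDDEN branch separates "authenticated but not delegated" from an authentication failure.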