Quantcast
Channel: Apache Timeline
Viewing all articles
Browse latest Browse all 5648

Kerberos Delegation Issue

$
0
0
Using the sample delegation code from the CXF Site:
http://cxf.apache.org/docs/jaxrs-kerberos.html#JAXRSKerberos-CredentialDelegation

I have protected my JAX-RS endpoint with the filter below:

<!-- Apache CXF Kerberos Filter Registration -->
<bean id="kerberosFilter"
class="org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter">
<property name="loginContextName" value="KerberosServer" />
</bean>

And I can confirm that Kerberos is working, a call to
securityContext.getUserPrincipal().getName() returns the Windows username
as passed by the web browser and the authentication scheme is definitely
"negotiate".

However when I try and use the returned SecurityContext to pass onto a
HTTPConduit I find that the SecurityContext is actually a
ThreadLocalSecurityContext object.

Specifically if I do this:
KerberosSecurityContext ksc = (KerberosSecurityContext)securityContext;
GSSCredential cred = ksc.getGSSContext().getDelegCred();

I get the following exception:
org.apache.cxf.jaxrs.impl.tl.ThreadLocalSecurityContext cannot be cast to
org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter$KerberosSecurityContext

The note on that page says that I should get a KerberosSecurityContext
returned instead:
"Note that if you have a JAX-RS KerberosAuthenticationFilter protecting the
endpoints, then the filter will have an org.ietf.jgss.GSSContext instance
available in the current CXF SecurityContext, via its
KerberosAuthenticationFilter$KerberosSecurityContext implementation, which
can be used to get to org.ietf.jgss.GSSCredential if the credential
delegation is supported for a given source principal"

Any ideas?

Thanks in advance.

Viewing all articles
Browse latest Browse all 5648

Trending Articles