您的位置: 首页  >  技术问答  >  通过CXF和Kerberos身份验证提供宁静的服务

通过CXF和Kerberos身份验证提供宁静的服务

分类: 技术问答 2022-05-18 16:42:26
问题描述:

尝试通过Kerberos身份验证来保护现有的CXF JAX-RS服务非常困难.

Having a hard time trying to protect an existing CXF JAX-RS service with Kerberos authentication.

我仔细阅读了似乎是参考文档的内容: http://cxf.apache .org/docs/jaxrs-kerberos.html ,但并没有太大帮助.

I went through what seems to be the reference documentation : http://cxf.apache.org/docs/jaxrs-kerberos.html but it did not help much.

我实际上是在尝试配置Tomcat + CXF来重现这种Apache配置(有效):

I'm actually trying to configure Tomcat+CXF to reproduce this kind of Apache configuration (which works) :

<Directory /var/www/>
AuthType Kerberos
KrbServiceName HTTP/fqdn@realm
Krb5Keytab /path/to/file.keytab
Require valid-user
</Directory>

已配置

jaas.conf krb5.conf . KerberosAuthenticationFilter 也已在CXF配置中声明和引用.但是我什至无法获得401禁止状态代码.

jaas.conf and krb5.conf were configured. The KerberosAuthenticationFilter was declared and referenced in CXF configuration as well. But I could not even reach the point where I get a 401 Forbidden status code.

我被困住了.任何帮助将不胜感激.

I am stuck. Any help would be very much appreciated.

我最终找到了解决方案.

I eventually found a solution.

CXF提供了KerberosAuthenticationFilter,但请不要使用CXF 3.0.1 .有一个引发NullPointerException的错误.它已在以下版本中修复(我无法确定是哪个版本).切换到CXF 3.0.8可以解决此问题.

CXF provides KerberosAuthenticationFilter but please do not use CXF 3.0.1. There was a bug raising a NullPointerException. It was fixed in a following version (I could not tell which one). Switching to CXF 3.0.8 fixed the issue.

1)您需要在beans.xml中声明此过滤器:

1) You need to declare this filter in your beans.xml :

<bean id="kerberosFilter" class="org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter">
    <property name="loginContextName" value="mycontext"/>
    <property name="servicePrincipalName" value="HTTP/serviceprincipal@MYDOMAIN.COM"/>
</bean>

2)并在端点定义中添加引用(仍在beans.xml中):

2) and add a reference in your endpoint definition (still in beans.xml) :

<jaxrs:server address="/">
    <jaxrs:serviceBeans>
        <ref bean="bean1" />
        <ref bean="bean2" />
        <ref bean="bean3" />
    </jaxrs:serviceBeans>
    <jaxrs:providers>
        <ref bean="someProvider" />
        <ref bean="someExceptionMappper" />
        <ref bean="kerberosFilter" />
    </jaxrs:providers>
</jaxrs:server>

3)在Tomcat配置路径($ CATALINA_HOME/conf/)中添加JAAS配置文件jaas.conf:

3) Add JAAS configuration file jaas.conf in Tomcat configuration path ($CATALINA_HOME/conf/) :

mycontext {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/serviceprincipal@MYDOMAIN.COM"
    useKeyTab=true
    keyTab="/path/to/keytab/HTTP-serviceprincipal.keytab"
    debug=true
    storeKey=true;
};

4)安装krb5-user并卷曲进行测试:

4) Install krb5-user and curl to test :

$ kinit (to authenticate againt the KDC)
$ klist (to verify)
$ curl --negotiate -u : http://serviceprincipal/rest/someservice

此处,客户端(curl)将向我们受保护的服务器发送请求.服务器将发回包含特定标头的401未经授权状态响应:WWW-Authenticate:Negotiate. 然后,客户端将再次发送请求,但这一次它在其标头元数据中包含一个令牌.现在,响应应该如预期的那样.

Here the client (curl) will send a request to our protected server. The server will send back a 401 Unauthorized Status response containing a specific header : WWW-Authenticate: Negotiate. Then the client will send the request again but this time it contains a token in its header metadata. Now the response should be as expected.

这对我有用.我希望它可以帮助其他人.

This works for me. I hope it helps someone else.

Ramzi

相关推荐