CXF - How to properly configure SPNEGO with CXF 3.2.6

I'm trying to create a CXF SOAP web service client to make SOAP calls to a Kerberos-authenticated SharePoint instance.

I import the following:

  • org.apache.cxf:cxf-rt-frontend-jaxws:3.2.6
  • org.apache.cxf:cxf-rt-transports-http:3.2.6
  • org.apache.cxf:cxf-rt-transports-http-hc:3.2.6
  • org.apache.cxf:cxf-rt-ws-security:3.2.6

Here is my Java program.

import crawler.common.sharepoint.stubs.lists.Lists;
import crawler.common.sharepoint.stubs.lists.ListsSoap;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.configuration.security.AuthorizationPolicy;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;
import org.apache.cxf.transport.http.asyncclient.AsyncHTTPConduit;
import org.apache.cxf.transport.http.auth.HttpAuthHeader;
import org.apache.cxf.transports.http.configuration.HTTPClientPolicy;
import org.apache.cxf.ws.security.wss4j.KerberosTokenInterceptor; // imported but not used below

import javax.xml.ws.BindingProvider;
import javax.xml.ws.Service;

public class SharepointKerberosTesterClient {

  public static void main(String[] args) {
    // JDK Kerberos settings: realm/KDC configuration, allow GSS-API to obtain
    // credentials through the JAAS login configuration instead of requiring a
    // Subject on the calling thread, and the JAAS login configuration itself.
    System.setProperty("java.security.krb5.conf", "/home/ndipiazza/xxxx/spnego-http-client/krb5.conf");
    System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
    System.setProperty("java.security.auth.login.config", "/home/ndipiazza/xxxx/spnego-http-client/login.conf");

    String endpoint = "http://win-qbfsb933r5p/_vti_bin/Lists.asmx";
    Service service = Service.create(Lists.SERVICE);
    ListsSoap soap = service.getPort(ListsSoap.class);
    BindingProvider bindingProvider = (BindingProvider) soap;

    // Use the HttpComponents-based async conduit (cxf-rt-transports-http-hc)
    // and point the generated port at the SharePoint Lists service.
    bindingProvider.getRequestContext().put(AsyncHTTPConduit.USE_ASYNC, Boolean.TRUE);
    bindingProvider.getRequestContext().put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, endpoint);

    Client client = ClientProxy.getClient(bindingProvider);
    // Raise the StAX child-element limit so large list responses are not rejected.
    client.getEndpoint().put("org.apache.cxf.stax.maxChildElements",
        System.getProperty("org.apache.cxf.stax.maxChildElements") != null
            ? System.getProperty("org.apache.cxf.stax.maxChildElements") : "5000000");
    HTTPConduit http = (HTTPConduit) client.getConduit();

    // Ask the conduit for Negotiate (SPNEGO) authentication; "SharePoint" is the
    // name of the JAAS login entry in login.conf that CXF logs in with.
    AuthorizationPolicy authorization = new AuthorizationPolicy();
    authorization.setAuthorization("SharePoint");
    authorization.setAuthorizationType(HttpAuthHeader.AUTH_TYPE_NEGOTIATE);
    http.setAuthorization(authorization);

    // No chunked transfer encoding; follow redirects.
    HTTPClientPolicy httpClientPolicy = new HTTPClientPolicy();
    httpClientPolicy.setAllowChunking(false);
    httpClientPolicy.setAutoRedirect(true);

    // Disables hostname (CN) verification of the server certificate. It only takes
    // effect if the endpoint were https, and it weakens TLS, so it is a test-only setting.
    TLSClientParameters tlsClientParameters = new TLSClientParameters();
    tlsClientParameters.setDisableCNCheck(true);
    http.setTlsClientParameters(tlsClientParameters);

    http.setClient(httpClientPolicy);

    System.out.println("Size of lists: " + soap.getListCollection().getContent().size());
  }
}

If you take a look at this example, http://cxf.apache.org/docs/jaxrs-kerberos.html#JAXRSKerberos-AuthorizationPolicy, there is a special class, KerberosAuthOutInterceptor, that is able to add the Negotiate Authorization header as required.

But in 3.1.x and 3.2.x versions of CXF that doesn't seem to exist.

Instead there is https://github.com/apache/cxf/blob/master/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoTokenInterceptorProvider.java, which I think I am supposed to use.

But I do not know how to use an interceptor provider. Does anyone know how to use this with the programmatic (non-xml) declaration of CXF?

SharePoint is deployed on IIS, and IIS can definitely do Kerberos authentication. So I doubt it is a SharePoint issue - can you share your insight into why you think so? The way I would debug this is to start your client with the flag -Dsun.security.krb5.debug=true (not positive that will work with the class you are using). But try to snoop the header: the server should be sending WWW-Authenticate. The response provided by the client (which you can view in debug logs on the SharePoint server) should be YII for Kerberos or TlRM for NTLM. So you've got a problem with your Kerberos configuration if it starts with TlRM. You'd probably have to enable connection debugging through IIS to view this information.
