
Kerberos delegation not possible if Authorization given

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.4, 3.1, 3.0.5, 3.1.1, 3.0.6, 3.1.2, 3.1.3
    • Fix Version/s: 3.1.3, 3.0.7
    • Component/s: Transports
    • Labels:
      None
    • Estimated Complexity:
      Unknown

      Description

      Issue discovered while migrating from version 3.0.2 to 3.1.2.

      In the documentation it says that to enable Kerberos you have to give the policy information for Authorization and AuthorizationType:

      <conduit name="{http://example.com/}HelloWorldServicePort.http-conduit"
        xmlns="http://cxf.apache.org/transports/http/configuration">
        <authorization>
           <AuthorizationType>Negotiate</AuthorizationType>
           <Authorization>CXFClient</Authorization>
        </authorization>
      </conduit>
      

      And for delegation it is not necessary to give the Authorization field.
      But if you give a policy with both of them, it will never try to do delegation, resulting in my application not working anymore (browser -> Unix (WildFly) -> Windows 2012 by Kerberos delegation).

      After a look at the source code, it seems the problem is due to a change in version 3.0.4 in the file AbstractSpnegoAuthSupplier.java:

          private byte[] getToken(AuthorizationPolicy authPolicy,
                                  String spn,
                                  Oid oid,
                                  Message message) throws GSSException, LoginException {

              Subject subject = null;
              if (authPolicy != null) {
                  String contextName = authPolicy.getAuthorization();
                  if (contextName == null) {
                      contextName = "";
                  }

                  // Any non-empty Authorization (JAAS context name) makes this condition true,
                  // so a username/password LoginContext is attempted even when delegation is wanted.
                  if (!(StringUtils.isEmpty(authPolicy.getUserName())
                      && StringUtils.isEmpty(contextName) && loginConfig == null)) {
                      CallbackHandler callbackHandler = getUsernamePasswordHandler(
                          authPolicy.getUserName(), authPolicy.getPassword());
                      LoginContext lc = new LoginContext(contextName, null, callbackHandler, loginConfig);
                      lc.login();
                      subject = lc.getSubject();
                  }
              }

              GSSManager manager = GSSManager.getInstance();
      

      If the contextName is not null, it will always try to use getUsernamePasswordHandler, resulting in a LoginException.

      Workaround: not specifying an Authorization.

      Possible fix:

      if (authPolicy != null && !isCredDelegationRequired(message)) {
      

      Do not hesitate to tell me if there is another way to do it.
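As an added illustration (not CXF's own code), the following standalone Java model isolates the branch decision from getToken above: decide304 reproduces the condition shipped in 3.0.4, and decideFixed applies the proposed !isCredDelegationRequired(message) guard. AuthorizationPolicy and Message are replaced by plain parameters (an assumption for this model), and main walks the reporter's conduit configuration alongside the no-Authorization workaround and a non-delegating case, to show that the guard only changes behaviour when delegation is required.

```java
// Added model of the branch in AbstractSpnegoAuthSupplier.getToken; not CXF code.
// The policy fields and the delegation flag are plain parameters (assumption).
public final class SpnegoLoginDecision {

    /** Whether a JAAS LoginContext login is attempted before building the token. */
    enum Decision { JAAS_LOGIN, SKIP_LOGIN }

    static boolean isEmpty(String s) {
        return s == null || s.isEmpty();
    }

    /** Condition as shipped in 3.0.4: any non-empty Authorization forces a JAAS login,
     *  which then fails with a LoginException when no username/password is available. */
    static Decision decide304(String userName, String authorization, boolean hasLoginConfig) {
        String contextName = authorization == null ? "" : authorization;
        boolean login = !(isEmpty(userName) && isEmpty(contextName) && !hasLoginConfig);
        return login ? Decision.JAAS_LOGIN : Decision.SKIP_LOGIN;
    }

    /** Proposed fix: when credential delegation is required, leave the subject null
     *  (skip the JAAS login) so the delegated credential path is taken instead. */
    static Decision decideFixed(String userName, String authorization, boolean hasLoginConfig,
                                boolean credDelegationRequired) {
        if (credDelegationRequired) {
            return Decision.SKIP_LOGIN;
        }
        return decide304(userName, authorization, hasLoginConfig);
    }

    public static void main(String[] args) {
        // Reporter's conduit: AuthorizationType=Negotiate, Authorization=CXFClient, delegation on.
        System.out.println("3.0.4, CXFClient, delegation required : "
            + decide304(null, "CXFClient", false));
        System.out.println("fixed, CXFClient, delegation required : "
            + decideFixed(null, "CXFClient", false, true));
        // Same conduit without delegation: the named JAAS context must still be used.
        System.out.println("fixed, CXFClient, no delegation       : "
            + decideFixed(null, "CXFClient", false, false));
        // Workaround from the report: no Authorization at all.
        System.out.println("3.0.4, no Authorization               : "
            + decide304(null, null, false));
    }
}
```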

            People

            • Assignee: coheigea Colm O hEigeartaigh
            • Reporter: Bonky42 Bernard Chesnoy
            • Votes: 0
            • Watchers: 2