Details
- Bug
- Status: Closed
- Major
- Resolution: Fixed
- 3.0.4, 3.1, 3.0.5, 3.1.1, 3.0.6, 3.1.2, 3.1.3
- None
- Unknown
Description
Issue discovered while migrating from version 3.0.2 to 3.1.2.
The documentation says that to enable Kerberos you have to give the policy information for Authorization and AuthorizationType:

```xml
<conduit name="{http://example.com/}HelloWorldServicePort.http-conduit"
         xmlns="http://cxf.apache.org/transports/http/configuration">
    <authorization>
        <AuthorizationType>Negotiate</AuthorizationType>
        <Authorization>CXFClient</Authorization>
    </authorization>
</conduit>
```
For delegation, it is not necessary to give the Authorization field.
But if you give a policy with both of them, it will never try to do delegation, resulting in my application not working anymore (browser -> unix (WildFly) -> Windows 2012 by Kerberos delegation).
After a look at the source code, it seems the problem is due to a change in version 3.0.4 in the file AbstractSpnegoAuthSupplier.java:

```java
private byte[] getToken(AuthorizationPolicy authPolicy, String spn, Oid oid, Message message)
        throws GSSException, LoginException {
    Subject subject = null;
    if (authPolicy != null) {
        String contextName = authPolicy.getAuthorization();
        if (contextName == null) {
            contextName = "";
        }
        if (!(StringUtils.isEmpty(authPolicy.getUserName())
                && StringUtils.isEmpty(contextName)
                && loginConfig == null)) {
            CallbackHandler callbackHandler = getUsernamePasswordHandler(
                    authPolicy.getUserName(), authPolicy.getPassword());
            LoginContext lc = new LoginContext(contextName, null, callbackHandler, loginConfig);
            lc.login();
            subject = lc.getSubject();
        }
    }
    GSSManager manager = GSSManager.getInstance();
```
If the contextName is not null, it will always try to use getUsernamePasswordHandler, resulting in a LoginException.
Workaround: not specifying an authorization.
Possible fix:

```java
if (authPolicy != null && !isCredDelegationRequired(message)) {
```
Do not hesitate to tell me if there is another way to do it.
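To make the interplay of the three conditions in the quoted snippet explicit, here is a small stand-alone Java model, added here and not part of CXF or of the original report; it evaluates the quoted condition and the proposed one over the configurations the report mentions. The class and method names and the scenario values are assumptions, and it models only the branch, not the GSS token exchange.

```java
// Stand-alone model of the decision in AbstractSpnegoAuthSupplier.getToken (added example,
// not CXF's code). It answers one question per configuration: would a JAAS
// LoginContext login with the username/password callback be attempted?
public class SpnegoLoginDecision {

    // Same null-or-empty semantics as the StringUtils.isEmpty used in the quoted snippet.
    static boolean isEmpty(String s) {
        return s == null || s.isEmpty();
    }

    /** The condition as quoted from 3.0.4+: a null Authorization becomes "". */
    static boolean attemptsLoginCurrent(String userName, String authorization, boolean loginConfigPresent) {
        String contextName = authorization == null ? "" : authorization;
        return !(isEmpty(userName) && isEmpty(contextName) && !loginConfigPresent);
    }

    /** The reporter's proposed condition: never attempt the login when delegation is required. */
    static boolean attemptsLoginProposed(String userName, String authorization,
                                         boolean loginConfigPresent, boolean delegationRequired) {
        return !delegationRequired && attemptsLoginCurrent(userName, authorization, loginConfigPresent);
    }

    public static void main(String[] args) {
        // Constructed scenarios: userName, Authorization, loginConfig present, delegation required
        Object[][] scenarios = {
            {null,    null,        false, true},   // the workaround: no Authorization, delegating
            {null,    "CXFClient", false, true},   // the reported case: Authorization set and delegating
            {null,    "CXFClient", false, false},  // no delegation: the JAAS login is the intended path
            {"alice", null,        false, false},  // explicit user name, no delegation
        };
        System.out.printf("%-8s %-14s %-12s %-11s %-8s %s%n",
                "user", "Authorization", "loginConfig", "delegation", "current", "proposed");
        for (Object[] s : scenarios) {
            String user = (String) s[0];
            String auth = (String) s[1];
            boolean cfg = (Boolean) s[2];
            boolean deleg = (Boolean) s[3];
            System.out.printf("%-8s %-14s %-12b %-11b %-8b %b%n",
                    user, auth, cfg, deleg,
                    attemptsLoginCurrent(user, auth, cfg),
                    attemptsLoginProposed(user, auth, cfg, deleg));
        }
    }
}
```

The second row is the reported configuration: the current condition attempts the JAAS login although no user name or password is configured, while the proposed condition skips it because delegation is required.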