分享程序员开发的那些事...
更新时间:2023-12-06 08:56:40
我最终找到了解决方案.
I eventually found a solution.
CXF提供了KerberosAuthenticationFilter,但请不要使用CXF 3.0.1 .有一个引发NullPointerException的错误.它已在以下版本中修复(我无法确定是哪个版本).切换到CXF 3.0.8可以解决此问题.
CXF provides KerberosAuthenticationFilter but please do not use CXF 3.0.1. There was a bug raising a NullPointerException. It was fixed in a following version (I could not tell which one). Switching to CXF 3.0.8 fixed the issue.
1)您需要在beans.xml中声明此过滤器:
1) You need to declare this filter in your beans.xml :
<bean id="kerberosFilter" class="org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter">
<property name="loginContextName" value="mycontext"/>
<property name="servicePrincipalName" value="HTTP/serviceprincipal@MYDOMAIN.COM"/>
</bean>
2)并在端点定义中添加引用(仍在beans.xml中):
2) and add a reference in your endpoint definition (still in beans.xml) :
<jaxrs:server address="/">
<jaxrs:serviceBeans>
<ref bean="bean1" />
<ref bean="bean2" />
<ref bean="bean3" />
</jaxrs:serviceBeans>
<jaxrs:providers>
<ref bean="someProvider" />
<ref bean="someExceptionMappper" />
<ref bean="kerberosFilter" />
</jaxrs:providers>
</jaxrs:server>
3)在Tomcat配置路径($ CATALINA_HOME/conf/)中添加JAAS配置文件jaas.conf:
3) Add JAAS configuration file jaas.conf in Tomcat configuration path ($CATALINA_HOME/conf/) :
mycontext {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=true
principal="HTTP/serviceprincipal@MYDOMAIN.COM"
useKeyTab=true
keyTab="/path/to/keytab/HTTP-serviceprincipal.keytab"
debug=true
storeKey=true;
};
4)安装krb5-user并卷曲进行测试:
4) Install krb5-user and curl to test :
$ kinit (to authenticate againt the KDC)
$ klist (to verify)
$ curl --negotiate -u : http://serviceprincipal/rest/someservice
此处,客户端(curl)将向我们受保护的服务器发送请求.服务器将发回包含特定标头的401未经授权状态响应:WWW-Authenticate:Negotiate. 然后,客户端将再次发送请求,但这一次它在其标头元数据中包含一个令牌.现在,响应应该如预期的那样.
Here the client (curl) will send a request to our protected server. The server will send back a 401 Unauthorized Status response containing a specific header : WWW-Authenticate: Negotiate. Then the client will send the request again but this time it contains a token in its header metadata. Now the response should be as expected.
这对我有用.我希望它可以帮助其他人.
This works for me. I hope it helps someone else.
Ramzi