Restful service with CXF and Kerberos authentication

Question

Having a hard time trying to protect an existing CXF JAX-RS service with Kerberos authentication.

I went through what seems to be the reference documentation : http://cxf.apache.org/docs/jaxrs-kerberos.html but it did not help much.

I'm actually trying to configure Tomcat+CXF to reproduce this kind of Apache configuration (which works) :

<Directory /var/www/>
AuthType Kerberos
KrbServiceName HTTP/fqdn@realm
Krb5Keytab /path/to/file.keytab
Require valid-user
</Directory>

jaas.conf and krb5.conf were configured. The KerberosAuthenticationFilter was declared and referenced in CXF configuration as well. But I could not even reach the point where I get a 401 Forbidden status code.

I am stuck. Any help would be very much appreciated.

Answer 1

You have to think about this:

1. Use this this authenticator. Preferably from trunk or for Apache Web Server this.
2. If CXF uses Apache HTTP Client, forget it. The current code is terrible. See HTTPCLIENT-1625.

Answer 2

I eventually found a solution.

CXF provides KerberosAuthenticationFilter but please do not use CXF 3.0.1. There was a bug raising a NullPointerException. It was fixed in a following version (I could not tell which one). Switching to CXF 3.0.8 fixed the issue.

1) You need to declare this filter in your beans.xml :

<bean id="kerberosFilter" class="org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter">
    <property name="loginContextName" value="mycontext"/>
    <property name="servicePrincipalName" value="HTTP/[email protected]"/>
</bean>

2) and add a reference in your endpoint definition (still in beans.xml) :

<jaxrs:server address="/">
    <jaxrs:serviceBeans>
        <ref bean="bean1" />
        <ref bean="bean2" />
        <ref bean="bean3" />
    </jaxrs:serviceBeans>
    <jaxrs:providers>
        <ref bean="someProvider" />
        <ref bean="someExceptionMappper" />
        <ref bean="kerberosFilter" />
    </jaxrs:providers>
</jaxrs:server>

3) Add JAAS configuration file jaas.conf in Tomcat configuration path ($CATALINA_HOME/conf/) :

mycontext {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/[email protected]"
    useKeyTab=true
    keyTab="/path/to/keytab/HTTP-serviceprincipal.keytab"
    debug=true
    storeKey=true;
};

4) Install krb5-user and curl to test :

$ kinit (to authenticate againt the KDC)
$ klist (to verify)
$ curl --negotiate -u : http://serviceprincipal/rest/someservice

Here the client (curl) will send a request to our protected server. The server will send back a 401 Unauthorized Status response containing a specific header : WWW-Authenticate: Negotiate. Then the client will send the request again but this time it contains a token in its header metadata. Now the response should be as expected.

This works for me. I hope it helps someone else.

Ramzi