小贝子编程

CXF - 如何使用 CXF 3.2.6 正确配置 Spnego



我正在尝试创建一个CXF soap Web服务客户端,以使用经过Kerberos身份验证的SharePoint实例进行肥皂调用。

我导入以下内容:

  • org.apache.cxf:cxf-rt-frontend-jaxws:3.2.6
  • org.apache.cxf:cxf-rt-transports-http:3.2.6
  • org.apache.cxf:cxf-rt-transports-http-hc:3.2.6
  • org.apache.cxf:cxf-rt-ws-security:3.2.6

这是我的Java程序。

import crawler.common.sharepoint.stubs.lists.Lists;
import crawler.common.sharepoint.stubs.lists.ListsSoap;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.configuration.security.AuthorizationPolicy;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;
import org.apache.cxf.transport.http.asyncclient.AsyncHTTPConduit;
import org.apache.cxf.transport.http.auth.HttpAuthHeader;
import org.apache.cxf.transports.http.configuration.HTTPClientPolicy;
import org.apache.cxf.ws.security.wss4j.KerberosTokenInterceptor;
import javax.xml.ws.BindingProvider;
import javax.xml.ws.Service;
public class SharepointKerberosTesterClient {
public static void main(String[] args) {
System.setProperty("java.security.krb5.conf", "/home/ndipiazza/xxxx/spnego-http-client/krb5.conf");
System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
System.setProperty("java.security.auth.login.config", "/home/ndipiazza/xxxx/spnego-http-client/login.conf");
String endpoint = "http://win-qbfsb933r5p/_vti_bin/Lists.asmx";
Service service = Service.create(Lists.SERVICE);
ListsSoap soap = service.getPort(ListsSoap.class);
BindingProvider bindingProvider = (BindingProvider) soap;
bindingProvider.getRequestContext().put(AsyncHTTPConduit.USE_ASYNC,
Boolean.TRUE);
bindingProvider.getRequestContext().put(
BindingProvider.ENDPOINT_ADDRESS_PROPERTY, endpoint);
Client client = ClientProxy.getClient(bindingProvider);
client.getEndpoint().put("org.apache.cxf.stax.maxChildElements", System.getProperty("org.apache.cxf.stax.maxChildElements") != null
? System.getProperty("org.apache.cxf.stax.maxChildElements") : "5000000");
HTTPConduit http = (HTTPConduit) client.getConduit();
AuthorizationPolicy authorization = new AuthorizationPolicy();
authorization.setAuthorization("SharePoint");
authorization.setAuthorizationType(HttpAuthHeader.AUTH_TYPE_NEGOTIATE);
http.setAuthorization(authorization);
HTTPClientPolicy httpClientPolicy = new HTTPClientPolicy();
httpClientPolicy.setAllowChunking(false);
httpClientPolicy.setAutoRedirect(true);
TLSClientParameters tlsClientParameters = new TLSClientParameters();
tlsClientParameters.setDisableCNCheck(true);
http.setTlsClientParameters(tlsClientParameters);
http.setClient(httpClientPolicy);
System.out.println("Size of lists: " + soap.getListCollection().getContent().size());
}
}

如果您看一下此示例,http://cxf.apache.org/docs/jaxrs-kerberos.html#JAXRSKerberos-AuthorizationPolicy 有一个特殊的类KerberosAuthOutInterceptor能够根据需要添加协商授权标头。

但是在 CXF 的 3.1.x 和 3.2.x 版本中,这似乎不存在。

相反,我认为我应该使用一种 https://github.com/apache/cxf/blob/master/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoTokenInterceptorProvider.java。

但是我不知道如何使用拦截器提供程序。有谁知道如何将其与 CXF 的编程(非 xml(声明一起使用?

SharePoint部署在 IIS 上,IIS 绝对可以执行 Kerberos 身份验证。所以我怀疑这是一个 SharePoint 问题 - 你能分享你为什么这么认为的见解吗?我调试它的方法是我会用标志-Dsun.security.krb5.debug=true启动你的客户端(不是肯定的,这将适用于你正在使用的类(。但是尝试窥探标头,服务器应该发送 WWW-Authenticate。客户端提供的响应(可以在 SharePoint 服务器上的调试日志中查看(应为 Kerberos 的 YII 或 NTLM 的 TIRM。因此,如果您的 Kerberos 配置以 TIRM 开头,则您的配置存在问题。您可能需要通过 IIS 启用连接调试才能查看此信息。

相关内容

  • 没有找到相关文章

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium