CXF -如何使用CXF 3.2.6正确配置Spnego

Question

我正在尝试创建一个create服务客户端，以便使用一个通过Kerberos身份验证的SharePoint实例进行soap调用。

我进口以下产品：

• Org.apache.cxf:cxf前端-jaxws:3.2.6
• org.apache.cxf:cxf-rt-transports-http:3.2.6
• org.apache.cxf:cxf-rt-transports-http-hc:3.2.6
• Org.apache.cxf:cxf-rt安全性:3.2.6

这是我的java程序。

import crawler.common.sharepoint.stubs.lists.Lists;
import crawler.common.sharepoint.stubs.lists.ListsSoap;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.configuration.security.AuthorizationPolicy;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;
import org.apache.cxf.transport.http.asyncclient.AsyncHTTPConduit;
import org.apache.cxf.transport.http.auth.HttpAuthHeader;
import org.apache.cxf.transports.http.configuration.HTTPClientPolicy;
import org.apache.cxf.ws.security.wss4j.KerberosTokenInterceptor;

import javax.xml.ws.BindingProvider;
import javax.xml.ws.Service;

public class SharepointKerberosTesterClient {

  public static void main(String[] args) {
    System.setProperty("java.security.krb5.conf", "/home/ndipiazza/xxxx/spnego-http-client/krb5.conf");
    System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
    System.setProperty("java.security.auth.login.config", "/home/ndipiazza/xxxx/spnego-http-client/login.conf");

    String endpoint = "http://win-qbfsb933r5p/_vti_bin/Lists.asmx";
    Service service = Service.create(Lists.SERVICE);
    ListsSoap soap = service.getPort(ListsSoap.class);
    BindingProvider bindingProvider = (BindingProvider) soap;

    bindingProvider.getRequestContext().put(AsyncHTTPConduit.USE_ASYNC,
        Boolean.TRUE);
    bindingProvider.getRequestContext().put(
        BindingProvider.ENDPOINT_ADDRESS_PROPERTY, endpoint);

    Client client = ClientProxy.getClient(bindingProvider);
    client.getEndpoint().put("org.apache.cxf.stax.maxChildElements", System.getProperty("org.apache.cxf.stax.maxChildElements") != null
        ? System.getProperty("org.apache.cxf.stax.maxChildElements") : "5000000");
    HTTPConduit http = (HTTPConduit) client.getConduit();

    AuthorizationPolicy authorization = new AuthorizationPolicy();
    authorization.setAuthorization("SharePoint");
    authorization.setAuthorizationType(HttpAuthHeader.AUTH_TYPE_NEGOTIATE);
    http.setAuthorization(authorization);

    HTTPClientPolicy httpClientPolicy = new HTTPClientPolicy();
    httpClientPolicy.setAllowChunking(false);
    httpClientPolicy.setAutoRedirect(true);

    TLSClientParameters tlsClientParameters = new TLSClientParameters();
    tlsClientParameters.setDisableCNCheck(true);

    http.setTlsClientParameters(tlsClientParameters);

    http.setClient(httpClientPolicy);

    System.out.println("Size of lists: " + soap.getListCollection().getContent().size());

  }
}

如果您查看这个示例，http://cxf.apache.org/docs/jaxrs-kerberos.html#JAXRSKerberos-AuthorizationPolicy有一个特殊的类KerberosAuthOutInterceptor，它可以根据需要添加协商授权头。

但在3.1.x和3.2.x版本的CXF似乎并不存在。

相反，我认为我应该使用一个https://github.com/apache/cxf/blob/master/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoTokenInterceptorProvider.java。

但我不知道如何使用拦截器提供程序。有人知道如何在CXF的编程(非xml)声明中使用这一点吗？

Answer 1

SharePoint部署在IIS上，IIS绝对可以进行Kerberos身份验证。因此，我怀疑这是一个SharePoint问题--你能分享一下你为什么这么认为的见解吗？调试这一点的方式是，我将使用标志-Dsun.security.krb5.debug=true启动您的客户机(而不是使用您所使用的类的肯定值)。但是试图窥探头部，服务器应该发送WWW认证。客户端提供的响应(您可以在SharePoint服务器的调试日志中查看)对于Kerberos应该是YII，对于NTLM应该是TIRM。因此，如果您的Kerberos配置以TIRM开头，则会出现问题。您可能必须通过IIS启用连接调试才能查看此信息。