Spnego Authentication (Kerberos) - 8.0

Talend ESB Service Developer Guide

Version
8.0
Language
English
Product
Talend Data Fabric
Talend Data Services Platform
Talend ESB
Talend MDM Platform
Talend Open Studio for ESB
Talend Real-Time Big Data Platform
Module
Talend ESB
Talend Runtime
Content
Design and Development
Installation and Upgrade
Last publication date
2023-11-06

CXF supports SPNEGO authentication through the standard AuthorizationPolicy (AuthPolicy) mechanism. SPNEGO is activated by setting the policy's AuthorizationType to 'Negotiate'. If UserName is left blank, single sign-on is used with the ticket-granting ticket (TGT) already present in the ticket cache, for example from the Windows login. If UserName is set, a new LoginContext is established with those credentials and the service ticket is obtained from it. By default the SpnegoAuthSupplier builds the GSS-API token with the SPNEGO OID; some servers require the Kerberos OID instead, which can be selected by setting the contextual property auth.spnego.useKerberosOid to 'true'.

Kerberos config: Make sure that krb5.conf (krb5.ini on Windows) is configured correctly for the Kerberos realm you want to authenticate against (realm name, KDC addresses and domain-to-realm mapping) and supply it to your application by setting the java.security.krb5.conf system property to its path.

Login config: Create a file login.conf and supply it to CXF through the system property java.security.auth.login.config. The file should contain a JAAS section such as:

CXFClient {
   com.sun.security.auth.module.Krb5LoginModule required client=TRUE useTicketCache=true;
};

useTicketCache=true makes Krb5LoginModule take the TGT from the ticket cache (the Windows LSA cache, or the file named by KRB5CCNAME after kinit). If no ticket is cached, the module falls back to prompting for a username and password; add doNotPrompt=true if a missing ticket should fail the login immediately instead.

Sample config: Make sure the Authorization element carries the same name as the section in login.conf (here: CXFClient) and that AuthorizationType is Negotiate.

<!-- HTTP conduit configuration for spnego with single sign on -->
<conduit name="{http://example.com/}HelloWorldServicePort.http-conduit" 
   xmlns="http://cxf.apache.org/transports/http/configuration">
   <authorization>
      <AuthorizationType>Negotiate</AuthorizationType>
      <Authorization>CXFClient</Authorization>
   </authorization>
</conduit>

Add UserName and Password elements inside the authorization element above if you want to log in explicitly; CXF then creates a fresh LoginContext with those credentials. If you want to use the cached ticket-granting ticket, leave both out. Note that a UserName/Password pair in the conduit configuration is a plaintext credential on disk: prefer the cached TGT (or a keytab-based section in login.conf), and keep the conduit on HTTPS so the Negotiate token and the service response are not exposed on the wire. On Windows you also have to allow Java to read the TGT session key from the LSA cache by setting the registry value AllowTgtSessionKey (DWORD 1) under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters; without it the cached TGT cannot be used even though it is present. This is a deliberate relaxation, since it exposes the session key to every process running as that user. See http://www.javaactivedirectory.com/?page_id=93 for more information.

To switch to the Kerberos OID, set the property on the jaxws:client definition (the name and serviceClass attributes of your own client are omitted here):

<!-- Switching to the Kerberos OID instead of the SPNEGO OID -->
<jaxws:client xmlns:jaxws="http://cxf.apache.org/jaxws">
   <jaxws:properties>
      <entry key="auth.spnego.useKerberosOid" value="true"/>
   </jaxws:properties>
</jaxws:client>
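The same configuration can be done in code instead of XML. The following is an added example, not code from the Talend or CXF documentation: it wires the Kerberos and JAAS files, applies the Negotiate policy to the client's HTTP conduit in both single sign-on and explicit-login mode, and sets auth.spnego.useKerberosOid on the request context (the programmatic equivalent of jaxws:properties). The AuthorizationPolicy, HTTPConduit, ClientProxy and BindingProvider calls are the real CXF and JAX-WS APIs; the HelloWorldService/HelloWorld stub, the endpoint URL and the file paths are assumptions for illustration.

```java
import java.util.Map;

import javax.xml.ws.BindingProvider;

import org.apache.cxf.configuration.security.AuthorizationPolicy;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

/**
 * Programmatic SPNEGO setup for a CXF JAX-WS client (added example, not
 * part of the Talend/CXF page). Assumes a generated JAX-WS stub
 * HelloWorldService/HelloWorld and a login.conf section named CXFClient.
 */
public class SpnegoClientConfig {

    /** Must match the section name in login.conf (the <Authorization> element in XML). */
    private static final String JAAS_SECTION = "CXFClient";

    /** Step 1: point the JVM at krb5.conf and login.conf (paths are assumptions). */
    static void configureJvm(String krb5ConfPath, String loginConfPath) {
        System.setProperty("java.security.krb5.conf", krb5ConfPath);
        System.setProperty("java.security.auth.login.config", loginConfPath);
    }

    /** Single sign-on: Negotiate with the cached TGT, no credentials in the policy. */
    static void enableSpnegoSso(Object port) {
        AuthorizationPolicy policy = authorizationPolicyFor(port);
        policy.setAuthorizationType("Negotiate");   // activates the SpnegoAuthSupplier
        policy.setAuthorization(JAAS_SECTION);      // JAAS section to log in through
        // Deliberately no setUserName/setPassword: useTicketCache=true supplies the TGT.
    }

    /**
     * Explicit login: CXF establishes a new LoginContext with these credentials.
     * Only use this when SSO is impossible; the password then lives in memory/config.
     */
    static void enableSpnegoExplicit(Object port, String userName, String password) {
        AuthorizationPolicy policy = authorizationPolicyFor(port);
        policy.setAuthorizationType("Negotiate");
        policy.setAuthorization(JAAS_SECTION);
        policy.setUserName(userName);
        policy.setPassword(password);
    }

    /** Servers that reject the SPNEGO OID: request the plain Kerberos OID instead. */
    static void useKerberosOid(Object port) {
        Map<String, Object> ctx = ((BindingProvider) port).getRequestContext();
        ctx.put("auth.spnego.useKerberosOid", "true");
    }

    /** Fetch (or create) the AuthorizationPolicy on the port's HTTP conduit. */
    private static AuthorizationPolicy authorizationPolicyFor(Object port) {
        Client client = ClientProxy.getClient(port);
        HTTPConduit conduit = (HTTPConduit) client.getConduit();
        AuthorizationPolicy policy = conduit.getAuthorization();
        if (policy == null) {
            policy = new AuthorizationPolicy();
            conduit.setAuthorization(policy);
        }
        return policy;
    }

    public static void main(String[] args) {
        configureJvm("/etc/krb5.conf", "/etc/cxf/login.conf");

        HelloWorldService service = new HelloWorldService();   // assumed generated stub
        HelloWorld port = service.getHelloWorldServicePort();   // assumed generated stub
        // Keep the conduit on HTTPS so the Negotiate token is not sent in the clear.
        ((BindingProvider) port).getRequestContext().put(
            BindingProvider.ENDPOINT_ADDRESS_PROPERTY, "https://example.com/HelloWorldService");

        enableSpnegoSso(port);
        // useKerberosOid(port);   // uncomment for servers that want the Kerberos OID
        System.out.println(port.sayHi("world"));
    }
}
```

The SSO path is the one to use in production: the client process never sees a password, and on Windows it only works once AllowTgtSessionKey is set as described above. The explicit path is equivalent to adding UserName and Password to the conduit XML and carries the same plaintext-credential risk.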