SharePoint Webservice from Java Webapp using CXF with Kerberos/NTLM authentication


Question

I have a Java EE web application. From the web app I have to consume a SharePoint web service which expects Kerberos/NTLM authentication. How can I achieve this? I am using CXF for consuming the web service, and the web application itself uses Windows Integrated Authentication for authentication.

Recommended answer

Take a look at the SPNEGO protocol; this is what SharePoint (technically IIS) uses for single sign-on authentication. I am not familiar with CXF, but generally most of the web services platforms allow you to supply additional headers with your request. Basically what you need is:

1.  Get authentication token for the sharepoint from user session  

2.  Use JAAS to generate tokens.

Look here http://appliedcrypto.com/spnego/spnego_jaasclient.html and here http://docs.oracle.com/javase/6/docs/technotes/guides/security/jgss/lab/part6.html for more details.

For the case when you want to authenticate browser users to SharePoint: you have to implement the SPNEGO protocol in your web app; for example, you can use this package to do it for you. Most modern app servers support the SPNEGO protocol [JBoss, WebSphere]. After you have implemented the SPNEGO protocol, you can grab the Kerberos token from the 'Authorization' header.

Then you have two options:

  1. In case you run your web-app with the same identity as the SharePoint front-end you can just resend the same token to the sharepoint.

  2. In case you are running as a different identity, you have to use the user's token to go to Active Directory and request a ticket for the SharePoint service on behalf of your user. The account that your web app runs under has to be trusted for delegation in Active Directory.

Also, I am not sure that SharePoint accepts kerberos tokens within SOAP headers, I believe you have to authenticate using HTTP headers.

This question may be helpful to you

If you want to use the single sign-on feature, meaning using the current user's identity, take a look here
