Detelin Yordanov created RAMPART-417:
----------------------------------------

             Summary: Support for transport binding Kerberos v5 authentication
                 Key: RAMPART-417
                 URL: https://issues.apache.org/jira/browse/RAMPART-417
             Project: Rampart
          Issue Type: New Feature
          Components: rampart-core
    Affects Versions: 1.6.2
            Reporter: Detelin Yordanov
             Fix For: 1.7.0


While other web services runtimes (Metro, CXF, WCF) provide some level of 
support for Kerberos authentication, Rampart is lacking such support at the 
moment. There are two basic mechanisms for bringing Kerberos authentication to 
web services:
1. Kerberos authentication over secure transport - transport-level security 
(https) with a Kerberos token attached as a supporting token
2. Kerberos authentication using symmetric binding - the Kerberos session key is 
used for message protection and the Kerberos token for client authentication

My team developed a Rampart extension that provides support for Kerberos 
authentication over secure transport (1) and we are willing to contribute this 
to the community. This support requires Kerberos enhancements released with 
wss4j 1.6.16 and can work with both Java 1.6 and 1.7. We have tested this for 
interoperability with Apache DS and Active Directory Kerberos servers. This 
support can also be used to develop an Axis2 client for a MS .NET web service 
that uses the 
[KerberosOverTransport|http://msdn.microsoft.com/en-us/library/aa751836%28v=vs.110%29.asp] 
security policy - for this an extension in Axis2 to support the 
WS-AddressingIdentity specification is needed, see AXIS2-5659.

I'm attaching a patch with all the necessary changes - it contains two 
integration tests using an embedded Apache DS Kerberos server. The patch 
requires Jetty HTTPS support in the Rampart integration module - this is 
reported as a separate issue, RAMPART-416.

Please note that using this with Java 1.6 requires a 
[KerberosTokenDecoder|http://svn.apache.org/repos/asf/webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/validate/KerberosTokenDecoder.java] 
implementation to be plugged in. A default implementation that uses the Apache DS 
Kerberos API is available in wss4j 2.0, so once Rampart updates to this wss4j 
version, Kerberos authentication support will be available OOTB for Java 1.6. 
Since Rampart is currently built with Java 1.6, the Rampart integration module 
has to include a back-ported version of wss4j's 
[KerberosTokenDecoder|http://svn.apache.org/repos/asf/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/kerberos/KerberosTokenDecoderImpl.java] 
implementation so that the tests can pass. They also pass with Java 1.7 
without this decoder implementation in place.

A new KerberosConfig Rampart configuration extension is available for 
configuring Kerberos-specific settings. It has extensive javadoc, but if needed 
we might add separate documentation that explains how to use it. The 
integration tests demonstrate an end-to-end Kerberos authentication scenario, 
both using Kerberos key table files and using password callback handlers.

We have also tried the Kerberos authentication scenario with the IBM JDK, but 
encountered issues in IBM's JGSS implementation. We have followed up with IBM 
on fixing those, but it might take some time until this works with the IBM JDK. 
Still, we do not expect any changes to be needed in Rampart for this to work.

Any comments or questions on this support are welcome. I will try to provide a 
patch for Rampart 1.6 as well, if you think it is valuable to have this support 
there as well.
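Mechanism (1) above, expressed as a standard WS-SecurityPolicy 1.2 policy: HTTPS supplies confidentiality and integrity, and the GSS-wrapped Kerberos AP-REQ rides in the WS-Security header as a supporting token that the service validates against its own principal. This is an added illustration, not code from the attached patch; the use of sp:SupportingTokens (rather than an endorsing variant), the Basic128 suite and IncludeToken="Once" are assumptions, since the issue does not state which variant the contribution implements, and the Rampart-specific KerberosConfig element is omitted because its syntax is not given here.

```xml
<wsp:Policy wsu:Id="KerberosOverTransportPolicy"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsp:ExactlyOne>
    <wsp:All>
      <!-- Transport binding: protection comes from the TLS channel, so no
           message-level signature or encryption is required by this policy. -->
      <sp:TransportBinding>
        <wsp:Policy>
          <sp:TransportToken>
            <wsp:Policy>
              <sp:HttpsToken>
                <wsp:Policy/>
              </sp:HttpsToken>
            </wsp:Policy>
          </sp:TransportToken>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic128/>   <!-- assumed suite; any WS-SP suite would do here -->
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy>
              <sp:Lax/>
            </wsp:Policy>
          </sp:Layout>
          <sp:IncludeTimestamp/>   <!-- lets the service reject replayed messages -->
        </wsp:Policy>
      </sp:TransportBinding>
      <!-- Supporting token: the client attaches a Kerberos v5 AP-REQ (GSS-API
           framing, per WS-Security Kerberos Token Profile 1.1). The service
           decodes it with its keytab or password callback and takes the client
           principal from the ticket. "Once" is assumed: sent on the first
           message of the exchange and referenced afterwards. -->
      <sp:SupportingTokens>
        <wsp:Policy>
          <sp:KerberosToken
              sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Once">
            <wsp:Policy>
              <sp:WssGssKerberosV5ApReqToken11/>
            </wsp:Policy>
          </sp:KerberosToken>
        </wsp:Policy>
      </sp:SupportingTokens>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
```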

--
This message was sent by Atlassian JIRA
(v6.2#6252)