[ https://issues.apache.org/jira/browse/RAMPART-417?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Detelin Yordanov updated RAMPART-417:
-------------------------------------

    Attachment: rampart_kerberos.patch

> Support for transport binding Kerberos v5 authentication
> --------------------------------------------------------
>
>                 Key: RAMPART-417
>                 URL: https://issues.apache.org/jira/browse/RAMPART-417
>             Project: Rampart
>          Issue Type: New Feature
>          Components: rampart-core
>    Affects Versions: 1.6.2
>            Reporter: Detelin Yordanov
>             Fix For: 1.7.0
>
>         Attachments: rampart_kerberos.patch
>
>
> While other web services runtimes (Metro, CXF, WCF) provide some level of
> support for Kerberos authentication, Rampart is lacking such at the moment.
> There are two basic mechanisms for bringing Kerberos authentication to web
> services:
>
> 1. Kerberos authentication over secure transport - transport-level security
>    (https) with the Kerberos token attached as a supporting token
> 2. Kerberos authentication using symmetric binding - the Kerberos session key
>    is used for message protection and the Kerberos token for client
>    authentication
>
> My team developed a Rampart extension that provides support for Kerberos
> authentication over secure transport (1) and we are willing to contribute
> this to the community. This support requires the Kerberos enhancements
> released with wss4j 1.6.16 and can work with both Java 1.6 and 1.7. We have
> tested this for interoperability with Apache DS and Active Directory Kerberos
> servers. This support can also be used to develop an Axis2 client for a MS
> .NET web service that uses the
> [KerberosOverTransport|http://msdn.microsoft.com/en-us/library/aa751836%28v=vs.110%29.asp]
> security policy - for this an extension in Axis2 to support the
> WS-AddressingIdentity specification is needed, see AXIS2-5659.
>
> I'm attaching a patch with all the necessary changes - it contains two
> integration tests using an embedded Apache DS Kerberos server. The patch
> requires Jetty HTTPS support in the Rampart integration module - this is
> reported as a separate issue - RAMPART-416.
>
> Please note that using this with Java 1.6 requires a
> [KerberosTokenDecoder|http://svn.apache.org/repos/asf/webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/validate/KerberosTokenDecoder.java]
> implementation to be plugged in. A default implementation that uses the
> Apache DS Kerberos API is available in wss4j 2.0, so once Rampart updates to
> this wss4j version, Kerberos authentication support will be available OOTB
> for Java 1.6. Since Rampart is currently built with Java 1.6, the Rampart
> integration module has to include a back-ported version of wss4j's
> [KerberosTokenDecoder|http://svn.apache.org/repos/asf/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/kerberos/KerberosTokenDecoderImpl.java]
> implementation so that the tests can pass. They are also passing with Java
> 1.7 without this decoder implementation in place.
>
> A new KerberosConfig Rampart configuration extension is available for
> configuring Kerberos-specific settings. It has extensive javadoc, but if
> needed we might add separate documentation that explains how to use it. The
> integration tests demonstrate an end-to-end Kerberos authentication scenario,
> both using Kerberos key table files and password callback handlers.
>
> We have also tried the Kerberos authentication scenario with the IBM JDK, but
> encountered issues in IBM's JGSS implementation. We have followed up with IBM
> on fixing those, but it might take some time till this works with the IBM
> JDK. Still, we do not expect any changes to be needed in Rampart for this to
> work.
>
> Any comments or questions on this support are welcome. I will try to provide
> a patch for Rampart 1.6 as well, if you think it is valuable to have this
> support there as well.
--
This message was sent by Atlassian JIRA
(v6.2#6252)

---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscr...@axis.apache.org
For additional commands, e-mail: java-dev-h...@axis.apache.org