[ https://issues.apache.org/jira/browse/RAMPART-417?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14125073#comment-14125073 ]

Andreas Veithen commented on RAMPART-417:
-----------------------------------------

I'm a bit worried about the invocation of the ktutil command. This will make 
the build less robust. For example, right now the build fails on Mac OS X:

{noformat}
[INFO] --- exec-maven-plugin:1.3.1:exec (generate-client-keytab) @ rampart-integration ---
Downloading: http://repo.maven.apache.org/maven2/org/apache/commons/commons-exec/1.2/commons-exec-1.2.pom
Downloaded: http://repo.maven.apache.org/maven2/org/apache/commons/commons-exec/1.2/commons-exec-1.2.pom (11 KB at 205.2 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/apache/commons/commons-parent/32/commons-parent-32.pom
Downloaded: http://repo.maven.apache.org/maven2/org/apache/commons/commons-parent/32/commons-parent-32.pom (52 KB at 937.2 KB/sec)
Downloading: http://repo.maven.apache.org/maven2/org/apache/commons/commons-exec/1.2/commons-exec-1.2.jar
Downloaded: http://repo.maven.apache.org/maven2/org/apache/commons/commons-exec/1.2/commons-exec-1.2.jar (53 KB at 1033.0 KB/sec)
Usage: ktutil [-hv] [--version] [--help] [--keytab=keytab to operate on]
   [-k keytab to operate on] [--verbose] command
-k keytab to operate on, --keytab=keytab to operate on keytab
-v, --verbose                                          verbose
Usage: ktutil [-hv] [--version] [--help] [--keytab=keytab to operate on]
   [-k keytab to operate on] [--verbose] command
-k keytab to operate on, --keytab=keytab to operate on keytab
-v, --verbose                                          verbose
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary:
[INFO] 
[INFO] Apache Rampart .................................... SUCCESS [  4.803 s]
[INFO] Rampart - Policy .................................. SUCCESS [ 16.745 s]
[INFO] Rampart - Trust ................................... SUCCESS [ 14.373 s]
[INFO] Rampart - Core .................................... SUCCESS [ 10.527 s]
[INFO] Javadoc ........................................... SUCCESS [  0.470 s]
[INFO] Rampart - Test Suite .............................. SUCCESS [  8.489 s]
[INFO] Rampart - Mar ..................................... SUCCESS [  2.714 s]
[INFO] Rampart - Trust-Mar ............................... SUCCESS [  0.880 s]
[INFO] Rampart - Integration ............................. FAILURE [ 30.631 s]
[INFO] Rampart - Samples ................................. SKIPPED
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 01:30 min
[INFO] Finished at: 2014-09-07T23:06:09+00:00
[INFO] Final Memory: 98M/265M
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.codehaus.mojo:exec-maven-plugin:1.3.1:exec (generate-client-keytab) on project rampart-integration: Command execution failed. Process exited with an error: 1 (Exit value: 1) -> [Help 1]
{noformat}

Is there no alternative solution?

> Support for transport binding Kerberos v5 authentication
> --------------------------------------------------------
>
>                 Key: RAMPART-417
>                 URL: https://issues.apache.org/jira/browse/RAMPART-417
>             Project: Rampart
>          Issue Type: New Feature
>          Components: rampart-core
>    Affects Versions: 1.6.2
>            Reporter: Detelin Yordanov
>            Assignee: Andreas Veithen
>             Fix For: 1.7.0
>
>         Attachments: rampart_kerberos.patch
>
>
> While other web services runtimes (Metro, CXF, WCF) provide some level of 
> support for Kerberos authentication, Rampart is lacking such at the moment. 
> There are two basic mechanisms for bringing Kerberos authentication to web 
> services:
> 1. Kerberos authentication over secure transport - transport-level security 
> (https) with Kerberos token attached as supporting token
> 2. Kerberos authentication using symmetric binding - Kerberos session key is 
> used for message protection and Kerberos token - for client authentication
> My team developed a Rampart extension that provides support for Kerberos 
> authentication over secure transport (1) and we are willing to contribute 
> this to the community. This support requires Kerberos enhancements released 
> with wss4j 1.6.16 and can work with both Java 1.6 and 1.7. We have tested 
> this for interoperability with Apache DS and Active Directory Kerberos 
> servers. This support can also be used to develop an Axis2 client for a MS 
> .NET web service that uses 
> [KerberosOverTransport|http://msdn.microsoft.com/en-us/library/aa751836%28v=vs.110%29.asp]
>  security policy - for this an extension in Axis2 to support 
> WS-AddressingIdentity specification is needed, see AXIS2-5659.
> I'm attaching a patch with all the necessary changes - it contains two 
> integration tests using an embedded Apache DS Kerberos server. The patch 
> requires Jetty HTTPS support in Rampart integration module - this is reported 
> as a separate issue - RAMPART-416.
> Please note that using this with Java 1.6 requires a 
> [KerberosTokenDecoder|http://svn.apache.org/repos/asf/webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/validate/KerberosTokenDecoder.java]
>  implementation to be plugged in. A default implementation that uses Apache 
> DS Kerberos API is available in wss4j 2.0, so once Rampart updates to this 
> wss4j version, Kerberos authentication support will be available OOTB for 
> Java 1.6. Since Rampart is currently built with Java 1.6, Rampart integration 
> module has to include a back-ported version of wss4j's 
> [KerberosTokenDecoder|http://svn.apache.org/repos/asf/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/kerberos/KerberosTokenDecoderImpl.java]
>  implementation so that the tests could pass. They are also passing with Java 
> 1.7 without this decoder implementation in place.
> A new KerberosConfig Rampart configuration extension is available for 
> configuring Kerberos-specific settings. It has extensive javadoc, but if 
> needed we might add a separate documentation that explains how to use it. The 
> integration tests demonstrate end-to-end Kerberos authentication scenario 
> both using Kerberos key table files and Password callback handlers.
> We have also tried the Kerberos authentication scenario with IBM JDK, but 
> encountered issues in IBM's JGSS implementation. We have followed up with IBM 
> on fixing those, but it might take some time till this works with IBM JDK. 
> Still, we do not expect any changes to be needed in Rampart for this to work.
> Any comments or questions on this support are welcome. I will try to provide 
> a patch for Rampart 1.6 as well, if you think it is valuable to have this 
> support there as well.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

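Editor's note (added example, not code from the attached patch or from Rampart): the usage text in the log above is what the Heimdal ktutil shipped with Mac OS X prints when it is driven the MIT way, with commands on stdin instead of a subcommand on the command line, so any build step that shells out to ktutil is tied to one Kerberos distribution. One alternative that avoids the external tool entirely is to write the test keytab in-process with the ApacheDS Kerberos classes that the integration tests already pull in for the embedded KDC. The class and method names below are those of the apacheds-kerberos-codec artifact as I know them; check them against the ApacheDS version on the module's classpath. The principal, password and output path are placeholders.

```java
import java.io.File;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

import org.apache.directory.server.kerberos.shared.crypto.encryption.KerberosKeyFactory;
import org.apache.directory.server.kerberos.shared.keytab.Keytab;
import org.apache.directory.server.kerberos.shared.keytab.KeytabEntry;
import org.apache.directory.shared.kerberos.KerberosTime;
import org.apache.directory.shared.kerberos.codec.types.EncryptionType;
import org.apache.directory.shared.kerberos.components.EncryptionKey;

/**
 * Added example: writes a keytab for a test principal in-process, so the
 * build never depends on a native ktutil. The principal/password pair must be
 * the one provisioned in the embedded Apache DS KDC; both sides run the same
 * string-to-key function, so the derived keys agree. Kept to Java 6 APIs
 * because Rampart was built with Java 1.6 at the time.
 */
public class TestKeytabWriter {

    public static File writeKeytab(File keytabFile, String principal, String password)
            throws Exception {
        Keytab keytab = new Keytab();
        List<KeytabEntry> entries = new ArrayList<KeytabEntry>();
        KerberosTime timestamp = new KerberosTime();

        // One entry per encryption type the library derives, so the client can
        // use whichever etype the KDC issues tickets for.
        Map<EncryptionType, EncryptionKey> keys =
                KerberosKeyFactory.getKerberosKeys(principal, password);
        for (Map.Entry<EncryptionType, EncryptionKey> e : keys.entrySet()) {
            EncryptionKey key = e.getValue();
            // principalType 1 = KRB5_NT_PRINCIPAL
            entries.add(new KeytabEntry(principal, 1, timestamp,
                    (byte) key.getKeyVersion(), key));
        }
        keytab.setEntries(entries);

        // A keytab is a long-term secret even for a throwaway test realm:
        // create it empty, restrict it to the owner, then write the keys.
        File dir = keytabFile.getParentFile();
        if (dir != null) {
            dir.mkdirs();
        }
        if (keytabFile.exists() && !keytabFile.delete()) {
            throw new java.io.IOException("cannot replace " + keytabFile);
        }
        keytabFile.createNewFile();
        keytabFile.setReadable(false, false);
        keytabFile.setReadable(true, true);
        keytabFile.setWritable(false, false);
        keytabFile.setWritable(true, true);
        keytab.write(keytabFile);
        return keytabFile;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder values; in the integration module these would come from
        // the test's KDC setup and the file would land under target/.
        File out = writeKeytab(new File("target/test-classes/client.keytab"),
                "alice@EXAMPLE.COM", "secret");

        // Read the file back and check it instead of trusting the write.
        Keytab check = Keytab.read(out);
        List<KeytabEntry> read = check.getEntries();
        if (read.isEmpty()) {
            throw new IllegalStateException("keytab has no entries");
        }
        System.out.println(read.size() + " key(s) for "
                + read.get(0).getPrincipalName() + " in " + out);
    }
}
```

Wiring this into the module as a JUnit `@BeforeClass` step or a small Maven plugin execution keeps the keytab generation inside the JVM that runs the tests, which is what removes the platform dependence; it also keeps the generated file under `target/` where a `mvn clean` removes it rather than leaving a keytab in the source tree.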