[ https://issues.apache.org/jira/browse/RAMPART-417?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14276644#comment-14276644 ]

Detelin Yordanov commented on RAMPART-417:
------------------------------------------

Hi Raghu,
  The patch should apply cleanly on Rampart trunk using any svn client, do you 
have issues applying it? The Kerberos authentication support in the patch 
addresses only Kerberos authentication over secure transport (point 1. in the 
description). Kerberos authentication over symmetric binding (as in the wsdl 
you have attached) is not addressed.
Please have a look at the patch - it contains an integration test with two test 
services that use Kerberos authentication over transport binding. The patch 
consists of the following pieces:

1. Extension to Rampart's policy builders to handle KerberosToken assertion
2. A new KerberosConfig configuration assertion (extension to RampartConfig 
assertion) that hosts Kerberos-specific settings
3. Modification of Rampart's TransportBindingBuilder to handle Kerberos 
supporting tokens - this would read Kerberos configuration, obtain a Kerberos 
token using WSS4J's KerberosSecurity API and generate a signature using the 
secret key found in the token
4. Unit/integration tests

Regarding documentation - what is the format of the documentation that you 
expect? Could you point me to similar documentation so that I can get an idea?

Thanks,
   Detelin

> Support for transport binding Kerberos v5 authentication
> --------------------------------------------------------
>
>                 Key: RAMPART-417
>                 URL: https://issues.apache.org/jira/browse/RAMPART-417
>             Project: Rampart
>          Issue Type: New Feature
>          Components: rampart-core
>    Affects Versions: 1.6.2
>            Reporter: Detelin Yordanov
>            Assignee: Andreas Veithen
>             Fix For: 1.7.0
>
>         Attachments: ImportService.wsdl, rampart_kerberos.patch
>
>
> While other web services runtimes (Metro, CXF, WCF) provide some level of 
> support for Kerberos authentication, Rampart is lacking such at the moment. 
> There are two basic mechanisms for bringing Kerberos authentication to web 
> services:
> 1. Kerberos authentication over secure transport - transport-level security 
> (https) with Kerberos token attached as supporting token
> 2. Kerberos authentication using symmetric binding - Kerberos session key is 
> used for message protection and Kerberos token - for client authentication
> My team developed a Rampart extension that provides support for Kerberos 
> authentication over secure transport (1) and we are willing to contribute 
> this to the community. This support requires Kerberos enhancements released 
> with wss4j 1.6.16 and can work with both Java 1.6 and 1.7. We have tested 
> this for interoperability with Apache DS and Active Directory Kerberos 
> servers. This support can also be used to develop an Axis2 client for a MS 
> .NET web service that uses 
> [KerberosOverTransport|http://msdn.microsoft.com/en-us/library/aa751836%28v=vs.110%29.asp]
>  security policy - for this an extension in Axis2 to support 
> WS-AddressingIdentity specification is needed, see AXIS2-5659.
> I'm attaching a patch with all the necessary changes - it contains two 
> integration tests using an embedded Apache DS Kerberos server. The patch 
> requires Jetty HTTPS support in Rampart integration module - this is reported 
> as a separate issue - RAMPART-416.
> Please note that using this with Java 1.6 requires a 
> [KerberosTokenDecoder|http://svn.apache.org/repos/asf/webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/validate/KerberosTokenDecoder.java]
>  implementation to be plugged in. A default implementation that uses Apache 
> DS Kerberos API is available in wss4j 2.0, so once Rampart updates to this 
> wss4j version, Kerberos authentication support will be available OOTB for 
> Java 1.6. Since Rampart is currently built with Java 1.6, Rampart integration 
> module has to include a back-ported version of wss4j's 
> [KerberosTokenDecoder|http://svn.apache.org/repos/asf/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/kerberos/KerberosTokenDecoderImpl.java]
>  implementation so that the tests could pass. They are also passing with Java 
> 1.7 without this decoder implementation in place.
> A new KerberosConfig Rampart configuration extension is available for 
> configuring Kerberos-specific settings. It has extensive javadoc, but if 
> needed we might add a separate documentation that explains how to use it. The 
> integration tests demonstrate end-to-end Kerberos authentication scenario 
> both using Kerberos key table files and Password callback handlers.
> We have also tried the Kerberos authentication scenario with IBM JDK, but 
> encountered issues in IBM's JGSS implementation. We have followed up with IBM 
> on fixing those, but it might take some time till this works with IBM JDK. 
> Still, we do not expect any changes to be needed in Rampart for this to work.
> Any comments or questions on this support are welcome. I will try to provide 
> a patch for Rampart 1.6 as well, if you think it is valuable to have this 
> support there as well.
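The mechanism that piece 3 of the comment describes (obtain a Kerberos token through WSS4J's KerberosSecurity API, then sign the message with the session key found in the token) can be shown outside Rampart. The class below is an added example, not code from the RAMPART-417 patch or from the Rampart or WSS4J projects. It assumes a JAAS login context named "KerberosClient" (supplied by the caller through java.security.auth.login.config), a service principal "ws/server.example.org@EXAMPLE.ORG", a reachable KDC, and the WSS4J 1.6.x method names as recalled here rather than as quoted on this page; the SOAP envelope is constructed for the example.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.crypto.SecretKey;
import javax.xml.crypto.dsig.SignatureMethod;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.message.WSSecHeader;
import org.apache.ws.security.message.WSSecSignature;
import org.apache.ws.security.message.token.KerberosSecurity;
import org.apache.ws.security.util.WSSecurityUtil;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

// Added example: a Kerberos supporting token over transport binding, built with
// the WSS4J 1.6.x API as recalled here (not code from the RAMPART-417 patch).
public class KerberosSupportingTokenExample {

    // Constructed sample request; in Rampart the envelope comes from the MessageContext.
    private static final String SOAP =
        "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">"
      + "<soapenv:Header/><soapenv:Body><ping xmlns=\"urn:example\">hello</ping>"
      + "</soapenv:Body></soapenv:Envelope>";

    /**
     * Attaches a Kerberos AP-REQ as a wsse:BinarySecurityToken and signs the Body
     * with an HMAC keyed by the Kerberos session key. Transport security (HTTPS)
     * is assumed to protect the message itself, as in the issue's mechanism 1.
     */
    public static Document attachKerberosToken(Document doc, String jaasContext,
                                               String servicePrincipal) throws WSSecurityException {
        WSSecHeader secHeader = new WSSecHeader();
        secHeader.insertSecurityHeader(doc);

        // Step 1: JAAS login plus GSS-API yield an AP-REQ for the service principal.
        // WSS4J wraps the ticket as a BinarySecurityToken and keeps the session key.
        KerberosSecurity token = new KerberosSecurity(doc);
        token.retrieveServiceTicket(jaasContext, null, servicePrincipal);
        token.setID("KerberosToken-" + Integer.toHexString(token.hashCode()));

        // Step 2: sign the Body with the session key; the KeyInfo references the
        // token by its wsu:Id so the service can tie signature to ticket.
        WSSecSignature sign = new WSSecSignature();
        sign.setSignatureAlgorithm(SignatureMethod.HMAC_SHA1);
        sign.setKeyIdentifierType(WSConstants.CUSTOM_SYMMETRIC_KEY_REFERENCE);
        sign.setCustomTokenValueType(WSConstants.WSS_GSS_KRB_V5_AP_REQ);
        sign.setCustomTokenId(token.getID());
        SecretKey sessionKey = token.getSecretKey();
        sign.setSecretKey(sessionKey.getEncoded());
        // No Crypto instance is needed: the key is symmetric and comes from the ticket.
        // build() signs the Body by default and prepends ds:Signature to the header.
        sign.build(doc, null, secHeader);

        // Step 3: the token must precede the Signature so the receiver can resolve
        // the reference while parsing the header in order.
        WSSecurityUtil.prependChildElement(secHeader.getSecurityHeader(), token.getElement());
        return doc;
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(SOAP)));
        // Assumed JAAS context name and service principal; adjust to the local realm.
        attachKerberosToken(doc, "KerberosClient", "ws/server.example.org@EXAMPLE.ORG");
        StringWriter out = new StringWriter();
        TransformerFactory.newInstance().newTransformer()
            .transform(new DOMSource(doc), new StreamResult(out));
        System.out.println(out);
    }
}
```

Two points worth keeping in mind when reading this against the patch: the HMAC over the Body only proves that the sender holds the session key from the ticket, so confidentiality and server authentication still rest on the HTTPS transport, which is why the comment stresses that the patch covers transport binding only and not the symmetric binding case. On the receiving side the service has to decrypt the AP-REQ with its own keytab to recover the same session key before it can verify the HMAC; as the issue description notes, on Java 1.6 that step needs a KerberosTokenDecoder implementation plugged into WSS4J.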



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
