Hi,

Though I'm not an expert in this area, I found something related that should be helpful for you. Take a look at the related blogs [1] and [2], and also the system test about it at [3]; those should be a good start for you.

[1] http://coheigea.blogspot.com/2011/10/using-kerberos-with-web-services-part-i.html
[2] http://coheigea.blogspot.com/2011/10/using-kerberos-with-web-services-part.html
[3] https://svn.apache.org/repos/asf/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/kerberos/KerberosTokenTest.java

Freeman
On 2012-4-17, at 9:32 PM, Henk-Jan wrote:

First, I want to apologize for my lack of experience with java (including spring, spring-security, cxf, etc). I might also be asking this question in the wrong place, but I'm happy with all the help I can get. I posted this same question at the spring forum, if they come up with a solution I'll follow up with the conclusion.

I want to create the following situation: A user accesses a website hosted by IIS. From IIS, a WCF service is called, which will call a web service developed using CXF. This service will forward the request to a WebSphere Enterprise Service Bus, which will forward the message to a WebSphere Process Server.

IIS (Windows) -> WCF web service (.NET) -> CXF web service (Java) -> WESB -> WPS

The WebSphere Process Server should be able to identify the user using a Kerberos token. Therefore, the Kerberos token should be propagated throughout the whole chain.

As I have no control over the ESB, I started out with the following scenario:

[1] IIS -> [2] WCF webservice -> [3] CXF webservice -> [4] CXF webservice

The user credentials are propagated from [1] -> [2] -> [3]. However, I’m unable to call [4], the exception is “Access is denied (user is anonymous)”.

In the CXF service [3], I have a KerberosServiceRequestToken, which contains a valid token (e.g. getToken() returns a binary array). However, I have no clue how to invoke the next service using this information (should I create a new LoginContext somehow?).

Another problem is the way the Kerberos token is exchanged. Currently, the token is transmitted over the transport layer (e.g. as an HTTP header as part of the Negotiation Challenge). WPS expects the Kerberos token to be contained within the SOAP header. Using WCF, this is straightforward to implement. However, I haven’t been able to configure CXF to correctly process the SOAP header. Does anybody know if this is even possible?

Thanks in advance,
Henk-Jan.

--
View this message in context: 
http://cxf.547215.n5.nabble.com/Kerberos-and-credential-propagation-tp5646577p5646577.html
Sent from the cxf-user mailing list archive at Nabble.com.

---------------------------------------------
Freeman Fang

FuseSource
Email:[email protected]
Web: fusesource.com
Twitter: freemanfang
Blog: http://freemanfang.blogspot.com
http://blog.sina.com.cn/u/1473905042
weibo: http://weibo.com/u/1473905042
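
The two token placements described in the question, transport-level (HTTP Negotiate header) versus message-level (WS-Security SOAP header), as an added example that is not part of the original thread and is not CXF's own code. It assumes the WS-Security Kerberos Token Profile 1.1 `BinarySecurityToken` form with the GSS-wrapped AP-REQ value type; the class name is hypothetical and the token bytes are a constructed placeholder, not a real ticket.

```java
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.*;

public class KerberosTokenPlacement { // hypothetical name, for illustration only
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";
    static final String AP_REQ = "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ";

    // Transport layer: the token travels outside the SOAP message, in an HTTP header.
    static String httpHeader(byte[] token) {
        return "Authorization: Negotiate " + Base64.getEncoder().encodeToString(token);
    }
    // Message layer: the token is a wsse:BinarySecurityToken inside the SOAP header.
    static Document soapEnvelope(byte[] token) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        Document d = f.newDocumentBuilder().newDocument();
        Element env = (Element) d.appendChild(d.createElementNS(SOAP, "soap:Envelope"));
        Element hdr = (Element) env.appendChild(d.createElementNS(SOAP, "soap:Header"));
        Element sec = (Element) hdr.appendChild(d.createElementNS(WSSE, "wsse:Security"));
        Element bst = (Element) sec.appendChild(d.createElementNS(WSSE, "wsse:BinarySecurityToken"));
        bst.setAttribute("ValueType", AP_REQ);
        bst.setAttribute("EncodingType", B64);
        bst.setTextContent(Base64.getEncoder().encodeToString(token));
        env.appendChild(d.createElementNS(SOAP, "soap:Body"));
        return d;
    }
    // Receiving side: accept only a token that declares the expected Kerberos value type.
    static byte[] extractToken(Document d) {
        Element bst = (Element) d.getElementsByTagNameNS(WSSE, "BinarySecurityToken").item(0);
        if (bst == null || !AP_REQ.equals(bst.getAttribute("ValueType")))
            throw new IllegalArgumentException("no Kerberos AP-REQ token in SOAP header");
        return Base64.getDecoder().decode(bst.getTextContent().trim());
    }
    public static void main(String[] args) throws Exception {
        // Constructed placeholder bytes standing in for a GSS-wrapped AP-REQ.
        byte[] token = "CONSTRUCTED-AP-REQ-BYTES".getBytes(StandardCharsets.US_ASCII);
        Document d = soapEnvelope(token);
        StringWriter w = new StringWriter();
        TransformerFactory.newInstance().newTransformer().transform(new DOMSource(d), new StreamResult(w));
        System.out.println(httpHeader(token) + "\n" + w);
        System.out.println("round trip ok: " + java.util.Arrays.equals(token, extractToken(d)));
    }
}
```

A Kerberos service ticket is bound to the principal of the service it was requested for, so the bytes placed in either location must come from a ticket issued for the receiving hop.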









