axis-java-dev mailing list archives

From "detelin.hadzhiev@softwareag.com (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (RAMPART-417) Support for transport binding Kerberos v5 authentication
Date Fri, 19 Sep 2014 21:27:34 GMT

    [ https://issues.apache.org/jira/browse/RAMPART-417?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14141333#comment-14141333
] 

detelin.hadzhiev@softwareag.com commented on RAMPART-417:
---------------------------------------------------------

I'm currently out of the office and I will return on Tuesday (29 Sep 2014). For urgent cases
please forward your messages to "RnD-wM-OSGi-dev" group.


> Support for transport binding Kerberos v5 authentication
> --------------------------------------------------------
>
>                 Key: RAMPART-417
>                 URL: https://issues.apache.org/jira/browse/RAMPART-417
>             Project: Rampart
>          Issue Type: New Feature
>          Components: rampart-core
>    Affects Versions: 1.6.2
>            Reporter: Detelin Yordanov
>            Assignee: Andreas Veithen
>             Fix For: 1.7.0
>
>         Attachments: rampart_kerberos.patch
>
>
> While other web services runtimes (Metro, CXF, WCF) provide some level of support for
> Kerberos authentication, Rampart is lacking such at the moment. There are two basic mechanisms
> for bringing Kerberos authentication to web services:
> 1. Kerberos authentication over secure transport - transport-level security (https) with
> Kerberos token attached as supporting token
> 2. Kerberos authentication using symmetric binding - Kerberos session key is used for
> message protection and Kerberos token - for client authentication
> My team developed a Rampart extension that provides support for Kerberos authentication
> over secure transport (1) and we are willing to contribute this to the community. This support
> requires Kerberos enhancements released with wss4j 1.6.16 and can work with both Java 1.6
> and 1.7. We have tested this for interoperability with Apache DS and Active Directory Kerberos
> servers. This support can also be used to develop an Axis2 client for a MS .NET web service
> that uses [KerberosOverTransport|http://msdn.microsoft.com/en-us/library/aa751836%28v=vs.110%29.asp]
> security policy - for this an extension in Axis2 to support WS-AddressingIdentity specification
> is needed, see AXIS2-5659.
> I'm attaching a patch with all the necessary changes - it contains two integration tests
> using an embedded Apache DS Kerberos server. The patch requires Jetty HTTPS support in Rampart
> integration module - this is reported as a separate issue - RAMPART-416.
> Please note that using this with Java 1.6 requires a [KerberosTokenDecoder|http://svn.apache.org/repos/asf/webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/validate/KerberosTokenDecoder.java]
> implementation to be plugged in. A default implementation that uses Apache DS Kerberos API
> is available in wss4j 2.0, so once Rampart updates to this wss4j version, Kerberos authentication
> support will be available OOTB for Java 1.6. Since Rampart is currently built with Java 1.6,
> Rampart integration module has to include a back-ported version of wss4j's [KerberosTokenDecoder|http://svn.apache.org/repos/asf/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/kerberos/KerberosTokenDecoderImpl.java]
> implementation so that the tests could pass. They are also passing with Java 1.7 without this
> decoder implementation in place.
> A new KerberosConfig Rampart configuration extension is available for configuring Kerberos-specific
> settings. It has extensive javadoc, but if needed we might add a separate documentation that
> explains how to use it. The integration tests demonstrate end-to-end Kerberos authentication
> scenario both using Kerberos key table files and Password callback handlers.
> We have also tried the Kerberos authentication scenario with IBM JDK, but encountered
> issues in IBM's JGSS implementation. We have followed up with IBM on fixing those, but it
> might take some time till this works with IBM JDK. Still, we do not expect any changes to
> be needed in Rampart for this to work.
> Any comments or questions on this support are welcome. I will try to provide a patch
> for Rampart 1.6 as well, if you think it is valuable to have this support there as well.
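The quoted issue describes mechanism (1), "Kerberos over transport", only in words. The following WS-SecurityPolicy 1.2 assertion is an added illustration of what that shape looks like on the wire: a TransportBinding (HTTPS carries all confidentiality and integrity) plus a Kerberos v5 AP-REQ token as a SupportingToken that the service validates to authenticate the client. It is not taken from the rampart_kerberos.patch attachment or from Rampart's documentation; the policy Id and the choice of GSS-wrapped token profile are assumptions for the example, and no Rampart-specific KerberosConfig element is shown because the issue does not list its settings.

```xml
<!-- Hypothetical policy for "Kerberos over transport" (mechanism 1 above).
     Illustrative only; not the policy shipped with RAMPART-417. -->
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
            xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            wsu:Id="KerberosOverTransportPolicy">  <!-- assumed Id -->
  <wsp:ExactlyOne>
    <wsp:All>
      <!-- All message protection comes from TLS, so the binding is HTTPS only.
           Without this binding the Kerberos token would travel in the clear and
           nothing would bind it to the message body. -->
      <sp:TransportBinding>
        <wsp:Policy>
          <sp:TransportToken>
            <wsp:Policy>
              <sp:HttpsToken>
                <wsp:Policy/>
              </sp:HttpsToken>
            </wsp:Policy>
          </sp:TransportToken>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic256/>
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy>
              <sp:Lax/>
            </wsp:Policy>
          </sp:Layout>
          <!-- A timestamp lets the service reject stale messages -->
          <sp:IncludeTimestamp/>
        </wsp:Policy>
      </sp:TransportBinding>

      <!-- The Kerberos AP-REQ authenticates the client. It is carried to the
           recipient in the wsse:Security header as a BinarySecurityToken and
           validated against the service's key (keytab or password callback). -->
      <sp:SupportingTokens>
        <wsp:Policy>
          <sp:KerberosToken
              sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
            <wsp:Policy>
              <!-- GSS-API wrapped AP-REQ, the form .NET and JGSS clients emit -->
              <sp:WssGssKerberosV5ApReqToken11/>
            </wsp:Policy>
          </sp:KerberosToken>
        </wsp:Policy>
      </sp:SupportingTokens>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
```

Two points the issue text implies are worth checking when deploying such a policy: the service must actually be reached over HTTPS (the policy cannot enforce that if the endpoint is also exposed on plain HTTP), and, as the reporter notes, on Java 1.6 a KerberosTokenDecoder implementation has to be plugged in so the service can decode the AP-REQ and recover the client principal; on Java 1.7 the tests pass without it.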



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


