axis-java-dev mailing list archives

From "Detelin Yordanov (JIRA)" <>
Subject [jira] [Commented] (RAMPART-417) Support for transport binding Kerberos v5 authentication
Date Wed, 14 Jan 2015 08:25:34 GMT


Detelin Yordanov commented on RAMPART-417:

Hi Raghu,
  The patch should apply cleanly on Rampart trunk using any svn client, do you have issues applying it? The Kerberos authentication support in the patch addresses only Kerberos authentication over secure transport (point 1. in the description). Kerberos authentication over symmetric binding (as in the wsdl you have attached) is not addressed.
Please have a look at the patch - it contains an integration test with two test services that use Kerberos authentication over transport binding. The patch consists of the following pieces:

1. Extension to Rampart's policy builders to handle KerberosToken assertion
2. A new KerberosConfig configuration assertion (extension to RampartConfig assertion) that hosts Kerberos-specific settings
3. Modification of Rampart's TransportBindingBuilder to handle Kerberos supporting tokens - this would read Kerberos configuration, obtain a Kerberos token using WSS4J's KerberosSecurity API and generate a signature using the secret key found in the token
4. Unit/integration tests

Regarding documentation - what is the format of the documentation that you expect? Could you point me to similar documentation so that I can get an idea?


> Support for transport binding Kerberos v5 authentication
> --------------------------------------------------------
>                 Key: RAMPART-417
>                 URL:
>             Project: Rampart
>          Issue Type: New Feature
>          Components: rampart-core
>    Affects Versions: 1.6.2
>            Reporter: Detelin Yordanov
>            Assignee: Andreas Veithen
>             Fix For: 1.7.0
>         Attachments: ImportService.wsdl, rampart_kerberos.patch
>
> While other web services runtimes (Metro, CXF, WCF) provide some level of support for Kerberos authentication, Rampart is lacking such at the moment. There are two basic mechanisms for bringing Kerberos authentication to web services:
> 1. Kerberos authentication over secure transport - transport-level security (https) with Kerberos token attached as supporting token
> 2. Kerberos authentication using symmetric binding - Kerberos session key is used for message protection and Kerberos token - for client authentication
> My team developed a Rampart extension that provides support for Kerberos authentication over secure transport (1) and we are willing to contribute this to the community. This support requires Kerberos enhancements released with wss4j 1.6.16 and can work with both Java 1.6 and 1.7. We have tested this for interoperability with Apache DS and Active Directory Kerberos servers. This support can also be used to develop an Axis2 client for a MS .NET web service that uses [KerberosOverTransport|] security policy - for this an extension in Axis2 to support WS-AddressingIdentity specification is needed, see AXIS2-5659.
> I'm attaching a patch with all the necessary changes - it contains two integration tests using an embedded Apache DS Kerberos server. The patch requires Jetty HTTPS support in Rampart integration module - this is reported as a separate issue - RAMPART-416.
> Please note that using this with Java 1.6 requires a [KerberosTokenDecoder|] implementation to be plugged in. A default implementation that uses Apache DS Kerberos API is available in wss4j 2.0, so once Rampart updates to this wss4j version, Kerberos authentication support will be available OOTB for Java 1.6. Since Rampart is currently built with Java 1.6, Rampart integration module has to include a back-ported version of wss4j's [KerberosTokenDecoder|] implementation so that the tests could pass. They are also passing with Java 1.7 without this decoder implementation in place.
> A new KerberosConfig Rampart configuration extension is available for configuring Kerberos-specific settings. It has extensive javadoc, but if needed we might add a separate documentation that explains how to use it. The integration tests demonstrate end-to-end Kerberos authentication scenario both using Kerberos key table files and Password callback handlers.
> We have also tried the Kerberos authentication scenario with IBM JDK, but encountered issues in IBM's JGSS implementation. We have followed up with IBM on fixing those, but it might take some time till this works with IBM JDK. Still, we do not expect any changes to be needed in Rampart for this to work.
> Any comments or questions on this support are welcome. I will try to provide a patch for Rampart 1.6 as well, if you think it is valuable to have this support there as well.
