Uploaded image for project: 'Rampart'
  1. Rampart
  2. RAMPART-417

Support for transport binding Kerberos v5 authentication



    • Type: New Feature
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.6.2
    • Fix Version/s: 1.8.0
    • Component/s: rampart-core
    • Labels:


      While other web services runtimes (Metro, CXF, WCF) provide some level of support for Kerberos authentication, Rampart is lacking such at the moment. There are two basic mechanisms for bringing Kerberos authentication to web services:
      1. Kerberos authentication over secure transport - transport-level security (https) with Kerberos token attached as supporting token
      2. Kerberos authentication using symmetric binding - Kerberos session key is used for message protection and Kerberos token - for client authentication

      My team developed a Rampart extension that provides support for Kerberos authentication over secure transport (1) and we are willing to contribute this to the community. This support requires Kerberos enhancements released with wss4j 1.6.16 and can work with both Java 1.6 and 1.7. We have tested this for interoperability with Apache DS and Active Directory Kerberos servers. This support can also be used to develop an Axis2 client for a MS .NET web service that uses KerberosOverTransport security policy - for this an extension in Axis2 to support WS-AddressingIdentity specification is needed, see AXIS2-5659.

      I'm attaching a patch with all the necessary changes - it contains two integration tests using an embedded Apache DS Kerberos server. The patch requires Jetty HTTPS support in Rampart integration module - this is reported as a separate issue - RAMPART-416.

      Please note that using this with Java 1.6 requires a KerberosTokenDecoder implementation to be plugged in. A default implementation that uses Apache DS Kerberos API is available in wss4j 2.0, so once Rampart updates to this wss4j version, Kerberos authentication support will be available OOTB for Java 1.6. Since Rampart is currently built with Java 1.6, Rampart integration module has to include a back-ported version of wss4j's KerberosTokenDecoder implementation so that the tests could pass. They are also passing with Java 1.7 without this decoder implementation in place.

      A new KerberosConfig Rampart configuration extension is available for configuring Kerberos-specific settings. It has extensive javadoc, but if needed we might add a separate documentation that explains how to use it. The integration tests demonstrate end-to-end Kerberos authentication scenario both using Kerberos key table files and Password callback handlers.

      We have also tried the Kerberos authentication scenario with IBM JDK, but encountered issues in IBM's JGSS implementation. We have followed up with IBM on fixing those, but it might take some time till this works with IBM JDK. Still, we do not expect any changes to be needed in Rampart for this to work.

      Any comments or questions on this support are welcome. I will try to provide a patch for Rampart 1.6 as well, if you think it is valuable to have this support there as well.


        1. ImportService.wsdl
          36 kB
          Raghu Kodumuri
        2. rampart_kerberos.patch
          154 kB
          Detelin Yordanov

          Issue Links



              • Assignee:
                veithen Andreas Veithen
                detyo Detelin Yordanov
              • Votes:
                3 Vote for this issue
                6 Start watching this issue


                • Created: