  1. WSS4J
  2. WSS-251

Support WSS Kerberos Token Profile

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.6.2
    • Component/s: None
    • Labels:
      None

      Description

      Currently WSS4J does not support the Kerberos token profile.
      In most Windows enterprise environments and in some Unix environments Kerberos is available by default. So it would be nice to have this feature to allow single sign-on for clients to e.g. web services.

      I can post sample code that shows how to create a service ticket on the client and how to validate it on the server. Would this help?

          Activity

          chris@die-schneider.net Christian Schneider added a comment - Forgot the link to the specification: http://www.oasis-open.org/committees/download.php/16788/wss-v1.1-spec-os-KerberosTokenProfile.pdf
          coheigea Colm O hEigeartaigh added a comment -

          Hi Christian,

          Supporting the Kerberos Token Profile seems like a good thing to do for WSS4J 1.6. It shouldn't be too hard to do - there's some support for sending a Kerberos Ticket in a BinarySecurityToken already, but no support for using the key for signature/encryption.

          Colm.

          prabath Prabath Siriwardena added a comment - - edited

          Hi Colm/Christian;

          I have implemented this on top of wss4j 1.5.8 and tested with Rampart 1.5 [with the Kerberos patch] - will provide a patch soon..

          Thanks & regards,
          -Prabath

          chris@die-schneider.net Christian Schneider added a comment -

          Hi Prabath,

          this sounds great. Looking forward to your patch.

          Thanks

          Christian

          coheigea Colm O hEigeartaigh added a comment -

          Hi Prabath,

          Any update on this patch?

          Thanks,

          Colm.

          prabath Prabath Siriwardena added a comment -

          Hi Colm,

          Sorry - got busy with some other stuff - I will provide the patch with test cases within next two weeks for sure...

          Thanks & regards,
          -Prabath

          coheigea Colm O hEigeartaigh added a comment -


          As I've received no patch for this issue, I'm removing the fix-for version to be 1.6.

          pkral Pavel Kral added a comment -

          Is there a real plan to implement this into 1.6.2?

          There are blog series:
          http://thejavamonkey.blogspot.com/2008/09/axis-2-kerberos-web-services-featuring.html

          There is also wss4j-1.5.3-kerb source tree with some TODOs, but code seems to be pretty functional:
          http://wss4j-kerberos.svn.sourceforge.net/viewvc/wss4j-kerberos/

          Maybe I'll try to backport it to 1.5.8 for usage with spring-ws, but imho someone already did this.

          coheigea Colm O hEigeartaigh added a comment -

          Hi Pavel,

          Yes, there will be support in 1.6.2 for the Kerberos Token Profile. I'm not planning to support using the secret key to encrypt/sign data until 1.6.3 though.

          I hadn't seen the 1.5.3 Kerberos port. I've taken a different approach in 1.6.2 - I'm not planning to support this via WS-Handler, although if there is demand for it I will reconsider. On the outbound side there is a new BinarySecurity type (KerberosSecurity) that provides a method to obtain a Kerberos Token. It's up to the user to call this method and deal with the token accordingly. CXF 2.4.2-SNAPSHOT does this, and currently supports the KerberosToken Security Policy as a SupportingToken and SignedSupportingToken.

          Colm.

          coheigea Colm O hEigeartaigh added a comment -

          This is fixed as far as processing a received Kerberos token is concerned. More work remains to be done to support using the Kerberos token to encrypt/sign - I will plan this for 1.6.3.

          Colm.


            People

            • Assignee:
              coheigea Colm O hEigeartaigh
              Reporter:
              chris@die-schneider.net Christian Schneider