In this "how-to" guide I will go over the steps to make Kerberos authentication work with a simple SOAP based web service.

Follow the article mentioned here Setup KDC for Kerberos Testing or get keytabs for Principles based on your enterprise Kerberos system.

Now edit the standalone.xml file in the "standalone/configuration" directory of the JBoss EAP and add the following fragments. Make sure you have copied the keytabs and krb5.conf file to known locations as defined in the below configuration.

    <system-properties>
        <property name="java.security.krb5.conf" value="/etc/krb5.conf"/>
        <property name="java.security.krb5.debug" value="true"/>
        <property name="java.security.disable.secdomain.option" value="true"/>
        <property name="javax.security.auth.useSubjectCredsOnly" value="false"/>
    </system-properties>

right after the "<extensions>" element add the following in the "security-domains" configuration:

    <security-domain name="host" cache-type="default">
        <authentication>
            <login-module code="Kerberos" flag="required">
                <module-option name="storeKey" value="true"/>
                <module-option name="useKeyTab" value="true"/>
                <module-option name="keyTab" value="/path/to/bob.keytab"/>
                <module-option name="principal" value="bob/primary.example.com@EXAMPLE.COM"/>
                <module-option name="doNotPrompt" value="true"/>
                <module-option name="debug" value="true"/>
            </login-module>
        </authentication>
    </security-domain>

Save the file, and start the JBoss EAP  server using:

<jboss-as>/bin/standalone.sh -c standalone.xml -b primary.example.com

SOAP Web Service Application

For a sample web service take a look at ws-security-examples/KerberosToken

The two files you want to pay attention to here are ws-security-examples/jbossws-cxf.xml (where you can add Kerberos configuration details) and the other is the WSDL file itself ws-security-examples/hello-kerberos-security.wsdl

which defines the policy details. I have chosen the most basic one for simplicity. There are other Kerberos examples here http://anonsvn.jboss.org/repos/jbossws/stack/cxf/trunk/modules/testsuite/cxf-spring-tests/src/test/java/org/jboss/test/w…

Basically in the above application I took the WSDL file run "wsconsume.sh" on it, then provided the implementation for the service interface. The JBoss Web Services and cxf specific additional configuration must also be added. You can find other examples from JBoss WS project's testcases http://anonsvn.jboss.org/repos/jbossws/stack/cxf/trunk/modules/testsuite/cxf-spring-tests/src/test/java/org/jboss/test/w…  This link also shows you how to configure for other Kerberos scenarios too.

Testing

For testing you can use SOAP UI kind of tool, but I have not tried to verify through it. You can write java based program for it. You will need a JAAS configuration file like:

Client { 
    com.sun.security.auth.module.Krb5LoginModule required 
    useTicketCache=true 
    storeKey=true 
    useKeyTab=true 
    keyTab="/path/to/alice.keytab" 
    doNotPrompt=true 
    debug=true 
    principal="alice@EXAMPLE.COM";  
};

and following system properties on the java executable.

-Djava.security.krb5.conf=/etc/krb5.conf 
-Djava.security.auth.login.config=/path/to/client.conf 
-Djavax.security.auth.useSubjectCredsOnly=false 
-Dsun.security.krb5.debug=true

In the following articles I will show you how I accessed this service through Teiid.

A "how to" guide to kerberos "delegation" based autentication to SOAP Web Service using Teiid

How to implement Kerberos authentication to a SOAP Web Service using Teiid

References:

How to implement Kerberos authentication with Teiid over JDBC

Ramesh..