In this "how-to" guide I will go over the steps to make Kerberos authentication work with a simple SOAP based web service.
Follow the article mentioned here, "Setup KDC for Kerberos Testing", or get keytabs for principals based on your enterprise Kerberos system.
Now edit the standalone.xml file in the "standalone/configuration" directory of the JBoss EAP and add the following fragments. Make sure you have copied the keytabs and krb5.conf file to known locations as defined in the configuration below.
<system-properties>
    <property name="java.security.krb5.conf" value="/etc/krb5.conf"/>
    <!-- The JDK's Kerberos debug switch is named sun.security.krb5.debug -->
    <property name="sun.security.krb5.debug" value="true"/>
    <property name="java.security.disable.secdomain.option" value="true"/>
    <property name="javax.security.auth.useSubjectCredsOnly" value="false"/>
</system-properties>
The "<system-properties>" fragment above goes right after the "<extensions>" element. Add the following in the "security-domains" configuration:
<security-domain name="host" cache-type="default">
    <authentication>
        <login-module code="Kerberos" flag="required">
            <module-option name="storeKey" value="true"/>
            <module-option name="useKeyTab" value="true"/>
            <module-option name="keyTab" value="/path/to/bob.keytab"/>
            <module-option name="principal" value="bob/primary.example.com@EXAMPLE.COM"/>
            <module-option name="doNotPrompt" value="true"/>
            <module-option name="debug" value="true"/>
        </login-module>
    </authentication>
</security-domain>
Save the file, and start the JBoss EAP server using:
<jboss-as>/bin/standalone.sh -c standalone.xml -b primary.example.com
SOAP Web Service Application
For a sample web service, take a look at ws-security-examples/KerberosToken
The two files you want to pay attention to here are ws-security-examples/jbossws-cxf.xml (where you can add Kerberos configuration details) and the WSDL file itself, ws-security-examples/hello-kerberos-security.wsdl, which defines the policy details. I have chosen the most basic one for simplicity. There are other Kerberos examples here: http://anonsvn.jboss.org/repos/jbossws/stack/cxf/trunk/modules/testsuite/cxf-spring-tests/src/test/java/org/jboss/test/w…
Basically, in the above application I took the WSDL file, ran "wsconsume.sh" on it, then provided the implementation for the service interface. The JBoss Web Services and CXF-specific additional configuration must also be added. You can find other examples in the JBoss WS project's test cases: http://anonsvn.jboss.org/repos/jbossws/stack/cxf/trunk/modules/testsuite/cxf-spring-tests/src/test/java/org/jboss/test/w… This link also shows you how to configure other Kerberos scenarios.
Testing
For testing you can use a tool like SoapUI, but I have not tried to verify through it. You can write a Java-based program for it. You will need a JAAS configuration file like:
Client {
    com.sun.security.auth.module.Krb5LoginModule required
    useTicketCache=true
    storeKey=true
    useKeyTab=true
    keyTab="/path/to/alice.keytab"
    doNotPrompt=true
    debug=true
    principal="alice@EXAMPLE.COM";
};
and the following system properties on the java executable:
-Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.config=/path/to/client.conf -Djavax.security.auth.useSubjectCredsOnly=false -Dsun.security.krb5.debug=true
In the following articles I will show you how I accessed this service through Teiid.
A "how to" guide to Kerberos "delegation" based authentication to SOAP Web Service using Teiid
How to implement Kerberos authentication to a SOAP Web Service using Teiid
References:
How to implement Kerberos authentication with Teiid over JDBC
Ramesh..