Version 3

    In this "how-to" guide I will go over the steps to make Kerberos authentication work with a simple SOAP-based web service.


    Follow the article "Setup KDC for Kerberos Testing", or get keytabs for the principals from your enterprise Kerberos system.

    Now edit the standalone.xml file in the "standalone/configuration" directory of JBoss EAP and add the following fragments. Make sure you have copied the keytabs and the krb5.conf file to the locations given in the configuration below.

            <property name="" value="/etc/krb5.conf"/>
            <property name="" value="true"/>
            <property name="" value="true"/>
            <property name="" value="false"/>


    The properties above go right after the "<extensions>" element. Then add the following in the "security-domains" configuration:


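        <security-domain name="host" cache-type="default">
            <authentication>
                <login-module code="Kerberos" flag="required">
                    <!-- Take the service key from the keytab; never prompt for a password -->
                    <module-option name="storeKey" value="true"/>
                    <module-option name="useKeyTab" value="true"/>
                    <module-option name="keyTab" value="/path/to/bob.keytab"/>
                    <module-option name="principal" value="bob/"/>
                    <module-option name="doNotPrompt" value="true"/>
                    <!-- Verbose login output, useful while testing -->
                    <module-option name="debug" value="true"/>
                </login-module>
            </authentication>
        </security-domain>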
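
    An added check, not part of the original guide or of the JBoss or Teiid projects: it reads a security-domain fragment like the one above and flags two settings worth reviewing before this setup leaves testing, `debug=true` and a keytab that is accessible beyond its owner. The function names and the sample are constructed for illustration, and the permission test assumes a POSIX file system.

```python
import os
import stat
import xml.etree.ElementTree as ET

# Constructed sample: the security-domain fragment from this page, closed so
# that it parses. "bob/" is truncated on the page and is left as it appears.
SAMPLE = """<security-domain name="host" cache-type="default">
  <authentication>
    <login-module code="Kerberos" flag="required">
      <module-option name="storeKey" value="true"/>
      <module-option name="useKeyTab" value="true"/>
      <module-option name="keyTab" value="/path/to/bob.keytab"/>
      <module-option name="principal" value="bob/"/>
      <module-option name="doNotPrompt" value="true"/>
      <module-option name="debug" value="true"/>
    </login-module>
  </authentication>
</security-domain>"""

def local(tag):
    """Strip an XML namespace so the check also works on a full standalone.xml."""
    return tag.rsplit("}", 1)[-1]

def audit_kerberos_domains(xml_text):
    """Return findings for every login-module with code="Kerberos"."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) != "login-module" or el.get("code") != "Kerberos":
            continue
        opts = {o.get("name"): o.get("value", "") for o in el
                if local(o.tag) == "module-option"}
        if opts.get("debug", "").lower() == "true":
            findings.append("debug=true: verbose Kerberos login output is enabled")
        keytab = opts.get("keyTab")
        if opts.get("useKeyTab", "").lower() == "true" and keytab:
            try:
                mode = stat.S_IMODE(os.stat(keytab).st_mode)
            except OSError:
                findings.append(f"keytab {keytab}: missing or not readable")
                continue
            # A keytab holds the principal's long-term keys; on POSIX only the
            # account running JBoss EAP should have any access to it.
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append(f"keytab {keytab}: mode {mode:o} grants group/other access")
    return findings

if __name__ == "__main__":
    for finding in audit_kerberos_domains(SAMPLE):
        print(finding)
```

    Pass it the text of standalone.xml itself to check every Kerberos login module in one run.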


    Save the file, and start the JBoss EAP server using:


    <jboss-as>/bin/ -c standalone.xml -b


    SOAP Web Service Application

    For a sample web service, take a look at ws-security-examples/KerberosToken

    The two files you want to pay attention to here are ws-security-examples/jbossws-cxf.xml (where you can add Kerberos configuration details) and the WSDL file itself, ws-security-examples/hello-kerberos-security.wsdl, which defines the policy details. I have chosen the most basic one for simplicity. There are other Kerberos examples here…

    Basically, in the above application I took the WSDL file, ran "" on it, then provided the implementation for the service interface. The JBoss Web Services and CXF-specific additional configuration must also be added. You can find other examples in the JBoss WS project's testcases…  This link also shows you how to configure other Kerberos scenarios.



    For testing you can use a tool like SOAP UI, but I have not tried to verify through it. You can also write a Java-based program for it. You will need a JAAS configuration file like:


    Client { required 


    and the following system properties on the java executable.



    In the following articles I will show you how I accessed this service through Teiid.


    A "how to" guide to Kerberos "delegation" based authentication to SOAP Web Service using Teiid

    How to implement Kerberos authentication to a SOAP Web Service using Teiid



    How to implement Kerberos authentication with Teiid over JDBC