How to implement a SOAP Web Service with Kerberos authentication in JBoss EAP

Version 3

    In this "how-to" guide I will go over the steps to make Kerberos authentication work with a simple SOAP based web service.

     

    Follow the article Setup KDC for Kerberos Testing, or obtain keytabs for the principals from your enterprise Kerberos system.


    Now edit the standalone.xml file in the "standalone/configuration" directory of JBoss EAP and add the following fragments. Make sure you have copied the keytabs and the krb5.conf file to the locations named in the configuration below.


        <system-properties>
            <property name="java.security.krb5.conf" value="/etc/krb5.conf"/>
            <property name="sun.security.krb5.debug" value="true"/>
            <property name="java.security.disable.secdomain.option" value="true"/>
            <property name="javax.security.auth.useSubjectCredsOnly" value="false"/>
        </system-properties>
    
    
    
    
    

     

    Place the <system-properties> element above right after the "<extensions>" element, then add the following to the "security-domains" configuration:

     

        <security-domain name="host" cache-type="default">
            <authentication>
                <login-module code="Kerberos" flag="required">
                    <module-option name="storeKey" value="true"/>
                    <module-option name="useKeyTab" value="true"/>
                    <module-option name="keyTab" value="/path/to/bob.keytab"/>
                    <module-option name="principal" value="bob/primary.example.com@EXAMPLE.COM"/>
                    <module-option name="doNotPrompt" value="true"/>
                    <module-option name="debug" value="true"/>
                </login-module>
            </authentication>
        </security-domain>
    
    
    
    
    

     

    Save the file, and start the JBoss EAP server using:

     

    <jboss-as>/bin/standalone.sh -c standalone.xml -b primary.example.com
    
    
    
    
    

     

    SOAP Web Service Application


    For a sample web service take a look at ws-security-examples/KerberosToken


    The two files to pay attention to here are ws-security-examples/jbossws-cxf.xml, where you can add Kerberos configuration details, and the WSDL file itself, ws-security-examples/hello-kerberos-security.wsdl, which defines the policy details. I have chosen the most basic one for simplicity. There are other Kerberos examples here: http://anonsvn.jboss.org/repos/jbossws/stack/cxf/trunk/modules/testsuite/cxf-spring-tests/src/test/java/org/jboss/test/w…


    Basically, in the above application I took the WSDL file, ran "wsconsume.sh" on it, and then provided the implementation for the service interface. The JBoss Web Services and CXF-specific additional configuration must also be added. You can find other examples in the JBoss WS project's test cases: http://anonsvn.jboss.org/repos/jbossws/stack/cxf/trunk/modules/testsuite/cxf-spring-tests/src/test/java/org/jboss/test/w…  This link also shows how to configure other Kerberos scenarios.

     

    Testing


    For testing you can use a tool such as SoapUI, but I have not tried to verify through it. You can also write a Java-based program for it. You will need a JAAS configuration file like:

     

    Client { 
        com.sun.security.auth.module.Krb5LoginModule required 
        useTicketCache=true 
        storeKey=true 
        useKeyTab=true 
        keyTab="/path/to/alice.keytab" 
        doNotPrompt=true 
        debug=true 
        principal="alice@EXAMPLE.COM";  
    };
    
    

     

    and the following system properties on the java executable:

     

    -Djava.security.krb5.conf=/etc/krb5.conf 
    -Djava.security.auth.login.config=/path/to/client.conf 
    -Djavax.security.auth.useSubjectCredsOnly=false 
    -Dsun.security.krb5.debug=true
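
As an added example (not from the original article or the JBoss WS project), the following minimal Java client uses the "Client" JAAS entry above to log in and request a service ticket for the principal configured in the "host" security domain. It confirms that the KDC, keytab and krb5.conf are set up correctly before the WS-Security layer is involved. The class name KerberosTicketCheck is hypothetical; run it with the system properties listed above.

```java
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

// Hypothetical class name; example code, not part of the original article.
public class KerberosTicketCheck {
    // Service principal from the "host" security domain in standalone.xml.
    private static final String SERVICE_PRINCIPAL = "bob/primary.example.com@EXAMPLE.COM";

    public static void main(String[] args) throws Exception {
        // "Client" is the entry name in the JAAS file passed with
        // -Djava.security.auth.login.config; the login uses alice's keytab.
        LoginContext login = new LoginContext("Client");
        login.login();
        Subject subject = login.getSubject();
        System.out.println("Logged in as: " + subject.getPrincipals());

        // The cast selects the PrivilegedExceptionAction overload of doAs.
        byte[] token = Subject.doAs(subject, (PrivilegedExceptionAction<byte[]>) () -> {
            GSSManager manager = GSSManager.getInstance();
            Oid krb5Mech = new Oid("1.2.840.113554.1.2.2");   // Kerberos V5 mechanism
            Oid krb5Name = new Oid("1.2.840.113554.1.2.2.1"); // Kerberos principal name type
            GSSName service = manager.createName(SERVICE_PRINCIPAL, krb5Name);
            // A null credential means "use the default credentials of the current Subject".
            GSSContext ctx = manager.createContext(service, krb5Mech, null,
                    GSSContext.DEFAULT_LIFETIME);
            try {
                ctx.requestMutualAuth(true);
                // Requests a service ticket from the KDC and wraps it in the
                // initial GSS token that a Kerberos-aware client would send.
                return ctx.initSecContext(new byte[0], 0, 0);
            } finally {
                ctx.dispose();
            }
        });

        // Report only the size; the token is a credential and should not be logged.
        System.out.println("Obtained service ticket token: " + token.length + " bytes");
        login.logout();
    }
}
```

If the login or the ticket request fails, the Kerberos debug output enabled by the properties above shows which step was rejected.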
    
    

     

    In the following articles I will show you how I accessed this service through Teiid.

     

    A "how to" guide to Kerberos "delegation" based authentication to SOAP Web Service using Teiid

    How to implement Kerberos authentication to a SOAP Web Service using Teiid

     

    References:

    How to implement Kerberos authentication with Teiid over JDBC

     

    Ramesh..