WS-Security with Kerberos tokens? (Albert Lunde)
Thomas Maslen
Thomas.Maslen at software.dell.com
Thu Jul 18 14:52:18 EDT 2013
Albert Lunde <atlunde at panix.com> wrote:
> I am looking for information about implementations of Kerberos tokens
> for WS-Security.
i.e. the "WS-Security Kerberos Token Profile" (along with all the related
WS-* specs)? Since you mentioned WS-Security I assume that's what
you meant, but note that there are also some cases (including, I think,
some Microsoft web services) that use Kerberos but don't use the
WS-Security Kerberos Token Profile -- instead they just use "HTTP
Negotiate authentication", i.e. a Kerberos token (usually with SPNEGO
gift-wrapping) in an "Authorization: Negotiate" header of the HTTP request
that transports the web-service call. Yes, it's pretty cheesy and it's
almost certainly bogus unless you run it over HTTPS, but it's not
unheard-of.
> I am particularly interested in open source implementations, but since
> one of the use cases I am interested in is authenticating WS-Security
> against Active Directory, there might be a mix of licenses involved.
>
> Apache CXF seems to rely on
>
> "Apache WSS4J - Web Services Security for Java"
>
> http://ws.apache.org/wss4j/
>
> What else is out there?
For Java, also have a look at this stack from Sun/Oracle:
https://metro.java.net/
I mention this stack because Sun put a lot of effort into making sure that
it interoperates well with Microsoft's WCF stack (in .NET 3.0 and above).
The fact that it supports the WS-Security Kerberos Token Profile doesn't
exactly leap out at one, but it is there, including an example:
https://metro.java.net/guide/ch12.html#gfzhh
If you decide to try it, my 0.02 is that the (relatively) easy way to start
out is to run NetBeans, which includes a copy of Metro and has sundry
IDE wizardry to generate the appropriate Metro config files for various
WS-Security configurations, including Kerberos. Once it all works in
NetBeans then, if you prefer, just use Metro directly.
Thomas.Maslen at software.dell.com
[Speaking for myself, not for my employer]
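An added example (not from this thread, Metro or WSS4J) that inspects the "Authorization: Negotiate" header described in the reply: it decodes the GSS-API InitialContextToken, reports whether the mechanism OID is SPNEGO or raw Kerberos V5, and flags a token carried over plain HTTP. The OID table, header layout and sample tokens are constructed here for the example.

```python
import base64
# DER-encoded OID contents (no tag/length) for the mechanisms that show up in
# Negotiate tokens; constructed lookup table for this example.
MECH_OIDS = {
    bytes.fromhex("2b0601050502"): "SPNEGO 1.3.6.1.5.5.2",
    bytes.fromhex("2a864886f712010202"): "Kerberos V5 1.2.840.113554.1.2.2",
}

def _der_length(buf, pos):  # returns (length, index just after the length bytes)
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def gss_mechanism(token):
    """Name the mechanism of a GSS-API InitialContextToken (RFC 2743 3.1: [APPLICATION 0] { OID, inner })."""
    if token.startswith(b"NTLMSSP\x00"):  # Windows clients send raw NTLM here on fallback
        return "NTLM (raw NTLMSSP, not Kerberos)"
    if not token or token[0] != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    _, pos = _der_length(token, 1)
    if pos >= len(token) or token[pos] != 0x06:
        raise ValueError("mechanism OID missing")
    oid_len, pos = _der_length(token, pos + 1)
    oid = token[pos:pos + oid_len]
    return MECH_OIDS.get(oid, "unknown mechanism OID " + oid.hex())

def check_negotiate(scheme, authorization):
    """Classify one request's Authorization header: (mechanism, findings)."""
    auth_scheme, _, b64 = authorization.partition(" ")
    if auth_scheme.lower() != "negotiate":
        return None, ["not HTTP Negotiate authentication"]
    mech = gss_mechanism(base64.b64decode(b64.strip(), validate=True))
    findings = []
    if scheme.lower() != "https":
        findings.append("Negotiate token sent over plain HTTP")
    if mech.startswith("NTLM"):
        findings.append("client fell back to NTLM instead of Kerberos")
    return mech, findings

def make_header(oid_hex, inner):
    """Build a constructed Negotiate header wrapping `inner` under the given mechanism OID."""
    oid = bytes.fromhex(oid_hex)
    body = bytes([0x06, len(oid)]) + oid + inner  # short-form DER lengths suffice here
    return "Negotiate " + base64.b64encode(bytes([0x60, len(body)]) + body).decode()

# Constructed sample: SPNEGO-wrapped token on a request that travelled over plain HTTP.
SAMPLE_HEADER = make_header("2b0601050502", b"\xa0\x03\x02\x01\x00")
```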