WS-Security with Kerberos tokens? (Albert Lunde)

Thomas Maslen Thomas.Maslen at software.dell.com
Thu Jul 18 14:52:18 EDT 2013


Albert Lunde <atlunde at panix.com> wrote:

> I am looking for information about implementations of Kerberos tokens
> for WS-Security.

i.e. the "WS-Security Kerberos Token Profile" (along with all the related
WS-* specs)?  Since you mentioned WS-Security I assume that's what
you meant, but note that there are also some cases (including, I think,
some Microsoft web services) that use Kerberos but don't use the
WS-Security Kerberos Token Profile -- instead they just use "HTTP
Negotiate authentication", i.e. a Kerberos token (usually with SPNEGO
gift-wrapping) in an "Authorization: Negotiate" header of the HTTP request
that transports the web-service call.  Yes, it's pretty cheesy and it's
almost certainly bogus unless you run it over HTTPS, but it's not
unheard-of.


> I am particularly interested in open source implementations, but since
> one of the use cases I am interested in is authenticating WS-Security
> against Active Directory, there might be a mix of licenses involved.
> 
> Apache CXF seems to rely on
> 
> "Apache WSS4J - Web Services Security for Java"
> 
> http://ws.apache.org/wss4j/
> 
> What else is out there?

For Java, also have a look at this stack from Sun/Oracle:

    https://metro.java.net/

I mention this stack because Sun put a lot of effort into making sure that
it interoperates well with Microsoft's WCF stack (in .NET 3.0 and above).

The fact that it supports the WS-Security Kerberos Token Profile doesn't
exactly leap out at one, but it is there, including an example:

    https://metro.java.net/guide/ch12.html#gfzhh

If you decide to try it, my 0.02 is that the (relatively) easy way to start
out is to run Netbeans, which includes a copy of Metro and has sundry
IDE wizardry to generate the appropriate Metro config files for various
WS-Security configurations, including Kerberos.  Once it all works in
Netbeans then, if you prefer, just use Metro directly.



Thomas.Maslen at software.dell.com
[Speaking for myself, not for my employer]
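
An added example, not part of the original post: a server- or proxy-side check that classifies the token in an "Authorization: Negotiate" header (SPNEGO-wrapped, raw Kerberos, or NTLM) and flags the case the reply warns about, a token sent without HTTPS. The function names and sample tokens are constructed for illustration; the two mechanism OIDs are the standard SPNEGO and Kerberos 5 values.

```python
import base64

# DER-encoded mechanism OIDs (tag 0x06, length, body)
SPNEGO_OID = bytes.fromhex("06062b0601050502")      # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # 1.2.840.113554.1.2.2

def _der_length(buf, pos):
    """Return (length, next_pos) for the DER length field at buf[pos]."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("unsupported or truncated DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def classify_negotiate(header_value, over_tls):
    """Classify the token carried by an 'Authorization: Negotiate' value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return {"mechanism": "not-negotiate", "warnings": []}
    warnings = [] if over_tls else ["token sent without TLS"]
    try:
        token = base64.b64decode(b64.strip(), validate=True)
        mech = "unknown"
        if token.startswith(b"NTLMSSP\x00"):
            mech = "ntlm"
            warnings.append("NTLM, not Kerberos")
        elif token[:1] == b"\x60":   # GSS-API InitialContextToken framing
            _, pos = _der_length(token, 1)
            if token.startswith(SPNEGO_OID, pos):
                mech = "spnego"
            elif token.startswith(KRB5_OID, pos):
                mech = "kerberos-raw"
        elif token[:1] == b"\xa1":   # SPNEGO negTokenResp (later leg)
            mech = "spnego-continuation"
    except (ValueError, IndexError):  # bad base64 or truncated DER
        return {"mechanism": "malformed", "warnings": warnings}
    return {"mechanism": mech, "warnings": warnings}

def sample_header(body):
    """Constructed sample: frame body as a short GSS-API token, base64 it."""
    framed = b"\x60" + bytes([len(body)]) + body
    return "Negotiate " + base64.b64encode(framed).decode()

if __name__ == "__main__":
    for body in (SPNEGO_OID + b"\xa0\x00", KRB5_OID + b"\x01\x00"):
        print(classify_negotiate(sample_header(body), over_tls=False))
```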


