Posted to users@cxf.apache.org by rareddy <ra...@gmail.com> on 2014/10/20 22:27:35 UTC

Kerberos delegation using GssCredential in JAXWS

Hi,

I have read the
http://mail-archives.apache.org/mod_mbox/cxf-users/201207.mbox/%3C029F19A0A3828F409E2F145593359C0E0BE40E@MSEMBox1.corporate.intra%3E
thread with great interest and as it is exactly what I am trying to achieve.
Just the services are different.

I am working in a JBoss EAP environment, I have access to the "GSSCredential"
object, I am ready to do the credential delegation to my SOAP service
which is configured with a policy to accept Kerberos auth. I already
verified that service/auth works when using client configuration as defined
here
http://coheigea.blogspot.com/2011/10/using-kerberos-with-web-services-part.html

I see the class "AbstractSpnegoAuthSupplier", but I am failing to configure
an extended class of this as interceptor such that it provides
"KerberosClient" object. As "KerberosClient" object also needs the
"SecretKey". From what I understand I have to use "KerberosSecurity" class but
do credential negotiation like "AbstractSpnegoAuthSupplier" then build out
an extended KerberosClient instance and supply in the
"ws-security.kerberos.client" property.

Can anybody suggest any easier way or tell if my thinking above is correct
or not?

Thank you very much for your time.

Ramesh..




Re: Kerberos delegation using GssCredential in JAXWS

Posted by Colm O hEigeartaigh <co...@gmail.com>.
Hi Ramesh,

As it happens, I've just written a blog post about kerberos credential
delegation in (the latest versions) of CXF:

http://coheigea.blogspot.ie/2014/10/kerberos-credential-delegation-support.html

The way it works is essentially that the delegated GSSCredential object is
stored during validation, and then set via the property
"ws-security.delegated.credential". This is then used by the KerberosClient
to get a new ticket "on behalf of" this credential. You need to set the
correct boolean parameters to enable delegation though as covered in the
blog post.

Colm.

On Mon, Oct 20, 2014 at 9:27 PM, rareddy <ra...@gmail.com> wrote:

> Hi,
>
> I have read the
>
> http://mail-archives.apache.org/mod_mbox/cxf-users/201207.mbox/%3C029F19A0A3828F409E2F145593359C0E0BE40E@MSEMBox1.corporate.intra%3E
> thread with great interest and as it is exactly what I am trying to
> achieve.
> Just the services are different.
>
> I am working in a JBoss EAP environment, I have access to the "GSSCredential"
> object, I am ready to do the credential delegation to my SOAP service
> which is configured with a policy to accept Kerberos auth. I already
> verified that service/auth works when using client configuration as defined
> here
>
> http://coheigea.blogspot.com/2011/10/using-kerberos-with-web-services-part.html
>
> I see the class "AbstractSpnegoAuthSupplier", but I am failing to configure
> an extended class of this as interceptor such that it provides
> "KerberosClient" object. As "KerberosClient" object also needs the
> "SecretKey". From what I understand I have to use "KerberosSecurity" class but
> do credential negotiation like "AbstractSpnegoAuthSupplier" then build out
> an extended KerberosClient instance and supply in the
> "ws-security.kerberos.client" property.
>
> Can anybody suggest any easier way or tell if my thinking above is correct
> or not?
>
> Thank you very much for your time.
>
> Ramesh..
>
>
>
>

Re: Kerberos delegation using GssCredential in JAXWS

Posted by Colm O hEigeartaigh <co...@apache.org>.
> 1) which CXF and WSS4J versions that I need to look out for this
> functionality?

The latest versions, 3.0.2 + 2.7.13.

> 2) I am confused about how I can inject the "GSSCredential" into message
> context as required by this call
> "message.getContextualProperty(SecurityConstants.DELEGATED_CREDENTIAL)" in
> KerberosClient. I guess what I am asking is how I can get hold of a
> message.
> Should I need to write an interceptor?

Well it depends on where the credential comes from. If you are receiving it
via WS-Security, then this is done automatically for you. Otherwise then
you need to set it on the message.

Colm.

On Tue, Oct 21, 2014 at 6:23 PM, rareddy <ra...@gmail.com> wrote:

> Colm,
>
> Thank you for your reply. Very timely blog for me.
>
> Couple questions:
>
> 1) which CXF and WSS4J versions that I need to look out for this
> functionality?
> 2) I am confused about how I can inject the "GSSCredential" into message
> context as required by this call
> "message.getContextualProperty(SecurityConstants.DELEGATED_CREDENTIAL)" in
> KerberosClient. I guess what I am asking is how I can get hold of a
> message.
> Should I need to write an interceptor?
>
> Thanks
>
> Ramesh..
>
>
>
>
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
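
Where the credential does not arrive via WS-Security, "set it on the message" can be done from the JAX-WS client without writing an interceptor, because entries in the proxy's request context are visible to CXF as contextual message properties. The following is an added example, not code from this thread or from the CXF project; the class name, the `serviceName` parameter and the `setUseDelegatedCredential` setter name are assumptions to verify against the CXF version in use.

```java
import java.util.Map;
import javax.xml.ws.BindingProvider;
import org.apache.cxf.ws.security.kerberos.KerberosClient;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;

/** Added example: hands an already-delegated GSSCredential to a CXF JAX-WS client. */
public final class DelegatedCredentialClientSetup {

    // Property names exactly as quoted in the thread.
    private static final String DELEGATED_CREDENTIAL = "ws-security.delegated.credential";
    private static final String KERBEROS_CLIENT = "ws-security.kerberos.client";

    private DelegatedCredentialClientSetup() { }

    /**
     * @param port        JAX-WS proxy for the Kerberos-protected SOAP service
     * @param delegated   credential delegated by the caller (for example, from the container)
     * @param serviceName Kerberos service principal of the target (placeholder, caller-supplied)
     */
    public static void configure(Object port, GSSCredential delegated, String serviceName)
            throws GSSException {
        if (delegated == null) {
            throw new IllegalArgumentException("no delegated credential available");
        }
        // Fail early instead of letting the ticket request fail mid-invocation.
        if (delegated.getRemainingLifetime() <= 0) {
            throw new IllegalStateException("delegated credential has expired");
        }

        BindingProvider bp = (BindingProvider) port;
        // A shared proxy has one request context by default; make it per-thread so one
        // caller's credential is never used for another caller's request.
        bp.getRequestContext().put("thread.local.request.context", "true");
        Map<String, Object> ctx = bp.getRequestContext(); // now the thread-local view

        KerberosClient client = new KerberosClient();
        client.setServiceName(serviceName);
        // Assumption: setter name as recalled for CXF 3.0.2; verify against your version.
        client.setUseDelegatedCredential(true);

        ctx.put(KERBEROS_CLIENT, client);
        ctx.put(DELEGATED_CREDENTIAL, delegated);
    }
}
```

Call `configure` on the thread that will make the invocation, immediately before it, so the per-thread request context carries the credential of the user being served.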

Re: Kerberos delegation using GssCredential in JAXWS

Posted by rareddy <ra...@gmail.com>.
Colm,

Thank you for your reply. Very timely blog for me. 

Couple questions: 

1) which CXF and WSS4J versions that I need to look out for this
functionality?
2) I am confused about how I can inject the "GSSCredential" into message
context as required by this call
"message.getContextualProperty(SecurityConstants.DELEGATED_CREDENTIAL)" in
KerberosClient. I guess what I am asking is how I can get hold of a message.
Should I need to write an interceptor?

Thanks

Ramesh..




