Kerberos token based WS Security Scenarios on Tomcat

My previous blog post, Running Kerberos Token Profile scenario with Metro, showed how to run Kerberos token based WS-Security scenarios on Glassfish. Here I show the small changes needed to run the same scenario on Tomcat. The steps essentially boil down to telling the JVM where the JAAS login configuration file (the file that holds the login modules for Kerberos) lives: Glassfish picks the login modules up from $GLASSFISH_HOME/domains/domain1/config/login.conf, whereas on Tomcat we need to point to the file explicitly with the java.security.auth.login.config system property.

Here are the complete steps:

  1. Create a file jaas.conf and place it in $CATALINA_HOME/conf. Here's what jaas.conf looks like:
            KerberosClient {
                com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true;
            };

            KerberosServer {
                com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true keyTab="/etc/krb5.keytab" doNotPrompt=true storeKey=true principal="websvc/service@INDIA.SUN.COM";
            };
            
  2. Add the following line to the catalina.sh script (or set the same property in JAVA_OPTS by whatever means you start Tomcat); note that the -D option belongs inside the quotes:
            JAVA_OPTS="$JAVA_OPTS -Djava.security.auth.login.config=$CATALINA_HOME/conf/jaas.conf"
            
  3. Set the following system properties when running your client code (${tomcat.home} stands for your Tomcat installation directory):
        -Djava.security.policy=${tomcat.home}/conf/catalina.policy
        -Djava.security.auth.login.config=${tomcat.home}/conf/jaas.conf
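
The three steps above are easy to get subtly wrong (a missing entry name, a keytab path that does not exist, or a keytab that every local user can read, which would let anyone impersonate the service). The following pre-flight script is an added example, not part of the original post: it checks a jaas.conf for the KerberosClient and KerberosServer entries used above, verifies that the keytab named in the KerberosServer entry exists and is not group- or world-readable, and prints the correctly quoted JAVA_OPTS line for catalina.sh. It assumes the keytab is given as keyTab="..." on one line, and it reads permissions from the output of ls -ld; the sample configuration it can write (with the constructed principal websvc/service@EXAMPLE.COM) is only for trying the check out.

```shell
#!/bin/sh
# Pre-flight check for the Tomcat JAAS/Kerberos setup described above.
# Added example, not code from the original post.

# check_jaas_conf <path-to-jaas.conf>
# Returns 0 when the file defines both JAAS entries, the keytab it names
# exists, and that keytab is readable by its owner only.
check_jaas_conf() {
    conf="$1"
    if [ ! -r "$conf" ]; then
        echo "jaas.conf not readable: $conf" >&2
        return 1
    fi
    # Both entry names from the post must be present ("Name {").
    for entry in KerberosClient KerberosServer; do
        if ! grep -q "^[[:space:]]*$entry[[:space:]]*{" "$conf"; then
            echo "missing JAAS entry: $entry" >&2
            return 1
        fi
    done
    # Pull the keytab path out of the first keyTab="..." setting.
    keytab=$(sed -n 's/.*keyTab="\([^"]*\)".*/\1/p' "$conf" | head -n 1)
    if [ -z "$keytab" ]; then
        echo "no keyTab=\"...\" setting found in $conf" >&2
        return 1
    fi
    if [ ! -f "$keytab" ]; then
        echo "keytab not found: $keytab" >&2
        return 1
    fi
    # The keytab holds the service's long-term key. Characters 5-10 of
    # "ls -ld" output are the group and other permission bits; all of
    # them must be off (e.g. -rw-------).
    perms=$(ls -ld "$keytab" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "keytab $keytab is readable by group/others (bits: $perms)" >&2
        return 1
    fi
    return 0
}

# java_opts_line <path-to-jaas.conf>
# Prints the line to append to catalina.sh, with the -D option inside the quotes.
java_opts_line() {
    printf 'JAVA_OPTS="$JAVA_OPTS -Djava.security.auth.login.config=%s"\n' "$1"
}

# write_sample_conf <dir>
# Writes a constructed jaas.conf (sample values only) into <dir>, naming
# <dir>/svc.keytab as the keytab, and prints the path of the written file.
write_sample_conf() {
    dir="$1"
    printf 'KerberosClient {\n  com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true;\n};\n\nKerberosServer {\n  com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true keyTab="%s/svc.keytab" doNotPrompt=true storeKey=true principal="websvc/service@EXAMPLE.COM";\n};\n' "$dir" > "$dir/jaas.conf"
    echo "$dir/jaas.conf"
}

# Stand-alone usage: sh check_jaas.sh $CATALINA_HOME/conf/jaas.conf
if [ -n "${1:-}" ]; then
    check_jaas_conf "$1" && java_opts_line "$1"
fi
```

Run it against the real $CATALINA_HOME/conf/jaas.conf before starting Tomcat; a failing keytab permission check is worth fixing with chown/chmod to the Tomcat user rather than by relaxing the check.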
        
Comments:

Hi,

I'm trying to develop a WebService with Kerberos. When I use arcfour, all is correct. But with other crypto algorithms, I have:

glassfish log:

[#|2009-03-18T15:53:51.833+0100|SEVERE|sun-appserver2.1|com.sun.xml.wss.logging.impl.opt.crypto|_ThreadID=15;_ThreadName=httpSSLWorkerThread-8080-0;_RequestID=643be549-98af-48e6-93ec-90b022b8a311;|WSS1925: No CipherValue found in CipherData|#]

[#|2009-03-18T15:53:51.838+0100|SEVERE|sun-appserver2.1|com.sun.xml.wss.provider.wsit|_ThreadID=15;_ThreadName=httpSSLWorkerThread-8080-0;_RequestID=643be549-98af-48e6-93ec-90b022b8a311;|WSITPVD0035: Error in Verifying Security in Inbound Message.
com.sun.xml.wss.impl.WssSoapFaultException: WSS1925: No CipherValue found in CipherData
at com.sun.xml.ws.security.opt.impl.util.SOAPUtil.newSOAPFaultException(SOAPUtil.java:134)
at com.sun.xml.ws.security.opt.impl.incoming.processor.CipherDataProcessor.readAsStream(CipherDataProcessor.java:176

On the client side:
Mar 18, 2009 3:53:49 PM com.sun.xml.ws.security.opt.impl.enc.CryptoProcessor encryptData
SEVERE: WSS1906: Invalid key provided for encryption/decryption.

I don't understand why?

Posted by ellis2323 on March 18, 2009 at 01:35 PM IST #

Hi,

I have been out of touch with this for quite a while, but as far as I remember you need to install the strong encryption jars. Look at Other downloads at the bottom at:
http://java.sun.com/javase/downloads/index.jsp

Ashutosh

Posted by Ashutosh Shahi on March 26, 2009 at 11:50 AM IST #

Hi Ashutosh,

We have a requirement where our web service (JDK1.6, Metro and JBoss) needs to consume an AD token from the client and validate that token against AD before proceeding with other activity. I have really been struggling to make it work for the last couple of days but nothing is working.

I have created the keytab file and updated login-config.xml to include the keytab file, but nothing seems to be working. Can you please help?

Thank you very much.

Best Regards - Roy

Posted by Roy on February 01, 2011 at 09:58 AM IST #
