Friday Feb 01, 2008

Kerberos token based WS Security Scenarios on Tomcat

My previous blog Running Kerberos Token Profile scenario with Metro showed how to run kerberos token based WS-Security scenarios on Glassfish. Here I show the small changes you need to do to run it on Tomcat. The steps essentially boil down to specifying the location of JAAS login config file where login modules for Kerberos are stored. Glassfish picks the login modules from $GLASSFISH_HOME/domains/domain1/config/login.conf, in Tomcat we need to specify the file explicitly using java.security.auth.login.config system property.

Here are the complete steps:

  1. Create a file jaas.conf , and place it in $CATALINA_HOME/conf. Here's what jaas.conf looks like:
            KerberosClient { 
                com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true; 
            };
    
            KerberosServer { 
                com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true keyTab="/etc/krb5.keytab" doNotPrompt=true storeKey=true principal="websvc/service@INDIA.SUN.COM"; 
            };
            
  2. Add following line to the catalina.sh script (or specify the mentioned JAVA_OPTS property):
            JAVA_OPTS="$JAVA_OPTS "-Djava.security.auth.login.config=$CATALINA_HOME/conf/jaas.conf
            
  3. Specify the following system property in your client code:
        -Djava.security.policy=${tomcat.home}/conf/catalina.policy
        -Djava.security.auth.login.config=${tomcat.home}/conf/jaas.conf
        
About

ashutoshshahi

Search

Categories
Archives
« August 2015
SunMonTueWedThuFriSat
      
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
     
Today
Bookmarks
Blogroll

No bookmarks in folder