
  • Kerberos and credential propagation

    First, I want to apologize for my lack of experience with Java (including spring, spring-security, cxf, etc). I might also be asking this question in the wrong place, but I'm happy with all the help I can get.

    I want to create the following situation: A user accesses a website hosted by IIS. From IIS, a WCF service is called, which will call a web service developed using CXF. This service will forward the request to a WebSphere Enterprise Service Bus, which will forward the message to a WebSphere Process Server.

    IIS (Windows) -> WCF web service (.NET) -> CXF web service (Java) -> WESB -> WPS

    The WebSphere Process Server should be able to identify the user using a Kerberos token. Therefore, the Kerberos token should be propagated throughout the whole chain.

    As I have no control over the ESB, I started out with the following scenario:

    [1] IIS -> [2] WCF webservice -> [3] CXF webservice -> [4] CXF webservice

    The user credentials are propagated from [1] -> [2] -> [3]. However, I’m unable to call [4]; the exception is “Access is denied (user is anonymous)”.

    In the CXF service [3], I have a KerberosServiceRequestToken, which contains a valid token (e.g. getToken() returns a binary array). However, I have no clue how to invoke the next service using this information (should I create a new LoginContext somehow?).

    Another problem is the way the Kerberos token is exchanged. Currently, the token is transmitted over the transport layer (e.g. as an HTTP header as part of the Negotiation Challenge). WPS expects the Kerberos token to be contained within the SOAP header. Using WCF, this is straightforward to implement. However, I haven’t been able to configure CXF to correctly process the SOAP header. Does anybody know if this is even possible?

    Thanks in advance,
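
For reference, an added example (not code from the post, and not CXF's own API) of what a message-level Kerberos token looks like compared with the transport-level `Negotiate` header: it builds a WS-Security `BinarySecurityToken` header with plain JDK classes. It assumes the token bytes are a GSS-wrapped Kerberos v5 AP-REQ obtained for the receiving service and that the receiver accepts the OASIS Kerberos Token Profile 1.1 `GSS_Kerberosv5_AP_REQ` value type; the class name, method names and sample bytes are hypothetical.

```java
import java.io.StringWriter;
import java.util.Arrays;
import java.util.Base64;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.*;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.*;

public class KerberosSoapHeader {
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String VALUE_TYPE = "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ";
    static final String BASE64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";
    // DER-encoded mechanism OID 1.2.840.113554.1.2.2 (Kerberos v5), tag and length octets included.
    static final byte[] KRB5_OID = {0x06, 0x09, 0x2a, (byte) 0x86, 0x48, (byte) 0x86, (byte) 0xf7, 0x12, 0x01, 0x02, 0x02};

    // True when the bytes are a GSS-API initial token whose mechanism is Kerberos v5
    // (a SPNEGO-wrapped token, as carried by HTTP Negotiate, has a different OID and is rejected).
    static boolean isKrb5GssToken(byte[] t) {
        if (t.length < 2 || (t[0] & 0xff) != 0x60) return false;
        int len = t[1] & 0xff, i = 2;
        if (len >= 0x80) i += len & 0x7f; // long-form DER length: skip the extra length octets
        int end = i + KRB5_OID.length;
        return end <= t.length && Arrays.equals(Arrays.copyOfRange(t, i, end), KRB5_OID);
    }

    // Serializes a wsse:Security header element carrying the token as a BinarySecurityToken.
    static String securityHeader(byte[] token) throws Exception {
        if (!isKrb5GssToken(token)) throw new IllegalArgumentException("not a GSS-wrapped Kerberos v5 token");
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        Document d = f.newDocumentBuilder().newDocument();
        Element sec = d.createElementNS(WSSE, "wsse:Security");
        sec.setAttributeNS("http://www.w3.org/2000/xmlns/", "xmlns:wsse", WSSE);
        Element bst = d.createElementNS(WSSE, "wsse:BinarySecurityToken");
        bst.setAttribute("ValueType", VALUE_TYPE);
        bst.setAttribute("EncodingType", BASE64);
        bst.setTextContent(Base64.getEncoder().encodeToString(token));
        d.appendChild(sec).appendChild(bst);
        Transformer tr = TransformerFactory.newInstance().newTransformer();
        tr.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
        StringWriter out = new StringWriter();
        tr.transform(new DOMSource(d), new StreamResult(out));
        return out.toString();
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample: GSS header + Kerberos OID + AP-REQ token id (01 00) + dummy bytes, not a real ticket.
        byte[] sample = {0x60, 0x0f, 0x06, 0x09, 0x2a, (byte) 0x86, 0x48, (byte) 0x86, (byte) 0xf7, 0x12, 0x01, 0x02, 0x02, 0x01, 0x00, 0x00, 0x00};
        System.out.println(securityHeader(sample));
    }
}
```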