Package oracle.security.xmlsec.wss.kerberos

WSS Kerberos AP_REQ Token classes.

See: Description

Class Summary

Class	Description
KerberosBinarySecurityToken	This class represents a WSS Binary Security Token of type Kerberos V5 AP_REQ.
KerberosKeyIdentifier	Represents a wsse:KeyIdentifier of type kerberos v5 ap_req.
KerberosKeyIdentifierResolver	A generic interface for resolving Kerberos Key Identifiers.
KerberosKeyRetriever
KerberosUtils	Utility methods for use with Java GSS API.

Exception Summary

Exception	Description
KerberosKeyIdentifierResolverException	Signals failure in resolving a Kerberos key identifier.

Package oracle.security.xmlsec.wss.kerberos Description

WSS Kerberos AP_REQ Token classes.

Supports WSS - Kerberos token Profile 1.1

• WSS - Kerberos token profile 1.0 supports an AP_REQ token
• WSS - Kerberos token profile 1.1 supports both an AP_REQ token and a GSS wrapped AP_REQ token

Using the Java GSS API

You can use the Java GSS APIs to generate Kerberos tokens. Ser Use of Java GSS-API

Client side

• Use JAAS Authentication with Kerberos Login Module.
  Set up the config files and then call

  LoginContext lc = new LoginContext(...);
  lc.login();
  

  to login using this module. This will cause the client to contact the Kerberos Authentication-Service and get a ticket to talk to the Kerberos Ticket-Granting-Service
• Use JAAS Authorization to set the subject into the thread context
  

  Subject.doAs(lc.getSubject(), action)
  

  The rest of the code should be executed as a Privileged action
• Create a GSSContext to talk to a particular server
  Do

   GSSManager gssManager = GSSManager.getInstance();
   GSSName serviceName = gssManager.createName(svcPrincipalName, null);
   GSSContext gssContext = gssManager.createContext(serviceName, null, null, GSSCredential.DEFAULT_LIFETIME);
   byte[] token = new byte[1];
   token = gssContext.initSecContext(token, 0, token.length);
  
  

  to set up a GSSContext. This will cause the client to contact the Ticket-Granting-Service to obtain a ticket for talking to that particular server. The token that is returned by the initSecCOntext is a GSS wrapped AP_REQ packet.
• Create a Kerberos BST using this AP_REQ packet
  Do

   WSSecurity ws = ...
   KerberosBinarySecurityToken kbst = ws.createBST_Kerberos(token, WSSURI.vt_GSSKerberosv5);
   ws.addKerberosToken(kbst);
  

  to create the kerberos token.
• Create an STR to this BSR
  

   kbst.setWsuId("MyAppReq");
   WSSecurityTokenReference str = ws.createSTR_KerberosKeyRef("MyApReq", WSSURI.vt_GSSKerberosv5);
  

• Sign/Encrypt using the kerberos session key
  There is no public API to get the session key, so we have provided a utility method.

   SecretKey sessionKey = KerberosUtils.getSessionKey(gssContext);
   WSSEncryptionParams eParams = new WSSEncryptionParams(XMLURI.alg_tripleDES_CBC, sessionKey, null, null, str);
   WSSecurity.encryptNoEncKey(...)
  

• Send the created SOAP request to the server

  Server side

  • Use JAAS Authentication and Authorization as for the client
  • Create GSSContext will null credentials
    

     GSSManager manager = GSSManager.getInstance();
     GSSContext gssContext = manager.createContext((GSSCredential)null);
    

  • Recieve the SOAP request sent from the client, and extract WSSecurity headers

     WSSecurity ws = WSSecurity.getAllSecurityHeaders(soapMessage)[0]; 
    

  • From the header extract the Kerberos Binary Security token

     KerberosBinarySecurityToken kbst = (KerberosBinarySecurityToken)ws.getBinaryTokens().get(0);  
    

  • Now extract the AP_REQ from the BST and call acceptSecContext

     byte ap_req[] = kbst.getValue();
     gssContext.acceptSecContext(ap_req);
    

    The context is now extablished. (Note Mutual authentication would need one more round trip)
• Verify/Decrypt using the kerberos session key
  As for the client use the utility method to get the key.

   SecretKey sessionKey = KerberosUtils.getSessionKey(gssContext);
   ws.decrypt(..., sessionKey);