Class | Description |
---|---|
KerberosBinarySecurityToken | This class represents a WSS Binary Security Token of type Kerberos V5 AP_REQ. |
KerberosKeyIdentifier | Represents a wsse:KeyIdentifier of type kerberos v5 ap_req. |
KerberosKeyIdentifierResolver | A generic interface for resolving Kerberos Key Identifiers. |
KerberosKeyRetriever | |
KerberosUtils | Utility methods for use with Java GSS API. |

Exception | Description |
---|---|
KerberosKeyIdentifierResolverException | Signals failure in resolving a Kerberos key identifier. |

WSS Kerberos AP_REQ Token classes.

Supports WSS - Kerberos Token Profile 1.1.

Use

```java
LoginContext lc = new LoginContext(...);
lc.login();
```

to log in using this module. This will cause the client to contact the Kerberos Authentication-Service and get a ticket to talk to the Kerberos Ticket-Granting-Service.

```java
Subject.doAs(lc.getSubject(), action)
```

The rest of the code should be executed as a privileged action.

Use

```java
GSSManager gssManager = GSSManager.getInstance();
GSSName serviceName = gssManager.createName(svcPrincipalName, null);
GSSContext gssContext = gssManager.createContext(serviceName, null, null, GSSCredential.DEFAULT_LIFETIME);
byte[] token = new byte[1];
token = gssContext.initSecContext(token, 0, token.length);
```

to set up a GSSContext. This will cause the client to contact the Ticket-Granting-Service to obtain a ticket for talking to that particular server. The token that is returned by initSecContext is a GSS-wrapped AP_REQ packet.

Use

```java
WSSecurity ws = ...
KerberosBinarySecurityToken kbst = ws.createBST_Kerberos(token, WSSURI.vt_GSSKerberosv5);
ws.addKerberosToken(kbst);
```

to create the Kerberos token.

```java
kbst.setWsuId("MyApReq");
WSSecurityTokenReference str = ws.createSTR_KerberosKeyRef("MyApReq", WSSURI.vt_GSSKerberosv5);
```

```java
SecretKey sessionKey = KerberosUtils.getSessionKey(gssContext);
WSSEncryptionParams eParams = new WSSEncryptionParams(XMLURI.alg_tripleDES_CBC, sessionKey, null, null, str);
WSSecurity.encryptNoEncKey(...)
```

```java
GSSManager manager = GSSManager.getInstance();
GSSContext gssContext = manager.createContext((GSSCredential)null);
```

```java
WSSecurity ws = WSSecurity.getAllSecurityHeaders(soapMessage)[0];
```

```java
KerberosBinarySecurityToken kbst = (KerberosBinarySecurityToken)ws.getBinaryTokens().get(0);
```

```java
byte[] ap_req = kbst.getValue();
// GSSContext.acceptSecContext takes the token buffer plus offset and length
gssContext.acceptSecContext(ap_req, 0, ap_req.length);
```

The context is now established. (Note: mutual authentication would need one more round trip.)

```java
SecretKey sessionKey = KerberosUtils.getSessionKey(gssContext);
ws.decrypt(..., sessionKey);
```
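
A receiver can reject malformed input before handing the bytes from `kbst.getValue()` to `acceptSecContext` by checking that they carry the GSS-API framing of a "GSS wrapped AP_REQ packet". The following is an added example, not part of this package or of Oracle's code; the class and method names are hypothetical and the sample token is constructed. It checks framing only; `acceptSecContext` still performs the cryptographic validation.

```java
import java.util.Arrays;

public class GssApReqCheck {
    // DER encoding of the Kerberos V5 mechanism OID 1.2.840.113554.1.2.2
    private static final byte[] KRB5_OID = {
        0x06, 0x09, 0x2a, (byte) 0x86, 0x48, (byte) 0x86, (byte) 0xf7,
        0x12, 0x01, 0x02, 0x02
    };

    /** True if t has GSS-API initial-token framing around a Kerberos AP_REQ. */
    static boolean isGssWrappedApReq(byte[] t) {
        // Outer tag is [APPLICATION 0] constructed = 0x60
        if (t == null || t.length < 2 || (t[0] & 0xff) != 0x60) return false;
        int pos = 1;
        int len = t[pos++] & 0xff;
        if (len >= 0x80) {                       // long-form DER length
            int n = len & 0x7f;
            if (n == 0 || n > 4 || pos + n > t.length) return false;
            len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (t[pos++] & 0xff);
            if (len < 0) return false;           // overflowed a signed int
        }
        // Declared length must cover exactly the rest of the buffer
        if (len != t.length - pos) return false;
        // Need the OID, the 2-byte TOK_ID and at least the inner tag byte
        if (t.length - pos < KRB5_OID.length + 3) return false;
        byte[] oid = Arrays.copyOfRange(t, pos, pos + KRB5_OID.length);
        if (!Arrays.equals(oid, KRB5_OID)) return false;
        pos += KRB5_OID.length;
        // TOK_ID 01 00 marks an AP_REQ; the AP-REQ is [APPLICATION 14] = 0x6e
        return t[pos] == 0x01 && t[pos + 1] == 0x00
                && (t[pos + 2] & 0xff) == 0x6e;
    }

    public static void main(String[] args) {
        // Constructed sample: framing plus an empty AP-REQ body (not a real ticket)
        byte[] ok = {
            0x60, 0x0f, 0x06, 0x09, 0x2a, (byte) 0x86, 0x48, (byte) 0x86,
            (byte) 0xf7, 0x12, 0x01, 0x02, 0x02, 0x01, 0x00, 0x6e, 0x00
        };
        byte[] apRep = ok.clone();
        apRep[13] = 0x02;                        // TOK_ID 02 00 is an AP_REP
        byte[] truncated = Arrays.copyOf(ok, 10);
        System.out.println("well-formed: " + isGssWrappedApReq(ok));
        System.out.println("AP_REP:      " + isGssWrappedApReq(apRep));
        System.out.println("truncated:   " + isGssWrappedApReq(truncated));
    }
}
```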