« January 2010
SunMonTueWedThuFriSat
     
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
      
Today
XML

www.flickr.com
This is a Flickr badge showing public photos from ashutosh.shahi. Make your own badge here.

Blog::Navigation


blogs.sun.com
Weblog
Login

Bookmarks::Blogroll


Recent Entries

Blog::Referers

Today's Page Hits: 58

Stat Counter


since 02/20/07

Technorati

Add to Technorati Favorites

del.icio.us

All | Personal | Web Services
« Running Kerberos... | Main | Metro at Sun Tech... »
20080201 Friday February 01, 2008
Kerberos token based WS Security Scenarios on Tomcat

My previous blog Running Kerberos Token Profile scenario with Metro showed how to run kerberos token based WS-Security scenarios on Glassfish. Here I show the small changes you need to do to run it on Tomcat. The steps essentially boil down to specifying the location of JAAS login config file where login modules for Kerberos are stored. Glassfish picks the login modules from $GLASSFISH_HOME/domains/domain1/config/login.conf, in Tomcat we need to specify the file explicitly using java.security.auth.login.config system property.

Here are the complete steps:

  1. Create a file jaas.conf , and place it in $CATALINA_HOME/conf. Here's what jaas.conf looks like: 
            KerberosClient { 
            com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true; 
        };

        KerberosServer { 
            com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true keyTab="/etc/krb5.keytab" doNotPrompt=true storeKey=true principal="websvc/service@INDIA.SUN.COM"; 
        };
  2. Add following line to the catalina.sh script (or specify the mentioned JAVA_OPTS property): 
            JAVA_OPTS="$JAVA_OPTS "-Djava.security.auth.login.config=$CATALINA_HOME/conf/jaas.conf
  3. Specify the following system property in your client code: 
        -Djava.security.policy=${tomcat.home}/conf/catalina.policy
    -Djava.security.auth.login.config=${tomcat.home}/conf/jaas.conf
Permalink Comments [2] Posted by ashutoshshahi ( Feb 01 2008, 12:29:14 PM IST / Feb 01 2008, 12:29:14 PM IST )
Trackback: http://blogs.sun.com/ashutosh/entry/kerberos_token_based_ws_security
Trackback URL: http://blogs.sun.com/ashutosh/entry/kerberos_token_based_ws_security
Comments:

Hi,

I'm trying to develop WebService with Kerberos. When i use arcfour, all is correct. But with other crypto algo, i have :

glassfish log:

[#|2009-03-18T15:53:51.833+0100|SEVERE|sun-appserver2.1|com.sun.xml.wss.logging.impl.opt.crypto|_ThreadID=15;_ThreadName=httpSSLWorkerThread-8080-0;_RequestID=643be549-98af-48e6-93ec-90b022b8a311;|WSS1925: No CipherValue found in CipherData|#]

[#|2009-03-18T15:53:51.838+0100|SEVERE|sun-appserver2.1|com.sun.xml.wss.provider.wsit|_ThreadID=15;_ThreadName=httpSSLWorkerThread-8080-0;_RequestID=643be549-98af-48e6-93ec-90b022b8a311;|WSITPVD0035: Error in Verifying Security in Inbound Message.
com.sun.xml.wss.impl.WssSoapFaultException: WSS1925: No CipherValue found in CipherData
at com.sun.xml.ws.security.opt.impl.util.SOAPUtil.newSOAPFaultException(SOAPUtil.java:134)
at com.sun.xml.ws.security.opt.impl.incoming.processor.CipherDataProcessor.readAsStream(CipherDataProcessor.java:176

On the client side :
Mar 18, 2009 3:53:49 PM com.sun.xml.ws.security.opt.impl.enc.CryptoProcessor encryptData
SEVERE: WSS1906: Invalid key provided for encryption/decryption.

I don't understand why?

Posted by ellis2323 on March 18, 2009 at 08:35 PM IST #

Hi,

I have been out of touch with this for quite a while, but as far as I remember you need to install the strong encryption jars. Look at Other downloads at the bottom at:
http://java.sun.com/javase/downloads/index.jsp

Ashutosh

Posted by Ashutosh Shahi on March 26, 2009 at 06:50 PM IST #

Post a Comment:

Name:
E-Mail:
URL:

Your Comment:

HTML Syntax: NOT allowed
Copyright (C) 2003, Ashutosh's Blog