Apr 17th, 2012, 06:04 AM
Kerberos and credential propagation
First, I want to apologize for my lack of experience with Java (including spring, spring-security, cxf, etc.). I might also be asking this question in the wrong place, but I'm happy with all the help I can get.
I want to create the following situation: A user accesses a website hosted by IIS. From IIS, a WCF service is called, which will call a web service developed using CXF. This service will forward the request to a WebSphere Enterprise Service Bus, which will forward the message to a WebSphere Process Server.
IIS (Windows) -> WCF web service (.NET) -> CXF web service (Java) -> WESB -> WPS
The WebSphere Process Server should be able to identify the user using a Kerberos token. Therefore, the Kerberos token should be propagated throughout the whole chain.
As I have no control over the ESB, I started out with the following scenario:
 IIS ->  WCF webservice ->  CXF webservice ->  CXF webservice
The user credentials are propagated from  ->  -> . However, I’m unable to call , the exception is “Access is denied (user is anonymous)”.
In the CXF service , I have a KerberosServiceRequestToken, which contains a valid token (e.g. getToken() returns a binary array). However, I have no clue how to invoke the next service using this information (should I create a new LoginContext somehow?).
Another problem is the way the Kerberos token is exchanged. Currently, the token is transmitted over the transport layer (e.g. as an HTTP header as part of the Negotiation Challenge). WPS expects the Kerberos token to be contained within the SOAP header. Using WCF, this is straightforward to implement. However, I haven’t been able to configure CXF to correctly process the SOAP header. Does anybody know if this is even possible?
Thanks in advance,