First, I want to apologize for my lack of experience with java (including spring, spring-security, cxf, etc). I might also be asking this question in the wrong place, but I'm happy with all the help I can get.

I want to create the following situation: A user accesses a website hosted by IIS. From IIS, a WCF service is called, which will call a web service developed using CXF. This service will forward the request to a WebSphere Enterprise Service Bus, which will forward the message to a WebSphere Process Server.

IIS (Windows) -> WCF web service (.NET) -> CXF web service (Java) -> WESB -> WPS

The WebSphere Process Server should be able to identify the user using a Kerberos token. Therefore, the Kerberos token should be propagated throughout the whole chain.

As I have no control over the ESB, I started out with the following scenario:

[1] IIS -> [2] WCF webservice -> [3] CXF webservice -> [4] CXF webservice

The user credentials are propagated from [1] -> [2] -> [3]. However, I’m unable to call [4], the exception is “Access is denied (user is anonymous)”.

In the CXF service [3], I have a KerberosServiceRequestToken, which contains a valid token (e.g. getToken() returns a binary array). However, I have no clue how to invoke the next service using this information (should I create a new LoginContext somehow?).

Another poblem is the way the Kerberos token is exchanged. Currently, the token is transmitted over the transport layer (e.g. as a HTTP Header as part of the Negotiation Challenge). WPS expects the Kerberos token to be contained within the SOAP-header. Using WCF, this is straigthforward to implement. However, I haven’t been able to configure CXF to correctly process the soap header. Does anybody know if this is even possible?

Thanks in advance,
Henk-Jan.