Secure Java EE Web Services w/ Kerberos and JAAS

Published 2022-09-06 09:25:35 · 1116 characters · 14 views · 0 comments

Found this article on Java-based SSO systems and was wondering if it is in any way at all applicable to secure web services.

With secure web services, you need:

  1. A secure transport
  2. Authentication
  3. Digital signatures
  4. Encrypted payloads

Usually this can be accomplished with some OASIS-compliant secure framework (CXF, WSS4J, XWSS, etc.) over SSL for the transport.

I'm not familiar at all with Kerberos, JAAS or GSS, but it seems to me that if they can be used to keep secure connections between a client and multiple Java EE apps, why couldn't they be used in tandem with one of those frameworks (like WSS4J) to provide WSS?

Instead of SSL, I could use Kerberos, then let WSS4J handle all the WS-specific stuff.

This way, I could make reusable Kerberos components that could be used both in SSO and for transport layer security in web services.

Am I completely off my rocker here?
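For readers weighing the idea above, here is what the "reusable Kerberos component" would look like in plain Java using JAAS (Krb5LoginModule) for authentication and the GSS-API for the per-message protection. This is an added example, not code from the original post or from WSS4J. It assumes a krb5.conf pointing at a reachable KDC, a credential cache already populated with kinit, a placeholder service principal `HTTP/ws.example.test@EXAMPLE.TEST`, and a hypothetical `TokenTransport` callback that carries GSS tokens to the service (in a WS-Security deployment that carrier would be a BinarySecurityToken header, which is left out here):

```java
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.MessageProp;
import org.ietf.jgss.Oid;

/**
 * Added example: a reusable Kerberos client component built from JAAS + GSS-API.
 * Assumptions (not from the original post): a KDC configured in krb5.conf, a
 * ticket cache obtained with kinit, and the placeholder service principal
 * HTTP/ws.example.test@EXAMPLE.TEST.
 */
public class KerberosClientComponent {

    /** Hypothetical carrier for GSS tokens; a real deployment would put them in a WS-Security header. */
    public interface TokenTransport {
        byte[] send(byte[] tokenToService) throws Exception; // returns the service's reply token
    }

    // Programmatic JAAS configuration, equivalent to this login.conf entry:
    //   KerberosClient { com.sun.security.auth.module.Krb5LoginModule required
    //                    useTicketCache=true doNotPrompt=true; };
    static final class KrbConfig extends Configuration {
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            Map<String, String> opts = new HashMap<>();
            opts.put("useTicketCache", "true"); // reuse the TGT obtained with kinit
            opts.put("doNotPrompt", "true");    // never fall back to an interactive password prompt
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry(
                    "com.sun.security.auth.module.Krb5LoginModule",
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts)
            };
        }
    }

    /** Step 1 (authentication): obtain a Subject holding the user's Kerberos credentials. */
    public static Subject login() throws Exception {
        LoginContext lc = new LoginContext("KerberosClient", null, null, new KrbConfig());
        lc.login();
        return lc.getSubject();
    }

    /**
     * Step 2 (per-message protection): establish a mutually authenticated GSS context
     * with the service, then wrap one payload with confidentiality and integrity
     * derived from the Kerberos session key. Runs under the authenticated Subject.
     */
    public static byte[] protectMessage(Subject subject, String servicePrincipal,
                                        TokenTransport transport, byte[] payload) throws Exception {
        return Subject.doAs(subject, (PrivilegedExceptionAction<byte[]>) () -> {
            GSSManager manager = GSSManager.getInstance();
            Oid krb5Mech = new Oid("1.2.840.113554.1.2.2"); // Kerberos V5 mechanism OID
            GSSName target = manager.createName(servicePrincipal, GSSName.NT_USER_NAME);
            GSSContext ctx = manager.createContext(target, krb5Mech, null, GSSContext.DEFAULT_LIFETIME);
            ctx.requestMutualAuth(true); // the service proves itself too, not only the client
            ctx.requestConf(true);       // ask for encryption of wrapped messages
            ctx.requestInteg(true);      // ask for integrity protection of wrapped messages

            // Context establishment: the first token is the AP-REQ; keep exchanging
            // tokens with the service until both sides agree the context is established.
            byte[] inToken = new byte[0];
            while (!ctx.isEstablished()) {
                byte[] outToken = ctx.initSecContext(inToken, 0, inToken.length);
                if (outToken != null) {
                    inToken = transport.send(outToken);
                }
            }
            if (!ctx.getConfState()) {
                throw new IllegalStateException("service did not grant confidentiality");
            }

            // Per-message protection: QOP 0 (default), privacy requested.
            MessageProp prop = new MessageProp(0, true);
            return ctx.wrap(payload, 0, payload.length, prop);
        });
    }

    public static void main(String[] args) throws Exception {
        Subject subject = login();
        // Constructed sample payload; the transport would be wired to the real service.
        byte[] soapBody = "<ping/>".getBytes("UTF-8");
        TokenTransport transport = token -> { throw new UnsupportedOperationException("wire to service"); };
        byte[] protectedBody = protectMessage(subject, "HTTP/ws.example.test@EXAMPLE.TEST", transport, soapBody);
        System.out.println("wrapped " + protectedBody.length + " bytes");
    }
}
```

The split into `login()` and `protectMessage()` is the reusable part: the Subject from step 1 can serve both a browser-facing SSO filter and a web-service client, while the GSS context in step 2 gives application-layer authentication, integrity and confidentiality per message rather than a TLS channel. Checking `getConfState()` after establishment matters because a context can be negotiated without the confidentiality that was requested.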


Comments (1)

孤单情人 2022-09-13 09:25:35

Eugie,
The requirements stated are typical. But the details vary to a large degree.
Hence it is not practical to conclude on a single approach or solution.

The requirements need to be further broken down and analysed separately.

For example, SSO broadly has two requirements: a) Authentication b) Authorization.
You could use a single solution for both or multiple solutions for each. An elaborate system could be using multiple authentications at the same time, like form-based, certificate-based, token-based, remote-auth.

In case of authorization we could have a centralized solution using LDAP/ActiveDirectory/Domino
or a decentralized one with all the above co-ordinating.

Each of these solutions has limitations; for example, Kerberos is not effective against password guessing attacks.

The choice of security solutions depends on many parameters like
perceived threat, cost, performance etc.

The WS-Security project tries to address many such architectural concerns.
To answer your question -- No, you cannot use Kerberos for both SSO and transport layer encryption.
--Kiran.Kumar
