Secure Java EE Web Services w/ Kerberos and JAAS
Found this article on Java-based SSO systems and was wondering if it is in any way at all applicable to secure web services.
With secure web services, you need:
- A secure transport
- Authentication
- Digital signage
- Encrypted payloads
Usually this can be accomplished with some OASIS-compliant secure framework (CXF, WSS4J, XWSS, etc.) over SSL for the transport.
I'm not familiar at all with Kerberos, JAAS or GSS, but it seems to me that if they can be used to keep secure connections between a client and multiple Java EE apps, why couldn't they be used in tangent with one of those frameworks (like WSS4J) to provide WSS?
Instead of SSL, I could use Kerberos, then let WSS4J handle all the WS-specific stuff.
This way, I could make reusable Kerberos components that could be used both in SSO and for transport layer security in web services.
Am I completely off my rocker here?
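The arrangement described in the question (Kerberos supplies authentication and a session key, and the messages are then protected with that key) can be followed end to end in plain JAAS + GSS-API. The code below is an added example, not part of the original post and not code from WSS4J or any other framework. It assumes a working Kerberos realm (krb5.conf, a reachable KDC, a keytab for the service), and the JAAS entry names, keytab path and service principal `HTTP/ws.example.com@EXAMPLE.COM` are hypothetical placeholders. Both sides of the handshake run in one JVM so the token exchange and the wrap/unwrap step can be read without a network in between.

```java
import java.nio.charset.StandardCharsets;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.MessageProp;
import org.ietf.jgss.Oid;

/*
 * Assumed (hypothetical) JAAS configuration, passed with
 * -Djava.security.auth.login.config=jaas.conf alongside a matching krb5.conf:
 *
 *   KerberosClient  { com.sun.security.auth.module.Krb5LoginModule required
 *                     useTicketCache=true; };
 *   KerberosService { com.sun.security.auth.module.Krb5LoginModule required
 *                     useKeyTab=true keyTab="/etc/ws.keytab" storeKey=true
 *                     principal="HTTP/ws.example.com@EXAMPLE.COM"; };
 */
public class KerberosMessageProtectionDemo {
    // Hypothetical service principal; it must exist in the realm and in the keytab above.
    static final String SERVICE_PRINCIPAL = "HTTP/ws.example.com@EXAMPLE.COM";
    // Kerberos V5 GSS-API mechanism OID (RFC 1964).
    static final Oid KRB5_MECH;
    static {
        try {
            KRB5_MECH = new Oid("1.2.840.113554.1.2.2");
        } catch (GSSException e) {
            throw new ExceptionInInitializerError(e);
        }
    }

    // JAAS login: the client entry reads the user's ticket cache (the SSO part);
    // the service entry loads its long-term key from the keytab.
    static Subject login(String jaasEntry) throws LoginException {
        LoginContext lc = new LoginContext(jaasEntry);
        lc.login();
        return lc.getSubject();
    }

    // Service side of the handshake, run with the service's credentials. In a deployment
    // the token would arrive in a WS-Security header; here it is handed over in-process.
    static byte[] acceptToken(Subject service, GSSContext acceptor, byte[] token) throws Exception {
        return Subject.doAs(service, (PrivilegedExceptionAction<byte[]>) () ->
                acceptor.acceptSecContext(token, 0, token.length));
    }

    public static void main(String[] args) throws Exception {
        Subject client = login("KerberosClient");
        Subject service = login("KerberosService");

        // Acceptor context; a null credential means "use the current Subject's credentials".
        GSSContext acceptor = Subject.doAs(service, (PrivilegedExceptionAction<GSSContext>) () ->
                GSSManager.getInstance().createContext((GSSCredential) null));

        // Client side: authenticate to the service with mutual auth, then wrap a payload
        // so that it is both integrity-protected and encrypted under the session key.
        byte[] wrapped = Subject.doAs(client, (PrivilegedExceptionAction<byte[]>) () -> {
            GSSManager mgr = GSSManager.getInstance();
            GSSName peer = mgr.createName(SERVICE_PRINCIPAL, null);
            GSSContext initiator = mgr.createContext(peer, KRB5_MECH, null, GSSContext.DEFAULT_LIFETIME);
            initiator.requestMutualAuth(true); // the service must prove its identity too
            initiator.requestInteg(true);      // per-message integrity (MIC)
            initiator.requestConf(true);       // per-message confidentiality

            byte[] token = new byte[0];
            while (!initiator.isEstablished()) {
                token = initiator.initSecContext(token, 0, token.length);
                if (token != null && token.length > 0) {
                    token = acceptToken(service, acceptor, token);
                }
                if (token == null) {
                    token = new byte[0];
                }
            }
            // Refuse to send anything if the negotiated context lacks what was requested.
            if (!initiator.getMutualAuthState() || !initiator.getConfState() || !initiator.getIntegState()) {
                throw new SecurityException("context lacks mutual auth, integrity or confidentiality");
            }
            // Constructed sample payload.
            byte[] payload = "<soap:Envelope>order #1234</soap:Envelope>".getBytes(StandardCharsets.UTF_8);
            MessageProp prop = new MessageProp(0, true); // default QOP, privacy requested
            byte[] out = initiator.wrap(payload, 0, payload.length, prop);
            initiator.dispose();
            return out;
        });

        // Service side: unwrap verifies the MIC, decrypts, and exposes the authenticated client name.
        Subject.doAs(service, (PrivilegedExceptionAction<Void>) () -> {
            MessageProp prop = new MessageProp(0, false);
            byte[] plain = acceptor.unwrap(wrapped, 0, wrapped.length, prop);
            System.out.println("Authenticated client: " + acceptor.getSrcName());
            System.out.println("Encrypted in transit: " + prop.getPrivacy());
            System.out.println("Payload: " + new String(plain, StandardCharsets.UTF_8));
            acceptor.dispose();
            return null;
        });
    }
}
```

Two things the code makes concrete for the question. First, what Kerberos/GSS gives you is authentication of both ends plus per-message integrity and confidentiality keyed from the ticket's session key; it is message protection, not a transport tunnel like SSL, so the check on `getMutualAuthState()`, `getConfState()` and `getIntegState()` is the step that prevents silently falling back to a weaker context. Second, the initial `initSecContext` token is exactly what the WS-Security Kerberos Token Profile carries in the SOAP security header, which is where a framework such as WSS4J would take over the header handling while the same JAAS login serves the SSO side. On Java 18 and later `Subject.doAs` is deprecated in favour of `Subject.callAs`, with the same structure.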
Comments (1)
Eugie,
The requirements stated are typical. But the details vary to a large degree.
Hence it is not practical to conclude on a single approach or solution.
The requirements need to be further broken down and analysed separately.
For example, SSO broadly has two requirements: a) Authentication, b) Authorization.
You could use a single solution for both or multiple solutions for each. An elaborate system could be using multiple authentications at the same time, like form-based, certificate-based, token-based, remote-auth.
In case of authorization we could have a centralized solution using LDAP/ActiveDirectory/Domino
or a decentralized one with all of the above coordinating.
Each of these solutions has limitations; for example, Kerberos is not effective against password guessing attacks.
The choice of security solutions depends on many parameters like
perceived threat, cost, performance, etc.
The WS-Security project tries to address many such architectural concerns.
To answer your question: no, you cannot use Kerberos for both SSO and transport layer encryption.
--Kiran.Kumar