Restful Web Service with Kerberos Authentication

Question

Starting a new project to create a restful Web Service that requires callers to be Authenticated by Kerberos (Active Directory).

The web service will be hosted by Tomcat and I was planning to use JAX-RS with JAAS but I'm not finding much information on this, does anyone have information or experience on getting this to work?

Should I be looking at Spring and Spring Security instead?

Answer 1

Apache provides good documentation for using JAXRS with kerberos. Here is the link:

http://cxf.apache.org/docs/jaxrs-kerberos.html

Answer 2

I have the same issue. I googled extensively and not found a good answer.

The problem is that the issue has several layers and most answers point to (usually vague) solutions for only one layer.

And there is not a single complete and clear example for the end-to-end solution.

LAYERS

1. Client call to rest service using kerberos/windows logged in credentials.

• Answers usually show how to use kerberos to authenticate but fail to say how to use it to pass the logged in credentials to the REST service.
• Both Spring REST client functionality and native Java seem capable of doing this but it is not clear how.

2. Processing by the REST service of the authentication request by the client that is authenticating via windows/kerberos.

• Spring REST service functionality appears to be the easiest way to implement it but again it is not clear how to tell the REST service to expect that authentication method.

3. Either forwarding the client kerberos credentials to whatever resource the REST service is trying to access, or get a success/failure and then the REST service uses kerberos/windows authentication itself (different credentials from the clients) to access a resource.

I hope this clarification of the issue helps in producing a good answer.