[ https://issues.jboss.org/browse/TEIID-3059?page=com.atlassian.jira.plugin... ]
Ramesh Reddy edited comment on TEIID-3059 at 8/15/14 5:09 PM:
--------------------------------------------------------------
After spending a ton of time and building a Kerberos-based example and trying to test with
an individual client and then through Teiid, the conclusion I derived is:

1) To use any WS-Security features in the "ws" translator, the resource-adapter must
be configured with WSDL. When WSDL is configured, it exposes all the methods on the port
through dynamic metadata. These methods need to be used instead of using the generic
"invoke" procedure. The reason for this is that the client proxy that gets generated
through the "Service.create()" call takes the ws-policy information in the WSDL
automatically. Otherwise the onus is on the Teiid framework to do the same (through
some duplicate config or WSDL) on the generic Dispatch interface, which seems cumbersome at
best. The issue is that current tooling is based on "invoke" based execution; this
needs to be rethought when WSDL is available.

2) As per pass-through authentication for the Kerberos token to the web service from the logged in
user, this feature just got committed to the master branch in CXF (url in above comment), so
when we move up in CXF version then we can support it. I tried to see if I can patch
existing code, but the change involves CXF and WSS4J modules and totally not trivial. So,
I say we push this until we support a later version of CXF and WSS4J. (not in 2.0.1 of
wss4j)

3) Wrote sample examples here:
https://github.com/rareddy/ws-security-examples

4) I update documentation with above
was (Author: rareddy):
After spending a ton of time and building a Kerberos-based example and trying to test with
an individual client and then through Teiid, the conclusion I derived is:

1) To use any WS-Security features in the "ws" translator, the resource-adapter must
be configured with WSDL. When WSDL is configured, it exposes all the methods on the port
through dynamic metadata. These methods need to be used instead of using the generic
"invoke" procedure. The reason for this is that the client proxy that gets generated
through the "Service.create()" call takes the ws-policy information in the WSDL
automatically. Otherwise the onus is on the Teiid framework to do the same (through
some duplicate config or WSDL) on the generic Dispatch interface, which seems cumbersome at
best. The issue is that current tooling is based on "invoke" based execution; this
needs to be rethought when WSDL is available.

2) As per pass-through authentication for the Kerberos token to the web service from the logged in
user, this feature just got committed to the master branch in CXF (url in above comment), so
when we move up in CXF version then we can support it. I tried to see if I can patch
existing code, but the change involves CXF and WSS4J modules and totally trivial. So, I
say we push this until we support a later version of CXF and WSS4J. (not in 2.0.1 of
wss4j)

3) Wrote sample examples here:
https://github.com/rareddy/ws-security-examples

4) I update documentation with above

Support consuming SOAP based service that is secured by Kerberos authentication
-------------------------------------------------------------------------------
Key: TEIID-3059
URL: https://issues.jboss.org/browse/TEIID-3059
Project: Teiid
Issue Type: Feature Request
Security Level: Public (Everyone can see)
Components: Misc. Connectors
Reporter: Ramesh Reddy
Assignee: Ramesh Reddy

CXF supports Kerberos based authentication in issuing a SOAP based web service call. This
authentication scenario needs to be verified, and the code further enhanced to support
delegation of the Kerberos token.