Kerberos with REST based Services

"Kerberos in ws-security with SOAP services" -

Check out the cxf configuration to allow Kerberos in SOAP web services at


With this configuration, the REST service is configured with a Kerberos JAAS security domain that negotiates a token and then uses it to access the web service. First, create a security domain in the standalone.xml file as below:

<security-domain name="MY_REALM" cache-type="default">
    <login-module code="Kerberos" flag="required">
        <module-option name="storeKey" value="true"/>
        <module-option name="useKeyTab" value="true"/>
        <module-option name="keyTab" value="/home/username/service.keytab"/>
        <module-option name="principal" value="host/testserver@MY_REALM"/>
        <module-option name="doNotPrompt" value="true"/>
        <module-option name="debug" value="false"/>
        <module-option name="addGSSCredential" value="true"/>
    </login-module>
</security-domain>

and the jboss-cxf-xxx.xml file needs to be set up as follows:

<beans xmlns=""

       <http-conf:conduit name="*.http-conduit">

The resource adapter creation needs to define the following properties:

   <config-property name="ConfigFile">path/to/jboss-cxf-xxxx.xml</config-property>
   <config-property name="ConfigName">test</config-property>

Even though the above configuration sets the value of "ConfigName", the CXF framework currently does not provide an option to use it for a JAX-RS client. For that reason, use "*.http-conduit", which applies to all HTTP communication under this resource adapter.


If the user is already logged into Teiid with Kerberos via JDBC/ODBC, or used SPNEGO in the web tier with pass-through authentication into Teiid, there is no need to negotiate a new Kerberos token: the system can delegate the existing one.

To configure delegation, set up the security domain and the jboss-cxf-xxx.xml file exactly as described for negotiation above, but remove the following line from jboss-cxf-xxx.xml, since no new token is going to be negotiated:


Add the following properties when creating the web service resource adapter. The first configures that "Kerberos" security is being used; the second defines the security domain to be used by the data source, in this case one that passes through the logged-in user:

   <config-property name="SecurityType">Kerberos</config-property>

To configure the "passthrough-security" security domain, add the following XML fragment to the "security" subsystem:

<security-domain name="passthrough-security" cache-type="default">
    <login-module code="Kerberos" flag="required" module="">
        <module-option name="delegationCredential" value="REQUIRED"/>
    </login-module>
</security-domain>

If no delegation credential is available on the context, access will fail.
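The following Python script is an added example, not Teiid's own code, that lints standalone.xml-style security-domain fragments against the two configurations described on this page (the negotiating domain with its keytab login and the pass-through domain that requires a delegated credential). The sample XML embedded in it is constructed from the fragments above; the expected-value tables are assumptions drawn from the settings shown on this page.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the two security domains shown on this page.
SAMPLE_XML = """<security-domains>
  <security-domain name="MY_REALM" cache-type="default">
    <login-module code="Kerberos" flag="required">
      <module-option name="storeKey" value="true"/>
      <module-option name="useKeyTab" value="true"/>
      <module-option name="keyTab" value="/home/username/service.keytab"/>
      <module-option name="principal" value="host/testserver@MY_REALM"/>
      <module-option name="doNotPrompt" value="true"/>
      <module-option name="debug" value="false"/>
      <module-option name="addGSSCredential" value="true"/>
    </login-module>
  </security-domain>
  <security-domain name="passthrough-security" cache-type="default">
    <login-module code="Kerberos" flag="required">
      <module-option name="delegationCredential" value="REQUIRED"/>
    </login-module>
  </security-domain>
</security-domains>"""
# Assumed expectations taken from the page: keytab login for negotiation, mandatory delegation for pass-through.
NEGOTIATION_EXPECTED = {"storeKey": "true", "useKeyTab": "true", "doNotPrompt": "true",
                        "addGSSCredential": "true", "debug": "false"}
PASSTHROUGH_EXPECTED = {"delegationCredential": "REQUIRED"}

def kerberos_options(domain):
    """Return the module-options of the domain's Kerberos login module as a dict, or None."""
    for lm in domain.iter("login-module"):
        if lm.get("code") == "Kerberos":
            return {o.get("name"): o.get("value") for o in lm.iter("module-option")}
    return None

def check_domain(opts, expected):
    """List findings for options that are missing or differ from the expected values."""
    findings = [f"{k} should be {v!r}, found {opts.get(k)!r}"
                for k, v in expected.items() if opts.get(k) != v]
    if "useKeyTab" in expected and (not opts.get("keyTab") or "@" not in opts.get("principal", "")):
        findings.append("keyTab and a fully qualified principal (host/name@REALM) are both required")
    return findings

def lint(xml_text, negotiation="MY_REALM", passthrough="passthrough-security"):
    """Map each of the two named domains to its findings; an empty list means it matches the page."""
    targets = {negotiation: NEGOTIATION_EXPECTED, passthrough: PASSTHROUGH_EXPECTED}
    report = {}
    for domain in ET.fromstring(xml_text).iter("security-domain"):
        name, opts = domain.get("name"), kerberos_options(domain)
        if name in targets:
            report[name] = ["no Kerberos login-module"] if opts is None else check_domain(opts, targets[name])
    return report
```

Run `lint()` over the `<security-domains>` section of your own standalone.xml before deploying; a non-empty list for either domain means negotiation or delegation will not behave as described above.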
