Tuesday, October 4, 2011

Apache WSS4J 1.6.3 released

Apache WSS4J 1.6.3 has been released. It can be downloaded here and the issues fixed are listed in the WSS4J JIRA.

Probably the most significant part of this release is that WSS4J now fully supports the Kerberos Token Profile 1.1. In the previous release, support was added to retrieve a Kerberos token from a KDC, and insert it into the security header of a request, and then validate it accordingly on the receiving side. In WSS4J 1.6.3, support has been added to use the secret key associated with the Kerberos token to sign and encrypt the request, and to verify and decrypt on the receiving side. I am planning on writing a series of blog posts soon about how to use Kerberos with WSS4J and CXF. The forthcoming Apache CXF 2.4.3 release will have full WS-SecurityPolicy support for working with Kerberos, based on the work done in WSS4J 1.6.3.

In addition to the Kerberos work, WSS4J 1.6.3 features an upgraded Opensaml dependency, as well as several bug fixes.


  1. Hi,
    I have a question in this regard.If I need to use kerberos authentication via axis/rampart/wss4j, do I need any additional changes in other jars? A working example could be very useful.

  2. Hi Sourabh,

    As far as I know, Rampart has not yet upgraded to WSS4J 1.6.x, but is still using 1.5.x. So this functionality is not yet available in Rampart/Axis. So I suggest you inquire to the Rampart mailing list when they are planning on upgrading.