I found a great white paper (by Sun) about integrating Kerberos, JAAS and the GSS-API together for a heavy-duty SSO system. Unfortunately the article was written for Java 1.4 and is several years old.
(1) I'm wondering: is this "triumverate" (Kerberos-JAAS-GSS, or KJG for short) still (as of J6 and coming soon, J7) the predominant SSO mechanism for Java EE apps? If not, what is, and can you explain its architecture briefly?
My application would also require some secure web services. Prior to reading this paper, I was considering using SSL to secure the transport and either XWSS or (more likely) Apache's WSS4J framework for authentication/sigs/encryption:
(2) Is KJG (or whatever solution you recommended for Question 1 above) capable of providing secure web services? For instance, would it be possible to use KJG instead of WSS4J/SSL?
This second question is my attempt to see if I can reuse a lot of the SSO code for a secure web service implementation. Thanks in advance for any input or nudges in the right direction.
Have you considered SAML 2.0?
Its specification contains a Web SSO profile and it is supported in popular J2EE identity products such as OpenAM (formerly known as OpenSSO). I've worked with OpenASelect (which uses OpenSAML) to implement Web SSO.