Hi Mark,
Am 28.03.2011 10:49, schrieb Mark Thomas:
On 28/03/2011 08:42, Borut Hadžialić wrote:
Hellos Stefan,
if you can't fix your problem with configuration and decide that you
want to solve the problem by programming, then this might help you
http://blog.springsource.com/2009/09/28/spring-security-kerberos/
After understanding that article a developer should be able to add a
SPNEGO implementation (probably not the whole protocol, just as much
it is needed for your app) to your Tomcat application by adding some
filters.
Or you could just add Spring Security to your app. I'll add that as an
option to the new How-To.
I guess this is the classic kerberos/keytab approach (no NTLM-fallback)
that many solutions offer.
Today I've found Bug 49318 - add a Negotiate (Kerberos/NTLM) authenticator /
integrate Waffle (https://issues.apache.org/bugzilla/show_bug.cgi?id=49318).
The last comment links a new Windows Authentication How-To from Mark Thomas.
Looks like we have already tried almost all proposed solutions:
Thanks for the great feedback on the options. I put the existing how-to
together pretty much entirely on some Google searches. I'll add your
feedback to the how-to / maybe remove some options that don't look viable.
- IIS + mod_jk:
tried but stuck in Bug 47679. Also tried ARR to pass the user name
as a request header from IIS to Tomcat without success
- Apache mod_ntlm: used it and we replaced it by the much more stable
mod_auth_ntlm_winbind. NTLMv1 is also disabled on Windows 7 (default)
- Apache mod_auth_ntlm: in heavy use but stuck to Apache 2.0 and 32bit
plattform - we couldn't get stability problems solved on Apache 2.2
and 64bit Linux. No ongoing development.
- Apache mod_auth_sspi: till now in internal use for a very small
project (works just fine), not sure about the future. Although
there seems to be some new activity on 1.0.5 beta
- Waffle: found it on thursday and it is on my our todo-list for
testing it next week
Any chances to get Bug 47679 solved? How can we help (we are admins, no
devs)?
What solutions have you deployed? Recommendations?
It is tricky to recommend something right now. I'm guessing you want
something that a) works reliably and b) is likely to be supported for
the long term. Right now Waffle probably comes closest to that. It you
can wait a little while, I should have SPNEGO support in Tomcat 7 fairly
soon. It may - or may not - get back-ported to Tomcat 6. It will depend
on the eventual solution.
You're definitely right. We search for the holy grail of intranet
authentication. a+b is a must.
The idea of using IIS with ARR in reverse proxy mode passing a username
was dead end: Microsoft pointed us to a nice article describing HTTP
request processing order. Rewriting a request comes before the
authentication modul - so nothing to append to a header or request in
the first place.
See
http://learn.iis.net/page.aspx/501/iis-70-request-filtering-and-url-rewriting/
Leaves IIS with mod_jk if you can live with Bug 47679.
Our first test with Waffle is promising. Now it needs to be integrated
and in our application for further testing.
Native SPNEGO in Tomcat sounds great. Waiting a little while depends on
your scale of "little". Is there already some development we can follow?
Will this use Java GSS? I never figured out how to configure this with
Tomcat.
Stefan
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
