Hi,

I've been looking into enabling SPNEGO for our CAS server and have a
question relating to the CAS 3.4.12 + SPNEGO thread in
cas-u...@lists.jasig.org.

As the SPNEGO module works currently it puts itself as a layer before
the username/password authentication, sending an empty
401/Authorization: Negotiate response. If negotiation fails, say if the
kerberos tickets are expired, the login will fall back to
username/password which is nice.

But, browsers that are not explicitly configured to allow negotiation
for our server will just stop on the 401 response, not try a negotiation
and hence not fall back to username/password.

This makes the SPNEGO module somewhat useless for anything other than a
tightly controlled intranet environment where you have control over all
clients, which is not very internetish.

A work-around for this is to lay an additional layer in the login flow
and check for a user-agent header that in some manner indicates that the
browser is under sysadmin control and configured to use negotiation.
This works, but places an additional maintenance burden on all browsers,
whose user-agents must be maintained if we want to keep the original
version information in them.


So, my question is whether there is any particular reason why the SPNEGO
module does not rather amend the normal 200 username/password response with
the 401 Authorization: Negotiate headers, instead of sending a separate,
empty response before the username/password?

As far as I can see this would mean that unconfigured clients would work
just fine with username/password while configured clients will try a
negotiation.

Or am I missing something?

Best regards,
/Fredrik

-- 
Fredrik Jönsson, M.Sc.              Email:  f...@kth.se
System architect                    Phone:  +46 8 790 66 03
Kungliga tekniska högskolan (KTH)   Mobile: +46 73 595 66 03
KTH/UF/ITA/Infosys
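As an added illustration (not code from the message above or from the CAS project), the following Python sketch models the two login flows the message discusses: the current behaviour, an empty 401 challenge with the username/password page served only on a later request, and a combined single response that carries the Negotiate challenge together with the form. The combined response is sent as a 401 rather than the 200 suggested in the message, because HTTP clients only act on a WWW-Authenticate challenge when it arrives on a 401; an unconfigured browser, having nothing to negotiate, renders the body, which here is the form. The Kerberos acceptance step is a constructed stand-in (`demo_validate`), as are the login form and the ticket value; a real deployment would hand the decoded token to GSS-API. The example also handles two fallback cases the message touches on: a rejected (e.g. expired) ticket, and a client that sends an NTLM message inside the Negotiate scheme or a malformed token.

```python
import base64
from dataclasses import dataclass
from typing import Callable, Dict, Mapping, Optional

# Constructed stand-in for the CAS username/password page (not the real CAS form).
LOGIN_FORM = (
    "<html><body><form method='post' action='/cas/login'>"
    "<input name='username'><input type='password' name='password'>"
    "<input type='submit' value='Login'></form></body></html>"
)

# Leading bytes of a raw NTLM message. A browser without a Kerberos ticket may
# fall back to NTLM inside the Negotiate scheme; a Kerberos-only server should
# treat that as "no usable ticket" and fall through, not challenge again.
NTLM_SIGNATURE = b"NTLMSSP\x00"

# A validator takes the decoded GSS token and returns the principal, or None.
Validator = Callable[[bytes], Optional[str]]


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: str


def negotiate_header(raw_token: bytes) -> str:
    """Build the client-side 'Authorization' value for a raw GSS token."""
    return "Negotiate " + base64.b64encode(raw_token).decode("ascii")


def parse_negotiate_token(auth_header: Optional[str]) -> Optional[bytes]:
    """Decode 'Negotiate <base64>' into the raw token, or return None.

    None covers: header absent, another scheme (Basic, NTLM, ...), empty or
    undecodable token. Malformed input must never raise, since raising would
    prevent the fall back to username/password.
    """
    if not auth_header:
        return None
    scheme, _, token = auth_header.strip().partition(" ")
    if scheme.lower() != "negotiate" or not token.strip():
        return None
    try:
        return base64.b64decode(token.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def form_response(status: int = 200, challenge: bool = False) -> Response:
    """The username/password page, optionally carrying the Negotiate challenge."""
    headers = {"Content-Type": "text/html"}
    if challenge:
        headers["WWW-Authenticate"] = "Negotiate"
    return Response(status, headers, LOGIN_FORM)


def handle_login(request_headers: Mapping[str, str], validate: Validator,
                 combined: bool = False) -> Response:
    """Decide the login response for one request to /cas/login.

    combined=False: the current two-step module behaviour (empty 401 first).
    combined=True:  one 401 that carries both the challenge and the form.
    """
    auth = request_headers.get("Authorization")
    if auth is None:
        if combined:
            # Configured browsers see the challenge and retry with a token;
            # unconfigured browsers have nothing to negotiate and render the body.
            return form_response(status=401, challenge=True)
        # Current behaviour: empty challenge, form only on a later request.
        return Response(401, {"WWW-Authenticate": "Negotiate"}, "")

    token = parse_negotiate_token(auth)
    if token is None or token.startswith(NTLM_SIGNATURE):
        # Other scheme, garbage token, or NTLM fallback: serve the password
        # form instead of challenging again, so the client cannot loop.
        return form_response()

    principal = validate(token)
    if principal is None:
        # Ticket rejected (e.g. expired): fall back to username/password.
        return form_response()
    return Response(200, {"Content-Type": "text/plain"},
                    f"authenticated as {principal}")


def demo_validate(token: bytes) -> Optional[str]:
    """Constructed stand-in for GSS-API acceptance; accepts one fixed token."""
    return "fredrik@EXAMPLE.ORG" if token == b"constructed-valid-ticket" else None


if __name__ == "__main__":
    for name, combined in (("current", False), ("combined", True)):
        first = handle_login({}, demo_validate, combined=combined)
        print(name, first.status, first.headers, "body bytes:", len(first.body))
    ok = handle_login({"Authorization": negotiate_header(b"constructed-valid-ticket")},
                      demo_validate)
    print(ok.status, ok.body)
```

Running the script prints the first-round-trip response for both flows and the success case for a valid token. The design point is that every non-success branch after a token has been presented ends at the password form, so neither a stale ticket nor an NTLM fallback can leave a client stuck on repeated 401 challenges.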

