Hello, has anyone tried to do something like that?
I need to create a portal, based on Liferay software, where some users will always be authenticated. They're coming from AD and I can authenticate them against it. The trick is: the user cannot see any login form; he has to be authenticated automatically without any interaction. There is SPNEGO and it works well. But there are other users, who should be able to see some part of the portal, but won't be authenticated and will be redirected to a different part of the portal.
Every page on the portal is guarded by the CAS filter; if a user is not somehow authenticated, he is redirected to CAS for authentication. I came up with the idea of a "guest login": let's create some user as which every user who didn't pass SPNEGO authentication will be authenticated. The problem is: SPNEGO authentication works in two parts. The first one ends with an HTTP response with a 401 Unauthorized error and a "WWW-Authenticate: Negotiate" header. Every browser with SPNEGO authentication enabled will send another request to the very same page, but with an additional Kerberos token via which the user will be authenticated. In the second part CAS once again walks through the login-webflow, but this time SPNEGO succeeds and the user is authenticated. If SPNEGO failed, then my bean will authenticate the "guest user".
My problem is: if the browser is not configured for SPNEGO, there won't be a second part and my bean won't even be called. The only idea I have right now is to alter SPNEGO to send not a 401 Unauthorized but a 302 redirect to the same page, but with the "WWW-Authenticate: Negotiate" header. Does anyone know if SPNEGO will be supported that way? I haven't checked that yet.
Maybe someone has a different way of doing such a thing? I was considering loosening the CAS filter a bit, but every user sees the portal in his own way, and to do so I HAVE to force him to authenticate. Any ideas?
Regards
Jacek Bilski
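The two-part exchange described in the message above, modelled as an added example that is not part of the original post and is not CAS code. The function names, the `guest` principal, the user `alice` and the `krb:<user>` token format are constructed stand-ins; real Kerberos validation is replaced by a string check.

```python
import base64

GUEST = "guest"  # hypothetical fallback principal, as in the "guest login" idea


def validate_token(token_b64):
    """Stand-in for Kerberos validation: a constructed token 'krb:<user>' succeeds."""
    try:
        raw = base64.b64decode(token_b64, validate=True).decode()
    except Exception:
        return None
    return raw[4:] if raw.startswith("krb:") and len(raw) > 4 else None


def login_flow(headers, trace):
    """One pass through the modelled login webflow: (status, headers, principal)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Negotiate "):
        # Part one: no token yet, so challenge the client and stop.
        trace.append("challenge")
        return 401, {"WWW-Authenticate": "Negotiate"}, None
    # Part two: only reached if the client answered the challenge.
    trace.append("spnego")
    user = validate_token(auth[len("Negotiate "):])
    if user is None:
        trace.append("guest-fallback")  # the fallback bean runs here
        user = GUEST
    return 200, {}, user


def browse(token=None):
    """Model a browser; token=None means SPNEGO is not configured in it."""
    trace = []
    status, resp, principal = login_flow({}, trace)
    challenged = status == 401 and resp.get("WWW-Authenticate") == "Negotiate"
    if challenged and token is not None:
        hdr = "Negotiate " + base64.b64encode(token.encode()).decode()
        status, resp, principal = login_flow({"Authorization": hdr}, trace)
    return status, principal, trace


if __name__ == "__main__":
    # Constructed clients: valid token, token that fails validation, no SPNEGO.
    for label, tok in [("domain browser", "krb:alice"),
                       ("failing token", "junk"),
                       ("no SPNEGO", None)]:
        print(label, browse(tok))
```

The third client stops at the 401, so the trace never contains `guest-fallback`: the fallback sits behind a request that this client never sends.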
