Hi Nikola

Thanks for your quick and detailed reply. While it would be great if Tomcat could interpret SPNEGO, I don't mind setting up Apache to sit in front of Tomcat (in fact I was going to do this anyway for speeding up the static content).

How would Apache send the details to Tomcat once it's happy with the ticket it's received? Would it be in the form of simple request params? I guess so. I also guess it's time for me to RTFM on mod_krb_auth/mod_spnego :-)

Thanks very much for giving me a starting point. It's nice to know that what I am attempting *should* be possible.

Regards

Richard

From: Nikola Milutinovic <[EMAIL PROTECTED]>
To: [email protected]
Subject: Re: Active Directory --> Java web app
Date: Mon, 01 Aug 2005 14:56:08 +0200

Richard Gundersen wrote:

Hi

I have written a Java web application which has a basic password login screen. This works fine, but I would now like to allow users into my system if they have previously authenticated against Active Directory. I.E. if they can provide a valid kerberos ticket, I'll let them straight through. NB I do not maintain the instance of Active Directory; it actually belongs to another organisation.

Could anyone suggest a good way for me to do this. I guess I need to address the following:

1) How will AD pass its ticket to my system?
2) How will I verify the ticket? (GSS-API?)
3) I know MS have done some dodgy things to their tickets (non-standard flags). Do I need to worry about them for this reason?


First of all, what you need is a web server that knows of the authentication method SPNEGO (Security Protocol: NEGOtiate), which is, well, sort of a standard. It allows browser and server to use GSS-API and pass Kerberos tickets in a real Kerberos fashion.

Tomcat knows nothing of this and I doubt any other Java Servlet/JSP container out there knows it either. So, you're stuck with either Apache+mod_krb_auth/mod_spnego or IIS to run as front end web servers and pass auth info to your Java Web Application.

Note also that there are alternatives that cut in and pass Kerberos tickets inside cookies, but they require a separate software installation and are not a part of any standard. This doesn't mean they are not working or not working well. Just that SPNEGO is an accepted standard, supported by Mozilla and IE, requiring no additional install on the clients, while those others are an add-on.

Nix.
________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
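An added configuration sketch of the Apache-in-front-of-Tomcat setup Nikola describes and Richard asks about; it is an example, not configuration from either poster. It assumes mod_auth_kerb (the module usually meant by "mod_krb_auth") and mod_proxy_ajp on Apache 2.2 or later; the realm, hostnames and keytab path are placeholders.

```apache
# Apache httpd front end: browser <-SPNEGO-> httpd <-AJP-> Tomcat
# Assumes Apache 2.2+ with mod_auth_kerb and mod_proxy_ajp loaded.
LoadModule auth_kerb_module modules/mod_auth_kerb.so
LoadModule proxy_module     modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so

<Location />
    AuthType Kerberos
    AuthName "Kerberos Login"
    # Placeholder realm; it must be the realm of the AD that issues the
    # tickets, and the keytab must hold HTTP/www.example.com@EXAMPLE.COM
    # (the service principal registered for this web server in that AD).
    KrbAuthRealms EXAMPLE.COM
    Krb5Keytab /etc/httpd/conf/http.keytab
    KrbMethodNegotiate on
    # No fallback to Basic auth: never collect AD passwords here.
    KrbMethodK5Passwd off
    Require valid-user

    # Hand the request to Tomcat over AJP. The authenticated principal is
    # not a request parameter; AJP carries it as REMOTE_USER, which the
    # servlet reads with request.getRemoteUser(), e.g. "richard@EXAMPLE.COM".
    ProxyPass ajp://127.0.0.1:8009/
</Location>

# Tomcat side (server.xml): the AJP connector must accept the principal
# Apache forwards, and must be reachable only from Apache:
#
#   <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
#              tomcatAuthentication="false" />
#
# With tomcatAuthentication left at its default (true), Tomcat ignores
# REMOTE_USER and the web app sees no user. With it set to false, anything
# that can open a connection to port 8009 can assert any identity, so the
# connector is bound to loopback and the port is firewalled from everywhere
# except the Apache host.
```

The web application then treats the forwarded principal as already authenticated and only has to map it to its own user record, replacing the password screen for Kerberos-capable browsers.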
