You might use a commercial Java package from Vintela/Wedgetail, which I think is now part of Quest and which, as far as I remember, works with Tomcat.
Markus

"Richard Gundersen" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> Hi Nikola
>
> Thanks for your quick and detailed reply. While it would be great if
> Tomcat could interpret SPNEGO, I don't mind setting up Apache to sit in
> front of Tomcat (in fact I was going to do this anyway for speeding up the
> static content).
>
> How would Apache send the details to Tomcat once it's happy with the
> ticket it's received? Would it be in the form of simple request params? I
> guess so. I also guess it's time for me to RTFM on mod_krb_auth/mod_spnego
> :-)
>
> Thanks very much for giving me a starting point. It's nice to know that
> what I am attempting *should* be possible.
>
> Regards
>
> Richard
>
>>From: Nikola Milutinovic <[EMAIL PROTECTED]>
>>To: [email protected]
>>Subject: Re: Active Directory --> Java web app
>>Date: Mon, 01 Aug 2005 14:56:08 +0200
>>
>>Richard Gundersen wrote:
>>
>>>Hi
>>>
>>>I have written a Java web application which has a basic password login
>>>screen. This works fine, but I would now like to allow users into my
>>>system if they have previously authenticated against Active Directory.
>>>I.E. if they can provide a valid kerberos ticket, I'll let them straight
>>>through. NB I do not maintain the instance of Active Directory; it
>>>actually belongs to another organisation.
>>>
>>>Could anyone suggest a good way for me to do this. I guess I need to
>>>address the following:
>>>
>>>1) How will AD pass its ticket to my system?
>>>2) How will I verify the ticket? (GSS-API?)
>>>3) I know MS have done some dodgy things to their tickets (non-standard
>>>flags). Do I need to worry about them for this reason?
>>
>>
>>First of all, what you need is that web server knows of authentication
>>method SPNEGO (Security Protocol: NEGOtiate), which is, well, sort of a
>>standard. It allows browser and server to use GSS-API and pass Kerberos
>>tickets in a real Kerberos fashion.
>>
>>Tomcat knows nothing of this and I doubt any other Java Servlet/JSP
>>container out there knows it either. So, you're stuck with either
>>Apache+mod_krb_auth/mod_spnego or IIS to run as front end web servers and
>>pass auth info to your Java Web Application.
>>
>>Note also that there are alternatives, that cut-in and pass kerberos
>>tickets inside cookies, but they require a separate software installation
>>and are not a part of any standard. This doesn't mean they are not working
>>or not working well. Just that SPNEGO is an accepted standard, supported
>>by Mozilla and IE, requiring no additional install on the clients, while
>>those others are an add-on.
>>
>>Nix.
>>________________________________________________
>>Kerberos mailing list [email protected]
>>https://mailman.mit.edu/mailman/listinfo/kerberos
