http://devel.it.su.se/pub/jsp/polopoly.jsp?d=1047

For tomcat, jboss, java-common, ruby examples how to get it working.

Love

On 5 Mar 2009, at 11:44, Wyllys Ingersoll wrote:

> I documented using Kerberos with an Apache Web server and Firefox a
> while ago (for Solaris 10), but the ideas are very similar for Linux
> or non-Solaris as long as you stick with Apache, Firefox, and a
> Kerberos package that is based on MIT's codebase.
>
> http://blogs.sun.com/wyllys/entry/kerberos_web_authentiation_with_apache
>
> The doc may be a bit out of date, but I believe most of the steps are
> still correct and apply to newer releases of Solaris as well as Linux,
> albeit with some slightly different pathnames and settings.
>
> Just getting web-based authentication configured and working is only
> the beginning, though. To extend the reach and the use of the tickets
> to other processes (such as having the forwarded ticket then be used
> to authenticate to other backend services on behalf of the user) would
> require additional work for both the web server and the middleware
> that it needs to talk to. Getting this to work with Tomcat or other
> web servers will definitely require some additional effort and digging
> around, I don't know what the current state of the art is in those
> areas.
>
> -Wyllys
>
> Frank Gruellich wrote:
>> Hi,
>>
>> I have set up a Kerberos realm. A user and a service (let's say a
>> database) are both included as principals in KDC database and the
>> service restricts access to */[email protected]. User and service can
>> communicate perfectly using a database CLI at the user's machine.
>>
>> Now these days CLIs aren't "state-of-the-art" anymore and $managers
>> refuse to use them. Let's throw a long discussion and platform
>> independent, Web2.0 ready and more buzzwords into the pot and we get
>> the need for a browser based web frontend to the service. And that's
>> the point where I do not get the full picture about Kerberos.
>>
>> How would that work in a fully kerberized environment using all these
>> great features like single-sign-on and never transmitting a password
>> over the wire? For sure, I would have to add the webserver to the KDC
>> database, but what then? Would I add the webserver principal to the
>> ACL list of the service and add another authentication/authorization
>> layer into the web application? Could I somehow forward the user's
>> ticket for the service to the webserver and make the application give
>> it to the service, proving this way that the user requested access to
>> the service? That would keep all authentication on service side, but
>> is it a good idea to give a service ticket to another machine? Would
>> that even work given that the user's machine IP# is added to the
>> tickets, AFAICS?
>>
>> In the current setup the software involved are MIT Kerberos, an
>> OpenLDAP server as service, e.g. phpLDAPadmin as web application,
>> Apache httpd running it, and various browsers used to access it
>> running on different OS's. But I'm more interested in the general
>> Kerberos idea how to do that. However, if you point me to specific
>> software I should use in this setup I would be happy, too.
>>
>> Thanks in advance for some enlightenment.
>>
>> Kind regards,
>
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
