Security depends on where you put the token. If the URL is guessable, you're subject to clickjacking. See http://www.hpl.hp.com/techreports/2009/HPL-2009-20.html.
________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
http://www.hpl.hp.com/personal/Alan_Karp

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Thomas Hardjono
> Sent: Wednesday, March 04, 2009 9:00 AM
> To: 'Frank Gruellich'; [email protected]
> Cc: 'MIT Krb-and-Web discussion list'
> Subject: Re: [Mitkc-web] Kerberos in Browser based Applications
>
> Frank,
>
> Getting Kerberos to support single-sign-on on the Web (Web-SSO) has a
> number of challenges. I'm not sure if the browsers today fully support
> the trafficking of Kerberos tickets/tokens. The closest seems to be
> HTTP-Negotiate, but I believe it also needs more work. There are a set
> of drafts in the IETF that are trying to address some of these issues.
> Then there is the question of how to get all this working with the
> Identity Federation infrastructures.
>
> ps. Kerb-on-the-web is one of the initiatives at the MIT-KC.
> http://kerberos.org/software/kerbweb.pdf
>
> cheers,
>
> /thomas/
>
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]] On Behalf Of Frank Gruellich
> > Sent: Tuesday, March 03, 2009 12:47 PM
> > To: [email protected]
> > Subject: Kerberos in Browser based Applications
> >
> > Hi,
> >
> > I have set up a Kerberos realm. A user and a service (let's say a
> > database) are both included as principals in the KDC database and the
> > service restricts access to */[email protected]. User and service
> > can communicate perfectly using a database CLI at the user's machine.
> >
> > Now these days CLIs aren't "state-of-the-art" anymore and $managers
> > refuse to use them. Let's throw a long discussion and platform
> > independent, Web2.0 ready and more buzzwords into the pot and we get
> > the need for a browser based web frontend to the service. And that's
> > the point where I do not get the full picture about Kerberos.
> >
> > How would that work in a fully kerberized environment using all these
> > great features like single-sign-on and never transmitting a password
> > over the wire? For sure, I would have to add the webserver to the KDC
> > database, but what then? Would I add the webserver principal to the
> > ACL list of the service and add another authentication/authorization
> > layer into the web application? Could I somehow forward the user's
> > ticket for the service to the webserver and make the application give
> > it to the service, proving this way that the user requested access to
> > the service? That would keep all authentication on the service side,
> > but is it a good idea to give a service ticket to another machine?
> > Would that even work given that the user's machine IP# is added to
> > the tickets, AFAICS?
> >
> > In the current setup the software involved is MIT Kerberos, an
> > OpenLDAP server as service, e.g. phpLDAPadmin as web application,
> > Apache httpd running it, and various browsers used to access it
> > running on different OS's. But I'm more interested in the general
> > Kerberos idea of how to do that. However, if you point me to specific
> > software I should use in this setup I would be happy, too.
> >
> > Thanks in advance for some enlightenment.
> >
> > Kind regards,
> > --
> > Navteq (DE) GmbH
> > Frank Gruellich
> > Map24 Systems and Networks
> >
> > Duesseldorfer Strasse 40a
> > 65760 Eschborn
> > Germany
> >
> > Phone: +49 6196 77756-414
> > Fax: +49 6196 77756-100
> >
> > USt-ID-No.: DE 197947163
> > Managing Directors: Thomas Golob, Alexander Wiegand,
> > Hans Pieter Gieszen, Martin Robert Stockman
> > ________________________________________________
> > Kerberos mailing list [email protected]
> > https://mailman.mit.edu/mailman/listinfo/kerberos
>
> _______________________________________________
> MITKC-Web mailing list
> [email protected]
> http://mailman.mit.edu/mailman/listinfo/mitkc-web
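Thomas's remark that the browser side of Web-SSO runs through HTTP-Negotiate, and Frank's question about how the user's ticket reaches the web server, both turn on one detail the thread does not spell out: the base64 blob a browser sends after "Authorization: Negotiate" is not necessarily a Kerberos ticket. It may be a SPNEGO token offering several mechanisms, a bare Kerberos GSS-API token, or, from a Windows client that could not obtain a ticket, a raw NTLMSSP message. A web server that wants "never transmit a password" has to check which of these it actually received. The following is an added example written for this page, not code from anyone in the thread; it decodes just enough DER to name the mechanisms in such a header. The sample headers are constructed inline (the Kerberos mechToken is 16 dummy bytes, not a real AP-REQ), and the OID constants are the published ones for SPNEGO, Kerberos V5, the legacy Microsoft Kerberos OID and NTLMSSP.

```python
"""Classify what a client actually put in an `Authorization: Negotiate` header."""
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"          # legacy Microsoft Kerberos OID
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"
OID_NAMES = {SPNEGO_OID: "SPNEGO", KRB5_OID: "Kerberos V5",
             MS_KRB5_OID: "MS Kerberos V5", NTLMSSP_OID: "NTLMSSP"}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def classify_negotiate(header_value):
    """Return {'outer': <token kind>, 'mechs': [mechanism names in offered order]}."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    token = base64.b64decode(b64)
    if token.startswith(b"NTLMSSP\x00"):                # NTLM with no GSS wrapper at all
        return {"outer": "raw NTLMSSP", "mechs": ["NTLMSSP"]}
    tag, body, _ = _read_tlv(token, 0)
    if tag != 0x60:                                     # GSS-API InitialContextToken (RFC 2743 3.1)
        raise ValueError("not a GSS-API InitialContextToken")
    oid_tag, oid_val, pos = _read_tlv(body, 0)
    if oid_tag != 0x06:
        raise ValueError("missing mechanism OID")
    outer = _decode_oid(oid_val)
    if outer in (KRB5_OID, MS_KRB5_OID):               # bare Kerberos token, no negotiation
        return {"outer": OID_NAMES[outer], "mechs": [OID_NAMES[outer]]}
    if outer != SPNEGO_OID:
        return {"outer": OID_NAMES.get(outer, outer), "mechs": []}
    neg_tag, neg_body, _ = _read_tlv(body, pos)
    if neg_tag != 0xA0:                                 # only negTokenInit [0] carries mechTypes
        raise ValueError("expected SPNEGO negTokenInit")
    _, fields, _ = _read_tlv(neg_body, 0)               # NegTokenInit SEQUENCE
    mechs, p = [], 0
    while p < len(fields):
        ctag, cval, p = _read_tlv(fields, p)
        if ctag == 0xA0:                                # mechTypes [0] SEQUENCE OF OID
            _, lst, _ = _read_tlv(cval, 0)
            q = 0
            while q < len(lst):
                _, oval, q = _read_tlv(lst, q)
                oid = _decode_oid(oval)
                mechs.append(OID_NAMES.get(oid, oid))
    return {"outer": "SPNEGO", "mechs": mechs}


def kerberos_offered(header_value):
    """True if the client offered Kerberos at all (even with NTLM listed as well)."""
    return any(m.endswith("Kerberos V5") for m in classify_negotiate(header_value)["mechs"])


# --- constructed sample tokens (encoder side, used only to build demo input) ---
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_spnego_init(mech_oids, mech_token=b""):
    mech_list = _tlv(0x30, b"".join(_encode_oid(o) for o in mech_oids))
    fields = _tlv(0xA0, mech_list)
    if mech_token:
        fields += _tlv(0xA2, _tlv(0x04, mech_token))   # mechToken [2] OCTET STRING
    return _tlv(0x60, _encode_oid(SPNEGO_OID) + _tlv(0xA0, _tlv(0x30, fields)))


def _header(token):
    return "Negotiate " + base64.b64encode(token).decode()

# Constructed headers; the Kerberos mechToken below is 16 dummy bytes, not a real AP-REQ.
SAMPLE_HEADERS = {
    "spnego_krb_first": _header(build_spnego_init([KRB5_OID, NTLMSSP_OID], b"\x00" * 16)),
    "spnego_ntlm_only": _header(build_spnego_init([NTLMSSP_OID])),
    "raw_krb5": _header(_tlv(0x60, _encode_oid(KRB5_OID) + b"\x01\x00" + b"\x00" * 16)),
    "raw_ntlm": _header(b"NTLMSSP\x00\x01\x00\x00\x00\x07\x82\x08\xa2"),
}

if __name__ == "__main__":
    for name, hdr in SAMPLE_HEADERS.items():
        print(name, classify_negotiate(hdr))
```

The point for a Kerberized web frontend is that accepting "Negotiate" is not the same as requiring Kerberos: if the server's GSS library is allowed to fall back to NTLM, a client without a ticket will silently authenticate with a password-derived exchange, which is exactly what the question above wants to avoid. Logging the result of classify_negotiate for each request, or rejecting anything where kerberos_offered is false, makes that fallback visible.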
