[Mitkc-web] Kerberos in Browser based Applications

Karp, Alan H alan.karp at hp.com
Tue Mar 17 20:13:05 EDT 2009


Security depends on where you put the token.  If the URL is guessable, you're subject to clickjacking.  See http://www.hpl.hp.com/techreports/2009/HPL-2009-20.html. 

________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
http://www.hpl.hp.com/personal/Alan_Karp


> -----Original Message-----
> From: mitkc-web-bounces at mit.edu [mailto:mitkc-web-bounces at mit.edu] On
> Behalf Of Thomas Hardjono
> Sent: Wednesday, March 04, 2009 9:00 AM
> To: 'Frank Gruellich'; kerberos at mit.edu
> Cc: 'MIT Krb-and-Web discussion list'
> Subject: Re: [Mitkc-web] Kerberos in Browser based Applications
> 
> Frank,
> 
> Getting Kerberos to support single-sign-on on the Web (Web-SSO) has a
> number of challenges.  I'm not sure if the browsers today fully support
> the trafficking of Kerberos tickets/tokens. The closest seems to be
> HTTP-Negotiate, but I believe it also needs more work. There are a set
> of drafts in the IETF that are trying to address some of these issues.
> Then there is the question of how to get all this working with the
> Identity Federation infrastructures.
> 
> ps. Kerb-on-the-web is one of the initiatives at the MIT-KC.
> http://kerberos.org/software/kerbweb.pdf
> 
> cheers,
> 
> 
> /thomas/
> 
> 
> > -----Original Message-----
> > From: kerberos-bounces at MIT.EDU [mailto:kerberos-bounces at MIT.EDU] On
> > Behalf Of Frank Gruellich
> > Sent: Tuesday, March 03, 2009 12:47 PM
> > To: kerberos at MIT.EDU
> > Subject: Kerberos in Browser based Applications
> >
> > Hi,
> >
> > I have set up a Kerberos realm.  A user and a service (let's say a
> > database) are both included as principals in the KDC database and the
> > service restricts access to */dbuser at EXAMPLE.COM.  User and service
> > can communicate perfectly using a database CLI at the user's machine.
> >
> > Now these days CLIs aren't "state-of-the-art" anymore and $managers
> > refuse to use them.  Let's throw a long discussion and platform
> > independent, Web2.0 ready and more buzzwords into the pot and we get
> > the need for a browser based web frontend to the service.  And that's
> > the point where I do not get the full picture about Kerberos.
> >
> > How would that work in a fully kerberized environment using all these
> > great features like single-sign-on and never transmitting a password
> > over the wire?  For sure, I would have to add the webserver to the
> > KDC database, but what then?  Would I add the webserver principal to
> > the ACL list of the service and add another authentication/authorization
> > layer into the web application?  Could I somehow forward the user's
> > ticket for the service to the webserver and make the application give
> > it to the service, proving this way that the user requested access to
> > the service?  That would keep all authentication on the service side,
> > but is it a good idea to give a service ticket to another machine?
> > Would that even work given that the user's machine IP# is added to the
> > tickets, AFAICS?
> >
> > In the current setup the software involved is MIT Kerberos, an
> > OpenLDAP server as service, e.g. phpLDAPadmin as web application,
> > Apache httpd running it, and various browsers used to access it
> > running on different OS's.  But I'm more interested in the general
> > Kerberos idea of how to do that.  However, if you point me to specific
> > software I should use in this setup I would be happy, too.
> >
> > Thanks in advance for some enlightenment.
> >
> > Kind regards,
> > --
> > Navteq (DE) GmbH
> > Frank Gruellich
> > Map24 Systems and Networks
> >
> > Duesseldorfer Strasse 40a
> > 65760 Eschborn
> > Germany
> >
> > Phone:      +49 6196 77756-414
> > Fax:        +49 6196 77756-100
> >
> > USt-ID-No.: DE 197947163
> > Managing Directors: Thomas Golob, Alexander Wiegand,
> > Hans Pieter Gieszen, Martin Robert Stockman
> > ________________________________________________
> > Kerberos mailing list           Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> _______________________________________________
> MITKC-Web mailing list
> MITKC-Web at mit.edu
> http://mailman.mit.edu/mailman/listinfo/mitkc-web
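Added example, not code from this thread, from MIT Kerberos or from HP: a small Python check for the point Alan raises (where the token sits) alongside the HTTP-Negotiate mechanism Thomas mentions. It looks only at the outer GSS-API framing and mechanism OIDs (RFC 2743, RFC 4178), refuses a token carried in the URL and refuses an NTLM fallback; validating the Kerberos AP-REQ itself is the GSS-API library's job, and the token bytes, URL and header names used here are constructed.

```python
import base64
from urllib.parse import parse_qs, urlsplit

# DER-encoded mechanism OIDs found in GSS-API initial context tokens (RFC 2743 s.3.1)
SPNEGO_OID = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f71201020202")  # 1.2.840.113554.1.2.2
NTLMSSP = b"NTLMSSP\x00"                              # raw NTLM, what browsers fall back to

def gss_frame(oid: bytes, inner: bytes) -> bytes:
    """Build a GSS-API initial context token: 0x60, DER length, mech OID, inner token (constructed)."""
    body = oid + inner
    n = len(body)
    if n < 0x80:
        length = bytes([n])                       # short-form DER length
    else:
        nb = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nb]) + n.to_bytes(nb, "big")  # long form
    return b"\x60" + length + body

def gss_mech(token: bytes) -> str:
    """Name the mechanism a token carries, trusting nothing beyond its outer framing."""
    if token.startswith(NTLMSSP):
        return "ntlm"
    if len(token) < 2 or token[0] != 0x60:
        return "unknown"
    i = 2 + (token[1] & 0x7F if token[1] & 0x80 else 0)  # skip short or long DER length
    if token[i:].startswith(SPNEGO_OID):
        return "spnego"
    if token[i:].startswith(KRB5_OID):
        return "krb5"
    return "unknown"

def _decode(value: str) -> bytes:
    try:
        return base64.b64decode(value, validate=True)
    except ValueError:
        return b""

def classify(url: str, headers: dict) -> tuple:
    """Answer a request with (status, reason); only the header path reaches the GSS-API acceptor."""
    for values in parse_qs(urlsplit(url).query).values():
        if any(gss_mech(_decode(v)) != "unknown" for v in values):
            return 400, "credential in the URL: bookmarkable, logged, guessable; refuse it"
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme != "Negotiate":
        return 401, "WWW-Authenticate: Negotiate"  # challenge the browser
    mech = gss_mech(_decode(value))
    if mech not in ("spnego", "krb5"):
        return 401, f"{mech} token rejected; Kerberos only"
    return 200, f"{mech} token: hand to the GSS-API acceptor"
```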