Active Directory --> Java web app
Nikola Milutinovic
Nikola.Milutinovic at ev.co.yu
Mon Aug 1 08:56:08 EDT 2005
Richard Gundersen wrote:
> Hi
>
> I have written a Java web application which has a basic password login
> screen. This works fine, but I would now like to allow users into my
> system if they have previously authenticated against Active Directory.
> I.E. if they can provide a valid kerberos ticket, I'll let them
> straight through. NB I do not maintain the instance of Active
> Directory; it actually belongs to another organisation.
>
> Could anyone suggest a good way for me to do this? I guess I need to
> address the following:
>
> 1) How will AD pass its ticket to my system?
> 2) How will I verify the ticket? (GSS-API?)
> 3) I know MS have done some dodgy things to their tickets
> (non-standard flags). Do I need to worry about them for this reason?
First of all, what you need is a web server that knows the authentication
method SPNEGO (Security Protocol: NEGOtiate), which is, well, sort of a
standard. It allows browser and server to use GSS-API and pass Kerberos
tickets in a real Kerberos fashion.
Tomcat knows nothing of this and I doubt any other Java Servlet/JSP
container out there knows it either. So, you're stuck with either
Apache+mod_krb_auth/mod_spnego or IIS to run as front end web servers
and pass auth info to your Java Web Application.
Note also that there are alternatives that cut in and pass Kerberos
tickets inside cookies, but they require a separate software
installation and are not a part of any standard. This doesn't mean they
are not working or not working well. Just that SPNEGO is an accepted
standard, supported by Mozilla and IE, requiring no additional install
on the clients, while those others are an add-on.
Nix.
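As an added illustration of the SPNEGO exchange Nix describes (browser sends a Kerberos ticket under the HTTP `Negotiate` scheme, server verifies it through GSS-API), here is a servlet filter that does the acceptor side inside the Java web application itself using the standard JGSS API. It is example code written for this page, not code from the thread's authors, Tomcat, or any of the Apache modules mentioned. It assumes Java 8 or later (JGSS with the SPNEGO mechanism, `java.util.Base64`), a Servlet 2.5+ container, and that the JVM already holds acceptor credentials for the `HTTP/<hostname>` service principal, for example through a JAAS `Krb5LoginModule` keytab login around the container or `-Djavax.security.auth.useSubjectCredsOnly=false` with a `com.sun.security.jgss.krb5.accept` JAAS entry. The class and attribute names are hypothetical.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;
import org.ietf.jgss.*;

// Example SPNEGO acceptor filter (hypothetical name, not part of any project).
// Assumes the JVM is logged in with the HTTP/<host> keytab before this filter runs.
public class SpnegoFilter implements Filter {

    /** Request attribute under which the verified Kerberos principal is published. */
    public static final String PRINCIPAL_ATTR = "spnego.principal";

    private static final String NEGOTIATE = "Negotiate";
    // Raw NTLM tokens carry this signature; they hold no Kerberos ticket we could verify.
    private static final byte[] NTLM_SIGNATURE = "NTLMSSP\0".getBytes(StandardCharsets.US_ASCII);

    private GSSManager manager;
    private GSSCredential acceptorCred;

    @Override
    public void init(FilterConfig config) throws ServletException {
        try {
            manager = GSSManager.getInstance();
            Oid spnegoMech = new Oid("1.3.6.1.5.5.2"); // SPNEGO mechanism OID
            // null name: use whichever acceptor principal the JVM's Kerberos credentials carry
            acceptorCred = manager.createCredential(null, GSSCredential.INDEFINITE_LIFETIME,
                    spnegoMech, GSSCredential.ACCEPT_ONLY);
        } catch (GSSException e) {
            throw new ServletException("cannot obtain SPNEGO acceptor credential", e);
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String header = request.getHeader("Authorization");
        if (header == null || !header.startsWith(NEGOTIATE + " ")) {
            challenge(response, null); // no ticket yet: advertise Negotiate (RFC 4559)
            return;
        }

        byte[] inToken;
        try {
            inToken = Base64.getDecoder().decode(header.substring(NEGOTIATE.length() + 1).trim());
        } catch (IllegalArgumentException e) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "malformed Negotiate token");
            return;
        }
        if (startsWith(inToken, NTLM_SIGNATURE)) {
            // Browser fell back to NTLM under the Negotiate scheme: refuse instead of trying to parse it.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "NTLM not accepted");
            return;
        }

        GSSContext context = null;
        try {
            context = manager.createContext(acceptorCred);
            // Verifies the AP-REQ inside the SPNEGO token against our service key.
            byte[] outToken = context.acceptSecContext(inToken, 0, inToken.length);
            if (!context.isEstablished()) {
                challenge(response, outToken); // Kerberos completes in one round trip; anything else is refused
                return;
            }
            String principal = context.getSrcName().toString(); // e.g. "alice@EXAMPLE.COM"
            request.setAttribute(PRINCIPAL_ATTR, principal);
            if (outToken != null) {
                // Mutual-auth reply so the browser can confirm it reached the genuine service.
                response.setHeader("WWW-Authenticate",
                        NEGOTIATE + " " + Base64.getEncoder().encodeToString(outToken));
            }
            chain.doFilter(request, response);
        } catch (GSSException e) {
            // Bad or expired ticket, wrong service key, clock skew: re-challenge without leaking details.
            challenge(response, null);
        } finally {
            if (context != null) {
                try { context.dispose(); } catch (GSSException ignored) { }
            }
        }
    }

    private static void challenge(HttpServletResponse response, byte[] outToken) {
        String value = outToken == null ? NEGOTIATE
                : NEGOTIATE + " " + Base64.getEncoder().encodeToString(outToken);
        response.setHeader("WWW-Authenticate", value);
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
    }

    private static boolean startsWith(byte[] data, byte[] prefix) {
        if (data.length < prefix.length) return false;
        for (int i = 0; i < prefix.length; i++) {
            if (data[i] != prefix[i]) return false;
        }
        return true;
    }

    @Override
    public void destroy() {
        try { if (acceptorCred != null) acceptorCred.dispose(); } catch (GSSException ignored) { }
    }
}
```

The filter answers the three points in the question: the browser delivers the ticket in the `Authorization: Negotiate` header, the server verifies it by calling `acceptSecContext` (GSS-API), and any Microsoft-specific authorization data inside the ticket is simply opaque to the acceptor, which only checks the ticket against the service key. If the front-end web server approach from the reply is used instead, the handshake happens in Apache or IIS and this filter is not needed; the application then reads the already verified user from `request.getRemoteUser()`, which with Tomcat's AJP connector requires `tomcatAuthentication="false"` so the front end's `REMOTE_USER` is passed through.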