Active Directory --> Java web app
Richard Gundersen
richardgundersen at hotmail.com
Mon Aug 1 10:01:08 EDT 2005
Hi Nikola
Thanks for your quick and detailed reply. While it would be great if Tomcat
could interpret SPNEGO, I don't mind setting up Apache to sit in front of
Tomcat (in fact I was going to do this anyway for speeding up the static
content).
How would Apache send the details to Tomcat once it's happy with the ticket
it's received? Would it be in the form of simple request params? I guess so.
I also guess it's time for me to RTFM on mod_krb_auth/mod_spnego :-)
Thanks very much for giving me a starting point. It's nice to know that what
I am attempting *should* be possible.
Regards
Richard
>From: Nikola Milutinovic <Nikola.Milutinovic at ev.co.yu>
>To: kerberos at mit.edu
>Subject: Re: Active Directory --> Java web app
>Date: Mon, 01 Aug 2005 14:56:08 +0200
>
>Richard Gundersen wrote:
>
>>Hi
>>
>>I have written a Java web application which has a basic password login
>>screen. This works fine, but I would now like to allow users into my
>>system if they have previously authenticated against Active Directory.
>>I.E. if they can provide a valid kerberos ticket, I'll let them straight
>>through. NB I do not maintain the instance of Active Directory; it
>>actually belongs to another organisation.
>>
>>Could anyone suggest a good way for me to do this? I guess I need to
>>address the following:
>>
>>1) How will AD pass its ticket to my system?
>>2) How will I verify the ticket? (GSS-API?)
>>3) I know MS have done some dodgy things to their tickets (non-standard
>>flags). Do I need to worry about them for this reason?
>
>
>First of all, what you need is a web server that knows the authentication
>method SPNEGO (Security Protocol: NEGOtiate), which is, well, sort of a
>standard. It allows browser and server to use GSS-API and pass Kerberos
>tickets in a real Kerberos fashion.
>
>Tomcat knows nothing of this and I doubt any other Java Servlet/JSP
>container out there knows it either. So, you're stuck with either
>Apache+mod_krb_auth/mod_spnego or IIS to run as front end web servers and
>pass auth info to your Java Web Application.
>
>Note also that there are alternatives that cut in and pass Kerberos
>tickets inside cookies, but they require a separate software installation
>and are not part of any standard. This doesn't mean they are not working,
>or not working well. Just that SPNEGO is an accepted standard, supported by
>Mozilla and IE, requiring no additional install on the clients, while those
>others are an add-on.
>
>Nix.
>________________________________________________
>Kerberos mailing list Kerberos at mit.edu
>https://mailman.mit.edu/mailman/listinfo/kerberos
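The question of how the verified identity travels from Apache to Tomcat is the practical crux of this thread. The following servlet filter is an added example, not code from either poster: it assumes Apache fronts Tomcat over AJP (mod_jk) with tomcatAuthentication="false" on Tomcat's AJP connector, so the REMOTE_USER that Apache established via SPNEGO is exposed to the web application as request.getRemoteUser() rather than as a request parameter. The class name, the trusted front-end addresses, the realm name and the login page path are all hypothetical.

```java
// Added example (not from the thread). Assumes Apache -> Tomcat over AJP
// (mod_jk) with tomcatAuthentication="false", so the principal Apache
// verified via SPNEGO arrives as request.getRemoteUser().
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class FrontEndKerberosFilter implements Filter {

    // Hypothetical: only the local Apache front end may deliver identities.
    private static final Set<String> TRUSTED_FRONTENDS =
            new HashSet<String>(Arrays.asList("127.0.0.1", "::1"));

    // Hypothetical realm of the other organisation's Active Directory.
    private static final String EXPECTED_REALM = "EXAMPLE.ORG";

    // Hypothetical path of the existing password login form.
    private static final String LOGIN_PAGE = "/login.jsp";

    public void init(FilterConfig cfg) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Already logged in, whether by password or by an earlier ticket.
        HttpSession session = request.getSession(false);
        if (session != null && session.getAttribute("user") != null) {
            chain.doFilter(req, res);
            return;
        }

        // Identity forwarded by Apache, e.g. "rgundersen@EXAMPLE.ORG".
        // The exact form depends on how the Apache SPNEGO module is configured.
        String principal = request.getRemoteUser();

        // Trust the forwarded identity only when the request came through the
        // front end; a direct connection to Tomcat must not be able to assert one.
        if (principal != null && TRUSTED_FRONTENDS.contains(request.getRemoteAddr())) {
            String user = localUserFor(principal);
            if (user != null) {
                request.getSession(true).setAttribute("user", user);
                chain.doFilter(req, res);
                return;
            }
        }

        // No usable ticket identity: fall back to the existing password form.
        response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
    }

    /** Maps "name@REALM" to a local account name, rejecting any other realm. */
    static String localUserFor(String principal) {
        int at = principal.lastIndexOf('@');
        if (at <= 0 || at == principal.length() - 1) {
            return null;
        }
        String realm = principal.substring(at + 1);
        if (!EXPECTED_REALM.equalsIgnoreCase(realm)) {
            return null;
        }
        return principal.substring(0, at).toLowerCase();
    }
}
```

The design relies on two things besides the filter: the AJP connector should listen only on an address the Apache host can reach (localhost when both run on the same box), so the remote-address check is a second line of defence rather than the only one, and the realm check ensures that a principal from a realm other than the partner organisation's Active Directory is sent to the password form instead of being silently accepted.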