Active Directory --> Java web app

Markus Moeller huaraz at moeller.plus.com
Mon Aug 1 15:07:16 EDT 2005


You might use a commercial Java package from Vintela/Wedgetail, which I think 
is now part of Quest, and which as far as I remember works with Tomcat.

Markus

"Richard Gundersen" <richardgundersen at hotmail.com> wrote in message 
news:BAY102-F22B40AA5CFE76CE5C5F35EDFC30 at phx.gbl...
> Hi Nikola
>
> Thanks for your quick and detailed reply. While it would be great if 
> Tomcat could interpret SPNEGO, I don't mind setting up Apache to sit in 
> front of Tomcat (in fact I was going to do this anyway for speeding up the 
> static content).
>
> How would Apache send the details to Tomcat once it's happy with the 
> ticket it's received? Would it be in the form of simple request params? I 
> guess so. I also guess it's time for me to RTFM on mod_krb_auth/mod_spnego 
> :-)
>
> Thanks very much for giving me a starting point. It's nice to know that 
> what I am attempting *should* be possible.
>
> Regards
>
> Richard
>
>>From: Nikola Milutinovic <Nikola.Milutinovic at ev.co.yu>
>>To: kerberos at mit.edu
>>Subject: Re: Active Directory --> Java web app
>>Date: Mon, 01 Aug 2005 14:56:08 +0200
>>
>>Richard Gundersen wrote:
>>
>>>Hi
>>>
>>>I have written a Java web application which has a basic password login 
>>>screen. This works fine, but I would now like to allow users into my 
>>>system if they have previously authenticated against Active Directory. 
>>>I.E. if they can provide a valid Kerberos ticket, I'll let them straight 
>>>through. NB I do not maintain the instance of Active Directory; it 
>>>actually belongs to another organisation.
>>>
>>>Could anyone suggest a good way for me to do this. I guess I need to 
>>>address the following:
>>>
>>>1) How will AD pass its ticket to my system?
>>>2) How will I verify the ticket? (GSS-API?)
>>>3) I know MS have done some dodgy things to their tickets (non-standard 
>>>flags). Do I need to worry about them for this reason?
>>
>>
>>First of all, what you need is that web server knows of authentication 
>>method SPNEGO (Security Protocol: NEGOtiate), which is, well, sort of a 
>>standard. It allows browser and server to use GSS-API and pass Kerberos 
>>tickets in a real Kerberos fashion.
>>
>>Tomcat knows nothing of this and I doubt any other Java Servlet/JSP 
>>container out there knows it either. So, you're stuck with either 
>>Apache+mod_krb_auth/mod_spnego or IIS to run as front end web servers and 
>>pass auth info to your Java Web Application.
>>
>>Note also that there are alternatives, that cut-in and pass Kerberos 
>>tickets inside cookies, but they require a separate software installation 
>>and are not a part of any standard. This doesn't mean they are not working 
>>or not working well. Just that SPNEGO is an accepted standard, supported 
>>by Mozilla and IE, requiring no additional install on the clients, while 
>>those others are an add-on.
>>
>>Nix.
>>________________________________________________
>>Kerberos mailing list           Kerberos at mit.edu
>>https://mailman.mit.edu/mailman/listinfo/kerberos
> 
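
Added example, not part of the thread and not code from any product named in it: a SPNEGO-capable browser sends its token in an "Authorization: Negotiate <base64>" request header, and the sketch below inspects that header to report whether the token is SPNEGO, raw Kerberos or NTLM, which is the first thing to check when a front-end web server rejects a client. The function names are hypothetical and the sample header is constructed and truncated (GSS-API framing and mechanism OID only).

```python
import base64

MECHS = {"1.3.6.1.5.5.2": "spnego", "1.2.840.113554.1.2.2": "kerberos"}  # GSS mech OIDs

def _der_len(buf, i):
    """Decode a DER length starting at buf[i]; return (length, index_after)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    if n == 0 or n > 4 or i + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def _oid(body):
    """DER OID content bytes to dotted-decimal (single-byte first subidentifier assumed)."""
    first = min(body[0] // 40, 2)
    arcs, val = [first, body[0] - 40 * first], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:          # high bit clear: last byte of this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def classify_negotiate(header_value):
    """Return 'spnego', 'kerberos', 'ntlm', 'unknown-mech:<oid>' or 'invalid'."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "invalid"
    try:
        tok = base64.b64decode(b64.strip(), validate=True)
        if tok.startswith(b"NTLMSSP\x00"):     # NTLM fallback, not a Kerberos ticket
            return "ntlm"
        if len(tok) < 4 or tok[0] != 0x60:     # [APPLICATION 0] GSS-API framing
            return "invalid"
        _, i = _der_len(tok, 1)
        if tok[i] != 0x06:                     # mechanism OID comes first
            return "invalid"
        n, i = _der_len(tok, i + 1)
        if n == 0 or i + n > len(tok):
            return "invalid"
        oid = _oid(tok[i:i + n])
    except (ValueError, IndexError):           # bad base64 or truncated DER
        return "invalid"
    return MECHS.get(oid, "unknown-mech:" + oid)

# Constructed, truncated sample: GSS framing, SPNEGO OID, empty NegTokenInit.
SPNEGO_HDR = "Negotiate " + base64.b64encode(bytes.fromhex("600a06062b0601050502a000")).decode()
```

A result of "ntlm" means the client did not obtain a Kerberos service ticket for the site, so there is nothing for the server's Kerberos module to verify.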



