Kerberos in Browser based Applications

Love Hörnquist Åstrand lha at
Thu Mar 5 15:28:47 EST 2009

For tomcat, jboss, java-common, ruby examples how to get it working.


5 mar 2009 kl. 11:44 skrev Wyllys Ingersoll:

> I documented using Kerberos with an Apache Web server and Firefox a  
> while ago (for Solaris 10),
> but the ideas are very similar for Linux or non-Solaris as long as  
> you stick with Apache, Firefox,
> and a Kerberos package that is based-on MITs codebase.
> The doc may be a bit out of date, but I believe most of the steps  
> are still correct and apply
> to newer releases of Solaris as well as Linux, albeit with some  
> slight different pathnames
> and settings.
> Just getting web-based authentication configured and working is only  
> the beginning, though.
> To extend the reach and the use of the tickets to other processes  
> (such as having the
> forwarded ticket then be used to authenticate to other backend  
> services on behalf of the user)
> would require additional work for both the web server and the  
> middleware that it
> needs to talk to.   Getting this to work with Tomcat or other web  
> servers will definitely
> require some additional effort and digging around, I don't know what  
> the current state
> of the art is in those areas.
> -Wyllys
> Frank Gruellich wrote:
>> Hi,
>> I have set up a Kerberos realm.  A user and a service (let's say a
>> database) are both included as principals in KDC database and the
>> service restricts access to */dbuser at EXAMPLE.COM.  User and service  
>> can
>> communicate perfectly using a database CLI at the users machine.
>> Now these days CLIs aren't "state-of-the-art" anymore and $managers
>> refuse to use them.  Let's throw a long discussion and platform
>> independent, Web2.0 ready and more buzzwords into the pot and we  
>> get the
>> need for a browser based web frontend to the service.  And that's the
>> point where I do not get the full picture about Kerberos.
>> How would that work in a fully kerberized environment using all these
>> great features like single-sign-on and never transmitting a password
>> over the wire?  For sure, I would have to add the webserver to the  
>> KDC
>> database, but what then?  Would I add the webserver principal to  
>> the ACL
>> list of the service and add another authentication/authorization  
>> layer
>> into the web application?  Could I somehow forward the users ticket  
>> for
>> the service to the webserver and make the application to give it to  
>> the
>> service proving this way that the user requested access to the  
>> service?
>> That would keep all authentication on service side, but is it a good
>> idea to give a service ticket to another machine?  Would that even  
>> work
>> given that the users machine IP# is added to the tickets, AFAICS?
>> In the current setup the software involved are MIT Kerberos, an  
>> OpenLDAP
>> server as service, e.g. phpLDAPadmin as web application, Apache httpd
>> running it, and various browsers used to access it running on  
>> different
>> OS's.  But I'm more interested in the general Kerberos idea how to do
>> that.  However, if you point me to specific software I should use in
>> this setup I would be happy, too.
>> Thanks in advance for some enlightenment.
>> Kind regards,
> ________________________________________________
> Kerberos mailing list           Kerberos at

More information about the Kerberos mailing list