[Mitkc-web] Kerberos in Browser based Applications
Karp, Alan H
alan.karp at hp.com
Tue Mar 17 20:13:05 EDT 2009
Security depends on where you put the token. If the URL is guessable, you're subject to clickjacking. See http://www.hpl.hp.com/techreports/2009/HPL-2009-20.html.
Virus Safe Computing Initiative
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
> -----Original Message-----
> From: mitkc-web-bounces at mit.edu [mailto:mitkc-web-bounces at mit.edu] On
> Behalf Of Thomas Hardjono
> Sent: Wednesday, March 04, 2009 9:00 AM
> To: 'Frank Gruellich'; kerberos at mit.edu
> Cc: 'MIT Krb-and-Web discussion list'
> Subject: Re: [Mitkc-web] Kerberos in Browser based Applications
> Getting Kerberos to support single-sign-on on the Web (Web-SSO) has a
> of challenges. I'm not sure if the browsers today fully support the
> trafficking of Kerberos tickets/tokens. The closest seems to be
> HTTP-Negotiate, but I believe it also needs more work. There are a set
> drafts in the IETF that are trying to address some of these issues.
> there is the question of how to get all this working with the Identity
> Federation infrastructures.
> ps. Kerb-on-the-web is one of the initiatives at the MIT-KC.
> > -----Original Message-----
> > From: kerberos-bounces at MIT.EDU [mailto:kerberos-bounces at MIT.EDU] On
> > Behalf Of Frank Gruellich
> > Sent: Tuesday, March 03, 2009 12:47 PM
> > To: kerberos at MIT.EDU
> > Subject: Kerberos in Browser based Applications
> > Hi,
> > I have set up a Kerberos realm. A user and a service (let's say a
> > database) are both included as principals in KDC database and the
> > service restricts access to */dbuser at EXAMPLE.COM. User and service
> > communicate perfectly using a database CLI at the user's machine.
> > Now these days CLIs aren't "state-of-the-art" anymore and $managers
> > refuse to use them. Let's throw a long discussion and platform
> > independent, Web2.0 ready and more buzzwords into the pot and we get
> > need for a browser based web frontend to the service. And that's the
> > point where I do not get the full picture about Kerberos.
> > How would that work in a fully kerberized environment using all these
> > great features like single-sign-on and never transmitting a password
> > over the wire? For sure, I would have to add the webserver to the
> > database, but what then? Would I add the webserver principal to the
> > list of the service and add another authentication/authorization
> > into the web application? Could I somehow forward the user's ticket
> > the service to the webserver and make the application give it to
> > service proving this way that the user requested access to the
> > That would keep all authentication on service side, but is it a good
> > idea to give a service ticket to another machine? Would that even
> > given that the user's machine IP# is added to the tickets, AFAICS?
> > In the current setup the software involved is MIT Kerberos, an
> > server as service, e.g. phpLDAPadmin as web application, Apache httpd
> > running it, and various browsers used to access it running on
> > OS's. But I'm more interested in the general Kerberos idea of how to do
> > that. However, if you point me to specific software I should use in
> > this setup I would be happy, too.
> > Thanks in advance for some enlightenment.
> > Kind regards,
> > --
> > Navteq (DE) GmbH
> > Frank Gruellich
> > Map24 Systems and Networks
> > Duesseldorfer Strasse 40a
> > 65760 Eschborn
> > Germany
> > Phone: +49 6196 77756-414
> > Fax: +49 6196 77756-100
> > USt-ID-No.: DE 197947163
> > Managing Directors: Thomas Golob, Alexander Wiegand,
> > Hans Pieter Gieszen, Martin Robert Stockman
> > ________________________________________________
> > Kerberos mailing list Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
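The usual way to wire up what Frank asks about (browser SSO via HTTP-Negotiate at the web server, then delegated credentials so the web application obtains its own service ticket for the backend rather than reusing a ticket issued for someone else) is shown below as an added example; it is not from any message in this thread and not part of MIT Kerberos or the posters' setups. It assumes the httpd module mod_auth_gssapi, a web server principal HTTP/web.example.com@EXAMPLE.COM with its keytab at /etc/httpd/http.keytab, and a backend service ldap/dir.example.com@EXAMPLE.COM; all of these names and paths are placeholders.

```apache
# Added example (not from the thread). Assumed: mod_auth_gssapi, keytab path,
# and the HTTP/... and ldap/... principals named in the lead-in.
LoadModule auth_gssapi_module modules/mod_auth_gssapi.so

<Location "/phpldapadmin">
    AuthType GSSAPI
    AuthName "Kerberos login (EXAMPLE.COM)"

    # Accept only the krb5 mechanism inside SPNEGO, so a browser cannot
    # silently fall back to NTLM when it has no ticket for this host.
    GssapiAllowedMech krb5

    # Never offer a password prompt: a Basic fallback would defeat the
    # "never transmit a password over the wire" goal from the question.
    GssapiBasicAuth Off

    # Refuse to authenticate over plain HTTP. The AP-REQ in the
    # "Authorization: Negotiate ..." header and any session cookie issued
    # afterwards both need TLS, which is the token-placement point Alan raises.
    GssapiSSLonly On

    # The server's own key, used to verify the ticket for HTTP/web.example.com
    # that the browser presents.
    GssapiCredStore keytab:/etc/httpd/http.keytab

    # If the client delegated a forwardable TGT (MIT: kinit -f; Firefox:
    # network.negotiate-auth.delegation-uris), store it in a per-request
    # ccache and export KRB5CCNAME, so the application can request its own
    # ticket for ldap/dir.example.com as the user. The service ticket the
    # browser holds for HTTP/... is never handed to the backend.
    GssapiDelegCcacheDir /run/httpd/clientcaches

    # Strip the realm so REMOTE_USER is "dbuser", not "dbuser@EXAMPLE.COM".
    GssapiLocalName On

    Require valid-user
</Location>
```

With this in place the backend still sees the user's own principal in the ticket it receives, so its existing `*/dbuser@EXAMPLE.COM` restriction keeps working without a second authorization layer in the web application.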