Active Directory --> Java web app - Kerberos


  1. Active Directory --> Java web app

    Hi

    I have written a Java web application which has a basic password login
    screen. This works fine, but I would now like to allow users into my system
    if they have previously authenticated against Active Directory. I.E. if they
    can provide a valid kerberos ticket, I'll let them straight through. NB I do
    not maintain the instance of Active Directory; it actually belongs to
    another organisation.

    Could anyone suggest a good way for me to do this. I guess I need to address
    the following:

    1) How will AD pass its ticket to my system?
    2) How will I verify the ticket? (GSS-API?)
    3) I know MS have done some dodgy things to their tickets (non-standard
    flags). Do I need to worry about them for this reason?

    Thanks for your help. I know I'm being a bit vague but it's only because I'm
    not experienced with Kerberos. If you want me to clarify any requirements
    just shout.

    Appreciate your help - thanks!

    Richard


    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: Active Directory --> Java web app

    Richard Gundersen wrote:

    > Hi
    >
    > I have written a Java web application which has a basic password login
    > screen. This works fine, but I would now like to allow users into my
    > system if they have previously authenticated against Active Directory.
    > I.E. if they can provide a valid kerberos ticket, I'll let them
    > straight through. NB I do not maintain the instance of Active
    > Directory; it actually belongs to another organisation.
    >
    > Could anyone suggest a good way for me to do this. I guess I need to
    > address the following:
    >
    > 1) How will AD pass its ticket to my system?
    > 2) How will I verify the ticket? (GSS-API?)
    > 3) I know MS have done some dodgy things to their tickets
    > (non-standard flags). Do I need to worry about them for this reason?



    First of all, what you need is a web server that knows of the authentication
    method SPNEGO (Security Protocol: NEGOtiate), which is, well, sort of a
    standard. It allows browser and server to use GSS-API and pass Kerberos
    tickets in a real Kerberos fashion.

    Tomcat knows nothing of this and I doubt any other Java Servlet/JSP
    container out there knows it either. So, you're stuck with either
    Apache+mod_krb_auth/mod_spnego or IIS to run as front end web servers
    and pass auth info to your Java Web Application.

    Note also that there are alternatives, that cut-in and pass kerberos
    tickets inside cookies, but they require a separate software
    installation and are not a part of any standard. This doesn't mean they
    are not working or not working well. Just that SPNEGO is an accepted
    standard, supported by Mozilla and IE, requiring no additional install
    on the clients, while those others are an add-on.

    Nix.


  3. Re: Active Directory --> Java web app


    Oh, and just a side-note - one could sit down and WRITE a SPNEGO
    authenticator, just no one has done it, yet.

    Nix.

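What the "SPNEGO authenticator" Nix mentions in post 3 looks like when written against the JDK's own GSS-API binding (JGSS), covering the browser-to-server handshake described in post 2 and Richard's questions 1 to 3. This is an added example, not code from the thread or from any project named in it. It assumes a javax.servlet container, a JAAS login entry named WebServerAcceptor backed by a keytab for the hypothetical service principal HTTP/app.example.org@AD.EXAMPLE.COM, and a krb5.conf that names the other organisation's AD domain controllers as KDCs for AD.EXAMPLE.COM; all of those names are assumptions.

```java
import java.io.IOException;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.*;
import javax.servlet.http.*;
import org.ietf.jgss.*;

/*
 * SpnegoFilter: HTTP Negotiate (SPNEGO) acceptor as a servlet filter.
 * Added example, not code from the mailing-list thread. Assumed (hypothetical) setup:
 *   JAAS entry "WebServerAcceptor" in the file named by -Djava.security.auth.login.config:
 *     WebServerAcceptor {
 *       com.sun.security.auth.module.Krb5LoginModule required
 *         useKeyTab=true storeKey=true isInitiator=false
 *         keyTab="/etc/app/http.keytab" principal="HTTP/app.example.org@AD.EXAMPLE.COM";
 *     };
 *   krb5.conf listing the foreign AD's domain controllers as KDCs for AD.EXAMPLE.COM.
 */
public class SpnegoFilter implements Filter {

    private static final String KRB5_MECH = "1.2.840.113554.1.2.2";   // Kerberos V5 GSS mechanism OID
    private static final byte[] NTLM_MAGIC = "NTLMSSP\0".getBytes();   // signature of a raw NTLM token
    private Subject acceptor;                                           // holds our keytab key

    /* Outcome of one acceptSecContext() call. */
    private static final class Result {
        final boolean established; final String principal; final byte[] outToken;
        Result(boolean e, String p, byte[] t) { established = e; principal = p; outToken = t; }
    }

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        try {
            LoginContext lc = new LoginContext("WebServerAcceptor"); // keytab login, no password prompt
            lc.login();
            acceptor = lc.getSubject();
        } catch (LoginException e) {
            throw new ServletException("service principal login failed", e);
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest hreq = (HttpServletRequest) req;
        HttpServletResponse hres = (HttpServletResponse) res;

        String authz = hreq.getHeader("Authorization");
        if (authz == null || !authz.startsWith("Negotiate ")) {
            challenge(hres, null);               // leg 1: 401 + "WWW-Authenticate: Negotiate"
            return;
        }
        byte[] token = Base64.getDecoder().decode(authz.substring(10).trim());

        // Browsers fall back to raw NTLM under the same "Negotiate" scheme when they hold no
        // ticket (SPN missing in AD, client not domain-joined). Reject it explicitly: there is
        // no domain trust here to verify NTLM against, and GSS would only fail less clearly.
        if (startsWith(token, NTLM_MAGIC)) {
            hres.sendError(HttpServletResponse.SC_UNAUTHORIZED, "NTLM not accepted; Kerberos ticket required");
            return;
        }

        Result r;
        try {
            r = Subject.doAs(acceptor, (PrivilegedExceptionAction<Result>) () -> accept(token));
        } catch (PrivilegedActionException e) {
            // Expired ticket, ticket for another service key, clock skew, replay: all land here.
            hres.sendError(HttpServletResponse.SC_FORBIDDEN, "Kerberos authentication failed");
            return;
        }
        if (!r.established) { challenge(hres, r.outToken); return; }   // extra SPNEGO leg (rare)

        final String user = r.principal;   // e.g. richard.gundersen@AD.EXAMPLE.COM, realm kept
        chain.doFilter(new HttpServletRequestWrapper(hreq) {
            @Override public String getRemoteUser() { return user; }
            @Override public Principal getUserPrincipal() { return () -> user; }
            @Override public String getAuthType() { return "NEGOTIATE"; }
        }, res);
    }

    /* Runs as the service principal: JGSS decrypts the AP-REQ with our keytab key and checks
     * the authenticator. Microsoft's additions (the PAC) are authorization data inside the
     * ticket; the acceptor does not parse them and they do not affect validity. */
    private static Result accept(byte[] token) throws GSSException {
        GSSContext ctx = GSSManager.getInstance().createContext((GSSCredential) null);
        try {
            byte[] out = ctx.acceptSecContext(token, 0, token.length);
            if (!ctx.isEstablished()) return new Result(false, null, out);
            if (!new Oid(KRB5_MECH).equals(ctx.getMech()))
                throw new GSSException(GSSException.BAD_MECH);       // only Kerberos is acceptable
            return new Result(true, ctx.getSrcName().toString(), out);
        } finally {
            ctx.dispose();
        }
    }

    private static void challenge(HttpServletResponse res, byte[] outToken) throws IOException {
        res.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        res.setHeader("WWW-Authenticate", outToken == null
                ? "Negotiate" : "Negotiate " + Base64.getEncoder().encodeToString(outToken));
        res.setContentLength(0);
        res.flushBuffer();
    }

    private static boolean startsWith(byte[] a, byte[] prefix) {
        if (a.length < prefix.length) return false;
        for (int i = 0; i < prefix.length; i++) if (a[i] != prefix[i]) return false;
        return true;
    }

    @Override public void destroy() { }
}
```

Two operational points follow from this. The keytab is the only thing that makes the check meaningful: the foreign AD must hold an account with the HTTP/app.example.org service principal name and export its key (ktpass on their side) for this filter to decrypt anything, and whoever holds that keytab can impersonate the service, so it deserves the same handling as the TLS private key. And the check is complete once acceptSecContext() reports an established context; the filter deliberately keeps the realm in the principal name so that an AD user and a same-named local user can never collide in web.xml role checks.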

  4. Re: Active Directory --> Java web app

    Hi Nikola

    Thanks for your quick and detailed reply. While it would be great if Tomcat
    could interpret SPNEGO, I don't mind setting up Apache to sit in front of
    Tomcat (in fact I was going to do this anyway for speeding up the static
    content).

    How would Apache send the details to Tomcat once it's happy with the ticket
    it's received? Would it be in the form of simple request params? I guess so.
    I also guess it's time for me to RTFM on mod_krb_auth/mod_spnego :-)

    Thanks very much for giving me a starting point. It's nice to know that what
    I am attempting *should* be possible.

    Regards

    Richard



  5. Re: Active Directory --> Java web app

    Richard Gundersen wrote:

    > Hi Nikola
    >
    > Thanks for your quick and detailed reply. While it would be great if
    > Tomcat could interpret SPNEGO, I don't mind setting up Apache to sit
    > in front of Tomcat (in fact I was going to do this anyway for speeding
    > up the static content).



    Most people advocate against it or at least do not advocate for it. The
    rationale being that Tomcat is fast enough these days. My rationale is
    that I have yet to see a pure TC web site. With Apache you have tons of
    options, although employing some of them might take the life of you - I
    have recently had the misfortune of making a TC application which was
    connected to Apache via WARP (mod_webapp, if you remember), with no
    option to change it.

    Anyway, given enough room to work in, you can happily run other people's
    PHP, make your own rewrites, etc. and keep TC in its place. The way
    mod_jk (or mod_jk2) can be configured, you can do really seamless
    integration. In my opinion, the trouble of connecting the two is worth it.

    I have a small webapp on our public server, backed by PostgreSQL DB and
    it is running more than a year now, no glitch.

    > How would Apache send the details to Tomcat once it's happy with the
    > ticket it's received? Would it be in the form of simple request
    > params? I guess so. I also guess it's time for me to RTFM on
    > mod_krb_auth/mod_spnego :-)



    When you connect TC to Apache via mod_jk, you can set an attribute in
    server.xml which tells TC to trust authentication information it gets
    from Apache. So, if the user manages to authenticate as, say,
    "richard.gundersen@YOUR.DOMAIN.COM", Apache will pass that information
    to TC, via mod_jk. So, you can set in your web.xml the protection for
    certain URLs, just as you would with local TC users. It should work,
    regardless of which authentication mechanism Apache uses.

    This also means you have to set up Apache properly to do the job. The
    upside: there are not n layers where authentication *can* occur, only one.

    Nix.

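The Apache-to-Tomcat handoff Nix describes above, as an added configuration example that is not from the thread: httpd terminates the Negotiate exchange with mod_auth_kerb (the Apache module most commonly used for this job), forwards requests to Tomcat over AJP with mod_jk, and Tomcat is told to trust the user name the AJP peer asserts. The hostname app.example.org, realm AD.EXAMPLE.COM, keytab path, worker name and the /app URL prefix are all assumptions.

```apacheconf
# Added example, not from the thread: front-end Apache httpd does the SPNEGO
# handshake (mod_auth_kerb) and passes the verified principal to Tomcat over
# AJP (mod_jk). Hostnames, realm, paths, worker name and keytab are assumed.

LoadModule auth_kerb_module modules/mod_auth_kerb.so
LoadModule jk_module        modules/mod_jk.so

# mod_jk: one AJP13 worker pointing at Tomcat on the same machine.
# (assumed conf/workers.properties:  worker.list=tomcat
#   worker.tomcat.type=ajp13  worker.tomcat.host=127.0.0.1  worker.tomcat.port=8009)
JkWorkersFile conf/workers.properties
JkLogFile     logs/mod_jk.log
JkLogLevel    info

<VirtualHost *:443>
    ServerName app.example.org
    SSLEngine on
    # ... certificate directives omitted ...

    <Location /app>
        AuthType            Kerberos
        AuthName            "Kerberos login"
        # Accept only the Negotiate (ticket) handshake. KrbMethodK5Passwd On would
        # make httpd fall back to HTTP Basic and collect the user's AD password
        # itself, which is exactly what a ticket-based login is meant to avoid.
        KrbMethodNegotiate  On
        KrbMethodK5Passwd   Off
        # The other organisation's realm. The SPN HTTP/app.example.org must exist
        # in their AD and its key be exported (ktpass) into this keytab.
        KrbAuthRealms       AD.EXAMPLE.COM
        KrbServiceName      HTTP
        Krb5KeyTab          /etc/httpd/conf/http.keytab
        # Keep the realm in REMOTE_USER (richard.gundersen@AD.EXAMPLE.COM) so a
        # same-named local Tomcat user can never be mistaken for the AD user.
        KrbLocalUserMapping Off
        Require             valid-user
    </Location>

    # Requests under /app reach Tomcat only after the Location above has
    # authenticated them; mod_jk carries REMOTE_USER and AUTH_TYPE in the
    # AJP request, so the servlet sees them as getRemoteUser()/getAuthType().
    JkMount /app/* tomcat
</VirtualHost>

# Tomcat side (server.xml): the attribute Nix refers to. With
# tomcatAuthentication="false" Tomcat believes whatever REMOTE_USER the AJP
# peer sends, so the connector MUST be reachable only from this httpd
# (bind to loopback, or firewall port 8009 to the httpd host):
#
#   <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
#              tomcatAuthentication="false" />
#
# (Tomcat 8.5.51+ / 9.0.31+ additionally require either a shared secret on
#  this connector and in workers.properties or secretRequired="false".)
#
# web.xml then guards URLs with an ordinary <security-constraint>: the
# principal name comes from Apache, role membership from Tomcat's realm.
```

The security-relevant line is the AJP connector binding. Once tomcatAuthentication is off, any host that can open a TCP connection to port 8009 can submit an AJP request with an arbitrary REMOTE_USER and walk straight past the web.xml constraints, so the trust Nix describes is only as good as the network path between httpd and Tomcat. Quick check from another machine: a connection attempt to port 8009 should be refused, not accepted.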

  6. Re: Active Directory --> Java web app

    You might use a commercial Java package from Vintela/Wedgetail which I think
    is now part of Quest, which as far as I remember works with Tomcat.

    Markus
