Single sign on using Kerberos - Weblogic
-
Single sign on using Kerberos
Hi
I'm wondering how I can implement a single sign on, using Microsoft Kerberos,
and WLS (running on Unix). My client is a Java client running on Windows XP
(not a Web application).
I know I have to implement an identity assertion provider, but this is only a
small part of what I have to do (and understand). Isn't it?
Thanks, Claude
-
Re: Single sign on using Kerberos
Presumably the Kerberos token identifies the user and once the Java client obtains
the JAAS Subject based on that token then authorization on the server would proceed
per WLS application security settings.
You might want to look at the JAAS Client documentation:
http://edocs.bea.com/wls/docs81/secu...at_client.html
-Craig
"Claude" wrote:
>
>Hi
>
>I'm wondering how I can implement a single sign on, using Microsoft Kerberos,
>and WLS (running on Unix). My client is a Java client running on Windows XP
>(not a Web application).
>
>I know I have to implement an identity assertion provider, but this is only a
>small part of what I have to do (and understand). Isn't it?
>
>Thanks, Claude
-
Re: Single sign on using Kerberos
Which WLS application security settings?
claude
"Craig" wrote:
>
>Presumably the Kerberos token identifies the user and once the Java client
>obtains the JAAS Subject based on that token then authorization on the server
>would proceed per WLS application security settings.
>
>You might want to look at the JAAS Client documentation:
>
>http://edocs.bea.com/wls/docs81/secu...at_client.html
>
>-Craig
>
>"Claude" wrote:
>>
>>Hi
>>
>>I'm wondering how I can implement a single sign on, using Microsoft Kerberos,
>>and WLS (running on Unix). My client is a Java client running on Windows XP
>>(not a Web application).
>>
>>I know I have to implement an identity assertion provider, but this is only a
>>small part of what I have to do (and understand). Isn't it?
>>
>>Thanks, Claude
-
Re: Single sign on using Kerberos
I'm referring to a general set of policies for an application which restrict access
based on user, group or role assignments. The application may also have programmatic
security where the principals are examined by the application itself to determine
access rights.
-Craig
"Claude" wrote:
>
>Which WLS application security settings?
>
>claude
>
>"Craig" wrote:
>>
>>Presumably the Kerberos token identifies the user and once the Java client
>>obtains the JAAS Subject based on that token then authorization on the server
>>would proceed per WLS application security settings.
>>
>>You might want to look at the JAAS Client documentation:
>>
>>http://edocs.bea.com/wls/docs81/secu...at_client.html
>>
>>-Craig
>>
>>"Claude" wrote:
>>>
>>>Hi
>>>
>>>I'm wondering how I can implement a single sign on, using Microsoft Kerberos,
>>>and WLS (running on Unix). My client is a Java client running on Windows XP
>>>(not a Web application).
>>>
>>>I know I have to implement an identity assertion provider, but this is only a
>>>small part of what I have to do (and understand). Isn't it?
>>>
>>>Thanks, Claude
-
Re: Single sign on using Kerberos
Claude wrote:
> Hi
>
> I'm wondering how I can implement a single sign on, using Microsoft Kerberos,
> and WLS (running on Unix). My client is a Java client running on Windows XP
> (not a Web application).
>
> I know I have to implement an identity assertion provider, but this is only a
> small part of what I have to do (and understand). Isn't it?
>
> Thanks, Claude
If the client is running JDK 1.4 from Sun, I managed to write some code that
can get the ticket granting ticket from the KDC, get a session ticket
issued and wrap this into an SPNEGO token.
This is then sent from your client program over HTTP, hitting a webserver
that does the server side thingie - of course doing the reverse SPNEGO
and Kerberos lookups.
My server side thing is a servlet filter on WLS, that authenticates the
user (behind the SPNEGO token). This doesn't work with identity asserters
and login modules, since they are not capable of negotiating the SPNEGO
token (which is a custom challenge-response protocol).
I wrote some articles on the subject and posted them on my site.
/Bo
http://appliedcrypto.com
-
Re: Single sign on using Kerberos
Hi,
I would like to know if it is possible to use the same
single sign-on mechanism if it is a web application (not a
client app).
Any help would be very appreciated.
Thanks in advance,
Carolina
> Presumably the Kerberos token identifies the user and once
> the Java client obtains the JAAS Subject based on that
> token then authorization on the server would proceed per
> WLS application security settings.
>
> You might want to look at the JAAS Client documentation:
>
> http://edocs.bea.com/wls/docs81/secu...at_client.html
>
> -Craig
>
> "Claude" wrote:
> >
> >Hi
> >
> >I'm wondering how I can implement a single sign on, using Microsoft Kerberos,
> >and WLS (running on Unix). My client is a Java client running on Windows XP
> >(not a Web application).
> >
> >I know I have to implement an identity assertion provider, but this is only a
> >small part of what I have to do (and understand). Isn't it?
> >
> >Thanks, Claude
-
Re: Single sign on using Kerberos
cribes@ipsistemas.con wrote:
> Hi,
> I would like to know if it is possible to use the same
> single sign-on mechanism if it is a web application (not a
> client app).
> Any help would be very appreciated.
> Thanks in advance,
> Carolina
Yes. Microsoft has proposed a protocol, SPNEGO, which makes it possible
to transport the Kerberos messages between the browser and the web server.
We have implemented the SPNEGO protocol support for WebLogic, which enables
Windows SSO on the WebLogic server.
/Bo
http://appliedcrypto.com
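
Added example, not code from this thread or from the WebLogic SPNEGO support mentioned in it: the first check a server-side filter like the one described above has to make on the `Authorization: Negotiate` header before it hands the token to GSS-API. A client that has no Kerberos ticket may send an NTLM message under the same scheme, so the filter looks at the token framing and mechanism OID. The class, enum and method names are hypothetical, the sample tokens are constructed, and Java 8+ is assumed for `java.util.Base64`.

```java
import java.util.Arrays;
import java.util.Base64;

public class NegotiateHeaderCheck {
    enum Kind { CHALLENGE, SPNEGO, RAW_KERBEROS, NTLM, MALFORMED, UNRECOGNIZED }

    // DER-encoded mechanism OIDs: tag 0x06, length, value.
    static final byte[] SPNEGO_OID = {0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02}; // 1.3.6.1.5.5.2
    static final byte[] KRB5_OID = {0x06, 0x09, 0x2a, (byte) 0x86, 0x48, (byte) 0x86,
            (byte) 0xf7, 0x12, 0x01, 0x02, 0x02};                                      // 1.2.840.113554.1.2.2
    static final byte[] NTLMSSP = {'N', 'T', 'L', 'M', 'S', 'S', 'P', 0};

    // Classifies the first token of an exchange; later SPNEGO replies use different framing.
    static Kind classify(String authorization) {
        if (authorization == null || !authorization.regionMatches(true, 0, "Negotiate ", 0, 10)) {
            return Kind.CHALLENGE; // answer 401 with "WWW-Authenticate: Negotiate"
        }
        byte[] t;
        try {
            t = Base64.getDecoder().decode(authorization.substring(10).trim());
        } catch (IllegalArgumentException e) {
            return Kind.MALFORMED; // payload is not valid Base64
        }
        if (startsWith(t, 0, NTLMSSP)) return Kind.NTLM; // not Kerberos: reject or fall back
        if (t.length < 2 || t[0] != 0x60) return Kind.UNRECOGNIZED; // no GSS-API initial framing
        int off = 2; // skip tag and DER length (short form, or 0x80|n followed by n bytes)
        if ((t[1] & 0x80) != 0) off += t[1] & 0x7f;
        if (startsWith(t, off, SPNEGO_OID)) return Kind.SPNEGO;
        if (startsWith(t, off, KRB5_OID)) return Kind.RAW_KERBEROS;
        return Kind.UNRECOGNIZED;
    }

    static boolean startsWith(byte[] buf, int off, byte[] prefix) {
        return buf.length - off >= prefix.length
                && Arrays.equals(Arrays.copyOfRange(buf, off, off + prefix.length), prefix);
    }

    public static void main(String[] args) {
        // Constructed samples: framing and OID only, no real tickets.
        byte[] spnego = {0x60, 0x08, 0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02};
        Base64.Encoder b64 = Base64.getEncoder();
        String[] headers = { null, "Basic dXNlcjpwdw==", "Negotiate !!!",
                "Negotiate " + b64.encodeToString(spnego),
                "Negotiate " + b64.encodeToString(NTLMSSP) };
        for (String h : headers) System.out.println(classify(h) + " <- " + h);
    }
}
```

A token classified as `SPNEGO` or `RAW_KERBEROS` is the one a filter would then pass to `GSSContext.acceptSecContext` to validate the ticket and obtain the client principal.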