Single sign on using Kerberos - Weblogic

This is a discussion on Single sign on using Kerberos - Weblogic ; Hi I'm wondering how i can implement a single sign on, using Microsoft Kerberos, and WLS (running on Unix). My client is a Java client running on Windows XP (not a Web application). I know I have to implement an ...

+ Reply to Thread
Results 1 to 7 of 7

Thread: Single sign on using Kerberos

  1. Single sign on using Kerberos


    Hi

    I'm wondering how i can implement a single sign on, using Microsoft Kerberos,
    and WLS
    (running on Unix). My client is a Java client running on Windows XP (not a Web
    application).

    I know I have to implement an identity assertion provider, but this is only a
    small part of
    what i have to do (and understand). Isn't it?

    Thanks, Claude

  2. Re: Single sign on using Kerberos


    Presumably the Kerberos token identifies the user and once the java client obtains
    the JAAS Subject based on that token then authorization on the server would proceed
    per WLS application security settings.

    You might want to look at the JAAS Client documentation:

    http://edocs.bea.com/wls/docs81/secu...at_client.html

    -Craig


    "Claude" wrote:
    >
    >Hi
    >
    >I'm wondering how i can implement a single sign on, using Microsoft Kerberos,
    >and WLS
    >(running on Unix). My client is a Java client running on Windows XP (not
    >a Web
    >application).
    >
    >I know I have to implement an identity assertion provider, but this is
    >only a
    >small part of
    >what i have to do (and understand). Isn't it?
    >
    >Thanks, Claude



  3. Re: Single sign on using Kerberos


    Which WLS application security settings?

    claude

    "Craig" wrote:
    >
    >Presumably the Kerberos token identifies the user and once the java client
    >obtains
    >the JAAS Subject based on that token then authorization on the server
    >would proceed
    >per WLS application security settings.
    >
    >You might want to look at the JAAS Client documentation:
    >
    >http://edocs.bea.com/wls/docs81/secu...at_client.html
    >
    >-Craig
    >
    >
    >"Claude" wrote:
    >>
    >>Hi
    >>
    >>I'm wondering how i can implement a single sign on, using Microsoft

    >Kerberos,
    >>and WLS
    >>(running on Unix). My client is a Java client running on Windows XP

    >(not
    >>a Web
    >>application).
    >>
    >>I know I have to implement an identity assertion provider, but this

    >is
    >>only a
    >>small part of
    >>what i have to do (and understand). Isn't it?
    >>
    >>Thanks, Claude

    >



  4. Re: Single sign on using Kerberos


    I'm referring to a general set of policies for an application which restrict access
    based on user, group or role assignments. The application may also have programmatic
    security where the principals are examined by the application itself to determine
    access rights.

    -Craig

    "Claude" wrote:
    >
    >Which WLS application security settings?
    >
    >claude
    >
    >"Craig" wrote:
    >>
    >>Presumably the Kerberos token identifies the user and once the java

    >client
    >>obtains
    >>the JAAS Subject based on that token then authorization on the server
    >>would proceed
    >>per WLS application security settings.
    >>
    >>You might want to look at the JAAS Client documentation:
    >>
    >>http://edocs.bea.com/wls/docs81/secu...at_client.html
    >>
    >>-Craig
    >>
    >>
    >>"Claude" wrote:
    >>>
    >>>Hi
    >>>
    >>>I'm wondering how i can implement a single sign on, using Microsoft

    >>Kerberos,
    >>>and WLS
    >>>(running on Unix). My client is a Java client running on Windows XP

    >>(not
    >>>a Web
    >>>application).
    >>>
    >>>I know I have to implement an identity assertion provider, but this

    >>is
    >>>only a
    >>>small part of
    >>>what i have to do (and understand). Isn't it?
    >>>
    >>>Thanks, Claude

    >>

    >



  5. Re: Single sign on using Kerberos

    Claude wrote:

    > Hi
    >
    > I'm wondering how i can implement a single sign on, using Microsoft Kerberos,
    > and WLS
    > (running on Unix). My client is a Java client running on Windows XP (not a Web
    > application).
    >
    > I know I have to implement an identity assertion provider, but this is only a
    > small part of
    > what i have to do (and understand). Isn't it?
    >
    > Thanks, Claude


    If client is running JDK 1.4 from SUN, I managed to write some code that
    can get the ticket granting ticket from the KDC, get a session ticket
    issued and wrap this into an SPNEGO token.

    This is then sent from you client program over HTTP, hitting a webserver
    that does the server side thingie - offcause doing the reverse SPNEGO
    and kerberos lookups.

    My server side thing is a servlet filter on WLS, that authenticates the
    user (behind the spnego token). This dont work with identity asserters
    and login modules, since they are not capable of negotiating the SPNEGO
    token (which is a custom challenge-response protocol).

    I wrote some articles on the subject and posted them on my site

    /Bo
    http://appliedcrypto.com

  6. Re: Single sign on using Kerberos

    Hi,
    I would like to know if it is possible to use the same
    single sign-on mechanism if it is a web applicattion (not a
    client app)
    Any help would be very appreciated.
    Thanks in advance,
    Carolina



    >
    >
    > Presumably the Kerberos token identifies the user and once
    > the java client obtains the JAAS Subject based on that
    > token then authorization on the server would proceed per
    > WLS application security settings.
    >
    > You might want to look at the JAAS Client documentation:
    >
    > http://edocs.bea.com/wls/docs81/secu...at_client.html
    >
    > -Craig
    >
    >
    > "Claude" wrote:
    > >
    > >Hi
    > >
    > >I'm wondering how i can implement a single sign on, using

    > Microsoft Kerberos, >and WLS
    > >(running on Unix). My client is a Java client running on

    > Windows XP (not >a Web
    > >application).
    > >
    > >I know I have to implement an identity assertion provider

    > , but this is >only a
    > >small part of
    > >what i have to do (and understand). Isn't it?
    > >
    > >Thanks, Claude

    >


  7. Re: Single sign on using Kerberos

    cribes@ipsistemas.con wrote:
    > Hi,
    > I would like to know if it is possible to use the same
    > single sign-on mechanism if it is a web applicattion (not a
    > client app)
    > Any help would be very appreciated.
    > Thanks in advance,
    > Carolina
    >
    >


    Yes. Microsoft has proposed a protocol, SPNEGO, which makes it possible
    to transport the Kerberos messages between the browser and the web server.

    We have implemeted the SPNEGO protocol support for WebLogic which enable
    windows SSO on the WebLogic server.

    /Bo
    http://appliedcrypto.com

+ Reply to Thread