Wedgetail has announced a Java Crypto and Security Implementation (JCSI) Single Sign-On product. Wedgetail allows J2EE appservers running on Windows to use Windows Integrated Authentication (MS Active Directory) to provide single sign-on to deployed J2EE apps, allowing users/passwords to be managed using standard Windows infrastructure.
Check out Wedgetail and their press release.
Wedgetail Releases JCSI Single Signon (9 messages)
- Posted by: Floyd Marinescu
- Posted on: April 14 2003 18:40 EDT
Threaded Messages (9)
- What about JCIFS by Jim Tyrrell on April 15 2003 10:29 EDT
- Directory Service not equal Single-sign-on by xiaobo cui on April 15 2003 11:47 EDT
- I think you might be a bit confused by Derek Kaczmarczyk on April 15 2003 11:49 EDT
- Not so confused by Gerald Nunn on April 15 2003 02:26 EDT
- Sorry by Jim Tyrrell on April 15 2003 03:58 EDT
- NTLM vs WIA by Matthias Ernst on April 16 2003 04:13 EDT
- NTLM vs WIA by Dean Povey on April 16 2003 06:33 EDT
- NTLM vs WIA by Michael B Allen on February 27 2005 07:22 EST
- DS implementation by Derek Kaczmarczyk on April 15 2003 11:53 EDT
What about JCIFS
- Posted by: Jim Tyrrell
- Posted on: April 15 2003 10:29 EDT
- in response to Floyd Marinescu
I have used jcifs from samba.org to do the same kind of thing?
How does this compare?
Thank You
Jim Tyrrell
Directory Service not equal Single-sign-on
- Posted by: xiaobo cui
- Posted on: April 15 2003 11:47 EDT
- in response to Jim Tyrrell
MS Active Directory is only a type of data store. It does not provide an SSO API and SPI to developers.
I think you might be a bit confused
- Posted by: Derek Kaczmarczyk
- Posted on: April 15 2003 11:49 EDT
- in response to Jim Tyrrell
CIFS = Common Internet File System
jCIFS is the Java implementation of that standard
Not so confused
- Posted by: Gerald Nunn
- Posted on: April 15 2003 14:26 EDT
- in response to Derek Kaczmarczyk
I don't think he is confused; the jCIFS project also provides an NTLM filter as per the servlet specification. It integrates very nicely with IE browsers to provide NTLM authentication for single sign on within a Windows domain. See http://jcifs.samba.org/src/docs/ntlmhttpauth.html for more information.
Sorry
- Posted by: Jim Tyrrell
- Posted on: April 15 2003 15:58 EDT
- in response to Gerald Nunn
Sorry to sound confused. I have used the NTLM filter with great success.
How does what this product is doing compare to that?
Is the vendor here to answer?
Thank You
Jim Tyrrell
NTLM vs WIA
- Posted by: Matthias Ernst
- Posted on: April 16 2003 04:13 EDT
- in response to Jim Tyrrell
[I'm not the vendor]. The difference I see here is the use of Windows Integrated Authentication, Microsoft's implementation of Kerberos. There are a number of solutions out there that authenticate using NTLM, but NTLM is not as secure.
"Beginning with Windows 2000, the Microsoft Kerberos security package adds greater security to networked systems than NTLM." http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/microsoft_ntlm.asp
NTLM vs WIA
- Posted by: Dean Povey
- Posted on: April 16 2003 18:33 EDT
- in response to Matthias Ernst
[I work for the vendor so treat accordingly :-)] The previous poster
covered one of the main differences between the NTLM filter provided by
jCIFS and our product. NTLM uses an MD5 hash of the password to
authenticate users in a manner that is "plaintext equivalent" (meaning
that if you get the hash then you break the scheme). The Windows
Integrated Authentication mechanism uses the SPNEGO protocol with
Kerberos to provide a much more secure authentication mechanism, and
also provides mutual authentication with the server. (I'll be honest
and say the SPNEGO protocol is not secure against active
man-in-the-middle attacks, but is still _much_ more secure than NTLM).
However, there are quite a few other benefits. By default, Internet
Explorer will send a delegated credential to the web server which
allows you to do "pass-through authentication" to another Kerberized
service. We currently have an example that shows you how to do this to
IIS or another J2EE app server running our SSO filter. In a future
release, we will add support for doing this to DB2 via its Kerberized
JDBC driver and provide transparent delegation using the
HttpURLConnection. This is ideal for securely "front-ending" a J2EE
application to Microsoft stuff (like ASP .NET et al).
SPNEGO is also the current default security mechanism for Microsoft
SOAP web services. Although I may be made to wash my mouth out for
saying this in a J2EE forum, we have an example that shows how to write
a C# .NET client that talks securely to a Web Service using the Java
Web Services Developer pack.
Lastly, the next release of our product will add support for doing J2EE
authorization using Active Directory groups using the PAC information
present in the Kerberos ticket. This provides a secure mechanism that
allows authorisation to be centrally managed across many (J2EE or
non-J2EE) applications.
Hope that helps.
Dean.
NTLM vs WIA
- Posted by: Michael B Allen
- Posted on: February 27 2005 19:22 EST
- in response to Dean Povey
> NTLM uses an MD5 hash of the password to
> authenticate users in a manner that is "plaintext equivalent" (meaning
> that if you get the hash then you break the scheme).
This is just false. The plain text equivalent hash is never transmitted over the wire. All hashes are salted with a session challenge.
But yes, SPNEGO is better than NTLM for a variety of reasons.
Mike
DS implementation
- Posted by: Derek Kaczmarczyk
- Posted on: April 15 2003 11:53 EDT
- in response to Floyd Marinescu
Do you guys know of anyone that has a similar product that talks to Sun's Directory Server?