News: Wedgetail Releases JCSI Single Signon

  1. Wedgetail Releases JCSI Single Signon (9 messages)

    Wedgetail has announced a Java Crypto and Security Implementation (JCSI) Single Sign-On product. It allows J2EE application servers running on Windows to use Windows Integrated Authentication (Microsoft Active Directory) to provide single sign-on to deployed J2EE applications, so that users and passwords can be managed with standard Windows infrastructure.

    Check out Wedgetail and their press release.

  2. What about JCIFS

    I have used jCIFS from samba.org to do the same kind of thing.

    How does this compare?

    Thank You
    Jim Tyrrell
  3. MS Active Directory is only a type of data store. It does not provide an SSO API or SPI to developers.
  4. CIFS = Common Internet File System

    jCIFS is the Java implementation of that standard
  5. Not so confused

    I don't think he is confused, the jCIFS project also provides an NTLM filter as per the servlet specification. It integrates very nicely with IE browsers to provide NTLM authentication for single sign on within a Windows domain. See http://jcifs.samba.org/src/docs/ntlmhttpauth.html for more information.
  6. Sorry

    Sorry to sound confused. I have used the NTLM filter with great success.

    How does what this product is doing compare to that?

    Is the vendor here to answer?

    Thank You
    Jim Tyrrell
  7. NTLM vs WIA

    [I'm not the vendor.] The difference I see here is the use of Windows Integrated Authentication, Microsoft's implementation of Kerberos. There are a number of solutions out there that authenticate using NTLM, but NTLM is not as secure.

    "Beginning with Windows 2000, the Microsoft Kerberos security package adds greater security to networked systems than NTLM." http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/microsoft_ntlm.asp
  8. NTLM vs WIA

    [I work for the vendor, so treat accordingly :-)] The previous poster covered one of the main differences between the NTLM filter provided by jCIFS and our product. NTLM uses an MD5 hash of the password to authenticate users in a manner that is "plaintext equivalent" (meaning that if you get the hash then you break the scheme). The Windows Integrated Authentication mechanism uses the SPNEGO protocol with Kerberos to provide a much more secure authentication mechanism, and also provides mutual authentication with the server. (I'll be honest and say the SPNEGO protocol is not secure against active man-in-the-middle attacks, but it is still _much_ more secure than NTLM.)

    However, there are quite a few other benefits. By default, Internet Explorer will send a delegated credential to the web server, which allows you to do "pass-through authentication" to another Kerberized service. We currently have an example that shows you how to do this to IIS or to another J2EE app server running our SSO filter. In a future release, we will add support for doing this to DB2 via its Kerberized JDBC driver and provide transparent delegation using the HttpUrlConnection. This is ideal for securely "front-ending" a J2EE application to Microsoft stuff (like ASP .NET et al.).

    SPNEGO is also the current default security mechanism for Microsoft SOAP web services. Although I may be made to wash my mouth out for saying this in a J2EE forum, we have an example that shows how to write a C# .NET client that talks securely to a Web Service using the Java Web Services Developer Pack.

    Lastly, the next release of our product will add support for doing J2EE authorization using Active Directory groups, using the PAC information present in the Kerberos ticket. This provides a secure mechanism that allows authorisation to be centrally managed across many (J2EE or non-J2EE) applications.

    Hope that helps.
    Dean.
  9. NTLM vs WIA

    > NTLM uses an MD5 hash of the password to authenticate users in a manner that is "plaintext equivalent" (meaning that if you get the hash then you break the scheme).

    This is just false. The plaintext-equivalent hash is never transmitted over the wire. All hashes are salted with a session challenge.

    But yes, SPNEGO is better than NTLM for a variety of reasons.

    Mike
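    Messages 8 and 9 disagree about whether NTLM is "plaintext equivalent". The added example below (not from the thread or from Wedgetail's product) computes an NTLMv2 challenge response as specified in MS-NLMP and shows that both posters are right: the NT hash never crosses the wire and each response is bound to the server challenge, yet the hash alone is enough to produce a valid response, which is why a stored NT hash has to be protected exactly like the password and why a per-session challenge alone does not put NTLM on a par with Kerberos. The user name, domain, challenges and password are constructed sample values; the MD4 routine is included only because hashlib often lacks MD4 under OpenSSL 3.

```python
import hashlib
import hmac
import struct

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often disabled under OpenSSL 3."""
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    rounds = (  # (boolean function, additive constant, word order, per-step shifts)
        (lambda x, y, z: (x & y) | (~x & z), 0, range(16), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)))
    data += b"\x80" + bytes((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = h
        for f, k, order, shifts in rounds:
            for j, i in enumerate(order):
                a, b, c, d = d, rotl((a + f(b, c, d) + x[i] + k) & 0xFFFFFFFF, shifts[j % 4]), b, c
        h = [(u + v) & 0xFFFFFFFF for u, v in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> bytes:
    """NTOWFv1 (MS-NLMP 3.3.1): MD4 of the UTF-16LE password, i.e. the stored credential."""
    return md4(password.encode("utf-16-le"))

def ntlmv2_response(nt_hash_bytes: bytes, user: str, domain: str, server_challenge: bytes,
                    client_challenge: bytes, timestamp: int, target_info: bytes) -> bytes:
    """NtChallengeResponse (MS-NLMP 3.3.2): the input is the hash, never the password."""
    key = hmac.new(nt_hash_bytes, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    blob = (b"\x01\x01" + bytes(6) + struct.pack("<Q", timestamp) + client_challenge
            + bytes(4) + target_info + bytes(4))
    return hmac.new(key, server_challenge + blob, hashlib.md5).digest() + blob

# Constructed sample values for the demonstration, not a real user or a captured exchange.
SERVER_CHALLENGE, CLIENT_CHALLENGE = bytes.fromhex("0123456789abcdef"), bytes.fromhex("a1a2a3a4a5a6a7a8")
TARGET_INFO = b"\x02\x00\x08\x00" + "CORP".encode("utf-16-le") + bytes(4)  # NbDomainName AV pair + EOL
STORED_NT_HASH = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")  # NT hash of "password" (public vector)

def demo() -> dict:
    """The hash alone yields a valid response (password-equivalent), yet each one is challenge-bound."""
    resp = lambda key, chal: ntlmv2_response(key, "alice", "CORP", chal, CLIENT_CHALLENGE, 0, TARGET_INFO)
    from_password = resp(nt_hash("password"), SERVER_CHALLENGE)
    from_hash = resp(STORED_NT_HASH, SERVER_CHALLENGE)
    return {"hash_suffices": from_password == from_hash,
            "bound_to_challenge": from_hash != resp(STORED_NT_HASH, bytes(8)),
            "hash_on_wire": STORED_NT_HASH in from_hash}
```

    For defenders the practical consequence is that the credential store holding NT hashes is as sensitive as one holding passwords, and that the session challenge stops replay of a captured response but not reuse of the hash itself.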
  10. DS implementation

    Do you guys know of anyone that has a similar product that talks to Sun's Directory Server?