Windows Integrated Single Sign-on and Java

  1. Windows Integrated Single Sign-on and Java (17 messages)

    AppliedCrypto.com has released articles and presentations on how to implement single sign-on using SPNEGO (Kerberos) to do HTTP based authentication. The latest article is on SPNEGO authentication with Apache Tomcat.

    Other questions answered on the site:

    • How can Java applications use Windows credentials to do SSO?
    • How can SPNEGO be implemented into solutions with older application servers like WAS 3.4, 4 and older WebLogic servers?
    • What about latest servers like WAS 5 and WLS 8.1?
    • Can SPNEGO be implemented into Applets?
    • What about other browsers than Internet Explorer?
    • What about non-Windows environments like Linux?
    Read the security articles at http://appliedcrypto.com

    Threaded Messages (17)

  2. I would be baffled if this works in general. Attempting to integrate Windows domains with anything else is usually a nice recipe for disaster.

    You see, Kerberos doesn't even work properly with NATIVE Win32 protocols, like DCOM and .NET Remoting.
  3. Free implementation

    Does anyone know a free java implementation to unpack SPNEGO?

    Thanks,
    Danilo
  4. Re: Free implementation

    Does anyone know a free java implementation to unpack SPNEGO?

    Thanks,
    Danilo
    http://dev.taglab.com/sites/taglab-public/support/spnego.html
  5. Re: Free implementation

    Does anyone know a free java implementation to unpack SPNEGO?

    Thanks,
    Danilo
    http://dev.taglab.com/viewvc/viewvc.cgi/taglab-public/trunk/support/src/main/java/com/taglab/support/spnego/
  6. Re: Free implementation

    With JDK 1.6, single sign-on is easy to implement in any kind of J2EE web server. Find the solution at the link below: http://webmoli.com/2009/08/29/single-sign-on-in-java-platform/
  7. Re: Free implementation

    Have a look at this open source project on sourceforge http://spnego.sourceforge.net
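
For the question above about unpacking SPNEGO, an added example (not from any poster or linked project) that decodes just enough of an HTTP `Negotiate` header value to list the mechanism OIDs the client offers and to tell a SPNEGO token from a raw NTLM one. It assumes Java 17 for `HexFormat`; the class name `SpnegoPeek` and the sample token are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.*;
public class SpnegoPeek {
    private final byte[] buf; private int pos;
    private SpnegoPeek(byte[] buf) { this.buf = buf; }
    // Consume one DER header with the expected tag; return the content length.
    private int enter(int tag) {
        if ((buf[pos++] & 0xff) != tag) throw new IllegalArgumentException("unexpected DER tag");
        int len = buf[pos++] & 0xff;
        if (len >= 0x80) {                    // long form: low 7 bits count the length bytes
            int n = len & 0x7f;
            if (n == 0 || n > 3) throw new IllegalArgumentException("bad DER length");
            for (len = 0; n > 0; n--) len = (len << 8) | (buf[pos++] & 0xff);
        }
        if (len > buf.length - pos) throw new IllegalArgumentException("truncated token");
        return len;
    }
    // Decode an OBJECT IDENTIFIER body of len bytes into dotted notation.
    private String oid(int len) {
        StringBuilder sb = new StringBuilder();
        for (long v = 0, end = pos + len; pos < end; ) {
            int b = buf[pos++] & 0xff;
            v = (v << 7) | (b & 0x7f);
            if ((b & 0x80) != 0) continue;    // more base-128 digits follow
            if (sb.length() == 0) sb.append(Math.min(v / 40, 2)).append('.').append(v - 40 * Math.min(v / 40, 2));
            else sb.append('.').append(v);
            v = 0;
        }
        return sb.toString();
    }
    // Mechanism OIDs offered in an Authorization header value that uses the Negotiate scheme.
    public static List<String> mechanisms(String header) {
        if (!header.regionMatches(true, 0, "Negotiate ", 0, 10)) throw new IllegalArgumentException("not Negotiate");
        byte[] tok = Base64.getDecoder().decode(header.substring(10).trim());
        if (new String(tok, StandardCharsets.ISO_8859_1).startsWith("NTLMSSP")) return List.of("raw NTLMSSP");
        SpnegoPeek d = new SpnegoPeek(tok);
        d.enter(0x60);                        // [APPLICATION 0]: GSS-API initial context token
        String mech = d.oid(d.enter(0x06));
        if (!mech.equals("1.3.6.1.5.5.2")) return List.of("bare mechanism " + mech);
        d.enter(0xa0); d.enter(0x30); d.enter(0xa0);  // NegotiationToken [0], NegTokenInit, mechTypes [0]
        int len = d.enter(0x30), end = d.pos + len;   // SEQUENCE OF MechType
        List<String> out = new ArrayList<>();
        while (d.pos < end) out.add(d.oid(d.enter(0x06)));
        return out;
    }
    public static void main(String[] args) {  // constructed sample: MS-Kerberos, Kerberos 5, NTLMSSP; no mechToken
        byte[] t = HexFormat.of().parseHex("603206062b0601050502a0283026a024302206092a864882f71201020206092a864886f712010202060a2b06010401823702020a");
        System.out.println(mechanisms("Negotiate " + Base64.getEncoder().encodeToString(t)));
    }
}
```

This only inspects the token; it validates nothing, so authentication still has to go through a GSS-API or Kerberos implementation. Treat any `RuntimeException` from `mechanisms` as a malformed header.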
  8. Another possible solution

    Here is another way to provide SSO against Kerberos or any other back end authentication store. It's also open source...

    It has tag library and servlet filter client, but also has clients for many other languages.

    http://www.yale.edu/tp/auth/
  9. Oops

    Oops, my bad. I read the first page, but didn't understand that this allows logging in to a web app based on Windows authentication until I read the FAQ.

    The CAS application isn't the same thing. It requires the user to enter a username/password, but it does provide single sign on across many web apps and it works on platforms other than IE/Windows.
  10. Another possible solution

    Here is another way to provide SSO against Kerberos or any other back end authentication store. It's also open source... It has tag library and servlet filter client, but also has clients for many other languages. http://www.yale.edu/tp/auth/
    This article describes how to use Yale's CAS:

    http://www-106.ibm.com/developerworks/web/library/wa-singlesign/
  11. Wedgetail...

    @see http://www.wedgetail.com/jcsi/sso/index.html
  12. SPNEGO and Apache

    SPNEGO and Apache:

    http://www.onlamp.com/pub/a/onlamp/2003/09/11/kerberos.html?page=1
  13. Actually, one of our programmers implemented this (of course, he didn't have this article, and the black work discovering how to do it must have removed several years off his life...).

    We have a Windows (Active Directory) based network where each user has a W2K workstation. From these stations the users access web applications, some written in Java and some in .NET/DNA. Those in .NET/DNA have no problem using SSO but for those in Java we've developed the mentioned mechanism which does exactly what the article suggests.

    And it works.

    We had problems here and there (and still do actually) but nothing major except one serious bug. Don't despair: it's implementable!

    Arik.
  14. My tests show this too. Thanks for backing me up.

    /Bo
    http://appliedcrypto.com
  15. The SPNEGO implementation now includes plugins for

    WebSphere 5.1; using NTAI all HTTP will authenticate using SPNEGO

    WebLogic 8.1; using authentication plugin all HTTP will authenticate using SPNEGO. Fat java programs can authenticate using JAAS login module, which enables SSO towards HTTP and EJB connections to the WebLogic server.

    Tomcat 4.x, 5.x; using Authenticator and Realm.

    All the above solutions bring seamless SSO, authentication and authorization to the web applications.

    Read more on http://appliedcrypto.com.

    /Bo
  16. Windows PAC in a Java Web Server World

    I have added a new article in the series that explains some of the details of the PAC (Privilege Access Certificate).

    The PAC is a Microsoft extension to the Kerberos standard and contains information about the user e.g. group membership.

    This can be used in Java web servers like Tomcat. But also WebLogic and others can use this to avoid extra authorization lookups in LDAP (Active Directory).

    http://appliedcrypto.com/spnego/pac/ms_kerberos_pac.html

    /Bo
    http://appliedcrypto.com
  17. I have updated the article "SPNEGO/Kerberos authentication with Apache Tomcat" with the new PAC support. The PAC contains the group membership information for the authenticated user, which previously required an LDAP lookup in a Realm plugin. This is not required any more.

    Read more at: http://appliedcrypto.com

    /Bo
    http://appliedcrypto.com
  18. waste money

    Why should I buy a product for €3,000 when there is an equivalent open source solution available?