Posted to dev@tomcat.apache.org by Ashish Jain <as...@gmail.com> on 2009/12/09 14:03:44 UTC

Re: SPNEGO/NEGOTIATE implementation for Apache Geronimo

Hi folks,

Can you please suggest if there is any way to disable the prompt for
username and password when using basic authentication??

Thanks and Regards
Ashish

On 11/13/09, Costin Manolache <co...@gmail.com> wrote:
> On Fri, Nov 13, 2009 at 6:44 AM, Mark Thomas <ma...@apache.org> wrote:
>
>> Ashish Jain wrote:
>>
>> > 4) Does this require code changes to BasicAuthenticator FormAuthenticator,
>> > AuthenticatorBase of tomcat.
>>
>> Basic and form - no. Base - maybe.
>>
>> > Please provide your comment and suggestions.
>>
>> My instinct (that may be wrong) is that you'll need a new authenticator. If you
>> get this working then I'd certainly consider it for inclusion in Tomcat.
>>
>>
> An OpenID would be nice too :-)
>
> Costin
>
>
>
>> Mark
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: dev-help@tomcat.apache.org
>>
>>
>



Re: SPNEGO/NEGOTIATE implementation for Apache Geronimo

Posted by Ashish Jain <as...@gmail.com>.
Dear Developers,

I have successfully developed a patch which enables spnego authentication in
Tomcat. This patch also enables fallback in case Spnego authentication
fails. Can you kindly review and provide comments on the attached patch?
Here is the link for the bug raised in b'zilla (
https://issues.apache.org/bugzilla/show_bug.cgi?id=48685).

Thanks
Ashish

On Thu, Dec 10, 2009 at 1:50 PM, Ashish Jain <as...@gmail.com> wrote:

> Yes I am using a Spnego enabled browser and my motto is to enable single
> sign in geronimo through spnego. As of now I have a small POC of spnego
> working where it is able to recognise the src machine, target machine and is
> able to establish a security context between client and server. However
> current implementation requires me to override one of the Basic, digest or
> form as these are the ones which can be specified in web.xml and we cannot
> specify Negotiate. So my questions are:
>
> Q1. Can you think of a way where we need not override any of the above
> mentioned mechanism?
> Q2. I need to disable the prompt for credentials by the browser, because
> once the user is logged into a machine which is part of
> domain controller he should be able to access the apps w/o any prompt.
>
> I have referred to the following link to understand how spnego is supposed to
> work.
>
>
> http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=/com.ibm.websphere.base.doc/info/aes/ae/csec_SPNEGO_explain.html
>
> Thanks
> Ashish
>
>
>
> On Thu, Dec 10, 2009 at 6:26 AM, David Jencks <da...@yahoo.com> wrote:
>
>>
>> On Dec 9, 2009, at 5:03 AM, Ashish Jain wrote:
>>
>>> Hi folks,
>>>
>>> Can you please suggest if there is any way to disable the prompt for
>>> username and password when using basic authentication??
>>>
>>
>> That's browser behavior, so the only thing you can do from the server side
>> is not use plain BASIC auth.  Are you using a SPNEGO enabled browser on a
>> platform where it can recognize your (client side) kerberos login?  Do you
>> have a link to a description of how SPNEGO is supposed to work?
>>
>> thanks
>> david jencks

Re: SPNEGO/NEGOTIATE implementation for Apache Geronimo

Posted by Ashish Jain <as...@gmail.com>.
Yes I am using a Spnego enabled browser and my motto is to enable single
sign in geronimo through spnego. As of now I have a small POC of spnego
working where it is able to recognise the src machine, target machine and is
able to establish a security context between client and server. However
current implementation requires me to override one of the Basic, digest or
form as these are the ones which can be specified in web.xml and we cannot
specify Negotiate. So my questions are:

Q1. Can you think of a way where we need not override any of the above
mentioned mechanism?
Q2. I need to disable the prompt for credentials by the browser, because
once the user is logged into a machine which is part of
domain controller he should be able to access the apps w/o any prompt.

I have referred to the following link to understand how spnego is supposed to
work.

http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=/com.ibm.websphere.base.doc/info/aes/ae/csec_SPNEGO_explain.html

Thanks
Ashish


On Thu, Dec 10, 2009 at 6:26 AM, David Jencks <da...@yahoo.com> wrote:

>
> On Dec 9, 2009, at 5:03 AM, Ashish Jain wrote:
>
>> Hi folks,
>>
>> Can you please suggest if there is any way to disable the prompt for
>> username and password when using basic authentication??
>>
>
> That's browser behavior, so the only thing you can do from the server side
> is not use plain BASIC auth.  Are you using a SPNEGO enabled browser on a
> platform where it can recognize your (client side) kerberos login?  Do you
> have a link to a description of how SPNEGO is supposed to work?
>
> thanks
> david jencks

Re: SPNEGO/NEGOTIATE implementation for Apache Geronimo

Posted by David Jencks <da...@yahoo.com>.
On Dec 9, 2009, at 5:03 AM, Ashish Jain wrote:

> Hi folks,
>
> Can you please suggest if there is any way to disable the prompt for
> username and password when using basic authentication??

That's browser behavior, so the only thing you can do from the server  
side is not use plain BASIC auth.  Are you using a SPNEGO enabled  
browser on a platform where it can recognize your (client side)  
kerberos login?  Do you have a link to a description of how SPNEGO is  
supposed to work?

thanks
david jencks



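
Added example, not part of the thread and not the patch attached to bug 48685: the server-side half of the exchange discussed above, where a 401 offers Negotiate first with Basic as the fallback and the returned Authorization header is classified. The class name, the realm "Geronimo" and the sample headers are assumptions constructed for illustration; validating the token itself (GSS-API context acceptance) is out of scope here.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;

/** Illustration only: header handling for Negotiate with Basic fallback. */
public class NegotiateFallbackDemo {
    enum Kind { NO_CREDENTIALS, SPNEGO_TOKEN, NTLM_TOKEN, BASIC_FALLBACK, MALFORMED }
    private static final byte[] NTLM_SIG = "NTLMSSP\0".getBytes(StandardCharsets.US_ASCII);

    /** Challenges for the 401 response; one WWW-Authenticate header per entry, Negotiate first. */
    static List<String> challenges(String realm, boolean secureChannel) {
        // Basic sends the password merely base64-encoded, so offer it only over TLS.
        return secureChannel
                ? List.of("Negotiate", "Basic realm=\"" + realm + "\"")
                : List.of("Negotiate");
    }

    /** Classifies the request's Authorization header value (null when absent). */
    static Kind classify(String authorization) {
        if (authorization == null || authorization.isBlank()) return Kind.NO_CREDENTIALS;
        String[] parts = authorization.trim().split("\\s+", 2);
        if (parts.length != 2) return Kind.MALFORMED;
        if (parts[0].equalsIgnoreCase("Basic")) return Kind.BASIC_FALLBACK;
        if (!parts[0].equalsIgnoreCase("Negotiate")) return Kind.MALFORMED;
        byte[] token;
        try {
            token = Base64.getDecoder().decode(parts[1]);
        } catch (IllegalArgumentException e) {
            return Kind.MALFORMED;
        }
        if (token.length >= NTLM_SIG.length
                && Arrays.equals(Arrays.copyOf(token, NTLM_SIG.length), NTLM_SIG)) {
            return Kind.NTLM_TOKEN;   // client had no Kerberos ticket; this is raw NTLM, not SPNEGO
        }
        // 0x60 = GSS-API initial context token, 0xA1 = SPNEGO NegTokenResp on later legs
        int tag = token.length > 0 ? token[0] & 0xFF : -1;
        return (tag == 0x60 || tag == 0xA1) ? Kind.SPNEGO_TOKEN : Kind.MALFORMED;
    }

    public static void main(String[] args) {
        System.out.println(challenges("Geronimo", true));
        // Constructed sample headers, not captured traffic.
        String ntlm = "Negotiate " + Base64.getEncoder().encodeToString(NTLM_SIG);
        String spnego = "Negotiate "
                + Base64.getEncoder().encodeToString(new byte[] {0x60, 0x03, 0x06, 0x01, 0x2b});
        for (String h : new String[] {null, spnego, ntlm, "Basic dXNlcjpwYXNz", "Negotiate %%%"}) {
            System.out.println(h + " -> " + classify(h));
        }
    }
}
```

Whether the user sees a credentials dialog is decided by the browser from the challenges it receives, so the server can only control which schemes it offers and in what order.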