Posted to users@tomcat.apache.org by "N.s.Karthik" <ns...@gmail.com> on 2013/01/28 05:08:08 UTC

LDAP on TOMCAT 7.0.30

Hi

Spec: JDK 1.6,
      Tomcat 7.0.30,
      Linux 64-bit SUSE

So far we have been using 3 killer Ajax web-based applications,
each app provided with a separate DB schema.

The requirement is to provide SSO ("Single Sign On") logic with the existing
LDAP server.
The AAA has to be validated only once for login.

1) What options do I have in providing SSO logic?
2) Can cookies be used for resolving the requirement?
3) Can the browser pick up the client system login credentials (Windows start-up
credentials) for the authorization?

with regards
Karthik



--
View this message in context: http://tomcat.10.n6.nabble.com/LDAP-on-TOMCAT-7-0-30-tp4993107.html
Sent from the Tomcat - User mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: LDAP on TOMCAT 7.0.30

Posted by chris derham <ch...@derham.me.uk>.
> Is this possible, Is there any material available for me

The links already provided cover all that you request

> I have read somewhere that Apache HTTPD ( ) can do this SSO process,
> then the same could be done at the httpd end instead of the Tomcat end.
>
> If so, please let me know the process.

I have never setup SSO for httpd. Others on this Apache tomcat mailing
list might know, but I suggest that if you have questions relating to
Apache httpd, then you ask on the Apache httpd mailing list.

HTH

Chris



Re: LDAP on TOMCAT 7.0.30

Posted by "N.s.Karthik" <ns...@gmail.com>.
Hey Chris

> So you want to configure the login process to work once per day, e.g.
> the users are prompted once per day for either app, but once prompted,
> they won't be prompted again for either app for the rest of the day.
> Presumably if the login is without a prompt, then this requirement
> disappears, e.g. if the browser can send current credentials to server
> without any prompt, then it doesn't really matter how many times this
> happens per day right?

Yes, you have hit the bull's eye.

Is this possible? Is there any material available for me?

I have read somewhere that Apache HTTPD ( ) can do this SSO process,
then the same could be done at the httpd end instead of the Tomcat end.

If so, please let me know the process.


with regards
Karthik






Re: LDAP on TOMCAT 7.0.30

Posted by chris derham <ch...@derham.me.uk>.
> We have 2 Apps on tomcat with each having independent DB
> the credentials in both apps are in synch with the list of authorized users
> as per LDAP.

What does that mean? Where is the source of the credentials? When a
user changes a password, where do they change it? You say "in synch",
so do the databases just copy the credentials from LDAP? How is the
sync working?

> *for the 1st app any valid user should be able to log in (using any browser)
> only once to validate the LDAP verification,

What does that mean "validate the LDAP verification" - do you mean
validate their credentials against LDAP right?

> On validating the request should continue to AAA of the Application as per
> the Local DB credentials

Do you mean that another round of authentication should occur in the
application? Surely the app could just pick up the SSO credentials?
Why do it again?

> and allow to successful logon ...probably log out later.*
>
> *Later, if the 2nd app is requested for authorization it should not ask for re-validation.*
>
>  The process on any app requires validating credentials only once in a day.

So you want to configure the login process to work once per day, e.g.
the users are prompted once per day for either app, but once prompted,
they won't be prompted again for either app for the rest of the day.
Presumably if the login is without a prompt, then this requirement
disappears, e.g. if the browser can send current credentials to server
without any prompt, then it doesn't really matter how many times this
happens per day right?

>
>  How can this be achieved [either at Tomcat (if possible) or at Apache
> httpd, since we use a reverse proxy conf]?

Subject to some confirmation from you about exactly what you want, the
previous suggestions should allow you to do all of the above

Chris



Re: LDAP on TOMCAT 7.0.30

Posted by "N.s.Karthik" <ns...@gmail.com>.
Hi

Thanks for the quick reply.

> Single-Sign-On Valve, which will allow a user to login once to the first
> application running on Tomcat, and then the login will be valid if he calls
> other applications on the same Tomcat, and for these other applications
> running on the same Tomcat he will not have to login again.

This is exactly what I needed, but with a twist.

We have 2 apps on Tomcat, each having an independent DB;
the credentials in both apps are in sync with the list of authorized users
as per LDAP.

*For the 1st app, any valid user should be able to log in (using any browser)
only once to validate the LDAP verification.
On validating, the request should continue to the AAA of the application as per
the local DB credentials and allow a successful logon ... probably logging out
later.*

*Later, if the 2nd app is requested for authorization it should not ask
for re-validation.*


The process on any app requires validating credentials only once in a
day.

How can this be achieved [either at Tomcat (if possible) or at Apache
httpd, since we use a reverse proxy conf]?


with regards
karthik


Re: LDAP on TOMCAT 7.0.30

Posted by André Warnier <aw...@ice-sa.com>.
N.s.Karthik wrote:
> Hi
> 
> Thx for the Conversation
> but still I am not convinced
> 
> How do I achieve SSO + LDAP for the setup as defined below?
> I absolutely do not have any idea; I am confused with lots of URLs.
> 
> Apache 2.2x (httpd-ssl)  ----> Tomcat----> DB

Why SSL between Apache2 and Tomcat? Is it necessary?
Usually, people do this:

browser <-- HTTPS --> Apache <-- HTTP or AJP --> Tomcat <--> DB

> 
> Traffic expected on system is 300+ 

300+ what?
Requests per hour, requests per day, per minute?
Number of simultaneous sessions?

> using IE, FFOX, Safari, Opera, Chrome
> per day, so cannot have some sort of browser plugin, specific installation on
> every system.

None of the things suggested so far include anything at the browser level.


> 
Karthik.
You are not getting precise answers, because your question is too vague.
SSO means "Single Sign On".  It just means that a user should have to login only once, and 
then this login would be valid for several applications.

For exactly the above, Tomcat provides a Single-Sign-On Valve, which will allow a user to 
login once to the first application running on Tomcat, and then the login will be valid if 
he calls other applications on the same Tomcat, and for these other applications running 
on the same Tomcat he will not have to login again.
(But if he goes to another server, or closes his browser and then comes back to Tomcat, he 
will have to login again).

Note that in the above, I do not specify *how* the login happens.
That is Authentication, and it is independent of the SSO aspect.

Now some people, when they say "SSO + LDAP", actually mean : I want the users to be 
logged-in automatically in the Tomcat application, based on the login that they did in 
Windows on their workstation when they arrived in the morning. Is that what you mean ?
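As an added configuration example (not from this thread, and not the Tomcat project's own documentation), here are the Tomcat 7 pieces that give the behaviour André describes: one LDAP-backed JNDIRealm at the Host level, because the Single-Sign-On Valve requires every web application on that Host to share the same Realm; the SingleSignOn Valve itself, which issues the JSESSIONIDSSO cookie after the first successful login so the second application skips its login page; and the per-application web.xml constraint that triggers authentication. The host name, LDAP URL, DNs, role name and bind password are placeholders.

```xml
<!-- conf/server.xml (fragment). Added example; host names, DNs, the role
     name and the bind password are placeholders. Both applications are
     deployed under this one Host. -->
<Host name="sso.example.com" appBase="webapps" unpackWARs="true" autoDeploy="false">

  <!-- One LDAP Realm at Host level: the SingleSignOn Valve requires every
       web application on the Host to authenticate against the same Realm. -->
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldaps://ldap.example.com:636"
         connectionName="cn=tomcat-bind,ou=services,dc=example,dc=com"
         connectionPassword="CHANGE-ME-PLACEHOLDER"
         userBase="ou=people,dc=example,dc=com"
         userSearch="(uid={0})"
         userSubtree="true"
         roleBase="ou=groups,dc=example,dc=com"
         roleName="cn"
         roleSearch="(member={0})"
         roleSubtree="true"/>

  <!-- Single-Sign-On Valve: after the first successful login on this Host,
       the JSESSIONIDSSO session cookie lets the other applications reuse it.
       requireReauthentication="true" re-checks the cached credentials against
       the Realm on every request (one LDAP bind per request), so an account
       disabled in LDAP during the day is cut off promptly. -->
  <Valve className="org.apache.catalina.authenticator.SingleSignOn"
         requireReauthentication="true"/>
</Host>

<!-- WEB-INF/web.xml (fragment, identical in both applications) -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Whole application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- a group cn under ou=groups; placeholder -->
    <role-name>app-users</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Example SSO</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-failed.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>app-users</role-name>
</security-role>
```

Two points matter in the reverse-proxy layout André sketches (browser <-- HTTPS --> Apache <-- HTTP or AJP --> Tomcat). First, the CONFIDENTIAL guarantee only works if Tomcat knows the request arrived over TLS: AJP passes that through, but for plain HTTP proxying the Tomcat Connector needs scheme="https" and secure="true" (or a RemoteIpValve), otherwise Tomcat redirects to HTTPS in a loop; the same flag decides whether the SSO cookie is marked Secure. Second, the SSO cookie lives only as long as the browser session, which is why closing the browser means logging in again, exactly as André says.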




Re: LDAP on TOMCAT 7.0.30

Posted by "N.s.Karthik" <ns...@gmail.com>.
Hi

Thanks for the conversation,
but still I am not convinced.

How do I achieve SSO + LDAP for the setup as defined below?
I absolutely do not have any idea; I am confused with lots of URLs.

Apache 2.2x (httpd-ssl)  ----> Tomcat----> DB

Traffic expected on the system is 300+ using IE, FFOX, Safari, Opera, Chrome
per day, so we cannot have some sort of browser plugin or specific installation on
every system.



with regards
Karthik






Re: LDAP on TOMCAT 7.0.30

Posted by Christopher Schultz <ch...@christopherschultz.net>.

André,

On 1/29/13 6:53 PM, André Warnier wrote:
> I believe that you both are close to the correct understanding, but
> that it helps to clearly distinguish the various parts of the
> process, and be very clear about the terminology (which
> unfortunately is quite confusing, because many people are using
> terms like SPNEGO, GSSAPI, "Active Directory authentication", NTLM,
> "Windows Integrated Authentication" etc. all over the place without
> .. really knowing precisely what they are talking about).

Thanks for the detailed description. I'll refer back to this post if I
ever have the misfortune of having to use WIA in any way ;)

-chris


Re: LDAP on TOMCAT 7.0.30

Posted by André Warnier <aw...@ice-sa.com>.
chris derham wrote:
>> Does that mean that Tomcat treats WIA similar to HTTP BASIC (or maybe
>> DIGEST) unless you've approved a particular domain/host? That's
>> interesting. Can you just enter anything you'd like? For instance, can
>> I authenticate to a server that is expecting WIA from a Linux
>> workstation just by entering my domain credentials into the dialog?
>> That certainly sounds nice: the Microsoft Windows crowd doesn't have
>> to authenticate (explicitly, that is... their credentials are that
>> they are currently logged-into a machine on the network) but everyone
>> else can also get in.
>>
> 
> If tomcat is setup to work with SPNEGO authentication, then when a new
> session requires authentication, the server asks the client for a
> kerberos token. Under IE this will be passed silently. Under FF if you
> have configured the "network.automatic-ntlm-auth.trusted-uris" to the
> url of the server, this will be passed silently. If you setup your
> *nix machines to login to active directory they will have a kerberos
> token. If you also make the FF setting change, they too will then be
> able to silently login by sending through the kerberos token.
> 
> I think as you configure the server, you can specify what to do if
> SPNEGO fails. I guess one option would be to fall back to HTTP Basic.
> If you didn't want to get the *nix machines to login to active
> directory, then I guess that would be a way to go. Guess that it all
> depends on the security requirements
> 

I believe that you both are close to the correct understanding, but that it helps to 
clearly distinguish the various parts of the process, and be very clear about the 
terminology (which unfortunately is quite confusing, because many people are using terms 
like SPNEGO, GSSAPI, "Active Directory authentication", NTLM, "Windows Integrated 
Authentication" etc. all over the place without .. really knowing precisely what they are 
talking about).

The first few paragraphs here : http://en.wikipedia.org/wiki/SPNEGO
explain what SPNEGO is, and that SPNEGO in itself is not an authentication mechanism. It 
is kind of the "preliminary" layer which allows a browser and a server to negotiate which 
real authentication mechanism they both support and are going to use in the real 
authentication which happens next.
And what happens next can be based on /either/ Kerberos or NTLM (or Basic for that 
matter), which are different mechanisms.

I know little about Kerberos, but in the context of workstations belonging to a Windows 
Domain environment, running web-based applications and desiring to use a Windows-based 
form of authentication and SSO for these web-based applications, most organisations which 
I have come in contact with until now (including some large multinational ones) do not use 
Kerberos as an authentication mechanism; most of them still use NTLM (v2 nowadays).

In summary  and approximately, this is how WIA/NTLM works :
- the browser picks up the user-id which the user used to login onto his Windows 
workstation when he started Windows
- the browser transmits this user-id to the webserver it is communicating with, in some 
form (it actually takes several coded message exchanges for that)
- the webserver verifies this user-id with a back-end Windows Domain Controller
- the Windows Domain Controller in turn uses a back-end to check this user-id (this 
back-end being generally an Active Directory server)
- if all of the above works as it should, the webserver accepts this user-id, and makes it 
available to the web applications that run on this webserver on behalf of that browser, 
for as long as this browser-server connection persists.
(and if a new connection is established, the cycle is repeated)

Now as long as the workstation runs Windows, the browser is IE, the webserver is IIS, both 
the workstation and the webserver are in the same "intranet", the IIS webserver has access 
to a Windows Domain Controller, the user-id is valid etc., then all of this happens 
automatically behind the scenes and without the user noticing anything.

And if any of these conditions is not true, then you will need to put together alternative 
pieces of the puzzle to make "Windows Integrated Authentication" work.
The good news is that in most cases these pieces exist.
The bad news is that you really need to know where to find the needed pieces, how to set 
them up, and to know that sometimes the behaviour is a bit different from the basic one above.
(Such as the fact that FF by default displays a dialog, where IE does not; and that this 
FF dialog looks just like a Basic Authentication dialog, but it isn't. The authentication 
taking place is still NTLM, not Basic; but the popup looks the same).
(And just to make things a bit more confusing : in about 50% of the cases that I have come 
across - either as a conscious decision or as an oversight of the domain admins, if NTLM 
fails then Basic authentication will take place, both in IE and in FF, and provided the 
user enters the correct user-id and password, the webserver will accept it; and the popup 
dialog looks the same too).

On the browser side, you need one that supports WIA.  IE does (of course), and so does FF. 
Others, I don't know.

If the browser is IE, it will accept to even try WIA authentication only if the webserver 
is either in the same "intranet" or at least marked as a "trusted" server.
(So don't try this over the Internet).

If the OS under which the browser is running is not Windows, then the browser will not be 
able to pick up a valid Windows user-id from the OS (of course); so then it will have to 
ask one from the user, via a dialog.
(So that is probably what is going to happen in the case Chris mentioned at the beginning; 
but I don't really know, I have never tried).

If the webserver is not IIS (which has the WIA code built in), then you will need to add to 
the webserver a piece that can do WIA authentication. If you are running this webserver on 
a Windows machine, then you will find several alternatives for that.  If your webserver is 
running under another OS (e.g. Linux), then there are fewer alternatives available.
For example, if your webserver is Tomcat and it is running on a Linux platform, then I am 
personally not sure (and I can't really tell from the Tomcat documentation) if the SPNEGO 
Valve works or not.  But I do know that Jespa (www.ioplex.com) works (and you can try it 
for free); and Jespa also works if Tomcat runs under Windows.


Re: LDAP on TOMCAT 7.0.30

Posted by chris derham <ch...@derham.me.uk>.
> Does that mean that Tomcat treats WIA similar to HTTP BASIC (or maybe
> DIGEST) unless you've approved a particular domain/host? That's
> interesting. Can you just enter anything you'd like? For instance, can
> I authenticate to a server that is expecting WIA from a Linux
> workstation just by entering my domain credentials into the dialog?
> That certainly sounds nice: the Microsoft Windows crowd doesn't have
> to authenticate (explicitly, that is... their credentials are that
> they are currently logged-into a machine on the network) but everyone
> else can also get in.
>

If tomcat is setup to work with SPNEGO authentication, then when a new
session requires authentication, the server asks the client for a
kerberos token. Under IE this will be passed silently. Under FF if you
have configured the "network.automatic-ntlm-auth.trusted-uris" to the
url of the server, this will be passed silently. If you setup your
*nix machines to login to active directory they will have a kerberos
token. If you also make the FF setting change, they too will then be
able to silently login by sending through the kerberos token.

I think as you configure the server, you can specify what to do if
SPNEGO fails. I guess one option would be to fall back to HTTP Basic.
If you didn't want to get the *nix machines to login to active
directory, then I guess that would be a way to go. Guess that it all
depends on the security requirements

HTH

Chris
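For the Negotiate-based variant that chris derham describes here, and the WIA flow André walks through earlier in the thread, this is an added example of what the Tomcat 7 side looks like (not from the thread and not the project's own documentation); the realm EXAMPLE.COM, the host sso.example.com, the keytab path and the role name are placeholders. Selecting auth-method SPNEGO makes Tomcat's SpnegoAuthenticator answer unauthenticated requests with "WWW-Authenticate: Negotiate" and validate the Kerberos token the browser returns, using the JAAS/JGSS login entries named in the comment.

```xml
<!-- WEB-INF/web.xml (fragment). Added example; realm, host, keytab path and
     role name are placeholders. auth-method SPNEGO selects Tomcat 7's
     SpnegoAuthenticator: a request without credentials gets a 401 with
     "WWW-Authenticate: Negotiate", and the Kerberos token the browser sends
     back is checked through JGSS against the service keytab. -->
<login-config>
  <auth-method>SPNEGO</auth-method>
</login-config>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Whole application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- roles still come from the Host's Realm (e.g. the JNDIRealm), looked
         up for the authenticated Kerberos user; placeholder group name -->
    <role-name>app-users</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Tomcat's JVM also needs the Kerberos pieces. Start it with (placeholders):
       -Djava.security.krb5.conf=$CATALINA_BASE/conf/krb5.conf
       -Djava.security.auth.login.config=$CATALINA_BASE/conf/jaas.conf
     conf/jaas.conf is JAAS syntax, not XML, so it is shown here as a comment.
     It holds the two JGSS login entries the authenticator looks up, both
     bound to the HTTP service principal whose key is in the keytab:

       com.sun.security.jgss.krb5.initiate {
         com.sun.security.auth.module.Krb5LoginModule required
           doNotPrompt=true useKeyTab=true storeKey=true
           principal="HTTP/sso.example.com@EXAMPLE.COM"
           keyTab="/opt/tomcat/conf/tomcat.keytab";
       };
       com.sun.security.jgss.krb5.accept {
         com.sun.security.auth.module.Krb5LoginModule required
           doNotPrompt=true useKeyTab=true storeKey=true
           principal="HTTP/sso.example.com@EXAMPLE.COM"
           keyTab="/opt/tomcat/conf/tomcat.keytab";
       };
-->
```

A few practical notes. This path is pure Java (JGSS), so it runs on a Linux Tomcat as long as krb5.conf, the keytab and DNS/time are right; the authenticated name arrives as user@EXAMPLE.COM, and the Realm attribute stripRealmForGss (default true) drops the realm part before the role lookup so the same LDAP group mapping as a FORM login applies. The "once per day" requirement is met by Kerberos itself: the ticket-granting ticket a user gets at workstation login is reused for every Negotiate exchange until it expires. Tomcat's authenticator handles only the Negotiate exchange; a browser that cannot produce a token (a non-domain machine, or a host the browser is not allowed to authenticate to) simply gets a 401, so users outside the domain still need a FORM-against-LDAP path. On the Firefox side, network.negotiate-auth.trusted-uris governs Negotiate/Kerberos and network.automatic-ntlm-auth.trusted-uris governs NTLM; both are allow-lists, and keeping them limited to the intranet host names is what stops the browser from offering a domain token to any site that asks for one, the concern chris derham raises later in the thread.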



Re: LDAP on TOMCAT 7.0.30

Posted by Christopher Schultz <ch...@christopherschultz.net>.

André,

On 1/29/13 4:19 AM, André Warnier wrote:
> Christopher Schultz wrote:
>> 
>> André,
>> 
>> On 1/28/13 12:32 PM, André Warnier wrote:
>>> Christopher Schultz wrote:
>>>> 
>>>> Chris,
>>>> 
>>>> On 1/28/13 7:47 AM, chris derham wrote:
>>>>>> 1) All 3 applications  are browser compatible  and users
>>>>>> may use other than IE hence IE alone can be ruled out
>>>>> Do you mean "multiple browsers access these web
>>>>> applications, so we can't use anything that is IE
>>>>> specific"? Assuming that you do, I don't believe that
>>>>> anybody suggested anything that is IE specific, e.g. the
>>>>> SSO solutions so far posted will work in other browsers as
>>>>> well. Can you elaborate on what you mean exactly please?
>>>> I think auto-forwarding credentials from the client system 
>>>> through the browser generally requires MSIE. I've never done 
>>>> anything like that and have no idea what I'm talking about,
>>>> so I may be completely wrong.
>>>> 
>>> You are. Firefox supports "Windows Integrated Authentication"
>>> fine too, and I believe most usual current browsers do.
>> 
>> Do you need a plug-in or anything like that? Does it need to be 
>> specifically enabled?
>> 
> 
> This may provide more details : 
> http://markmonica.com/2007/11/20/firefox-and-integrated-windows-authentication/
>
>  or search Google for : windows integrated authentication support
> in firefox
> 
> I am using currently Firefox v 17.0.1, and it seems to do fine
> right out of the box. By default, Firefox will prompt for id/pw in
> a dialog box anyway, even for WIA. But you can change this
> specifically for a list of sites, for which no prompt will be
> issued. (That's all under Windows of course).

Does that mean that Tomcat treats WIA similar to HTTP BASIC (or maybe
DIGEST) unless you've approved a particular domain/host? That's
interesting. Can you just enter anything you'd like? For instance, can
I authenticate to a server that is expecting WIA from a Linux
workstation just by entering my domain credentials into the dialog?
That certainly sounds nice: the Microsoft Windows crowd doesn't have
to authenticate (explicitly, that is... their credentials are that
they are currently logged-into a machine on the network) but everyone
else can also get in.

-chris


Re: LDAP on TOMCAT 7.0.30

Posted by André Warnier <aw...@ice-sa.com>.
Christopher Schultz wrote:
> 
> André,
> 
> On 1/28/13 12:32 PM, André Warnier wrote:
>> Christopher Schultz wrote:
>>>
>>> Chris,
>>>
>>> On 1/28/13 7:47 AM, chris derham wrote:
>>>>> 1) All 3 applications  are browser compatible  and users may
>>>>> use other than IE hence IE alone can be ruled out
>>>> Do you mean "multiple browsers access these web applications,
>>>> so we can't use anything that is IE specific"? Assuming that
>>>> you do, I don't believe that anybody suggested anything that is
>>>> IE specific, e.g. the SSO solutions so far posted will work in
>>>> other browsers as well. Can you elaborate on what you mean
>>>> exactly please?
>>> I think auto-forwarding credentials from the client system
>>> through the browser generally requires MSIE. I've never done
>>> anything like that and have no idea what I'm talking about, so I
>>> may be completely wrong.
>>>
>> You are. Firefox supports "Windows Integrated Authentication" fine
>> too, and I believe most usual current browsers do.
> 
> Do you need a plug-in or anything like that? Does it need to be
> specifically enabled?
> 

This may provide more details :
http://markmonica.com/2007/11/20/firefox-and-integrated-windows-authentication/
or search Google for : windows integrated authentication support in firefox

I am currently using Firefox v17.0.1, and it seems to do fine right out of the box.
By default, Firefox will prompt for id/pw in a dialog box anyway, even for WIA. But you 
can change this specifically for a list of sites, for which no prompt will be issued.
(That's all under Windows of course).



Re: LDAP on TOMCAT 7.0.30

Posted by chris derham <ch...@derham.me.uk>.
>>> Do you need a plug-in or anything like that? Does it need to be
>>> specifically enabled?
>>
>> No, we use it all the time with IE, Firefox, and I believe Chrome
>> as well.

Last time I was working in this area a few years ago, it worked by
default in IE and had to be turned on in FF. A rogue website would
request the token and do malicious things if it is handed out by the
browser whenever asked. The link explains the settings required.
Perhaps this has changed "recently" and works auto-magically now?

http://pic.dhe.ibm.com/infocenter/wasinfo/v7r0/topic/com.ibm.websphere.express.doc/info/exp/ae/tsec_SPNEGO_configweb_new.html

Thanks

Chris



Re: LDAP on TOMCAT 7.0.30

Posted by Christopher Schultz <ch...@christopherschultz.net>.

David,

On 1/28/13 1:18 PM, David kerber wrote:
> On 1/28/2013 1:07 PM, Christopher Schultz wrote:
>> 
>> André,
>> 
>> On 1/28/13 12:32 PM, André Warnier wrote:
>>> Christopher Schultz wrote:
>>>> 
>>>> Chris,
>>>> 
>>>> On 1/28/13 7:47 AM, chris derham wrote:
>>>>>> 1) All 3 applications  are browser compatible  and users
>>>>>> may use other than IE hence IE alone can be ruled out
>>>>> Do you mean "multiple browsers access these web
>>>>> applications, so we can't use anything that is IE
>>>>> specific"? Assuming that you do, I don't believe that
>>>>> anybody suggested anything that is IE specific, e.g. the
>>>>> SSO solutions so far posted will work in other browsers as
>>>>> well. Can you elaborate on what you mean exactly please?
>>>> 
>>>> I think auto-forwarding credentials from the client system 
>>>> through the browser generally requires MSIE. I've never done 
>>>> anything like that and have no idea what I'm talking about,
>>>> so I may be completely wrong.
>>>> 
>>> 
>>> You are. Firefox supports "Windows Integrated Authentication"
>>> fine too, and I believe most usual current browsers do.
>> 
>> Do you need a plug-in or anything like that? Does it need to be 
>> specifically enabled?
> 
> No, we use it all the time with IE, Firefox, and I believe Chrome
> as well.

Cool - good to know!

-chris


Re: LDAP on TOMCAT 7.0.30

Posted by David kerber <dc...@verizon.net>.
On 1/28/2013 1:07 PM, Christopher Schultz wrote:
>
> André,
>
> On 1/28/13 12:32 PM, André Warnier wrote:
>> Christopher Schultz wrote:
>>>
>>> Chris,
>>>
>>> On 1/28/13 7:47 AM, chris derham wrote:
>>>>> 1) All 3 applications  are browser compatible  and users may
>>>>> use other than IE hence IE alone can be ruled out
>>>> Do you mean "multiple browsers access these web applications,
>>>> so we can't use anything that is IE specific"? Assuming that
>>>> you do, I don't believe that anybody suggested anything that is
>>>> IE specific, e.g. the SSO solutions so far posted will work in
>>>> other browsers as well. Can you elaborate on what you mean
>>>> exactly please?
>>>
>>> I think auto-forwarding credentials from the client system
>>> through the browser generally requires MSIE. I've never done
>>> anything like that and have no idea what I'm talking about, so I
>>> may be completely wrong.
>>>
>>
>> You are. Firefox supports "Windows Integrated Authentication" fine
>> too, and I believe most usual current browsers do.
>
> Do you need a plug-in or anything like that? Does it need to be
> specifically enabled?

No, we use it all the time with IE, Firefox, and I believe Chrome as well.



Re: LDAP on TOMCAT 7.0.30

Posted by Christopher Schultz <ch...@christopherschultz.net>.

André,

On 1/28/13 12:32 PM, André Warnier wrote:
> Christopher Schultz wrote:
>> 
>> Chris,
>> 
>> On 1/28/13 7:47 AM, chris derham wrote:
>>>> 1) All 3 applications  are browser compatible  and users may
>>>> use other than IE hence IE alone can be ruled out
>>> Do you mean "multiple browsers access these web applications,
>>> so we can't use anything that is IE specific"? Assuming that
>>> you do, I don't believe that anybody suggested anything that is
>>> IE specific, e.g. the SSO solutions so far posted will work in
>>> other browsers as well. Can you elaborate on what you mean
>>> exactly please?
>> 
>> I think auto-forwarding credentials from the client system
>> through the browser generally requires MSIE. I've never done
>> anything like that and have no idea what I'm talking about, so I
>> may be completely wrong.
>> 
> 
> You are. Firefox supports "Windows Integrated Authentication" fine
> too, and I believe most usual current browsers do.

Do you need a plug-in or anything like that? Does it need to be
specifically enabled?

-chris


Re: LDAP on TOMCAT 7.0.30

Posted by André Warnier <aw...@ice-sa.com>.
Christopher Schultz wrote:
> 
> Chris,
> 
> On 1/28/13 7:47 AM, chris derham wrote:
>>> 1) All 3 applications  are browser compatible  and users may use
>>> other than IE hence IE alone can be ruled out
>> Do you mean "multiple browsers access these web applications, so
>> we can't use anything that is IE specific"? Assuming that you do, I
>> don't believe that anybody suggested anything that is IE specific,
>> e.g. the SSO solutions so far posted will work in other browsers as
>> well. Can you elaborate on what you mean exactly please?
> 
> I think auto-forwarding credentials from the client system through the
> browser generally requires MSIE. I've never done anything like that
> and have no idea what I'm talking about, so I may be completely wrong.
> 

You are. Firefox supports "Windows Integrated Authentication" fine too, and I believe most 
usual current browsers do.



Re: LDAP on TOMCAT 7.0.30

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Chris,

On 1/28/13 7:47 AM, chris derham wrote:
>> 1) All 3 applications are browser compatible and users may use
>> other than IE, hence IE alone can be ruled out
> 
> Do you mean "multiple browsers access these web applications, so
> we can't use anything that is IE specific"? Assuming that you do, I
> don't believe that anybody suggested anything that is IE specific,
> e.g. the SSO solutions so far posted will work in other browsers as
> well. Can you elaborate on what you mean exactly please?

I think auto-forwarding credentials from the client system through the
browser generally requires MSIE. I've never done anything like that
and have no idea what I'm talking about, so I may be completely wrong.

-chris



Re: LDAP on TOMCAT 7.0.30

Posted by chris derham <ch...@derham.me.uk>.
> 1) All 3 applications are browser compatible and users may use other than
> IE, hence IE alone can be ruled out

Do you mean "multiple browsers access these web applications, so we
can't use anything that is IE specific"? Assuming that you do, I don't
believe that anybody suggested anything that is IE specific, e.g. the
SSO solutions so far posted will work in other browsers as well. Can
you elaborate on what you mean exactly please?

Thanks

Chris



Re: LDAP on TOMCAT 7.0.30

Posted by "N.s.Karthik" <ns...@gmail.com>.
Hi

Thanks for the quick reply

1) All 3 applications are browser compatible and users may use other than
IE, hence IE alone can be ruled out.

What about the other (2 & 3) options?


with regards
karthik







Re: LDAP on TOMCAT 7.0.30

Posted by Mark Thomas <ma...@apache.org>.
On 28/01/2013 09:06, André Warnier wrote:
> N.s.Karthik wrote:
>> Hi
>>
>> Spec: JDK 1.6, Tomcat 7.0.30, Linux 64-bit SuSE
>> So far we have been using 3 killer Ajax web-based applications, with
>> each app provided with a separate DB schema.
>>
>> The requirement is to provide SSO ("Single Sign On") logic with the
>> existing LDAP server.
>> The AAA has to be validated only once, at login.
>>
>> 1) What options do I have in providing SSO logic?
>> 2) Can cookies be used for resolving the requirement?
>> 3) Can the browser pick up the client system login credentials (Windows
>> start-up credentials) for the authorization?
>>
>>
> Have a look at Jespa : www.ioplex.com

There is also built-in support for Windows authentication in Tomcat as
well as other third-party libraries that do this. See:
http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html

I'll add Jespa to that page.

Mark





Re: LDAP on TOMCAT 7.0.30

Posted by André Warnier <aw...@ice-sa.com>.
N.s.Karthik wrote:
> Hi
> 
> Spec: JDK 1.6, Tomcat 7.0.30, Linux 64-bit SuSE
> 
> So far we have been using 3 killer Ajax web-based applications, with
> each app provided with a separate DB schema.
> 
> The requirement is to provide SSO ("Single Sign On") logic with the
> existing LDAP server.
> The AAA has to be validated only once, at login.
> 
> 1) What options do I have in providing SSO logic?
> 2) Can cookies be used for resolving the requirement?
> 3) Can the browser pick up the client system login credentials (Windows
> start-up credentials) for the authorization?
> 
Have a look at Jespa : www.ioplex.com
