Posted to users@tomcat.apache.org by Igor Galić <i....@brainsware.org> on 2010/10/11 08:45:59 UTC
Kerberos authentication
Hello Happy people,
I'm cross-posting this to tomcat and archiva.
In our company we have a well established Active Directory infrastructure,
I'm running an Apache Archiva 1.3.1 installation in Tomcat 6, on Solaris 10.
The OS has been Kerberos enabled and I would very much like to make
use of this for Tomcat/Archiva in order to provide secure authenticated
access to it.
We need to provide secure and scalable authentication.
Thus, everything else has been ruled out:
* No authentication -- not good, because we need some form of
auditing on who uploaded/deployed what (i.e.: who broke it)
* SSH/SCP doesn't scale from an administration point of view
(i.e.: we'd have to do something. That could be done wrong,
forgotten about or any number of things when people have to do
mundane tasks)
* Basic authentication -- not so good from an admin's point
of view, because clear-text passwords are stored in a
Developer's settings.xml. Not so good from a developer's
point of view, because s/he has to change their password
in settings.xml every month or so. (sic)
Given the lack of (official) documentation:
http://www.google.com/search?hl=en&sitesearch=tomcat.apache.org&q=kerberos+OR+krb&aq=f&aqi=&aql=&oq=&gs_rfai=
http://wiki.apache.org/tomcat/FrontPage?action=fullsearch&context=180&value=kerberos+krb&fullsearch=Text
http://www.google.at/search?client=opera&rls=en&q=site:archiva.apache.org+kerberos+OR+krb&sourceid=opera&ie=utf-8&oe=utf-8
http://www.google.com/search?hl=en&domains=cwiki.apache.org%2FARCHIVA&sitesearch=cwiki.apache.org%2FARCHIVA&q=kerberos+OR+krb&sitesearch=cwiki.apache.org%2FARCHIVA&aq=f&aqi=&aql=&oq=&gs_rfai=
I was wondering if that's even remotely in scope of
either Project.
It seems fairly simple to integrate Tomcat into a
Kerberos Infrastructure (although I haven't had the time
to do this so far), the question that remains unanswered
to me is how to make Archiva profit from such integration.
I appreciate any kind of feedback from people who similarly
are stuck between a rock and a hard place, and even more so
from those who have a sensible solution :)
So long,
i
--
Igor Galić
Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/
RE: Kerberos authentication
Posted by "dB." <db...@dblock.org>.
Jump :) Waffle is Windows-only and it seems like this is a Solaris implementation. I have some good news though. Someone just uploaded a big patch for a Windows authentication provider that uses JCIFS (which does Kerberos and more), which works on top of Samba on *nix.
dB. @ dblock.org
Moscow|Geneva|Seattle|New York
-----Original Message-----
From: Pid [mailto:pid@pidster.com]
Sent: Monday, October 11, 2010 3:27 AM
To: Tomcat Users List
Subject: Re: Kerberos authentication
On 11/10/2010 07:45, Igor Galić wrote:
>
> Hello Happy people,
>
> I'm cross-posting this to tomcat and archiva.
>
> In our company we have a well established Active Directory
> infrastructure,
>
> I'm running an Apache Archiva 1.3.1 installation in Tomcat 6, on Solaris 10.
> The OS has been Kerberos enabled and I would very much like to make
> use of this for Tomcat/Archiva in order to provide secure
> authenticated access to it.
> We need to provide secure and scalable authentication.
> Thus, everything else has been ruled out:
>
> * No authentication -- not good, because we need some form of auditing
> on who uploaded/deployed what (i.e.: who broke it)
>
> * SSH/SCP doesn't scale from an administration point of view
> (i.e.: we'd have to do something. That could be done wrong, forgotten
> about or any number of things when people have to do mundane tasks)
>
> * Basic authentication -- not so good from an admin's point of view,
> because clear-text passwords are stored in a Developer's settings.xml.
> Not so good from a developer's point of view, because s/he has to
> change their password in settings.xml every month or so. (sic)
>
> Given the lack of (official) documentation:
> http://www.google.com/search?hl=en&sitesearch=tomcat.apache.org&q=kerberos+OR+krb&aq=f&aqi=&aql=&oq=&gs_rfai=
> http://wiki.apache.org/tomcat/FrontPage?action=fullsearch&context=180&value=kerberos+krb&fullsearch=Text
> http://www.google.at/search?client=opera&rls=en&q=site:archiva.apache.org+kerberos+OR+krb&sourceid=opera&ie=utf-8&oe=utf-8
> http://www.google.com/search?hl=en&domains=cwiki.apache.org%2FARCHIVA&sitesearch=cwiki.apache.org%2FARCHIVA&q=kerberos+OR+krb&sitesearch=cwiki.apache.org%2FARCHIVA&aq=f&aqi=&aql=&oq=&gs_rfai=
>
> I was wondering if that's even remotely in scope of either Project.
> It seems fairly simple to integrate Tomcat into a Kerberos
> Infrastructure (although I haven't had the time to do this so far),
> the question that remains unanswered to me is how to make Archiva
> profit from such integration.
>
> I appreciate any kind of feedback from people who similarly are stuck
> between a rock and a hard place, and even more so from those who have
> a sensible solution :)
>
> So long,
> i
>
Try http://waffle.codeplex.com/. The author lurks hereabouts & will jump in shortly, no doubt.
p
Re: Kerberos authentication
Posted by Pid <pi...@pidster.com>.
On 11/10/2010 07:45, Igor Galić wrote:
>
> Hello Happy people,
>
> I'm cross-posting this to tomcat and archiva.
>
> In our company we have a well established Active Directory infrastructure,
>
> I'm running an Apache Archiva 1.3.1 installation in Tomcat 6, on Solaris 10.
> The OS has been Kerberos enabled and I would very much like to make
> use of this for Tomcat/Archiva in order to provide secure authenticated
> access to it.
> We need to provide secure and scalable authentication.
> Thus, everything else has been ruled out:
>
> * No authentication -- not good, because we need some form of
> auditing on who uploaded/deployed what (i.e.: who broke it)
>
> * SSH/SCP doesn't scale from an administration point of view
> (i.e.: we'd have to do something. That could be done wrong,
> forgotten about or any number of things when people have to do
> mundane tasks)
>
> * Basic authentication -- not so good from an admin's point
> of view, because clear-text passwords are stored in a
> Developer's settings.xml. Not so good from a developer's
> point of view, because s/he has to change their password
> in settings.xml every month or so. (sic)
>
> Given the lack of (official) documentation:
> http://www.google.com/search?hl=en&sitesearch=tomcat.apache.org&q=kerberos+OR+krb&aq=f&aqi=&aql=&oq=&gs_rfai=
> http://wiki.apache.org/tomcat/FrontPage?action=fullsearch&context=180&value=kerberos+krb&fullsearch=Text
> http://www.google.at/search?client=opera&rls=en&q=site:archiva.apache.org+kerberos+OR+krb&sourceid=opera&ie=utf-8&oe=utf-8
> http://www.google.com/search?hl=en&domains=cwiki.apache.org%2FARCHIVA&sitesearch=cwiki.apache.org%2FARCHIVA&q=kerberos+OR+krb&sitesearch=cwiki.apache.org%2FARCHIVA&aq=f&aqi=&aql=&oq=&gs_rfai=
>
> I was wondering if that's even remotely in scope of
> either Project.
> It seems fairly simple to integrate Tomcat into a
> Kerberos Infrastructure (although I haven't had the time
> to do this so far), the question that remains unanswered
> to me is how to make Archiva profit from such integration.
>
> I appreciate any kind of feedback from people who similarly
> are stuck between a rock and a hard place, and even more so
> from those who have a sensible solution :)
>
> So long,
> i
>
Try http://waffle.codeplex.com/. The author lurks hereabouts & will
jump in shortly, no doubt.
p
Re: Kerberos authentication
Posted by Igor Galić <i....@brainsware.org>.
----- "Wendy Smoak" <ws...@gmail.com> wrote:
> 2010/10/11 Igor Galić <i....@brainsware.org>:
> > I'm running an Apache Archiva 1.3.1 installation in Tomcat 6, on
> Solaris 10.
> > The OS has been Kerberos enabled and I would very much like to make
> > use of this for Tomcat/Archiva in order to provide secure
> authenticated
> > access to it.
>
> Archiva relies on Redback (a Codehaus project) for the auth bits, so
> likely that's where any changes would need to be made.
> http://redback.codehaus.org/
And by changes you mean code changes?
> Long ago in a previous life, I got Tomcat working with Kerberos. The
> notes are still up here:
> http://wiki.wsmoak.net/cgi-bin/wiki.pl?TomcatKerberos
That was one of the very few solid documents that I was able to find.
> --
> Wendy
--
Igor Galić
Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/
Re: Kerberos authentication
Posted by Wendy Smoak <ws...@gmail.com>.
2010/10/11 Igor Galić <i....@brainsware.org>:
> I'm running an Apache Archiva 1.3.1 installation in Tomcat 6, on Solaris 10.
> The OS has been Kerberos enabled and I would very much like to make
> use of this for Tomcat/Archiva in order to provide secure authenticated
> access to it.
Archiva relies on Redback (a Codehaus project) for the auth bits, so
likely that's where any changes would need to be made.
http://redback.codehaus.org/
Long ago in a previous life, I got Tomcat working with Kerberos. The
notes are still up here:
http://wiki.wsmoak.net/cgi-bin/wiki.pl?TomcatKerberos
--
Wendy