You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@shiro.apache.org by emaayan <el...@gmail.com> on 2011/05/20 15:10:18 UTC
how can i use KERBEROS sso? with shiro?
i understand that SHIRO can work with kerberos sso to active directory (i
read jcifs does not support kerberos) but i don't see any docs about it.
--
View this message in context: http://shiro-user.582556.n2.nabble.com/how-can-i-use-KERBEROS-sso-with-shiro-tp6385972p6385972.html
Sent from the Shiro User mailing list archive at Nabble.com.
Re: how can i use KERBEROS sso? with shiro?
Posted by Brian Demers <br...@gmail.com>.
You could create a 'support' module, or just add patch to jira as a starting
point for someone else to pick up.
On Sat, May 21, 2011 at 12:10 AM, <sh...@xoxy.net> wrote:
> Shiro does not have out-of-box support for Kerberos - its integration with
> Active Directory is limited to LDAP. However, it's relatively
> straightforward to extend the Shiro APIs to support Kerberos using JGSS (I
> just did this recently). The SPNEGO tutorial (
> http://download.oracle.com/javase/6/docs/technotes/guides/security/jgss/lab/part5.html)
> is quite useful as a reference, as is the SPNEGO project on Sourceforge (
> http://spnego.sourceforge.net/index.html).
>
> The only major complications are:
>
> - Whether/how to support downgrades to NTLM
> - How to support mutual authentication without tightly coupling a realm to
> an authenticator (at least for web-based SSO)
>
> I'd offer to contribute my code to the Shiro project, but it's rather messy
> and introduces dependencies on jCIFS (to handle NTLM). If this would still
> be useful though, just let me know.
>
>
> On Fri, May 20, 2011 at 9:10 AM, emaayan - elh.mailgate@gmail.com wrote:
>
> i understand that SHIRO can work with kerberos sso to active directory (i
>> read jcifs does not support kerberos) but i don't see any docs about it.
>>
>> --
>> View this message in context:
>> http://shiro-user.582556.n2.nabble.com/how-can-i-use-KERBEROS-sso-with-shiro-tp6385972p6385972.html
>> Sent from the Shiro User mailing list archive at Nabble.com.
>>
>>
>
Re: how can i use KERBEROS sso? with shiro?
Posted by Minas Manthos <mi...@gmail.com>.
+1
--
View this message in context: http://shiro-user.582556.n2.nabble.com/how-can-i-use-KERBEROS-sso-with-shiro-tp6385972p6397727.html
Sent from the Shiro User mailing list archive at Nabble.com.
Re: how can i use KERBEROS sso? with shiro?
Posted by sh...@xoxy.net.
Shiro does not have out-of-box support for Kerberos - its integration with
Active Directory is limited to LDAP. However, it's relatively
straightforward to extend the Shiro APIs to support Kerberos using JGSS (I
just did this recently). The SPNEGO tutorial (
http://download.oracle.com/javase/6/docs/technotes/guides/security/jgss/lab/part5.html)
is quite useful as a reference, as is the SPNEGO project on Sourceforge (
http://spnego.sourceforge.net/index.html).
The only major complications are:
- Whether/how to support downgrades to NTLM
- How to support mutual authentication without tightly coupling a realm to
an authenticator (at least for web-based SSO)
I'd offer to contribute my code to the Shiro project, but it's rather messy
and introduces dependencies on jCIFS (to handle NTLM). If this would still
be useful though, just let me know.
On Fri, May 20, 2011 at 9:10 AM, emaayan - elh.mailgate@gmail.com wrote:
> i understand that SHIRO can work with kerberos sso to active directory (i
> read jcifs does not support kerberos) but i don't see any docs about it.
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/how-can-i-use-KERBEROS-sso-with-shiro-tp6385972p6385972.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>
>