Posted to dev@tomcat.apache.org by Ashish Jain <as...@gmail.com> on 2010/02/08 14:24:01 UTC

Re: SPNEGO/NEGOTIATE implementation for Apache Geronimo

Dear Developers,

I have successfully developed a patch which enables SPNEGO authentication in
Tomcat. This patch also enables fallback in case SPNEGO authentication
fails. Can you kindly review and provide comments on the attached patch?
Here is the link for the bug raised in Bugzilla
(https://issues.apache.org/bugzilla/show_bug.cgi?id=48685).

Thanks
Ashish

On Thu, Dec 10, 2009 at 1:50 PM, Ashish Jain <as...@gmail.com> wrote:

> Yes, I am using a SPNEGO enabled browser and my motto is to enable single
> sign in Geronimo through SPNEGO. As of now I have a small POC of SPNEGO
> working where it is able to recognise the src machine, target machine and is
> able to establish a security context between client and server. However, the
> current implementation requires me to override one of the Basic, digest or
> form as these are the ones which can be specified in web.xml and we cannot
> specify Negotiate. So my questions are:
>
> Q1. Can you think of a way where we need not override any of the above
> mentioned mechanisms?
> Q2. I need to disable the prompt for credentials by the browser, because
> once the user is logged into a machine which is part of
> domain controller he should be able to access the apps w/o any prompt.
>
> I have referred to the following link to understand how SPNEGO is supposed to
> work.
>
>
> http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=/com.ibm.websphere.base.doc/info/aes/ae/csec_SPNEGO_explain.html
>
> Thanks
> Ashish
>
>
>
> On Thu, Dec 10, 2009 at 6:26 AM, David Jencks <da...@yahoo.com> wrote:
>
>>
>> On Dec 9, 2009, at 5:03 AM, Ashish Jain wrote:
>>
>>> Hi folks,
>>>
>>> Can you please suggest if there is any way to disable the prompt for
>>> username and password when using basic authentication?
>>>
>>
>> That's browser behavior, so the only thing you can do from the server side
>> is not use plain BASIC auth. Are you using a SPNEGO enabled browser on a
>> platform where it can recognize your (client side) Kerberos login? Do you
>> have a link to a description of how SPNEGO is supposed to work?
>>
>> thanks
>> david jencks
>>
>>
>>
>>> Thanks and Regards
>>> Ashish
>>>
>>> On 11/13/09, Costin Manolache <co...@gmail.com> wrote:
>>>
>>>> On Fri, Nov 13, 2009 at 6:44 AM, Mark Thomas <ma...@apache.org> wrote:
>>>>
>>>>> Ashish Jain wrote:
>>>>>
>>>>>> 4) Does this require code changes to BasicAuthenticator FormAuthenticator,
>>>>>> AuthenticatorBase of tomcat.
>>>>>
>>>>> Basic and form - no. Base - maybe.
>>>>>
>>>>>> Please provide your comment and suggestions.
>>>>>
>>>>> My instinct (that may be wrong) is that you'll need a new authenticator.
>>>>> If you get this working then I'd certainly consider it for inclusion in
>>>>> Tomcat.
>>>>
>>>> An OpenID would be nice too :-)
>>>>
>>>> Costin
>>>>
>>>>> Mark
>>>>>
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
>>>>> For additional commands, e-mail: dev-help@tomcat.apache.org
>>>>>
>>>>>
>>>>>
>>>>
>>
>