5 Replies Latest reply on Sep 1, 2006 2:23 AM by markash

    Single Sign-ON, SPNEGO: How to?

    gfzhang

      IE 6.0 support SPNEGO(Simple and Protected Negotiation). We are planning to integrate our thin-clinet J2EE application with MS Active Directory, so that the user will not need to sign in to acces our application after he/she sign in to his/her Windows workstation.

      My question:
      does Tomcat support SPENGO, or is there any Java implementation for SPENGO?

      Thanks for your help.

        • 1. Re: Single Sign-ON, SPNEGO: How to?
          starksm64

          tomcat has no support for spnego currently as its not one of the servlet spec auth methods. Do a search on google for java implementations and let us know if there are any.

          • 2. Re: Single Sign-ON, SPNEGO: How to?
            phantom

            It may be helpful:

            We implemented such things by NTLM auth. in JCIFS. See jcifs.samba.org


            • 3. Re: Single Sign-ON, SPNEGO: How to?
              gfzhang

              Phantom,

              thanks. Your implementation works fine. I have integrated it by adding a Authenticator implementation into JBoss. Add this authenticator into Authenticators.properties, so that NTLM could be configured in web.xml.

              scott,

              see
              http://appliedcrypto.com/
              for the SPNEGO's java implementation.

              I am sorry that I answer the post so late. I am busy for other thing.

              • 4. Re: Single Sign-ON, SPNEGO: How to?
                bofriis

                ... just to add a little more info on the subject of having SPNEGO GSSAPI support in JBoss.

                Its based on the JBoss NTLM implementation, changed to do SPNEGO GSSAPI, with group support (stored in the PAC).

                /Bo
                http://appliedcrypto.com

                • 5. Re: Single Sign-ON, SPNEGO: How to?
                  markash

                  Good Day bifriis,

                  I read your introduction to getting fat clients to use SPNEGO/Kerberos to use SSO. I was wondering if you knew of a way to get this method to work with JBOSS J2EE server, especially when the fat/smart client is making calls on a session bean.

                  If the session bean implementation does not work, woul the Tomcat server housed in JBoss be able to use the SPNEGO token to authenticate the user when making webservice calls which ultimately make the session bean calls. In this scenario could we still use the default ejb authorization constructs in the ejb-jar.xml?

                  Regards,
                  Mark P Ashworth