tomcat-dev mailing list archives

From Ashish Jain <>
Subject SPNEGO/NEGOTIATE implementation for Apache Geronimo
Date Fri, 13 Nov 2009 09:16:25 GMT
Hi All,

I am working on a SPNEGO/NEGOTIATE implementation for Geronimo. I have done
some research on this and have come to the following conclusion to develop
one implementation for Geronimo.

1) The browser accesses a secured resource.

2) Our custom authenticator will respond with a 401 response and a header
WWW-Authenticate: NEGOTIATE. This will tell the browser that we want to use
the NEGOTIATE authentication protocol.

3) The browser will now require a service ticket. Now we need to send a
request to AD to issue a ticket.

4) The browser tries to access the resource again and sends another HTTP
request with the following header:

WWW-authorization: NEGOTIATE encoded-spnego-token

Here encoded-spnego-token is the SPNEGO token encoded in base64... basically
it is a wrapper around a service ticket.

5) The custom authentication unwraps the SPNEGO token and acquires the
service ticket.

6) If all is well, then the authenticator returns success and control is
passed to the servlet container, which sends back the requested resource.

Here are some of my inputs on how we can develop a solution for Apache

1) A custom valve can be written which can then be introduced in the
pipeline. Will this new valve use AuthenticatorBase or will it be enough to
have it extend ValveBase?

There is an example where ssovalve is introduced in the pipeline for
2) We may have to implement interfaces org.ietf.jgss GSSName, GSSContext,
GSSName and make use of classes like GSSManager and GSSException.
3) Some configurations on the browser side may also be required; however, I am
not sure on this as of now.
4) Does this require code changes to BasicAuthenticator, FormAuthenticator,
AuthenticatorBase of Tomcat?

Please provide your comment and suggestions.

Thanks and Regards
Ashish Jain
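
The server side of the six steps above, as an added example that is not part of the original message and is not Tomcat or Geronimo code. It assumes the JDK's built-in JGSS provider with an acceptor keytab already configured, reads the token from the request's `Authorization` header (the name RFC 4559 defines), and uses the hypothetical names `NegotiateSketch`, `Outcome` and `handle`.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;

public class NegotiateSketch {
    // Hypothetical result type (Java 16+ record): status, WWW-Authenticate value, client principal.
    record Outcome(int status, String challenge, String principal) {}

    static final String SCHEME = "Negotiate ";

    static Outcome handle(String authorization) {
        // Steps 1-2: no Negotiate credentials on the request, so challenge with 401.
        if (authorization == null || !authorization.regionMatches(true, 0, SCHEME, 0, SCHEME.length()))
            return new Outcome(401, "Negotiate", null);
        byte[] token;
        try {   // Step 4: the token arrives base64-encoded after the scheme name.
            token = Base64.getDecoder().decode(authorization.substring(SCHEME.length()).trim());
        } catch (IllegalArgumentException e) {
            return new Outcome(400, null, null);
        }
        // A client with no Kerberos ticket may send a raw NTLM token here; refuse it explicitly.
        if (new String(token, StandardCharsets.ISO_8859_1).startsWith("NTLMSSP"))
            return new Outcome(401, "Negotiate", null);
        GSSContext ctx = null;
        try {   // Step 5: null = the service's default acceptor credential (keytab/JAAS, assumed configured).
            ctx = GSSManager.getInstance().createContext((GSSCredential) null);
            byte[] reply = ctx.acceptSecContext(token, 0, token.length);
            // Kerberos normally completes in one leg; this sketch keeps no per-connection state for more.
            if (!ctx.isEstablished()) return new Outcome(401, "Negotiate", null);
            String mutual = reply == null ? null : SCHEME + Base64.getEncoder().encodeToString(reply);
            return new Outcome(200, mutual, ctx.getSrcName().toString());   // Step 6
        } catch (GSSException e) {
            return new Outcome(401, "Negotiate", null);   // bad, expired or replayed ticket
        } finally {
            if (ctx != null) try { ctx.dispose(); } catch (GSSException ignored) { }
        }
    }

    public static void main(String[] args) {
        // Constructed inputs that need no KDC: missing header, broken base64, NTLM fallback token.
        System.out.println(handle(null));
        System.out.println(handle("Negotiate !!!"));
        String ntlm = Base64.getEncoder().encodeToString("NTLMSSP\0".getBytes(StandardCharsets.ISO_8859_1));
        System.out.println(handle(SCHEME + ntlm));
    }
}
```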
