Subject: SPNEGO/NEGOTIATE implementation for Apache Geronimo
From: Ashish Jain
To: dev@tomcat.apache.org
Date: Fri, 13 Nov 2009 14:46:25 +0530
Message-ID: <14af40510911130116n321cb7cfyd55cd5801f3cfba9@mail.gmail.com>

Hi All,

I am working on a SPNEGO/NEGOTIATE implementation for Geronimo. I have done some research on this and have come to the following conclusion to develop one implementation for Geronimo.

1) Browser accesses a secured resource
2) Our custom authenticator will respond with 401 response and a header WWW-Authenticate: NEGOTIATE. This will tell the browser that we want to use NEGOTIATE Authentication protocol.
3) The browser will now require a service ticket. Now we need to send a request to AD to issue a ticket.
4) The browser tries to access the resource again and sends another http request with the following header WWW-authorization: NEGOTIATE encoded-spnego-token, here encoded-spnego-token is SPNEGO token encoded in base64... basically it is a wrapper around a service ticket.
5) The custom authenticator unwraps the spnego token and acquires the service ticket.
6) If all is well then the authenticator returns success and control is passed to the servlet container which sends back the requested resource.

Here are some of my inputs on how we can develop a solution for Apache Geronimo:

1) A custom valve can be written which can then be introduced in the pipeline. Will this new valve use AuthenticatorBase or will it be enough to have it extend ValveBase? There is an example where ssovalve is introduced in the pipeline for Geronimo.
2) We may have to implement interfaces org.ietf.jgss GSSName, GSSContext, GSSName and make use of classes like GSSManager and GSSException
3) Some configurations on the browser side may also be required, however I am not sure on this as of now.
4) Does this require code changes to BasicAuthenticator, FormAuthenticator, AuthenticatorBase of Tomcat?

Please provide your comment and suggestions.

Thanks and Regards
Ashish Jain
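The token the browser sends in step 4 and the unwrapping the authenticator does in step 5, as an added example in Python that is not part of this post or of Tomcat/Geronimo: it builds a constructed SPNEGO NegTokenInit around placeholder bytes standing in for the Kerberos AP-REQ, then parses it back the way a server-side authenticator would before handing the inner token to GSS-API. The OID byte values are the published SPNEGO and Kerberos ones; the 401 challenge of step 2 and the actual ticket verification are assumed to happen elsewhere and are not shown.

```python
import base64

SPNEGO, KRB5, MS_KRB5 = "1.3.6.1.5.5.2", "1.2.840.113554.1.2.2", "1.2.840.48018.1.2.2"
OIDS = {SPNEGO: bytes.fromhex("2b0601050502"),                  # dotted OID -> DER content octets
        KRB5: bytes.fromhex("2a864886f712010202"),
        MS_KRB5: bytes.fromhex("2a864882f712010202")}
NAMES = {v: k for k, v in OIDS.items()}

def der(tag, content):  # encode one DER tag/length/value; long-form length above 127 bytes
    n = len(content)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")) + content

def read_tlv(buf, pos=0):
    """Decode one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                          # long form: low 7 bits = count of length bytes
        length, pos = int.from_bytes(buf[pos:pos + (length & 0x7F)], "big"), pos + (length & 0x7F)
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def der_items(buf):  # split the body of a DER SEQUENCE into its (tag, value) elements
    items, pos = [], 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        items.append((tag, value))
    return items

def build_negotiate_header(mech_token, mechs=(MS_KRB5, KRB5)):
    """Client side of step 4 (constructed for the demo): AP-REQ blob -> SPNEGO NegTokenInit -> GSS-API token -> base64."""
    mech_types = der(0xA0, der(0x30, b"".join(der(0x06, OIDS[m]) for m in mechs)))
    neg_init = der(0xA0, der(0x30, mech_types + der(0xA2, der(0x04, mech_token))))
    token = der(0x60, der(0x06, OIDS[SPNEGO]) + neg_init)
    return "Negotiate " + base64.b64encode(token).decode()

def parse_negotiate_header(authorization):
    """Server side of step 5: unwrap 'Negotiate <base64>' into (offered mechanisms, inner mech token)."""
    scheme, _, b64 = authorization.partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        raise ValueError("not a Negotiate credential")
    tag, body, _ = read_tlv(base64.b64decode(b64.strip(), validate=True))
    items = der_items(body)                                    # InitialContextToken: OID + inner token
    if tag != 0x60 or len(items) != 2 or items[0] != (0x06, OIDS[SPNEGO]) or items[1][0] != 0xA0:
        raise ValueError("expected a GSS-API token carrying a SPNEGO NegTokenInit")
    mech_types, mech_token = [], None
    for t, v in der_items(read_tlv(items[1][1])[1]):           # NegTokenInit ::= SEQUENCE { ... }
        if t == 0xA0:                                          # [0] mechTypes: SEQUENCE OF OID
            mech_types = [NAMES.get(o, o.hex()) for _, o in der_items(read_tlv(v)[1])]
        elif t == 0xA2:                                        # [2] mechToken: OCTET STRING
            mech_token = read_tlv(v)[1]
    return mech_types, mech_token
```

A real authenticator would pass the returned mech_token to GSSContext.acceptSecContext under the service principal's credentials; rejecting anything that is not a well-formed NegTokenInit before that call keeps malformed or non-Negotiate credentials out of the GSS layer.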