tomcat-dev mailing list archives

From Ashish Jain <ashja...@gmail.com>
Subject Re: SPNEGO/NEGOTIATE implementation for Apache Geronimo
Date Thu, 10 Dec 2009 08:20:06 GMT
Yes, I am using a Spnego enabled browser and my motto is to enable single
sign in geronimo through spnego. As of now I have a small POC of spnego
working where it is able to recognise the src machine, target machine and is
able to establish a security context between client and server. However, the
current implementation requires me to override one of the Basic, digest or
form as these are the ones which can be specified in web.xml and we cannot
specify Negotiate. So my questions are:

Q1. Can you think of a way where we need not override any of the above
mentioned mechanisms?
Q2. I need to disable the prompt for credentials by the browser, because
once the user is logged into a machine which is part of
domain controller he should be able to access the apps w/o any prompt.

I have referred to the following link to understand how spnego is supposed to
work.

http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=/com.ibm.websphere.base.doc/info/aes/ae/csec_SPNEGO_explain.html

Thanks
Ashish


On Thu, Dec 10, 2009 at 6:26 AM, David Jencks <david_jencks@yahoo.com> wrote:

>
> On Dec 9, 2009, at 5:03 AM, Ashish Jain wrote:
>
>  Hi folks,
>>
>> Can you please suggest if there is any way to disable the prompt for
>> username and password when using basic authentication??
>>
>
> That's browser behavior, so the only thing you can do from the server side
> is not use plain BASIC auth.  Are you using a SPNEGO enabled browser on a
> platform where it can recognize your (client side) kerberos login?  Do you
> have a link to a description of how SPNEGO is supposed to work?
>
> thanks
> david jencks
>
>
>
>> Thanks and Regards
>> Ashish
>>
>> On 11/13/09, Costin Manolache <costin@gmail.com> wrote:
>>
>>> On Fri, Nov 13, 2009 at 6:44 AM, Mark Thomas <markt@apache.org> wrote:
>>>
>>>> Ashish Jain wrote:
>>>>
>>>>> 4) Does this require code changes to BasicAuthenticator FormAuthenticator,
>>>>> AuthenticatorBase of tomcat.
>>>>
>>>> Basic and form - no. Base - maybe.
>>>>
>>>>> Please provide your comment and suggestions.
>>>>
>>>> My instinct (that may be wrong) is that you'll need a new authenticator.
>>>> If you get this working then I'd certainly consider it for inclusion in
>>>> Tomcat.
>>>>
>>>>
>>>>  An OpenID would be nice too :-)
>>>
>>> Costin
>>>
>>>
>>>
>>>  Mark
>>>>
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
>>>> For additional commands, e-mail: dev-help@tomcat.apache.org
>>>>
>>>>
>>>>
>>>