tomcat-users mailing list archives

From Endre Stølsvik <En...@Stolsvik.com>
Subject Re: Active Directory Single Sign-On
Date Wed, 10 Sep 2003 07:45:06 GMT
| Tim mentioned the use of the JCIFS library.  I don't think that'd work
| either since it'd need to run on the same machine as the browser, which
| doesn't seem right.  Or perhaps I'm missing something.  Now if Tomcat
| supported Windows SSO using JCIFS, then that's a different story.  I
| don't think it does though (and I'm sure someone will correct me if I'm
| wrong :)).

You're missing something. I'm correcting you! It works. We've done it with
our portal engine..!

There is a part of JCIFS that actually can be used as a Servlet 2.3
Servlet filter, doing the magic SSO thing. The magic SSO thing is called
something like "NTLM over HTTP". Also, you don't need this servlet filter
to do it, jcifs provides an API for doing it yourself (we didn't want to
tie into the 2.3 spec just quite yet, so we had to do it ourselves, using
the JCIFS package more directly).

Notice that NTLM negotiation over HTTP is one very sick and nonconformant
protocol, probably violating every RFC that has anything to do with "Web".

It negotiates each and every -connection-, not any notion of a -session-,
using three "back-and-forths" over the same "physical" TCP connection.
This is, of course, totally insane, as HTTP is a -request-response-(and
quit connection) protocol (This is just as sick, of course, HTTP is
-really really- lame).

Pick a favourite packet dumper and analyzer before starting with this, as
you most probably will need it! ;)



--
Regards,
Endre Stølsvik               M[+47 93054050] F[+47 51625182]
Developer @ CoreTrek AS         -  http://www.coretrek.com/
CoreTrek corporate portal / EIP -  http://www.corelets.com/
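A simplified model of the connection-bound negotiation described in this post, added here as example code (not from JCIFS or the post's author): it keeps the handshake state per TCP connection rather than per HTTP session, checks only the NTLMSSP signature and message-type field, and deliberately omits the challenge/response cryptography. The connection ids and tokens are constructed for the demonstration.

```python
import base64
import struct

# Constructed, simplified model of "NTLM over HTTP": the three round trips
# (401 NTLM -> Type 1 -> 401 NTLM <Type 2> -> Type 3 -> 200) are bound to
# the TCP connection, which is the point the post makes. Only the
# "NTLMSSP\0" signature and the message-type field are inspected; the real
# challenge/response computation is intentionally not implemented.
NTLMSSP = b"NTLMSSP\x00"


def ntlm_type(token_b64):
    """Return the NTLM message type (1, 2 or 3) carried in an
    'Authorization: NTLM <base64>' value, or None if it is malformed."""
    try:
        raw = base64.b64decode(token_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < 12 or raw[:8] != NTLMSSP:
        return None
    return struct.unpack_from("<I", raw, 8)[0]


def make_token(msg_type):
    """Constructed token: valid signature and type field, body omitted."""
    return base64.b64encode(NTLMSSP + struct.pack("<I", msg_type)).decode()


class ConnectionNtlmFilter:
    """Per-connection state machine: anonymous -> challenged -> authenticated.
    Keyed on a connection id, because the negotiation binds to the socket,
    not to a cookie or servlet session."""

    def __init__(self):
        self.conn_state = {}

    def handle(self, conn_id, authorization=None):
        """Return (status, WWW-Authenticate header or None) for one request."""
        state = self.conn_state.get(conn_id, "anonymous")
        if state == "authenticated":
            return 200, None  # later requests on this connection are trusted
        if authorization is None or not authorization.startswith("NTLM "):
            self.conn_state[conn_id] = "anonymous"
            return 401, "NTLM"  # round trip 1: demand NTLM
        mtype = ntlm_type(authorization[5:])
        if mtype == 1:
            self.conn_state[conn_id] = "challenged"
            return 401, "NTLM " + make_token(2)  # round trip 2: challenge
        if mtype == 3 and state == "challenged":
            self.conn_state[conn_id] = "authenticated"
            return 200, None  # round trip 3: accepted on this connection
        # Type 3 on a connection that was never challenged, or garbage: restart
        self.conn_state[conn_id] = "anonymous"
        return 401, "NTLM"
```

A Type 3 message arriving on a connection other than the one that received the challenge restarts the negotiation, which is why proxies and connection pooling between the browser and the servlet engine matter here.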

