Return-Path:
Mailing-List: contact tomcat-user-help@jakarta.apache.org; run by ezmlm
Delivered-To: mailing list tomcat-user@jakarta.apache.org
Received: (qmail 74367 invoked from network); 10 Sep 2003 07:44:55 -0000
Received: from unknown (HELO mammut.stud.ntnu.no) (129.241.56.21) by daedalus.apache.org with SMTP; 10 Sep 2003 07:44:55 -0000
Received: by mammut.stud.ntnu.no (Postfix, from userid 26619) id 02AE230F; Wed, 10 Sep 2003 09:45:07 +0200 (MEST)
Received: from localhost (localhost [127.0.0.1]) by mammut.stud.ntnu.no (Postfix) with ESMTP id F11B930E for ; Wed, 10 Sep 2003 09:45:06 +0200 (MEST)
Date: Wed, 10 Sep 2003 09:45:06 +0200 (MEST)
From: =?iso-8859-1?Q?Endre_St=F8lsvik?=
X-X-Sender: endrs@mammut.stud.ntnu.no
To: Tomcat Users List
Subject: Re: Active Directory Single Sign-On
In-Reply-To:
Message-ID:
References:
X-My-Opinion: War and bombs are bad. Peace and flowers are good. ;-D
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=iso-8859-1
Content-Transfer-Encoding: 8BIT
X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N

| Tim mentioned the use of the JCIFS library. I don't think that'd work
| either since it'd need to run on the same machine as the browser, which
| doesn't seem right. Or perhaps I'm missing something. Now if Tomcat
| supported Windows SSO using JCIFS, then that's a different story. I
| don't think it does though (and I'm sure someone will correct me if I'm
| wrong :)).

You're missing something. I'm correcting you! It works. We've done it with our portal engine..! There is a part of JCIFS that actually can be used as a Servlet 2.3 Servlet filter, doing the magic SSO thing. The magic SSO thing is called something like "NTLM over HTTP".
Also, you don't need this servlet filter to do it; jcifs provides an API for doing it yourself (we didn't want to tie into the 2.3 spec just quite yet, so we had to do it ourselves, using the JCIFS package more directly).

Notice that NTLM negotiation over HTTP is one very sick and nonconformant protocol, probably violating every RFC that has anything to do with "Web". It negotiates each and every -connection-, not any notion of a -session-, using three "back-and-forths" over the same "physical" TCP connection. This is, of course, totally insane, as HTTP is a -request-response-(and quit connection) protocol (This is just as sick, of course, HTTP is -really really- lame).

Pick a favourite packet dumper and analyzer before starting with this, as you most probably will need it! ;)

--
Mvh,
Endre Stølsvik M[+47 93054050] F[+47 51625182]
Developer @ CoreTrek AS - http://www.coretrek.com/
CoreTrek corporate portal / EIP - http://www.corelets.com/
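The per-connection, three-round-trip exchange Endre describes, written out as an added example that is not part of his post, of JCIFS or of Tomcat: a toy server that keeps its NTLM state on the TCP connection object rather than in any HTTP session, and a client that walks the three legs over that one connection. The message bodies are cut down to the NTLMSSP signature plus the little-endian message type, and the client's response is an HMAC-SHA256 over the server challenge keyed with a constructed user table; both are assumptions standing in for the real Type 1/2/3 layouts and the real NTLM response computation, which the code does not implement. The user names and secrets are constructed.

```python
import base64
import hmac
import os
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"

# Constructed user table: stands in for the domain controller that JCIFS
# would actually ask to validate the response.
USERS = {"alice": b"alice-secret", "bob": b"bob-secret"}


def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def build_ntlm_message(msg_type: int, payload: bytes = b"") -> bytes:
    # Real Type 1/2/3 messages carry flags, security buffers, a domain name,
    # the server challenge and the client responses. Only the 8-byte
    # signature and the message type are kept here (simplifying assumption).
    return NTLMSSP_SIGNATURE + struct.pack("<I", msg_type) + payload


def parse_ntlm_header(value):
    # Accept "NTLM <base64>" and return (message type, raw bytes), else None.
    if not value or not value.startswith("NTLM "):
        return None
    try:
        raw = base64.b64decode(value[5:], validate=True)
    except (ValueError, TypeError):
        return None
    if len(raw) < 12 or raw[:8] != NTLMSSP_SIGNATURE:
        return None
    return struct.unpack("<I", raw[8:12])[0], raw


class Connection:
    # What the server must remember per TCP connection: the challenge it has
    # outstanding (between legs 2 and 3) and who authenticated on this
    # connection. Nothing here is tied to a cookie or an HTTP session.
    def __init__(self):
        self.challenge = None
        self.user = None


def verify_type3(payload: bytes, challenge: bytes):
    # Stand-in for the NTLM response check (assumption): HMAC-SHA256 over the
    # challenge, keyed with the user's secret from the constructed table.
    user_bytes, _, response = payload.partition(b"\x00")
    user = user_bytes.decode("ascii", "replace")
    secret = USERS.get(user)
    if secret is None:
        return None
    expected = hmac.new(secret, challenge, "sha256").digest()
    return user if hmac.compare_digest(expected, response) else None


def server_handle(conn: Connection, authorization):
    # One HTTP request on one connection; returns (status, headers, body).
    if conn.user is not None:
        return 200, {}, "hello " + conn.user
    parsed = parse_ntlm_header(authorization)
    if parsed is not None:
        msg_type, raw = parsed
        if msg_type == 1:
            conn.challenge = os.urandom(8)             # leg 2: issue challenge
            type2 = build_ntlm_message(2, conn.challenge)
            return 401, {"WWW-Authenticate": "NTLM " + b64(type2)}, ""
        if msg_type == 3 and conn.challenge is not None:
            user = verify_type3(raw[12:], conn.challenge)
            conn.challenge = None                      # challenge is single-use
            if user is not None:
                conn.user = user                       # leg 3 accepted
                return 200, {}, "hello " + user
    # No NTLM header, a Type 3 with no challenge outstanding on this
    # connection, or a failed response: the negotiation starts over.
    conn.challenge = None
    return 401, {"WWW-Authenticate": "NTLM"}, ""


def client_login(conn: Connection, user: str, secret: bytes):
    # Walk the three round trips on the same connection; return the status
    # of each leg and the final body.
    statuses = []
    status, headers, body = server_handle(conn, None)                   # leg 1
    statuses.append(status)
    type1 = build_ntlm_message(1)
    status, headers, body = server_handle(conn, "NTLM " + b64(type1))   # leg 2
    statuses.append(status)
    parsed = parse_ntlm_header(headers.get("WWW-Authenticate"))
    if parsed is None or parsed[0] != 2:
        return statuses, body
    challenge = parsed[1][12:20]
    response = hmac.new(secret, challenge, "sha256").digest()
    type3 = build_ntlm_message(3, user.encode("ascii") + b"\x00" + response)
    status, headers, body = server_handle(conn, "NTLM " + b64(type3))   # leg 3
    statuses.append(status)
    return statuses, body


if __name__ == "__main__":
    c = Connection()
    print(client_login(c, "alice", USERS["alice"]))  # ([401, 401, 200], 'hello alice')
    print(server_handle(Connection(), None)[0])       # 401: new connection, start over
```

Two things in the toy are the ones worth carrying over to a real deployment: the state lives on the connection object, so a second connection from the same browser gets a bare 401 and has to renegotiate, and a Type 3 is only accepted when that same connection holds an outstanding challenge, so a Type 3 arriving out of order is rejected rather than validated against stale or absent state. It also shows why the packet dumper earns its keep: the capture of one login is two 401s followed by the 200, all on one TCP connection, which is not what an HTTP-shaped server or proxy expects.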