tomcat-users mailing list archives

From geofrey rainey <geofr...@gmail.com>
Subject Re: JAAS Realm Authentication with Kerberos
Date Wed, 02 Jun 2010 22:26:56 GMT
Okay, thank you very much.

On Wed, Jun 2, 2010 at 10:25 PM, dB. <dblock@dblock.org> wrote:

> Yes. You can (and should) have a list of roles - everything the user that
> just logged in has access to / every role he has.
>
> cheers
> dB.
>
>
>
> dB. @ dblock.org
> Moscow|Geneva|Seattle|New York
>
>
> -----Original Message-----
> From: geofrey rainey [mailto:geofreyr@gmail.com]
> Sent: Tuesday, June 01, 2010 10:13 PM
> To: Tomcat Users List
> Subject: Re: JAAS Realm Authentication with Kerberos
>
> Right, so let me get this straight: presently the KerberosLoginModule saves
> the role information (defined as user@realm) as a Principal which is then
> compared against the literal string defined in web.xml. So what you're
> suggesting is to modify the KerberosLoginModule so that, essentially, the
> credentials saved in the (Role) Principal reflect exactly what's in
> web.xml (under the Role)?
>
> thank you for your help.
>
> On Tue, Jun 1, 2010 at 11:56 PM, dB. <dblock@dblock.org> wrote:
>
> > If you look at the KerberosLoginModule code, it wants to be modified to
> > retrieve roles from somewhere in your system. For example a user database
> > that says that user@realm is "manager". Then you can say <auth-constraint>
> > ... manager </> in web.xml rather than user@realm. Listing individual
> > users clearly isn't practical.
> >
> > Any authenticated user will be a member of "Everyone" or
> > "DOMAIN\Authenticated Users" or "DOMAIN\Users", etc.
> >
> > If you are using Active Directory on Windows, you're probably not getting
> > what you want with Kerberos alone. To use web.xml for authorization, you
> > want something like roles = AD groups (and local groups). Retrieving user
> > groups by name from AD is going to yield the wrong result in any kind of
> > real world deployment - you will have hard time getting nested groups or
> > anything from trusted domains.
> >
> > If you're running on Windows and your goal is single sign-on, you may want
> > to try http://waffle.codeplex.com. There're several options, including a
> > login filter and a JAAS authenticator. All use SSPI to login (will do
> > Kerberos and NTLM) and will return not just the user identity, but the user
> > local and domain groups.
> >
> > Hope this helps,
> > -dB.
> >
> >
> > dB. @ dblock.org
> > Moscow|Geneva|Seattle|New York
> >
> >
> > -----Original Message-----
> > From: geofrey rainey [mailto:geofreyr@gmail.com]
> > Sent: Tuesday, June 01, 2010 4:05 AM
> > To: users@tomcat.apache.org
> > Subject: JAAS Realm Authentication with Kerberos
> >
> > Hello,
> >
> > I've been following this fairly self-explanatory document on Kerberos
> > authentication against an AD. If I hard-code the user@realm in the web.xml
> > file, authentication is successful. However, obviously what one really wants
> > is the actual user credentials as stored in the Principals class,
> > javax.security.auth.kerberos.KerberosPrincipal, in the web.xml for each
> > Subject authenticating, but I'm a bit lost as to how to get that information
> > from the class into the web.xml. Any ideas would be appreciated.
> >
> > ( http://wiki.wsmoak.net/cgi-bin/wiki.pl?action=browse&diff=1&id=TomcatKerberosConfigOnly )
> >
> >
> > <auth-constraint>
> >     <role-name>user@realm</role-name>
> > </auth-constraint>
> >
> >
> > Regards,
> > Geofrey.
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: users-help@tomcat.apache.org
> >
> >
>

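The approach dB. describes above, a login module that attaches roles to the authenticated Kerberos identity so that web.xml can constrain on a role name such as "manager" rather than on user@realm, as an added example. This is not the wiki's KerberosLoginModule, nor code from dB. or Waffle. It assumes JAAS stacking: the JDK's Krb5LoginModule runs first and places a KerberosPrincipal in the Subject, then this module (the class name, the `RolePrincipal` marker class and the `roleMap` option are this example's own inventions) adds one `RolePrincipal` per role in commit(). The inline role table is a constructed stand-in for the user database or directory lookup dB. mentions; it does not query AD and therefore does not address nested groups or trusted domains.

```java
package example.auth;

import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.spi.LoginModule;

/*
 * Assumed JAAS stacking (constructed for this example): Krb5LoginModule logs the
 * user in, then this module adds RolePrincipals to the same Subject.
 *
 *   Tomcat {
 *     com.sun.security.auth.module.Krb5LoginModule required;
 *     example.auth.KerberosRoleLoginModule required
 *         roleMap="alice@EXAMPLE.COM=manager,admin;bob@EXAMPLE.COM=manager";
 *   };
 */
public class KerberosRoleLoginModule implements LoginModule {
    /** Role marker that a JAAS-aware realm can map to a container role. */
    public static final class RolePrincipal implements Principal {
        private final String name;
        public RolePrincipal(String name) { this.name = Objects.requireNonNull(name); }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof RolePrincipal && name.equals(((RolePrincipal) o).name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }

    private Subject subject;
    private Map<String, Set<String>> roleMap = Collections.emptyMap();
    private final Set<Principal> added = new HashSet<>(); // what we put in, for abort/logout

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        Object spec = options.get("roleMap"); // hypothetical option name for this example
        this.roleMap = parseRoleMap(spec == null ? "" : spec.toString());
    }

    /** Phase 1: nothing to prove here; staying in the stack lets commit() run. */
    @Override public boolean login() { return true; }

    /** Phase 2: the Subject now holds the KerberosPrincipal; attach its roles. */
    @Override public boolean commit() {
        Set<KerberosPrincipal> users = subject.getPrincipals(KerberosPrincipal.class);
        if (users.isEmpty()) return false; // no authenticated identity: contribute no roles
        for (KerberosPrincipal user : users) {
            for (String role : rolesFor(roleMap, user.getName())) {
                RolePrincipal rp = new RolePrincipal(role);
                if (subject.getPrincipals().add(rp)) added.add(rp);
            }
        }
        return true;
    }

    @Override public boolean abort() { removeAdded(); return true; }
    @Override public boolean logout() { removeAdded(); return true; }
    private void removeAdded() { subject.getPrincipals().removeAll(added); added.clear(); }

    /** Parses "user@REALM=role1,role2;other@REALM=role3" into a lookup table. */
    static Map<String, Set<String>> parseRoleMap(String spec) {
        Map<String, Set<String>> map = new HashMap<>();
        for (String entry : spec.split(";")) {
            int eq = entry.indexOf('=');
            if (eq < 0) continue; // skip blank or malformed entries
            Set<String> roles = new LinkedHashSet<>();
            for (String r : entry.substring(eq + 1).split(",")) {
                if (!r.trim().isEmpty()) roles.add(r.trim());
            }
            map.put(entry.substring(0, eq).trim(), roles);
        }
        return map;
    }

    /** Exact, case-sensitive match on the full user@REALM name; unknown users get no roles. */
    static Set<String> rolesFor(Map<String, Set<String>> map, String principalName) {
        return map.getOrDefault(principalName, Collections.emptySet());
    }

    /** Stand-alone check with a constructed Subject; no KDC is contacted. */
    public static void main(String[] args) {
        KerberosRoleLoginModule module = new KerberosRoleLoginModule();
        Subject subject = new Subject();
        subject.getPrincipals().add(new KerberosPrincipal("alice@EXAMPLE.COM"));
        Map<String, String> options = new HashMap<>();
        options.put("roleMap", "alice@EXAMPLE.COM=manager,admin;bob@EXAMPLE.COM=manager");
        module.initialize(subject, null, new HashMap<>(), options);
        module.login();
        module.commit();
        System.out.println(subject.getPrincipals()); // KerberosPrincipal plus manager and admin
    }
}
```

For Tomcat's JAASRealm to treat these principals as user and roles, its `userClassNames` attribute would name `javax.security.auth.kerberos.KerberosPrincipal` and `roleClassNames` would name the role class (here `example.auth.KerberosRoleLoginModule$RolePrincipal`); web.xml then uses `<role-name>manager</role-name>`. Two details matter for authorization correctness: the lookup matches the full `user@REALM` string exactly, so a principal from a different realm never inherits roles by a bare username collision, and `abort()`/`logout()` remove only the principals this module added, so a failed login in a later stacked module does not leave roles behind on the Subject.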