tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From dB. <dbl...@dblock.org>
Subject RE: JAAS Realm Authentication with Kerberos
Date Tue, 01 Jun 2010 11:56:50 GMT
If you look at the KerberosLoginModule code, it wants to be modified to retrieve roles from
somewhere in your system. For example a user database that says that user@realm is "manager".
Then you can say <auth-constraint> ... manager </> in web.xml rather than user@realm.
Listing individual users clearly isn't practical.

Any authenticated user will be a member of "Everyone" or "DOMAIN\Authenticated Users" or "DOMAIN\Users",
etc.

If you are using Active Directory on Windows, you're probably not getting what you want with
Kerberos alone. To use web.xml for authorization, you want something like roles = AD groups
(and local groups). Retrieving user groups by name from AD is going to yield the wrong result
in any kind of real world deployment - you will have hard time getting nested groups or anything
from trusted domains.

If you're running on Windows and your goal is single sign-on, you may want to try http://waffle.codeplex.com.
There're several options, including a login filter and a JAAS authenticator. All use SSPI
to login (will do Kerberos and NTLM) and will return not just the user identity, but the user
local and domain groups.

Hope this helps,
-dB.


dB. @ dblock.org 
Moscow|Geneva|Seattle|New York


-----Original Message-----
From: geofrey rainey [mailto:geofreyr@gmail.com] 
Sent: Tuesday, June 01, 2010 4:05 AM
To: users@tomcat.apache.org
Subject: JAAS Realm Authentication with Kerberos

Hello,

I've been following this fairly self-explanatory document on Kerberos
authentication against an AD. If I hard-code the user@realm in the web.xml
file, authentication is successful. However obviously what one really wants
is the actual user credentials as stored in the Principals class,
javax.security.auth.kerberos.KerberosPrincipal, in the web.xml for each
Subject authenticating, but I'm a bit lost as to how to get that information
from the class into the web.xml. Any ideas would be appreciated?

   (
http://wiki.wsmoak.net/cgi-bin/wiki.pl?action=browse&diff=1&id=TomcatKerberosConfigOnly)


<auth-constraint>
          <role-name>user@realm</role-name>
 </auth-constraint>


Regards,
Geofrey.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message