This section will describe how the SPNEGO/Kerberos component can be used in different environments and setups.
Authentication servlet
The authentication servlet can be used as an "external" authentication URL. It is configured in the
web application's deployment descriptor (web.xml) through the <form-login-page> tag. When a protected
resource of the web application is requested, the container redirects the request to the login URL,
i.e. the SPNEGO/Kerberos servlet, which performs the authentication and then redirects back to the
web application.
Another use is in a custom reverse-proxy implementation, or where the server needs Kerberos ticket
delegation in order to call further Kerberized services on behalf of the user. Delegation hands the
user's forwardable credentials to the server, so it should only be enabled for the services that require it.
The sample code on the download page contains a sample negotiate servlet.
Tomcat authenticator plugin
The SPNEGO/Kerberos component implements a Tomcat 4.x/5.x Authenticator plugin. It supports
protocol negotiation and logon through the Tomcat Realm interface.
The SPNEGO/Kerberos authenticator falls back to BASIC authentication if SPNEGO/Kerberos protocol
negotiation fails. Since BASIC sends the password in clear text, the fallback should only be offered over HTTPS.
Because the Authenticator runs inside the container, J2EE security (security constraints and roles) is enforced throughout Tomcat.
WebSphere 5.02 and 5.1 Negotiate Trust Association Interceptor (NTAI) plugin
The SPNEGO/Kerberos component implements a WebSphere NTAI security plugin, which is installed into the
WebSphere security runtime. The plugin handles SPNEGO/Kerberos authentication where possible; where it is not
possible, authentication falls back to WebSphere's own mechanisms.
WebLogic 8.1 authentication plugin
The SPNEGO/Kerberos component includes a WebLogic authentication security plugin, which is installed into WebLogic.
The plugin handles SPNEGO/Kerberos authentication for both HTTP and EJB based applications.
For HTTP based applications (thin clients), the browser negotiates the SSO credentials and wraps them in a
SPNEGO token. WebLogic validates the token and, if necessary, redirects to a logon handler which completes the authentication.
For EJB based applications (fat Java clients), the client can use its SSO (Kerberos) credentials to authenticate EJB calls to
WebLogic. This brings SSO to fat Java programs even when EJBs are called.
Servlet filter
The SPNEGO/Kerberos component also supports SPNEGO/Kerberos authentication through a servlet filter, which is
registered in the web application's deployment descriptor.
Note that servlet filter authentication and the application server's native authorization normally do not
integrate well. The container evaluates its security constraints before the filter chain runs, so if the
user has not been authenticated by the container, the request is rejected at that point and the
authenticating filter never executes. A filter therefore suits applications that do their own
authorization, not applications that rely on declarative J2EE security constraints.
For tighter integration with container authorization, use the security plugins for Tomcat, WebSphere and WebLogic.
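As an added example (not code from the component or from this page), the following servlet filter shows the behaviour described in the Tomcat authenticator and servlet filter sections above: a Negotiate challenge, acceptance of the browser's SPNEGO token with JGSS, detection of an NTLM token (which a browser sends when it holds no Kerberos ticket), and a BASIC fallback verified against the KDC. The JAAS entry names "ServerLogin" and "PasswordLogin", the realm "EXAMPLE.COM" and the Java 8+ requirement are assumptions, not anything the page specifies.

```java
// Added example, not code from the component described on this page: a servlet filter
// that runs the HTTP Negotiate exchange with JGSS and falls back to BASIC. Assumed, not
// from the page: Java 8+, and JAAS entries "ServerLogin" (Krb5LoginModule with a keytab
// for HTTP/<host>) and "PasswordLogin" (Krb5LoginModule prompting for a password).
import java.io.IOException;
import java.security.*;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.servlet.*;
import javax.servlet.http.*;
import org.ietf.jgss.*;

public class NegotiateFilter implements Filter {
    private Subject serverSubject; // service principal, logged in from the keytab

    public void init(FilterConfig cfg) throws ServletException {
        try {
            LoginContext lc = new LoginContext("ServerLogin"); lc.login();
            serverSubject = lc.getSubject();
        } catch (LoginException e) { throw new ServletException("service login failed", e); }
    }
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        String auth = req.getHeader("Authorization");
        String user = null;

        if (auth != null && auth.startsWith("Negotiate ")) {
            byte[] token = Base64.getDecoder().decode(auth.substring(10).trim());
            // A browser with no Kerberos ticket wraps NTLM in Negotiate ("NTLMSSP\0" prefix).
            // JGSS cannot validate NTLM, so leave user null and re-challenge.
            if (!new String(token, 0, Math.min(8, token.length), "ISO-8859-1").equals("NTLMSSP\0"))
                user = acceptKerberos(token, res);
        } else if (auth != null && auth.startsWith("Basic ")) {
            String[] cred = new String(Base64.getDecoder().decode(auth.substring(6).trim()), "UTF-8").split(":", 2);
            if (cred.length == 2 && checkPassword(cred[0], cred[1])) user = cred[0];
        }
        if (user == null) { // first round trip or a failed attempt: Negotiate first, BASIC second
            res.addHeader("WWW-Authenticate", "Negotiate");
            res.addHeader("WWW-Authenticate", "Basic realm=\"EXAMPLE.COM\""); // HTTPS only
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        final String name = user;
        // Hand the name to the application. The container's security constraints were
        // evaluated before this filter ran, so declarative J2EE roles never see it.
        chain.doFilter(new HttpServletRequestWrapper(req) { public String getRemoteUser() { return name; } }, res);
    }

    // Accepts the client's SPNEGO token (OID 1.3.6.1.5.5.2) as the service principal.
    private String acceptKerberos(final byte[] token, final HttpServletResponse res) {
        try {
            return Subject.doAs(serverSubject, new PrivilegedExceptionAction<String>() {
                public String run() throws GSSException {
                    GSSManager mgr = GSSManager.getInstance();
                    GSSCredential cred = mgr.createCredential(null, GSSCredential.INDEFINITE_LIFETIME,
                            new Oid("1.3.6.1.5.5.2"), GSSCredential.ACCEPT_ONLY);
                    GSSContext ctx = mgr.createContext(cred);
                    byte[] reply = ctx.acceptSecContext(token, 0, token.length);
                    if (reply != null) // mutual authentication: the client verifies this reply
                        res.setHeader("WWW-Authenticate", "Negotiate " + Base64.getEncoder().encodeToString(reply));
                    String name = ctx.isEstablished() ? ctx.getSrcName().toString() : null;
                    ctx.dispose();
                    return name;
                }
            });
        } catch (PrivilegedActionException e) { return null; } // bad ticket, wrong SPN, clock skew or replay
    }

    // BASIC fallback: the password is checked by obtaining a TGT for the user via JAAS.
    private boolean checkPassword(final String user, final String pass) {
        try {
            LoginContext lc = new LoginContext("PasswordLogin", new CallbackHandler() {
                public void handle(Callback[] cbs) {
                    for (Callback cb : cbs) {
                        if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                        if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(pass.toCharArray());
                    }
                }
            });
            lc.login(); lc.logout();
            return true;
        } catch (LoginException e) { return false; }
    }
}
```

Map the filter in web.xml with a filter-mapping on the URLs that need SSO, and keep it off any URL the container already protects with a security constraint, for the reason given above. Two caveats for production use: the BASIC path must only be reachable over TLS, and verifying a password by obtaining a TGT alone is susceptible to KDC spoofing, so a real fallback should additionally obtain a service ticket for the server's own keytab principal with the new TGT and validate it with the keytab.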
SPNEGO/Kerberos authentication reverse proxy server
An authentication proxy server can be used when the systems consist of application servers that cannot run on
a Sun or IBM JDK 1.4, which is a prerequisite for this component.
This solution works well with identity assertion, as supported by the WebLogic and WebSphere application servers.
If identity assertion from the SPNEGO/Kerberos authentication proxy is used, J2EE security can be set properly even on
older systems such as WAS 3.5, WAS 4, WAS 5.0, WLS 6.1 and WLS 7, and also on servers such as Oracle Application Server or
Lotus Domino. Because the application server then accepts the asserted identity without validating a Kerberos ticket
itself, the application servers must only be reachable through the proxy (by network restriction or mutually
authenticated TLS); otherwise any client that can reach them directly could assert an arbitrary identity.
The SPNEGO/Kerberos authentication proxy is the most flexible option, but it requires a Tomcat running on a Sun JDK 1.4.
JAAS based client authentication
The Windows LSA holds the locally cached Kerberos TGT, which is accessed through a custom LSA accessor. A JAAS module
uses this accessor to generate SPNEGO authentication requests. These requests are compatible
with the SPNEGO/Kerberos HTTP based servers described above and with the IIS server.
A JAAS based Java client can therefore do SSO using the domain user credentials held in the LSA ticket cache. The authenticated
Subject can then be used in conjunction with run-as and Subject.doAs().
Using BEA's WebLogic, Java based rich clients can access EJBs using the domain user credentials. This brings SSO to the
EJBs.
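As an added example (not the component's JAAS module or its LSA accessor), the following client shows the flow just described using only what the JDK ships: a JAAS login that picks up the user's existing TGT, a SPNEGO token built with JGSS inside Subject.doAs(), the token sent in an HTTP Negotiate header, and the server's reply fed back in to complete mutual authentication. The JAAS entry name "ClientLogin", the target URL and the Java 8+ requirement are assumptions. On Windows the JDK's Krb5LoginModule reads the TGT from the LSA cache, which exports the session key only when the registry value HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\AllowTgtSessionKey is set to 1; the page's custom LSA accessor exists to avoid that dependency.

```java
// Added example, not the component's code: a Java client that authenticates an HTTP
// request with the user's cached Kerberos TGT via JAAS and JGSS. Assumed, not from
// the page: Java 8+, a JAAS entry "ClientLogin" consisting of
//   com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true doNotPrompt=true;
// passed with -Djava.security.auth.login.config, and the hypothetical URL in main().
// On Windows the JDK reads the TGT from the LSA cache, which only exports the session
// key when HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\AllowTgtSessionKey
// is set to 1; without it the login fails.
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.*;

public class SpnegoClient {
    // Runs the whole Negotiate exchange as the logged-in Subject, so JGSS finds the TGT.
    // Returns the HTTP status; throws if the server fails mutual authentication.
    static int get(Subject subject, final URL url) throws Exception {
        return Subject.doAs(subject, new PrivilegedExceptionAction<Integer>() {
            public Integer run() throws Exception {
                GSSManager mgr = GSSManager.getInstance();
                GSSName service = mgr.createName("HTTP@" + url.getHost(), GSSName.NT_HOSTBASED_SERVICE);
                GSSContext ctx = mgr.createContext(service, new Oid("1.3.6.1.5.5.2"), null,
                                                   GSSContext.DEFAULT_LIFETIME);
                ctx.requestMutualAuth(true);   // insist the server proves it holds the HTTP/<host> key
                ctx.requestCredDeleg(false);   // do not forward the TGT unless the server must delegate
                byte[] token = ctx.initSecContext(new byte[0], 0, 0);

                HttpURLConnection conn = (HttpURLConnection) url.openConnection();
                conn.setRequestProperty("Authorization",
                        "Negotiate " + Base64.getEncoder().encodeToString(token));
                int status = conn.getResponseCode();

                // Feed the server's reply token back in to complete mutual authentication.
                String hdr = conn.getHeaderField("WWW-Authenticate");
                if (hdr != null && hdr.startsWith("Negotiate ")) {
                    byte[] reply = Base64.getDecoder().decode(hdr.substring(10).trim());
                    ctx.initSecContext(reply, 0, reply.length);
                }
                if (!ctx.isEstablished() || !ctx.getMutualAuthState())
                    throw new GSSException(GSSException.FAILURE);
                ctx.dispose();
                return status;
            }
        });
    }

    public static void main(String[] args) throws Exception {
        LoginContext lc = new LoginContext("ClientLogin"); // no prompt: uses the ticket cache
        lc.login();
        int status = get(lc.getSubject(), new URL("https://app.example.com/secure/"));
        System.out.println("HTTP " + status + " with mutual authentication established");
        lc.logout();
    }
}
```

Everything that touches Kerberos runs inside Subject.doAs() so that JGSS takes the credentials from the JAAS Subject rather than from a global cache; the same Subject is what an EJB client would use to authenticate its calls. Credential delegation is left off deliberately, because a forwardable TGT handed to a server lets that server impersonate the user against any service until the ticket expires; enable it only for the delegation scenario described under the authentication servlet.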