Friday, January 18. 2013
SPNEGO/Kerberos in JavaEE
Comments
I set up Tomcat 7 with SPNEGO on a Red Hat machine and automatic authentication on a Windows Server 2008 domain. It works fine from a Windows 7/hp client machine via IE and Firefox.
I have a problem when I try to access the demo page from Ubuntu 12.04 with the Firefox browser. I was logged on as a local user (not associated with the domain (not configured likewise)).
I expect the web browser to ask me for AD credentials and, when I enter them, I will pass, but I got:
"HTTP Status 401 -
This request requires HTTP authentication."
Firefox doesn't even prompt me to enter my credentials manually.
It just displays the error.
Any idea how to solve it?
Hi Aleksadar,
It depends on what library you're using. In case of the spnego filter I'm using in this entry it can be configured to accept spnego and BASIC authentication if the negotiation fails.
This is configured with some of the properties of the filter:
- spnego.allow.basic: allow BASIC if spnego negotiation fails.
- spnego.allow.unsecure.basic: allow BASIC even if https is not being used (not recommended).
- spnego.prompt.ntlm: prompt for BASIC if NTLM is offered.
This is done in the spnego filter sending the specific headers for each case. What library are you using for spnego?
Thanks for reading my blog.
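An added illustration of the header logic described in the reply above, written for this page as a simplified model and not taken from the SPNEGO filter's own code. The three flags mirror the properties listed; the class and method names, the realm string and the choice to re-send Negotiate when BASIC is not permitted are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;

// Simplified model of the 401 challenge choice; NOT the SPNEGO filter's own code.
public class ChallengeModel {
    static final String BASIC = "Basic realm=\"EXAMPLE.REALM\""; // placeholder realm
    // Fields mirror spnego.allow.basic, spnego.allow.unsecure.basic, spnego.prompt.ntlm.
    final boolean allowBasic, allowUnsecureBasic, promptNtlm;
    ChallengeModel(boolean allowBasic, boolean allowUnsecureBasic, boolean promptNtlm) {
        this.allowBasic = allowBasic;
        this.allowUnsecureBasic = allowUnsecureBasic;
        this.promptNtlm = promptNtlm;
    }

    // True when the Negotiate header carries a raw NTLM message ("NTLMSSP\0" signature).
    static boolean isNtlm(String authorization) {
        if (authorization == null || !authorization.startsWith("Negotiate ")) return false;
        try {
            byte[] tok = Base64.getDecoder().decode(authorization.substring(10).trim());
            return new String(tok, StandardCharsets.ISO_8859_1).startsWith("NTLMSSP\0");
        } catch (IllegalArgumentException e) {
            return false; // not valid base64, so not an NTLM token
        }
    }

    // WWW-Authenticate values to send with the 401 for this request.
    List<String> challenges(String authorization, boolean https) {
        boolean basicOk = allowBasic && (https || allowUnsecureBasic);
        List<String> out = new ArrayList<>();
        if (isNtlm(authorization)) { // client has no Kerberos ticket and offered NTLM
            out.add(basicOk && promptNtlm ? BASIC : "Negotiate");
            return out;
        }
        out.add("Negotiate");
        if (basicOk) out.add(BASIC); // lets a non-domain browser show a password prompt
        return out;
    }

    public static void main(String[] args) {
        String ntlm = "Negotiate " + Base64.getEncoder() // constructed sample token
            .encodeToString("NTLMSSP\0sample".getBytes(StandardCharsets.ISO_8859_1));
        System.out.println(new ChallengeModel(false, false, false).challenges(null, true));
        System.out.println(new ChallengeModel(true, false, false).challenges(null, false));
        System.out.println(new ChallengeModel(true, false, true).challenges(null, true));
        System.out.println(new ChallengeModel(true, false, true).challenges(ntlm, true));
    }
}
```

The first two cases offer only Negotiate, which a browser without a Kerberos ticket cannot answer and does not turn into a password prompt; BASIC appears only when it is allowed and the request is HTTPS (or unsecure BASIC is explicitly enabled).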
Hi,
Could you please give the steps for a JBoss server?
Thanks in Advance
Anmol Jain
Thanks a lot for this useful tutorial, but could you give me a recommendation for the authorization issue?
Hi dadel,
I wrote two more entries about this subject (PAC and standard solution). Please read them and check if they are useful for you. But both entries are a bit far-fetched; a common solution would be querying the AD to retrieve user groups once the username is known.
Thanks for reading the blog!
Thanks again for your reply, but there is something that is not clear to me. I'm using GlassFish; how do I override the login configuration of GlassFish with the SPNEGO solution?
thanks in advance...
Hi again dadel,
I don't understand you completely. If you use the SPNEGO filter project (the one used in this entry), the solution is absolutely custom. The filter is used to present the login and no JavaEE security is used, so GlassFish does not even present any login (it's the filter that performs the Kerberos login). Nevertheless, the third entry of this series (spnego.java.net) uses a JavaEE integrated solution (ServerAuthModule); in that entry the Kerberos login is integrated with common JavaEE security. See this third entry:
http://blogs.nologin.es/rickyepoderi/index.php?/archives/74-SPNEGOKerberos-in-JavaEE-spnego.java.net.html
So first you have to choose what you want to use: a custom solution (spnego filter for example) or a standard one (spnego.java.net for example). Then, if you need group membership, you have to implement LDAP access to the AD in order to retrieve the groups of the logged user. This second part is different depending on your first choice.
ciao!