Is there an Apache module that implements Kerberos authentication for use by Tomcat and also supports Kerberos delegation?

I've already looked at mod_spnego and it throws away the SSPI context it creates, only keeping the principal name. Instead, I'm looking for a module that would allow for the delegation of the ticket sent to Tomcat - that is, taking the service ticket sent for authentication and using it server side to access another service on behalf of the user.

EDIT: To clarify, I need to impersonate under Win32 using the GSS/SSPI context so when legacy code connects to another server, the delegated credentials are used.

+2  A: 

How about using the JAAS realm and using the Kerberos 5 JAAS module?

http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JAASRealm

http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html

Looks like it might require a little coding, but the pieces should be there.

Suppressingfire
It seems this is half of what I need with getting the Kerberos context into Tomcat + modifying mod_spnego so I'd have a security context to impersonate when calling Win32 code.
Tony Lee
I've successfully done Kerberos/SPNEGO authentication using JRE 6 and Tomcat, by implementing my own Tomcat Authenticator and Realm. In your case this could be accomplished through GSS-API and some headers sent to the client. Then that principal could be used to do other JAAS operations.
Scott Markwell
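
The GSS-API route discussed in this answer and its comments, as an added example that is not code from any poster here: the server accepts the client's SPNEGO token, checks whether a credential was actually delegated, and uses it to open a Kerberos context to a back-end service as the user. Assumptions: Java 8+, a JAAS entry named `spnego-server` (Krb5LoginModule with a keytab, `storeKey=true`), a live Kerberos realm, and the constructed service name `ldap@backend.example.com`; it stays inside Java and does not perform Win32 impersonation.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.*;

public class DelegationExample {
    // Extract the SPNEGO token from an "Authorization: Negotiate <base64>" header value.
    static byte[] tokenFromHeader(String authorization) {
        if (authorization == null || !authorization.startsWith("Negotiate ")) return null;
        return Base64.getDecoder().decode(authorization.substring(10).trim());
    }

    // Accept the token as the service principal held in `server`; return the
    // credential the client forwarded, or null if it did not delegate.
    static GSSCredential acceptDelegated(Subject server, byte[] token) throws Exception {
        return Subject.doAs(server, (PrivilegedExceptionAction<GSSCredential>) () -> {
            GSSContext ctx = GSSManager.getInstance().createContext((GSSCredential) null);
            try {
                // The reply token (for WWW-Authenticate) is ignored in this example.
                ctx.acceptSecContext(token, 0, token.length);
                if (!ctx.isEstablished())
                    throw new GSSException(GSSException.DEFECTIVE_TOKEN); // multi-leg not handled
                System.out.println("client: " + ctx.getSrcName());
                return ctx.getCredDelegState() ? ctx.getDelegCred() : null;
            } finally {
                ctx.dispose();
            }
        });
    }

    // Start a Kerberos context to a back-end service on behalf of the user.
    static byte[] firstTokenFor(GSSCredential delegated, String service) throws GSSException {
        GSSManager mgr = GSSManager.getInstance();
        GSSName peer = mgr.createName(service, GSSName.NT_HOSTBASED_SERVICE);
        GSSContext out = mgr.createContext(peer, new Oid("1.2.840.113554.1.2.2"),
                                           delegated, GSSContext.DEFAULT_LIFETIME);
        out.requestMutualAuth(true);
        return out.initSecContext(new byte[0], 0, 0);
    }

    public static void main(String[] args) throws Exception {
        LoginContext lc = new LoginContext("spnego-server"); // assumed JAAS entry name
        lc.login();
        byte[] token = tokenFromHeader(args[0]);             // header value captured from a request
        if (token == null) throw new IllegalArgumentException("not a Negotiate header");
        GSSCredential cred = acceptDelegated(lc.getSubject(), token);
        if (cred == null) { System.out.println("no delegated credential"); return; }
        byte[] next = firstTokenFor(cred, "ldap@backend.example.com"); // constructed service name
        System.out.println("back-end token bytes: " + next.length);
    }
}
```

A null result from `acceptDelegated` usually means the client did not forward a ticket, which on the directory side depends on the service account being trusted for delegation and on the client being configured to delegate to that host.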
+1  A: 

Here's a tutorial: http://spnego.sourceforge.net/credential_delegation.html. It implements Kerberos/SPNEGO as an HTTP Servlet Filter and supports credential delegation.

Pat Gonzalez
This looks very interesting, but doesn't seem to solve my problem. I don't see a way to impersonate (via Win32) using the GSSContext. This is what I'm trying to do, but rather than delegate to another HTTP server, I need to delegate over SSPI. I'll clarify the question.
Tony Lee