I need to implement single sign-on in my java web application which can achieve the following features: All the computer joined in my domain smb.local , after user login in the computer, and type http://localhost:8080, my application know to use the current logined user to login into my web application. So what protocal should I implement ? Or any reference ? Thanks very much !
+1
A:
Recently I worked with CAS from Jasig, you can also check OpenSSO or Josso to have a SSO. From there, you'll find the documentation of each project and how to integrate it in your application.
For the automatic connection "as long as your logged on the computer", I'm not sure that's even possible. If it is you'll certainly need a specific browser (and some plugins for this browser).
Colin Hebert
2010-10-06 14:54:52
A:
Is the authentication centralized anywhere (LDAP, for example)?
MashedPotatoJohnson
2010-10-06 14:55:46
+2
A:
If you want to "automatically" extract the user's Windows credentials, one option (maybe the only one?) is NTLM. Once you've actually got the credentials, you'll need to check them against the authoritative source - Active Directory exposes details as LDAP, so most security frameworks would be able to cope with this.
I've done such a thing a few years ago with Spring Security, including deriving privileges based on Windows group membership, and it worked very well.
Andrzej Doyle
2010-10-06 14:59:16
But you still have to log in again on the SSO server, right ?
Colin Hebert
2010-10-06 15:01:05
CAn Kerberos support automatically extract the user's windows credential?
MemoryLeak
2010-10-07 01:46:04
@Colin: Which SSO server? In this case I'm assuming that we're using Windows' Active Directory as the provider, and that you're *already* logged into the domain. Even if you're not, you'll be prompted for your **Windows** credentials, so at least it's still "single sign-on" in that there's one set of credentials and one authoritative source rather than having to remember another combination.
Andrzej Doyle
2010-10-07 07:56:16
@MemeryLeak: I've not used Kerberos before so I couldn't say for sure. However, to my knowledge this is simply the protocol that the application and the security server (in this case Active Directory) use to communicate. What you're asking about is how the application obtains passwords from the user, which can/should be completely separate, so I see no reason why you a Kerberos backend should stop you getting automatic access to the user's credentials.
Andrzej Doyle
2010-10-07 07:58:41
@Andrzej Doyle, Well your web application will have to check the user "ticket" against an authority (ie. your LDAP server) how will it get this ticket ? Unless your browser get himself a ticket (but I don't know how) the user will have to prove that he is logged and obtain a ticket to access the web application.
Colin Hebert
2010-10-07 08:08:57