Question
I have a system protected by SSL, and clients use a smartcard for accessing their certificate. I use Java's PKCS11.
I have posted this question here (even with bounty): pkcs11 sso (using prior Windows login with smartcard)
The same smartcard is used for Windows login, and I would like to save the client the trouble of re-logging in using the smartcard (PIN).
Many links I have read about this issue led me to the world of SSO: NTLM, Kerberos etc.
I feel SSO is a bit of an overspec for what I wanted to achieve, and also, by the looks of it, at least Kerberos requires me to create a KDC server and other new components that will elongate my development time.
So - some introductory questions about SSO I couldn't find an answer to:
Will it actually solve the problem I presented? (The smartcards contain "classic" certificates signed by a CA.)
I would like a minimal solution (in terms of components) - which is the best implementation for this? NTLM, Kerberos? I will probably have to use a JNA wrapper like WAFFLE, right? By the way, I will use Windows as the OS.
Thank you for your help.
Answer 1:
The only way is to set up a Windows Active Directory (a KDC impl) to use the full power of SSO with Kerberos. There is no other option. Don't use NTLM, it has a lot of drawbacks. Waffle has its drawbacks. Due to its different nature, it does not integrate into JGSS and makes it unusable comprehensively in Java. If you want to avoid licensing fees for Windows server, you may try Samba 4 which is an OSS alternative to the AD.
I have been doing this for years in a corporate environment from Windows client to a Unix-based server.
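As an added illustration of the JGSS route this answer refers to (not code from the question or the answer): a Java client asks the standard `org.ietf.jgss` API for the first SPNEGO/Kerberos token using the credentials of the user who is already logged on, so no PIN or password prompt is needed in the application. The service name `HTTP@app.example.com` is a placeholder, and the sketch assumes the machine belongs to a Kerberos realm (AD or Samba 4) and that a ticket is available to the JVM.

```java
import java.util.Base64;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class SpnegoClientToken {
    // SPNEGO mechanism OID; Kerberos 5 is negotiated underneath it.
    private static final String SPNEGO_OID = "1.3.6.1.5.5.2";

    /**
     * Builds the first-leg SPNEGO token for a host-based service name
     * such as "HTTP@app.example.com" (placeholder, not from the page).
     */
    static String initialToken(String hostBasedService) throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        GSSName service =
            manager.createName(hostBasedService, GSSName.NT_HOSTBASED_SERVICE);
        // A null credential means "default initiator credential",
        // i.e. the ticket of the user who is already logged on.
        GSSContext ctx = manager.createContext(
            service, new Oid(SPNEGO_OID), null, GSSContext.DEFAULT_LIFETIME);
        try {
            // Least privilege: do not forward the user's TGT to the service.
            ctx.requestCredDeleg(false);
            // First leg only. A full client keeps ctx open and feeds the
            // server's reply token back into initSecContext until
            // ctx.isEstablished() returns true.
            byte[] token = ctx.initSecContext(new byte[0], 0, 0);
            return Base64.getEncoder().encodeToString(token);
        } finally {
            ctx.dispose();
        }
    }

    public static void main(String[] args) throws GSSException {
        // Allow JGSS to obtain credentials outside a JAAS Subject,
        // for example from the operating system's ticket cache.
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
        String spn = args.length > 0 ? args[0] : "HTTP@app.example.com";
        // For HTTP services the token travels in this request header.
        System.out.println("Authorization: Negotiate " + initialToken(spn));
    }
}
```

On the server side the matching acceptor context validates the token against the service's keytab, which is where the KDC (AD or Samba 4) mentioned above comes in.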
Source: https://stackoverflow.com/questions/14106087/incorparating-sso-in-addition-instead-ssl