How to pass Windows authentication (browser) from a React application to SPNEGO Kerberos Spring SSO?

时光总嘲笑我的痴心妄想, posted on 2019-12-31 05:27:09

Question


We have a React application which gets its data from a Spring Boot web service. Both are deployed on the same server (Tomcat). But we only need Kerberos authentication for web service calls from the React application. Anyone can open the React application, but when it navigates, it calls the web service to get the data. So if we configure Spring to support SPNEGO Kerberos Spring SSO, is it possible that the browser will automatically pass (from the React app, as React runs in the browser) the logged-in Windows credentials to the Spring Boot web service?

We are calling the service from the React app as follows:

export const client = rest
  .wrap(mime, { registry: registry })
  .wrap(errorCode)
  .wrap(defaultRequest, {
    headers: {
      'Content-Type': 'application/json',
      'Accept': 'application/json'
    },
    method: 'GET'
  })



export const fetchPDSIs = (Id) =>
  APIHelpers.client(APIHelpers.buildPDSIReq(Id))
    .then(
      response => (response.entity || []).sort((a, b) => a.portalinstance.localeCompare(b.portalinstance))
      ,
      response => {
        global.msg.error(<div className='smallTextNotification'>Fetching instances and portal for {Id} error: {response.status.code} {'->'} {response.status.text}</div>)
        return []
      }
    )

export const buildPDSIReq = (Id) => ({path: `${serverAddr}/msd232/pdsiii/${Id}`})

Answer 1:


Yes, it's possible. Requirements on the client side:

  1. User logged into domain account on OS.
  2. Proper config in your browser, see Spring documentation

E.g. for Internet Explorer:

E.3 Internet Explorer

Complete following steps to ensure that your Internet Explorer browser is enabled to perform Spnego authentication.

Open Internet Explorer.
Click Tools > Internet Options > Security tab.
In Local intranet section make sure your server is trusted by i.e. adding it into a list.

Kerberos auth is triggered by an HTTP header returned from the backend service:

WWW-Authenticate: Negotiate

If your OS and browser are correctly configured, this will trigger service ticket generation, which the browser will send as the Authorization HTTP header value.

EDIT: If your application is split into frontend and backend hosted separately on different hosts, then you have to register an SPN (and generate a keytab) for the frontend host which users will enter. Example:

  • Backend: api.test.com
  • Frontend: application.test.com

For SSO to work, you have to register the SPN application.test.com; the backend host name is irrelevant here. Command:

setspn -A HTTP/application.test.com@test.com ad_user_to_registern_spn_for 


Source: https://stackoverflow.com/questions/56573623/how-to-pass-windows-authenticationbrowser-from-react-application-to-spnego-ker
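
Added example, not part of the original question or answer: a Node.js helper for checking a captured header exchange like the one the answer describes. It tests whether a 401 response offers `Negotiate` and whether the token in the browser's `Authorization` header is SPNEGO/Kerberos or an NTLM fallback, which Windows sends when it cannot obtain a service ticket (for instance when no SPN is registered for the host). This goes beyond the answer's text; the function names and sample tokens are constructed for illustration.

```javascript
// DER-encoded mechanism OIDs that can open a GSS-API token.
const OIDS = {
  '2b0601050502': 'spnego',          // 1.3.6.1.5.5.2
  '2a864886f712010202': 'kerberos',  // 1.2.840.113554.1.2.2
};

// Read a DER length at buf[pos]; returns { len, next } or null if malformed.
function derLength(buf, pos) {
  if (pos >= buf.length) return null;
  const first = buf[pos];
  if (first < 0x80) return { len: first, next: pos + 1 };
  const n = first & 0x7f;
  if (n === 0 || n > 4 || pos + 1 + n > buf.length) return null;
  let len = 0;
  for (let i = 0; i < n; i++) len = len * 256 + buf[pos + 1 + i];
  return { len, next: pos + 1 + n };
}

// True if a 401's WWW-Authenticate value(s) offer the Negotiate scheme.
function offersNegotiate(wwwAuthenticate) {
  return [].concat(wwwAuthenticate || [])
    .some(v => v.split(',').some(p => /^\s*Negotiate\b/i.test(p)));
}

// Classify the value of the browser's Authorization request header.
function classifyAuthorization(value) {
  const m = /^Negotiate\s+([A-Za-z0-9+\/]+={0,2})$/i.exec((value || '').trim());
  if (!m) return 'not-negotiate';
  const tok = Buffer.from(m[1], 'base64');
  // NTLM messages start with the ASCII signature "NTLMSSP\0".
  if (tok.subarray(0, 8).toString('latin1') === 'NTLMSSP\0') return 'ntlm-fallback';
  // GSS-API initial token: tag 0x60, DER length, then the mechanism OID (tag 0x06).
  if (tok[0] !== 0x60) return 'unknown';
  const outer = derLength(tok, 1);
  if (!outer || tok[outer.next] !== 0x06) return 'unknown';
  const oid = derLength(tok, outer.next + 1);
  if (!oid || oid.next + oid.len > tok.length) return 'unknown';
  return OIDS[tok.subarray(oid.next, oid.next + oid.len).toString('hex')] || 'unknown';
}

// Constructed sample tokens: only the leading bytes are meaningful, no real ticket.
const gss = (oidHex) => {
  const oid = Buffer.from(oidHex, 'hex');
  const body = Buffer.concat([Buffer.from([0x06, oid.length]), oid, Buffer.alloc(4)]);
  return Buffer.concat([Buffer.from([0x60, body.length]), body]).toString('base64');
};
const SAMPLE_SPNEGO = 'Negotiate ' + gss('2b0601050502');
const SAMPLE_NTLM = 'Negotiate ' + Buffer.from('NTLMSSP\0\x01\0\0\0', 'latin1').toString('base64');
```

A result of `ntlm-fallback` on the request that follows the 401 means the SSO path in the answer did not complete; the client-side zone setting and the SPN registration are the first things to recheck.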
