Tomcat authentication using SPNEGO/Kerberos and delegation

大憨熊 提交于 2019-12-31 14:42:33

问题


Is there an apache module that implements Kerberos authentication for use by Tomcat and also supports Kerberos delegation?

I've already looked at mod_spnego and it throws away the SSPI context it creates only keeping the principal name. Instead, I'm looking for a module that would allow for the delegation of the ticket sent to Tomcat - that is, taking the service ticket sent for authentication and using it server side to access another service on behalf of the user.

EDIT: To clarify, I need to impersonate under Win32 using the GSS/SSPI context so when legacy code connects to another server, the delegated credentials are used.


回答1:


WAFFLE (Windows Authentication Functional Framework) now provides that feature starting from v1.4beta.

It provides a ServletFilter that uses native Windows APIs to authenticate the user, either using Basic or Negotiate authentication. The user then can be impersonated, and native APIs calls will be performed with the access token of the impersonated user.




回答2:


How about using the JAAS realm and using the kerberos 5 JAAS module?

http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JAASRealm

http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html

Looks like it might require a little coding, but the pieces should be there.




回答3:


Here's a http://spnego.sourceforge.net/credential_delegation.html tutorial. It implements Kerberos/SPNEGO as an HTTP Servlet Filter and supports credential delegation.



来源:https://stackoverflow.com/questions/339101/tomcat-authentication-using-spnego-kerberos-and-delegation

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!