
Tomcat Integrated Windows Authentication across Multiple Domains

I am attempting to create a single sign-on system in which an application, running on a Tomcat server in a DMZ that is not joined to any domain, is able to authenticate against multiple domains while still automatically logging the user in using their Windows credentials.

Key Requirements:

  • Must support multiple domains
  • Users must not be prompted for credentials if they are on a supported domain
  • Web server CANNOT be on a domain
  • The Web server is located in a DMZ
  • Must support Tomcat 6

Is this even possible and if so is there any sort of framework that supports doing this? I've looked at JOSSO, Shibboleth, and OpenAM but none of them seem to meet all five of the requirements.

The JCIFS NtlmHttpFilter looks like exactly what I am looking for; unfortunately, it is deprecated and no longer recommended.

Visio diagram for reference.

Jespa can do this. If the domains have trusts, the default Jespa HttpSecurityFilter would work. You would have to poke a hole in the firewall for Jespa to talk to TCP port 445 on the target DCs though. And you would probably want to create a DNS Records File (see Jespa Operator's Manual) to bypass DNS and still have Jespa use multiple domain controllers.

If the domains do not have trusts, you can actually still do it. But you would have to write some code to set a cookie and then look up one of several jespa.http.HttpSecurityService instances (one for each domain) to call doFilter on. This means you would write a little request router to select the right domain. For a more detailed explanation ask IOPLEX Support.

Note however that if clients are not actually joined to the domain, then true single sign-on is theoretically impossible regardless of what software or protocol you use. You would have to use a "secondary" or "double sign on" style protocol like OpenID or CAS where you get redirected to some login page once. Then the client can get into any number of sites participating in that "SSO" scheme without supplying credentials again (at least for the remainder of the session anyway).
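A sketch of the request router the answer describes, added here as an example that is not part of the original answer or of Jespa. It assumes the per-domain authentication filters have already been created and initialised as plain `javax.servlet.Filter` instances (one per domain, keyed by a short domain name chosen at deploy time); the cookie name `authDomain` and the selection page path are assumptions. The cookie is client-controlled, so it is only ever used to pick among the configured keys, never trusted as a domain name itself.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Servlet 2.5 API only, so it compiles against Tomcat 6.
public class DomainRoutingFilter implements Filter {
    private static final String COOKIE = "authDomain";          // assumed cookie name
    private final Map<String, Filter> delegates;                // domain key -> initialised per-domain filter
    private final String selectionPage;                         // page that lets the user pick a domain

    public DomainRoutingFilter(Map<String, Filter> delegates, String selectionPage) {
        this.delegates = Collections.unmodifiableMap(delegates); // fixed set: no keys added at runtime
        this.selectionPage = selectionPage;
    }

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest hreq = (HttpServletRequest) req;
        HttpServletResponse hres = (HttpServletResponse) res;
        if (selectionPage.equals(hreq.getServletPath())) {
            chain.doFilter(req, res);                            // the chooser itself needs no domain auth
            return;
        }
        String key = domainFromCookie(hreq);
        Filter target = (key == null) ? null : delegates.get(key);
        if (target == null) {
            hres.sendRedirect(hreq.getContextPath() + selectionPage); // unknown or missing: never guess
            return;
        }
        target.doFilter(req, res, chain);                        // domain filter authenticates, then continues
    }

    static String domainFromCookie(HttpServletRequest req) {
        Cookie[] cookies = req.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (COOKIE.equals(c.getName())) return c.getValue();
        }
        return null;
    }
}
```

The selection page sets `authDomain` to one of the configured keys; any other value simply lands the user back on that page.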

There is no way of getting around Kerberos, for which you need domain access. NTLM is not an option because it is proprietary, and do not expect to find a complete OSS implementation. There is only Jespa.
