
Configuring SPNEGO HTTP Servlet Filter

I'm trying to implement Java SSO for a Web Application using the SPNEGO library from SourceForge. The example of hello_spnego.jsp at http://spnego.sourceforge.net works fine, but there are some things that I don't understand yet about the following parameters:

  1. spnego.prompt.ntlm enables Basic Authentication for clients who don't support Kerberos. Which is the value recommended for this parameter and why?
  2. spnego.allow.basic offers Basic Authentication in addition to Kerberos authentication. I understand that Basic Authentication request credential is not very safe. Which is the value recommended for this parameter and why?
  3. spnego.allow.unsecure.basic. I think that its value must be false if the Basic Authentication is enabled, but I'm not sure.

The values of the parameters depend on your use case. If you have a strict kerberos/spnego only environment (safest, but all clients and users need to be kerberos/spnego enabled) then use

  • because we only allow kerberos
  • because we only allow kerberos
  • not relevant because spnego.allow.basic=false

If you want to allow additional authentication mechanisms in addition to kerberos/spnego then you have to decide which ones: NTLM and/or basic. NTLM is not supported by this library so Basic is the only one left.

  • because we want to allow basic for non-spnego/NTLM only clients
  • because we want to allow basic for non-spnego clients
  • we force basic authentication over HTTPS (if you don't do this and set the value to true here, then you transmit your credentials unencrypted and in plaintext, that's not what you want, I guess)
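
A small checker for the three settings discussed above, reading them from a filter's `init-param` entries and reporting which of the cases is in effect. This is an added example, not code from the post or from the SPNEGO project; the class name, the sample XML and the choice to treat a missing parameter as false are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class SpnegoConfigCheck {
    // Constructed sample: the init-param part of a web.xml filter entry.
    static final String SAMPLE = "<filter>"
        + param("spnego.prompt.ntlm", "true")
        + param("spnego.allow.basic", "true")
        + param("spnego.allow.unsecure.basic", "true")
        + "</filter>";

    static String param(String name, String value) {
        return "<init-param><param-name>" + name + "</param-name>"
             + "<param-value>" + value + "</param-value></init-param>";
    }

    static Map<String, String> initParams(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // A config file has no need for DTDs or external entities.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        NodeList nodes = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
            .getElementsByTagName("init-param");
        Map<String, String> params = new HashMap<>();
        for (int i = 0; i < nodes.getLength(); i++) {
            Element e = (Element) nodes.item(i);
            params.put(text(e, "param-name"), text(e, "param-value"));
        }
        return params;
    }

    static String text(Element e, String tag) {
        return e.getElementsByTagName(tag).item(0).getTextContent().trim();
    }

    static String assess(Map<String, String> p) {
        // Assumption of this checker: a missing parameter counts as false.
        boolean basic = Boolean.parseBoolean(p.get("spnego.allow.basic"));
        boolean unsecure = Boolean.parseBoolean(p.get("spnego.allow.unsecure.basic"));
        boolean ntlm = Boolean.parseBoolean(p.get("spnego.prompt.ntlm"));
        if (!basic) return "Kerberos/SPNEGO only; spnego.allow.unsecure.basic is not relevant";
        if (unsecure) return "WARNING: Basic allowed without HTTPS, credentials travel in plaintext";
        return "Basic allowed over HTTPS only" + (ntlm ? ", also prompted for NTLM-only clients" : "");
    }

    public static void main(String[] args) throws Exception {
        System.out.println(assess(initParams(SAMPLE)));
    }
}
```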
