
jxBrowser support for SPNEGO / Kerberos

We are evaluating integrating jxBrowser into our desktop solution to handle authentication with an IDP (Keycloak).

In this integration we would like to support Kerberos authentication, and for that we would require support for SPNEGO.

Is this something that jxBrowser supports? Otherwise is it on the roadmap?

In JxBrowser you can configure an HTTP server authorization whitelist, which is a string containing a comma/semicolon-separated list of URLs. This feature allows you to use Integrated Windows authentication (IWA) and Kerberos authentication for the listed domains. With IWA, Chromium can authenticate the user to a web server or proxy without even prompting the user for a username or password. It does this by using cached credentials which are established when the user initially logs in to the machine that the browser is running on. IWA is supported for Negotiate and NTLM challenges only.

The HttpAuthPreferences.serverWhitelist() method allows you to specify which servers should be whitelisted for integrated authentication. By default, integrated authentication is only enabled when there is an authentication challenge from a proxy or from a server which is in this permitted list. If this list is not set, the Chromium engine will try to detect if a server is on the Intranet and only then will it respond to IWA requests. If a server is detected as Internet, then IWA requests from it will be ignored.

The HttpAuthPreferences.delegateWhitelist() method specifies the servers that Chromium may delegate to. If this list is not set, Chromium will not delegate user credentials even if a server is detected as Intranet.

If you specify multiple server names in the lists, separate them with commas. Wildcards (*) are allowed.

Example

Let's assume that IIS is running on 127.0.0.1. The NTLM/Negotiate authentication was enabled for the server.

By default, the server responds with 401 Unauthorized. After adding 127.0.0.1 to the whitelists, authentication passes without any additional requests.

engine.network().httpAuthPreferences().serverWhitelist("http://127.0.0.1");
engine.network().httpAuthPreferences().delegateWhitelist("http://127.0.0.1");

We haven't tested this solution with Kerberos authentication, because we don't have the required infrastructure yet, but you can try using this approach to configure the server and delegate whitelists with the addresses that use the Kerberos authentication. Please try this approach and let me know if it helps.
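A pre-flight check for the whitelist strings described in the answer above, as an added example that is not part of the original answer and not JxBrowser's own code. Because a listed server receives the logged-in user's cached credentials without a prompt, the check rejects entries that match more hosts than intended. The class and helper names, the wildcard policy and the `corp.example` hosts are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;

public class AuthWhitelistCheck {

    // Joins entries into the comma-separated form the whitelist methods take,
    // rejecting patterns broader than this (assumed) policy allows.
    static String buildWhitelist(List<String> entries) {
        List<String> accepted = new ArrayList<>();
        for (String raw : entries) {
            String entry = raw.trim();
            // Drop an optional scheme so only the host pattern is inspected.
            String host = entry.replaceFirst("^[A-Za-z][A-Za-z0-9+.-]*://", "");
            // A separator inside one entry would silently add extra servers.
            if (host.isEmpty() || entry.contains(",") || entry.contains(";")) {
                throw new IllegalArgumentException("malformed entry: '" + raw + "'");
            }
            if (host.contains("*") && !isNarrowWildcard(host)) {
                throw new IllegalArgumentException("wildcard too broad: '" + raw + "'");
            }
            accepted.add(entry);
        }
        return String.join(",", accepted);
    }

    // Assumed policy: a wildcard may only be a leading "*." label in front of
    // at least two further labels ("*.corp.example" yes; "*" and "*.com" no).
    static boolean isNarrowWildcard(String host) {
        if (!host.startsWith("*.") || host.indexOf('*', 1) >= 0) {
            return false;
        }
        String[] labels = host.substring(2).split("\\.");
        for (String label : labels) {
            if (label.isEmpty()) {
                return false;
            }
        }
        return labels.length >= 2;
    }

    public static void main(String[] args) {
        // Constructed sample hosts; idp.corp.example stands in for the Keycloak server.
        String servers = buildWhitelist(
                List.of("https://idp.corp.example", "*.apps.corp.example"));
        System.out.println("server whitelist: " + servers);
        // Then, as in the answer:
        // engine.network().httpAuthPreferences().serverWhitelist(servers);
    }
}
```

The same check applies to the string passed to delegateWhitelist(); as the answer states, leaving that list unset means Chromium will not delegate user credentials.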
