Tomcat authentication using SPNEGO/Kerberos and delegation

apache tomcat kerberos spnego

Solution 1

WAFFLE (Windows Authentication Functional Framework) now provides that feature starting from v1.4beta.

It provides a ServletFilter that uses native Windows APIs to authenticate the user, either using Basic or Negotiate authentication. The user then can be impersonated, and native APIs calls will be performed with the access token of the impersonated user.

Solution 2

How about using the JAAS realm and using the kerberos 5 JAAS module?

http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JAASRealm

http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html

Looks like it might require a little coding, but the pieces should be there.

Solution 3

Here's a http://spnego.sourceforge.net/credential_delegation.html tutorial. It implements Kerberos/SPNEGO as an HTTP Servlet Filter and supports credential delegation.

Author by

Becky

Updated on July 24, 2022

Comments

Becky almost 2 years
I've got a list
```
<ul>
   <li>Coffee</li>
   <li>Tea</li>
   <li>Milk</li>
</ul>
```
css:
```
nav li{
    background-colour:#555;
    height:15px;
}
```
My question is how can I customise only the the <li>Tea</li>

EDIT: I'm looking for a way to have <li>Tea</li> as background-color:#999; height:25px; and all others to be background-color:#555; height:15px;.
- Harry over 8 years
  
  You could use nth-child() or nth-of-type() selectors to select the 2nd li but do you have a specific pattern?
- Amit over 8 years
  
  Use a css class to target your element. That's the "standard" way of doing things
- Becky over 8 years
  
  @Harry thanks. what if I specify a class for the li I need?
- Harry over 8 years
  
  @Becky Sure you can, that's another easier way to do it.
- Becky over 8 years
  
  @Harry is there a way to override nav li{} withtout !important ?
- Harry over 8 years
  
  @Becky: Yes, you can. Just make the selector more specific. You can read more about specificity here.
Tony Lee over 15 years

It seems this is half of what I need with getting the kerberos context into TomCat + modifying mod_spnego so I'd have a security context to impersonate when calling win32 code.
Scott Markwell over 15 years

I've successfully done Kerberos/SPNEGO authentication using JRE 6 and Tomcat, by implementing my own Tomcat Authenticator and Realm. In your case this could be accomplished through GSS-API and some headers sent to the client. Then that principal could be used to do other JAAS operations.
Tony Lee over 14 years

This looks very interesting, but doesn't seem to solve my problem. I don't see a way to impersonate (via win32) using the GSSContext. This is what I'm trying to do, but rather than delegate to another http server, I need to delegate over sspi. I'll clarify the question.
Tony Lee over 13 years

This is exactly what I was looking for (although the project is long over).