Tomcat authentication using SPNEGO/Kerberos and delegation
Solution 1
WAFFLE (Windows Authentication Functional Framework) now provides that feature starting from v1.4beta.
It provides a ServletFilter that uses native Windows APIs to authenticate the user, either using Basic or Negotiate authentication. The user then can be impersonated, and native APIs calls will be performed with the access token of the impersonated user.
Solution 2
How about using the JAAS realm and using the kerberos 5 JAAS module?
http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JAASRealm
http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html
Looks like it might require a little coding, but the pieces should be there.
Solution 3
Here's a http://spnego.sourceforge.net/credential_delegation.html tutorial. It implements Kerberos/SPNEGO as an HTTP Servlet Filter and supports credential delegation.
Becky
Updated on July 24, 2022Comments
-
Becky almost 2 years
I've got a list
<ul> <li>Coffee</li> <li>Tea</li> <li>Milk</li> </ul>
css:
nav li{ background-colour:#555; height:15px; }
My question is how can I customise only the the
<li>Tea</li>
EDIT: I'm looking for a way to have
<li>Tea</li>
asbackground-color:#999; height:25px;
and all others to bebackground-color:#555; height:15px;
.-
Harry over 8 yearsYou could use
nth-child()
ornth-of-type()
selectors to select the 2ndli
but do you have a specific pattern? -
Amit over 8 yearsUse a css class to target your element. That's the "standard" way of doing things
-
Becky over 8 years@Harry thanks. what if I specify a class for the
li
I need? -
Harry over 8 years@Becky Sure you can, that's another easier way to do it.
-
Becky over 8 years@Harry is there a way to override
nav li{}
withtout!important
? -
Harry over 8 years@Becky: Yes, you can. Just make the selector more specific. You can read more about specificity here.
-
-
Tony Lee over 15 yearsIt seems this is half of what I need with getting the kerberos context into TomCat + modifying mod_spnego so I'd have a security context to impersonate when calling win32 code.
-
Scott Markwell over 15 yearsI've successfully done Kerberos/SPNEGO authentication using JRE 6 and Tomcat, by implementing my own Tomcat Authenticator and Realm. In your case this could be accomplished through GSS-API and some headers sent to the client. Then that principal could be used to do other JAAS operations.
-
Tony Lee over 14 yearsThis looks very interesting, but doesn't seem to solve my problem. I don't see a way to impersonate (via win32) using the GSSContext. This is what I'm trying to do, but rather than delegate to another http server, I need to delegate over sspi. I'll clarify the question.
-
Tony Lee over 13 yearsThis is exactly what I was looking for (although the project is long over).