Tomcat authentication using SPNEGO/Kerberos and delegation
Is there an apache module that implements Kerberos authentication for use by Tomcat and also supports Kerberos delegation?

I've already looked at mod_spnego and it throws away the SSPI context it creates only keeping the principal name. Instead, I'm looking for a module that would allow for the delegation of the ticket sent to Tomcat - that is, taking the service ticket sent for authentication and using it server side to access another service on behalf of the user.

EDIT: To clarify, I need to impersonate under Win32 using the GSS/SSPI context so when legacy code connects to another server, the delegated credentials are used.

Tetrad answered 3/12, 2008 at 23:15 Comment(0)
WAFFLE (Windows Authentication Functional Framework) now provides that feature starting from v1.4beta.

It provides a ServletFilter that uses native Windows APIs to authenticate the user, either using Basic or Negotiate authentication. The user then can be impersonated, and native APIs calls will be performed with the access token of the impersonated user.

Taunyataupe answered 20/1, 2011 at 7:48 Comment(1)
This is exactly what I was looking for (although the project is long over). (Tetrad)
How about using the JAAS realm and using the kerberos 5 JAAS module?

http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JAASRealm

http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html

Looks like it might require a little coding, but the pieces should be there.

Lindyline answered 19/1, 2009 at 20:44 Comment(2)
It seems this is half of what I need with getting the kerberos context into Tomcat + modifying mod_spnego so I'd have a security context to impersonate when calling win32 code. (Tetrad)
I've successfully done Kerberos/SPNEGO authentication using JRE 6 and Tomcat, by implementing my own Tomcat Authenticator and Realm. In your case this could be accomplished through GSS-API and some headers sent to the client. Then that principal could be used to do other JAAS operations. (Gloom)
Here's a tutorial: http://spnego.sourceforge.net/credential_delegation.html. It implements Kerberos/SPNEGO as an HTTP Servlet Filter and supports credential delegation.

Labellum answered 4/11, 2009 at 16:25 Comment(1)
This looks very interesting, but doesn't seem to solve my problem. I don't see a way to impersonate (via win32) using the GSSContext. This is what I'm trying to do, but rather than delegate to another http server, I need to delegate over sspi. I'll clarify the question. (Tetrad)
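As an added example (not code from this thread, nor from the WAFFLE or spnego.sourceforge.net projects), here is the Java GSS-API side of what the last two answers describe: the service accepts the client's Negotiate token under a Krb5LoginModule login, checks whether a credential was actually delegated before using it, and then initiates a context to a backend on the user's behalf. The JAAS entry name "TomcatService" and the SPN "HTTP@backend.example.com" are assumed placeholders; it does not cover the Win32/SSPI impersonation the question ultimately asks for.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.*;

public class SpnegoDelegationCheck {
    static final Oid SPNEGO_MECH = new Oid("1.3.6.1.5.5.2");
    static final Oid KRB5_MECH = new Oid("1.2.840.113554.1.2.2");
    /** Outcome of accepting one Negotiate token: who authenticated, and the forwarded credential if any. */
    static final class Accepted {
        final String principal;        // e.g. alice@EXAMPLE.COM
        final GSSCredential delegated; // null unless the client forwarded a ticket
        final byte[] responseToken;    // returned in "WWW-Authenticate: Negotiate <base64>"
        Accepted(String p, GSSCredential d, byte[] r) { principal = p; delegated = d; responseToken = r; }
    }
    /** Accept the client's SPNEGO token with the service's own ACCEPT_ONLY credential (runs inside Subject.doAs). */
    static Accepted accept(byte[] clientToken) throws GSSException {
        GSSManager mgr = GSSManager.getInstance();
        GSSCredential serviceCred = mgr.createCredential(null,
                GSSCredential.INDEFINITE_LIFETIME, SPNEGO_MECH, GSSCredential.ACCEPT_ONLY);
        GSSContext ctx = mgr.createContext(serviceCred);
        byte[] response = ctx.acceptSecContext(clientToken, 0, clientToken.length);
        if (!ctx.isEstablished()) throw new GSSException(GSSException.DEFECTIVE_TOKEN); // Kerberos needs one round
        // Only use a delegated credential when the context confirms the client actually forwarded one.
        GSSCredential delegated = ctx.getCredDelegState() ? ctx.getDelegCred() : null;
        return new Accepted(ctx.getSrcName().toString(), delegated, response);
    }
    /** Token for a backend call made on the user's behalf, using only the forwarded credential. */
    static byte[] backendToken(GSSCredential delegated, String backendSpn) throws GSSException {
        GSSManager mgr = GSSManager.getInstance();
        GSSName target = mgr.createName(backendSpn, GSSName.NT_HOSTBASED_SERVICE, KRB5_MECH);
        GSSContext ctx = mgr.createContext(target, KRB5_MECH, delegated, GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(true);
        ctx.requestCredDeleg(false); // the backend must not be able to forward the user's ticket again
        return ctx.initSecContext(new byte[0], 0, 0);
    }
    public static void main(String[] args) throws Exception {
        // JAAS entry "TomcatService" is an assumed name: Krb5LoginModule with useKeyTab=true, storeKey=true, isInitiator=false
        LoginContext lc = new LoginContext("TomcatService");
        lc.login();
        byte[] clientToken = Base64.getDecoder().decode(args[0]); // value of "Authorization: Negotiate <base64>"
        Accepted a = Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<Accepted>) () -> accept(clientToken));
        System.out.println("authenticated " + a.principal + "; delegation " + (a.delegated != null ? "received" : "absent"));
        if (a.delegated != null) Subject.doAs(lc.getSubject(),
                (PrivilegedExceptionAction<byte[]>) () -> backendToken(a.delegated, "HTTP@backend.example.com"));
    }
}
```

The client only forwards a ticket if its account and the service's account are allowed to delegate (the "forwardable" flag and, in Active Directory, the delegation settings on the service account), so `getCredDelegState()` is the check that tells you whether that happened rather than something the server can force.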
