Re: Kerberos in Browser based Applications




http://devel.it.su.se/pub/jsp/polopoly.jsp?d=1047

For Tomcat, JBoss, java-common and Ruby examples of how to get it working.

Love



On 5 Mar 2009, at 11:44, Wyllys Ingersoll wrote:


I documented using Kerberos with an Apache Web server and Firefox a while ago (for Solaris 10),
but the ideas are very similar for Linux or non-Solaris as long as you stick with Apache, Firefox,
and a Kerberos package that is based on MIT's codebase.

http://blogs.sun.com/wyllys/entry/kerberos_web_authentiation_with_apache

The doc may be a bit out of date, but I believe most of the steps are still correct and apply
to newer releases of Solaris as well as Linux, albeit with some slightly different pathnames
and settings.

Just getting web-based authentication configured and working is only the beginning, though.
To extend the reach and the use of the tickets to other processes (such as having the
forwarded ticket then be used to authenticate to other backend services on behalf of the user)
would require additional work for both the web server and the middleware that it
needs to talk to. Getting this to work with Tomcat or other web servers will definitely
require some additional effort and digging around; I don't know what the current state
of the art is in those areas.

-Wyllys




Frank Gruellich wrote:
Hi,

I have set up a Kerberos realm. A user and a service (let's say a
database) are both included as principals in KDC database and the
service restricts access to */dbuser@xxxxxxxxxxxx. User and service can
communicate perfectly using a database CLI at the user's machine.

Now these days CLIs aren't "state-of-the-art" anymore and $managers
refuse to use them. Let's throw a long discussion and platform
independent, Web2.0 ready and more buzzwords into the pot and we get the
need for a browser based web frontend to the service. And that's the
point where I do not get the full picture about Kerberos.

How would that work in a fully kerberized environment using all these
great features like single-sign-on and never transmitting a password
over the wire? For sure, I would have to add the webserver to the KDC
database, but what then? Would I add the webserver principal to the ACL
list of the service and add another authentication/authorization layer
into the web application? Could I somehow forward the user's ticket for
the service to the webserver and make the application give it to the
service, proving this way that the user requested access to the service?
That would keep all authentication on service side, but is it a good
idea to give a service ticket to another machine? Would that even work
given that the user's machine IP# is added to the tickets, AFAICS?

In the current setup the software involved is MIT Kerberos, an OpenLDAP
server as the service, e.g. phpLDAPadmin as the web application, Apache httpd
running it, and various browsers used to access it running on different
OSes. But I'm more interested in the general Kerberos idea of how to do
that. However, if you point me to specific software I should use in
this setup I would be happy, too.

Thanks in advance for some enlightenment.

Kind regards,

________________________________________________
Kerberos mailing list Kerberos@xxxxxxx
https://mailman.mit.edu/mailman/listinfo/kerberos
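One way to wire up the flow Frank asks about (the browser authenticates to the web server with SPNEGO, the web server keeps the user's forwarded credentials, and the web application then authenticates to the LDAP backend as that user), given here as an added example that is not part of the thread or of any poster's setup. It assumes Apache httpd with mod_auth_kerb and an MIT-based Kerberos; the realm EXAMPLE.COM, the host www.example.com, the URL path and the keytab path are placeholders.

```apacheconf
# Added example (not from the thread): Apache httpd + mod_auth_kerb configuration
# that accepts Negotiate (SPNEGO) from the browser and stores the credentials the
# browser forwarded, so the web application can reach a Kerberized backend as the user.
# Assumed placeholders: realm EXAMPLE.COM, host www.example.com, keytab path below.
LoadModule auth_kerb_module modules/mod_auth_kerb.so

<Location /ldapadmin>
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbAuthRealms EXAMPLE.COM
    # Service principal HTTP/www.example.com@EXAMPLE.COM must be in this keytab
    KrbServiceName HTTP
    Krb5Keytab /etc/httpd/conf/http.keytab
    # Accept the browser's ticket only; never fall back to asking for the
    # password and sending it over the wire
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off
    # Check the ticket against the keytab so a spoofed KDC cannot be used
    KrbVerifyKDC On
    # Write the forwarded TGT to a credential cache and export its path to the
    # application in the KRB5CCNAME environment variable
    KrbSaveCredentials On
    Require valid-user
</Location>
```

With KrbSaveCredentials on, the application inherits KRB5CCNAME and can use it directly, for instance `ldapsearch -Y GSSAPI` against the OpenLDAP server, which then sees the user's own principal rather than a web-server principal. Three things have to be true on the client side for this to work: the user's TGT must be forwardable (`forwardable = true` under `[libdefaults]` in krb5.conf, or `kinit -f`), Firefox must be allowed to do Negotiate for the host (`network.negotiate-auth.trusted-uris`) and, separately, to delegate credentials to it (`network.negotiate-auth.delegation-uris`). On the address question in the original mail: with `noaddresses = true` in `[libdefaults]` (the MIT default) tickets carry no client address, so the forwarded TGT is usable from the web server. Keep `delegation-uris` limited to the one web host, because a forwarded TGT lets that server act as the user toward any service in the realm, not just the LDAP backend; MIT Kerberos 1.8 and later also offer constrained delegation (S4U2Proxy), which limits what the web server principal may obtain on the user's behalf.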



