
Thread: Pre-authentication in a non-Windows environment

  1. #1
    Join Date
    Dec 2011
    Location
    Paris, France
    Posts
    58

    Pre-authentication in a non-Windows environment

    Hello,

    is it possible to pre-authenticate a user using Internet Explorer on Windows, with Spring Security, in a non-Windows server environment?

    Here's an example of what I am attempting to do:

    - a user running IE (or Firefox) on Windows connects to a Spring application running on Linux
    - the application retrieves his browser's Windows user profile and authenticates him/her against Active Directory using the LDAP protocol
    - the user uses the application...

    Many thanks.

    Philroc
    Last edited by Philroc; Jul 10th, 2012 at 03:10 AM. Reason: Wrong forum

  2. #2
    Join Date
    Jun 2005
    Posts
    4,230


    I can move this post to the Spring Security forum. If I were you I'd explain a bit more what you want to do ("pre-authenticate" is a bit vague).

  3. #3
    Join Date
    Dec 2011
    Location
    Paris, France
    Posts
    58


    Yes, please move it.

    I will explain a bit more.

  4. #4
    Join Date
    Jan 2008
    Posts
    1,826


    It sounds as though you are wanting to use Kerberos. This is possible to do from a Windows or a Linux client using the Spring Security Kerberos extension. Note that this has not been released as a full release yet, so it is possible you will want to use Pre Authentication and Spring Security for authorization. The tricky part will be ensuring you get the setup correct. The difficulty comes in due to the fact that LDAP configurations are often quite different (and thus the Kerberos setup). If you are not familiar with Kerberos, you will likely want to seek some additional materials on Kerberos.
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal

  5. #5
    Join Date
    Dec 2011
    Location
    Paris, France
    Posts
    58


    Thanks for the information, Rob.

    In his article, Mike Wiesner (http://blog.springsource.com/2009/09...rity-kerberos/) says that you are supposed to generate a service principal using a fully-qualified name, such as "HTTP/web.springsource.com@SPRINGSOURCE.COM".


    My problem is that my test environment runs on CentOS in a VirtualBox VM hosted on Windows 7 and does not have a fully-qualified name. Furthermore, its IP address is DHCP-generated.

    Any idea how I can create a service principal with this "handicap"?

    Many thanks.

    Philroc

  6. #6
    Join Date
    Jan 2008
    Posts
    1,826


    One way to deal with this is to update your hosts file or set up your own DNS server. If you are just wanting to play around with Kerberos I have used ApacheDS to do so. With whatever approach you take, setting up a Kerberos environment is not a simple task (you will likely need external resources if you have not done it before).
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal
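
An added example, not part of the original posts: a small check that a service principal name and a hosts file agree before a keytab is generated for it. The sample hosts file, its IP address and the function names are constructed for illustration; the principal is the one quoted in the thread.

```python
import re

# Constructed sample: hosts file of the CentOS test VM (address and names are made up).
SAMPLE_HOSTS = """\
127.0.0.1      localhost localhost.localdomain
# static entry standing in for the missing DNS record
192.168.56.10  web.springsource.com web
"""

SPN_RE = re.compile(
    r"^(?P<service>[A-Za-z]+)/(?P<host>[A-Za-z0-9.-]+)@(?P<realm>[A-Za-z0-9.-]+)$")

def parse_hosts(text):
    """Return {lowercased name: (ip, canonical name)} for every name in a hosts file."""
    names = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        ip, canonical = fields[0], fields[1]    # first name on a line is the canonical one
        for name in fields[1:]:
            names.setdefault(name.lower(), (ip, canonical))
    return names

def check_spn(spn, hosts_text):
    """Return a list of problems; an empty list means SPN and hosts file agree."""
    m = SPN_RE.match(spn)
    if not m:
        return ["SPN is not of the form service/host@REALM"]
    problems = []
    host, realm = m["host"], m["realm"]
    if "." not in host:
        problems.append("host part is a short name, not fully qualified")
    if realm != realm.upper():
        problems.append("realm is not upper case (realms are case-sensitive)")
    entry = parse_hosts(hosts_text).get(host.lower())
    if entry is None:
        problems.append("host part has no hosts-file entry")
    else:
        ip, canonical = entry
        if ip.startswith("127.") or ip == "::1":
            problems.append("host part maps to loopback")
        if canonical.lower() != host.lower():
            problems.append("host part is an alias; canonical name is " + canonical)
    return problems
```

The browser requests a ticket for HTTP/ plus the host name in the URL, so the Windows client needs to resolve the same fully-qualified name as the server.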
