Re: [jetty-dev] Adding in spnego authentication support

We've had a few groups try to implement SPNEGO in Shib and have found
similar issues with browser behavior.  In particular a number of
browsers that don't want to handle SPNEGO seem to just immediately
prompt the user for BASIC auth without returning them back to the
server first.

On Thu, Aug 19, 2010 at 14:19, Jesse McConnell
<jesse.mcconnell@xxxxxxxxx> wrote:
> Just kerberos, and it's a bit finicky in the setup as spnego has to be
> configured correctly or else IE will fall back to just attaching an
> ntlm token to the spnego authorization header instead of properly
> using kerberos.
>
> since the jvm has been steadily picking up basic support for these
> things more a fall back to ntlm is reasonable at some
> point....technically the spnego spec forbids the ntlm token coming
> back but microsoft doesn't generally care about such things and does
> it anyway and expects people to roll with it.  I have actually been
> considering testing the token to see if it's ntlm and warn the log or
> something about it.  there is a fair amount of discussion on that out
> on various mailing lists, etc :)
>
> cheers,
> jesse
>
> --
> jesse mcconnell
> jesse.mcconnell@xxxxxxxxx
>
>
>
> On Thu, Aug 19, 2010 at 13:10, Chad La Joie <lajoie@xxxxxxxxx> wrote:
>> Hey Jesse, out of curiosity, what forms of credentials does the spnego
>> module support?  Only kerb or also things like NTLM?
>>
>> On Thu, Aug 19, 2010 at 13:58, Jesse McConnell
>> <jesse.mcconnell@xxxxxxxxx> wrote:
>>> I have a jetty-spnego module in the sandbox...the latest iteration has
>>> no external dependencies so I am considering rolling it into
>>> jetty-security now..
>>>
>>> any reasons not to?  I am also passively working on additional ldap
>>> support for getting roles from AD but it's not something that is easily
>>> generic between a standard ldap server and the Microsoft variant...
>>>
>>> cheers,
>>> jesse
>>>
>>> --
>>> jesse mcconnell
>>> jesse.mcconnell@xxxxxxxxx
>>> _______________________________________________
>>> jetty-dev mailing list
>>> jetty-dev@xxxxxxxxxxx
>>> https://dev.eclipse.org/mailman/listinfo/jetty-dev
>>>
>>
>>
>>
>> --
>> Chad La Joie
>> www.itumi.biz
>> trusted identities, delivered
>>
>



-- 
Chad La Joie
www.itumi.biz
trusted identities, delivered

