Tomcat Integrated Windows Authentication across Mu

Posted 2019-08-19 03:28

I am attempting to create a single sign-on system in which an application, running on a Tomcat server in a DMZ that is not joined to any domain, is able to authenticate against multiple domains while still automatically logging the user in with their Windows credentials.

Key Requirements:

  • Must support multiple domains
  • Users must not be prompted for credentials if they are on a supported domain
  • Web server CANNOT be on a domain
  • The Web server is located in a DMZ
  • Must support Tomcat 6

Is this even possible, and if so, is there any sort of framework that supports doing this? I've looked at JOSSO, Shibboleth, and OpenAM, but none of them seem to meet all five of the requirements.

The JCIFS NtlmHttpFilter looks like exactly what I am looking for; unfortunately it is deprecated and no longer recommended.

Visio diagram for reference (image not reproduced here).

2 answers
萌系小妹纸
#2 · 2019-08-19 03:51

There is no way of getting around Kerberos, for which you need domain access. NTLM is not an option because it's proprietary, and do not expect to find a complete OSS implementation. There is only Jespa.

淡お忘
#3 · 2019-08-19 03:59

Jespa can do this. If the domains have trusts, the default Jespa HttpSecurityFilter would work. You would have to poke a hole in the firewall for Jespa to talk to TCP port 445 on the target DCs, though. And you would probably want to create a DNS Records File (see the Jespa Operator's Manual) to bypass DNS and still have Jespa use multiple domain controllers.

If the domains do not have trusts, you can actually still do it. But you would have to write some code to set a cookie and then look up one of several jespa.http.HttpSecurityService instances (one for each domain) to call doFilter on. Meaning you would write a little request router to select the right domain. For a more detailed explanation, ask IOPLEX Support.

Note, however, that if clients are not actually joined to the domain, then true single sign-on is theoretically impossible regardless of what software or protocol you use. You would have to use a "secondary" or "double sign-on" style protocol like OpenID or CAS, where you get redirected to some login page once. Then the client can get into any number of sites participating in that "SSO" scheme without supplying credentials again (at least for the remainder of the session, anyway).

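A sketch of the "little request router" described in the answer above, as an added example that is not part of the answer, the question, or Jespa's own code. It targets Tomcat 6 (Servlet 2.5) as the question requires, and assumes the per-domain authentication filter (by default `jespa.http.HttpSecurityFilter`, which the answer says works on its own when trusts exist) is an ordinary `javax.servlet.Filter` configured through web.xml init-params; the `jespa.bindstr` parameter name in the comment is illustrative only, so take the real names from the Jespa Operator's Manual. One instance is built per domain from init-params prefixed with that domain's name, and a cookie selects which instance handles each request. The cookie value is client-controlled, so it is only honoured if it names a configured domain.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Routes each request to one of several per-domain authentication filters.
 * web.xml (example config, parameter names other than "domains" and
 * "service.class" are assumptions):
 *   domains            = CORP,PARTNER
 *   service.class      = jespa.http.HttpSecurityFilter   (default if absent)
 *   CORP.jespa.bindstr = dc1.corp.example:445            (CORP.* -> CORP instance)
 */
public class DomainRouterFilter implements Filter {

    static final String COOKIE = "AUTHDOMAIN";
    private final Map<String, Filter> services = new HashMap<String, Filter>();

    public void init(FilterConfig cfg) throws ServletException {
        String cls = cfg.getInitParameter("service.class");
        if (cls == null) cls = "jespa.http.HttpSecurityFilter";
        for (String d : cfg.getInitParameter("domains").split(",")) {
            d = d.trim().toUpperCase();
            try {
                Filter f = (Filter) Class.forName(cls).newInstance();
                f.init(scoped(cfg, d + "."));   // sees only CORP.* params, unprefixed
                services.put(d, f);
            } catch (Exception e) {
                throw new ServletException("cannot build auth filter for " + d, e);
            }
        }
    }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest hreq = (HttpServletRequest) req;
        HttpServletResponse hresp = (HttpServletResponse) resp;
        String path = hreq.getServletPath();

        if ("/choose.html".equals(path)) {      // the one-time domain picker page itself
            chain.doFilter(req, resp);
            return;
        }
        if ("/choose".equals(path)) {           // picker posts back ?domain=CORP
            String d = validDomain(hreq.getParameter("domain"));
            if (d != null) {
                // Servlet 2.5's Cookie has no setHttpOnly, so emit the header directly.
                hresp.setHeader("Set-Cookie", COOKIE + "=" + d + "; Path=/; Secure; HttpOnly");
                hresp.sendRedirect(hreq.getContextPath() + "/");
                return;
            }
        }
        String d = selectedDomain(hreq);
        if (d == null) {
            hresp.sendRedirect(hreq.getContextPath() + "/choose.html");
            return;
        }
        // The per-domain filter runs the NTLM/Kerberos exchange against its own
        // DCs and only continues the chain once the user is authenticated.
        services.get(d).doFilter(req, resp, chain);
    }

    /** Cookie value is client-controlled: accept it only if it names a configured domain. */
    private String selectedDomain(HttpServletRequest req) {
        Cookie[] cookies = req.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies)
            if (COOKIE.equals(c.getName())) return validDomain(c.getValue());
        return null;
    }

    private String validDomain(String v) {
        if (v == null) return null;
        v = v.trim().toUpperCase();
        return services.containsKey(v) ? v : null;
    }

    /** View of the router's FilterConfig restricted to params starting with prefix. */
    private static FilterConfig scoped(final FilterConfig cfg, final String prefix) {
        return new FilterConfig() {
            public String getFilterName() { return cfg.getFilterName() + "[" + prefix + "]"; }
            public ServletContext getServletContext() { return cfg.getServletContext(); }
            public String getInitParameter(String name) { return cfg.getInitParameter(prefix + name); }
            public Enumeration getInitParameterNames() {
                List<String> names = new ArrayList<String>();
                for (Enumeration e = cfg.getInitParameterNames(); e.hasMoreElements();) {
                    String n = (String) e.nextElement();
                    if (n.startsWith(prefix)) names.add(n.substring(prefix.length()));
                }
                return Collections.enumeration(names);
            }
        };
    }

    public void destroy() {
        for (Filter f : services.values()) f.destroy();
    }
}
```

Map the filter to `/*` in web.xml. Because the router is itself the only place that sets the cookie, the `Secure` attribute means it will never be sent by browsers over plain HTTP, so the DMZ server must be HTTPS-only. The domain picker page is the one request that bypasses authentication; it is the single interactive step the answer refers to, after which each request is handed straight to the chosen domain's filter and the Windows credentials are used without a prompt.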