java.lang.Object
  net.sourceforge.spnego.SpnegoHttpFilter
public final class SpnegoHttpFilter
HTTP servlet filter that provides SPNEGO authentication. It allows servlet containers like Tomcat and JBoss to transparently/silently authenticate HTTP clients like Microsoft Internet Explorer (MSIE).
This feature in MSIE is sometimes referred to as single sign-on and/or Integrated Windows Authentication. In general, there are at least two authentication mechanisms that allow an HTTP server and an HTTP client to achieve single sign-on: NTLM and Kerberos/SPNEGO.
NTLM
MSIE has the ability to negotiate NTLM password hashes over an HTTP session
using Base64-encoded NTLMSSP messages. This is a staple feature of Microsoft's
Internet Information Server (IIS). Open source libraries exist (e.g. jCIFS) that
provide NTLM-based authentication capabilities to servlet containers. jCIFS uses
NTLM and Microsoft's Active Directory (AD) to authenticate MSIE clients.
SpnegoHttpFilter does NOT support NTLM (tokens).
Kerberos/SPNEGO
Kerberos is an authentication protocol that is implemented in AD. The protocol
does not negotiate passwords between a client and a server but rather uses tokens
that let the two sides securely authenticate to one another over an insecure network.
SpnegoHttpFilter does support Kerberos, but through the pseudo-mechanism SPNEGO.
Localhost Support
The Kerberos protocol requires that a service have a Service Principal Name (SPN)
specified. However, there are some use-cases where it may not be practical to
specify an SPN (e.g. Tomcat running on a developer's machine). The DNS name
http://localhost is supported but must be configured in the servlet filter's
init params in the web.xml file.
Modifying the web.xml file
Here's an example configuration:
<filter>
    <filter-name>SpnegoHttpFilter</filter-name>
    <filter-class>net.sourceforge.spnego.SpnegoHttpFilter</filter-class>
    <init-param>
        <param-name>spnego.allow.basic</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>spnego.allow.localhost</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>spnego.allow.unsecure.basic</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>spnego.login.client.module</param-name>
        <param-value>spnego-client</param-value>
    </init-param>
    <init-param>
        <param-name>spnego.krb5.conf</param-name>
        <param-value>krb5.conf</param-value>
    </init-param>
    <init-param>
        <param-name>spnego.login.conf</param-name>
        <param-value>login.conf</param-value>
    </init-param>
    <init-param>
        <param-name>spnego.preauth.username</param-name>
        <param-value>Zeus</param-value>
    </init-param>
    <init-param>
        <param-name>spnego.preauth.password</param-name>
        <param-value>Zeus_Password</param-value>
    </init-param>
    <init-param>
        <param-name>spnego.login.server.module</param-name>
        <param-value>spnego-server</param-value>
    </init-param>
    <init-param>
        <param-name>spnego.prompt.ntlm</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>spnego.logger.level</param-name>
        <param-value>1</param-value>
    </init-param>
</filter>
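An added example, not part of the SPNEGO project's code: a small Python check that reads a web.xml and flags the three settings in the sample configuration above that deserve review before it leaves a developer machine (Basic authentication permitted over non-TLS connections, localhost support, and a pre-auth password stored in clear text). The function names and finding codes are hypothetical, the embedded XML is a constructed, trimmed copy of the sample, and only explicitly set parameters are checked (library defaults for absent parameters are not modeled).

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed copy of the filter block shown above.
SAMPLE_WEB_XML = """<web-app>
  <filter>
    <filter-class>net.sourceforge.spnego.SpnegoHttpFilter</filter-class>
    <init-param><param-name>spnego.allow.basic</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>spnego.allow.localhost</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>spnego.allow.unsecure.basic</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>spnego.preauth.username</param-name><param-value>Zeus</param-value></init-param>
    <init-param><param-name>spnego.preauth.password</param-name><param-value>Zeus_Password</param-value></init-param>
  </filter>
</web-app>"""

FILTER_CLASS = "net.sourceforge.spnego.SpnegoHttpFilter"

def _local(tag):
    """Strip an XML namespace so namespaced and plain web.xml files both work."""
    return tag.rsplit("}", 1)[-1]

def spnego_params(web_xml_text):
    """Return {param-name: param-value} for the SpnegoHttpFilter <filter> element."""
    root = ET.fromstring(web_xml_text)
    for flt in (e for e in root.iter() if _local(e.tag) == "filter"):
        kids = {_local(c.tag): c for c in flt}
        cls = kids.get("filter-class")
        if cls is None or (cls.text or "").strip() != FILTER_CLASS:
            continue  # some other filter in the same descriptor
        params = {}
        for ip in (c for c in flt if _local(c.tag) == "init-param"):
            fields = {_local(c.tag): (c.text or "").strip() for c in ip}
            params[fields.get("param-name", "")] = fields.get("param-value", "")
        return params
    return {}

def audit(web_xml_text):
    """Return a sorted list of finding codes for settings to review before deployment."""
    p = spnego_params(web_xml_text)
    on = lambda name: p.get(name, "").lower() == "true"
    findings = []
    if on("spnego.allow.basic") and on("spnego.allow.unsecure.basic"):
        findings.append("basic-over-plain-http")  # Basic credentials are only Base64-encoded
    if on("spnego.allow.localhost"):
        findings.append("localhost-enabled")  # meant for cases such as a developer's machine
    if p.get("spnego.preauth.password"):
        findings.append("cleartext-preauth-password")  # readable by anyone who can read web.xml
    return sorted(findings)
```
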
Example usage on web page
<html>
<head>
    <title>Hello SPNEGO Example</title>
</head>
<body>
Hello <%= request.getRemoteUser() %> !
</body>
</html>
Take a look at the reference docs for other configuration parameters.
See more usage examples at http://spnego.sourceforge.net
Nested Class Summary | |
---|---|
static class | SpnegoHttpFilter.Constants: Defines constants and parameter names that are used in the web.xml file, and HTTP request headers, etc. |
Field Summary | |
---|---|
private SpnegoAuthenticator | authenticator: Object for performing Basic and SPNEGO authentication. |
private static Logger | LOGGER |
Constructor Summary |
---|
SpnegoHttpFilter() |
Method Summary | |
---|---|
void | destroy() |
void | doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain) |
void | init(javax.servlet.FilterConfig filterConfig) |
Methods inherited from class java.lang.Object |
---|
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait |
Field Detail |
---|
private static final Logger LOGGER
private transient SpnegoAuthenticator authenticator
Constructor Detail |
---|
public SpnegoHttpFilter()
Method Detail |
---|
public void init(javax.servlet.FilterConfig filterConfig) throws javax.servlet.ServletException
Specified by: init in interface javax.servlet.Filter
Throws: javax.servlet.ServletException

public void destroy()
Specified by: destroy in interface javax.servlet.Filter

public void doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain) throws IOException, javax.servlet.ServletException
Specified by: doFilter in interface javax.servlet.Filter
Throws: IOException, javax.servlet.ServletException