Tomcat authentication using SPNEGO/Kerberos and delegation

Question

Is there an apache module that implements Kerberos authentication for use by Tomcat and also supports Kerberos delegation?

I've already looked at mod_spnego and it throws away the SSPI context it creates only keeping the principal name. Instead, I'm looking for a module that would allow for the delegation of the ticket sent to Tomcat - that is, taking the service ticket sent for authentication and using it server side to access another service on behalf of the user.

EDIT: To clarify, I need to impersonate under Win32 using the GSS/SSPI context so when legacy code connects to another server, the delegated credentials are used.

score 7 · Accepted Answer · answered Jan 20 '11 at 07:48

7

WAFFLE (Windows Authentication Functional Framework) now provides that feature starting from v1.4beta.

It provides a ServletFilter that uses native Windows APIs to authenticate the user, either using Basic or Negotiate authentication. The user then can be impersonated, and native APIs calls will be performed with the access token of the impersonated user.

answered Jan 20 '11 at 07:48

Nico

811
10
18

This is exactly what I was looking for (although the project is long over). – Tony Lee Jan 20 '11 at 17:21

score 4 · Answer 2 · answered Jan 19 '09 at 20:44

4

How about using the JAAS realm and using the kerberos 5 JAAS module?

http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JAASRealm

http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html

Looks like it might require a little coding, but the pieces should be there.

answered Jan 19 '09 at 20:44

Suppressingfire

3,246
23
17

It seems this is half of what I need with getting the kerberos context into TomCat + modifying mod_spnego so I'd have a security context to impersonate when calling win32 code. – Tony Lee Jan 24 '09 at 01:05
I've successfully done Kerberos/SPNEGO authentication using JRE 6 and Tomcat, by implementing my own Tomcat Authenticator and Realm. In your case this could be accomplished through GSS-API and some headers sent to the client. Then that principal could be used to do other JAAS operations. – Scott Markwell Jan 28 '09 at 23:57

score 2 · Answer 3 · answered Nov 04 '09 at 16:25

2

Here's a http://spnego.sourceforge.net/credential_delegation.html tutorial. It implements Kerberos/SPNEGO as an HTTP Servlet Filter and supports credential delegation.

answered Nov 04 '09 at 16:25

Pat Gonzalez

249
2
7

This looks very interesting, but doesn't seem to solve my problem. I don't see a way to impersonate (via win32) using the GSSContext. This is what I'm trying to do, but rather than delegate to another http server, I need to delegate over sspi. I'll clarify the question. – Tony Lee Nov 05 '09 at 00:30

Tomcat authentication using SPNEGO/Kerberos and delegation

3 Answers3

Linked