java - Tomcat Integrated Windows Authentication across Multiple Domains

Question

I am attempting to create a single sign on system in which an application running on a Tomcat server in a DMZ which is not joined to any domain, is able to authenticate against multiple domains while still automatically logging the user using their Windows Credentials.

Key Requirements:

• Must support multiple domains
• Users must not be prompted for credentials if they are on a supported domain
• Web server CANNOT be on a domain
• The Web server is located in a DMZ
• Must support Tomcat 6

Is this even possible and if so is there any sort of framework that supports doing this? I've looked at JOSSO, Shibboleth, and OpenAM but none of them seem to meet all five of the requirements.

The JCIFS NtlmHttpFilter looks like exactly what I am looking for, unfortunately it is deprecated and is no longer recommended.

---

Visio diagram for reference.

Answer 1

Jespa can do this. If the domains have trusts, the default Jespa HttpSecurityFilter would work. You would have to poke a hole in the firewall for Jespa to talk to TCP port 445 on the target DCs though. And you would probably want to create a DNS Records File (see Jespa Operator's Manual) to bypass DNS and still have Jespa use multiple domain controllers.

If the domains do not have trusts, you can actually still do it. But you would have to write some code to set a cookie and then lookup one of several jespa.http.HttpSecurityService instances (one for each domain) to call doFilter on. Meaning you would write a little request router to select the right domain. For a more detailed explanation ask IOPLEX Support.

Note however that if clients are not actually joined to the domain, then true single sign-on is theoretically impossible regardless of what software or protocol you use. You would have to use a "secondary" or "double sign on" style protocol like OpenID or CAS where you get redirected to some login page once. Then the client can get into any number of sites participating in that "SSO" scheme without supplying credentials again (at least for the remainder of the session anyway).