Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
276 views
in Technique[技术] by (71.8m points)

java - Tomcat Integrated Windows Authentication across Multiple Domains

I am attempting to create a single sign on system in which an application running on a Tomcat server in a DMZ which is not joined to any domain, is able to authenticate against multiple domains while still automatically logging the user using their Windows Credentials.

Key Requirements:

  • Must support multiple domains
  • Users must not be prompted for credentials if they are on a supported domain
  • Web server CANNOT be on a domain
  • The Web server is located in a DMZ
  • Must support Tomcat 6

Is this even possible and if so is there any sort of framework that supports doing this? I've looked at JOSSO, Shibboleth, and OpenAM but none of them seem to meet all five of the requirements.

The JCIFS NtlmHttpFilter looks like exactly what I am looking for, unfortunately it is deprecated and is no longer recommended.


Visio diagram for reference. enter image description here

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

Jespa can do this. If the domains have trusts, the default Jespa HttpSecurityFilter would work. You would have to poke a hole in the firewall for Jespa to talk to TCP port 445 on the target DCs though. And you would probably want to create a DNS Records File (see Jespa Operator's Manual) to bypass DNS and still have Jespa use multiple domain controllers.

If the domains do not have trusts, you can actually still do it. But you would have to write some code to set a cookie and then lookup one of several jespa.http.HttpSecurityService instances (one for each domain) to call doFilter on. Meaning you would write a little request router to select the right domain. For a more detailed explanation ask IOPLEX Support.

Note however that if clients are not actually joined to the domain, then true single sign-on is theoretically impossible regardless of what software or protocol you use. You would have to use a "secondary" or "double sign on" style protocol like OpenID or CAS where you get redirected to some login page once. Then the client can get into any number of sites participating in that "SSO" scheme without supplying credentials again (at least for the remainder of the session anyway).


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...