
Where should we get started setting up single sign on for a single Windows (Active Directory) domain with a Java web application?

What I DON'T mean by single sign on is that the user signs into one Java website explicitly, and then stays signed in for other Websphere sites.

We're looking for something that will effectively "detect" the Windows user that is currently logged in on the client browser's PC (Windows XP, soon to be Windows 7), and supply that user's login name to the Java WebSphere application.

The software is Java/WebSphere, with a Flex front end which we can put in a JSP if needed. (Currently it's just an html page, which is preferable. GraniteDS is used for remoting.)

The server is NOT a Windows server, so Waffle is not an option. Research so far seems to indicate that we need to use something called SPNEGO, but I've yet to find information about what the Java developer's role is when setting it up.

I'd be interested in both server-side (WebSphere) config & requirements as well as Java application configuration & code required (this seems to be difficult to locate even via Google).

Mifune

1 Answer


The Java application developer only needs to configure the Web application to rely on authentication from the container (Websphere Application Server).

The rest is all up to the configuration of the container to provide the right credentials, etc. The WAS administrator would do something like this for SPNEGO/Kerberos: http://www.redbooks.ibm.com/abstracts/sg247771.html. Further, browser configuration would need to add the site hosted by Websphere to the domains allowed within the Intranet zone and the security mechanism.

A much better 'hack' might be (not tested) to put Websphere behind IIS as in http://www.iis.net/learn/extensions/url-rewrite-module/reverse-proxy-with-url-rewrite-v2-and-application-request-routing.

In all cases, you will still need to figure out how to get Flex to get the browser to do Windows NTLM authentication, or for it to do so itself. Best of luck.

Akber Choudhry
  • We'll take a look at these links and see how it goes. One of the aspects we're looking for is how to "configure the Web application to rely on authentication from the container", not sure if that's part of a spec, app server specific, or what. – Mifune Feb 01 '13 at 21:42
  • Good. Keep us updated on how it goes. Regarding your question, it is part of the servlet spec and the web.xml of the application defines the roles and type of authentication. Containers differ on implementation but ultimately their job is to provide a user (principal) and roles to the web app. All the web app has to do is to query the user and their roles from the request. i.e. if not present, then not authenticated. For more info, please see this link: http://www.informit.com/articles/article.aspx?p=24253 – Akber Choudhry Feb 04 '13 at 18:36
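As an added example (not code from the question or the answer), here is what "configure the Web application to rely on authentication from the container" looks like in servlet-spec terms: a web.xml fragment that puts the whole application behind a container-enforced security constraint, and a servlet that only reads the principal and roles the container has already established. The servlet name, the AppUser role and the URL patterns are hypothetical. Mapping AppUser to an Active Directory group is done in WebSphere's application bindings at deploy time, and the SPNEGO trust association itself is the administrator's server configuration, not application code; the application never sees a Kerberos ticket or a password, only the resulting principal.

```java
/*
 * web.xml fragment (hypothetical names). The security-constraint makes the
 * container authenticate every request before it reaches the application; the
 * auth-method is the container's fallback for clients that cannot do SPNEGO
 * (the SPNEGO trust association interceptor on WAS runs before it).
 *
 * <security-constraint>
 *   <web-resource-collection>
 *     <web-resource-name>Whole application</web-resource-name>
 *     <url-pattern>/*</url-pattern>
 *   </web-resource-collection>
 *   <auth-constraint>
 *     <role-name>AppUser</role-name>
 *   </auth-constraint>
 * </security-constraint>
 * <login-config>
 *   <auth-method>BASIC</auth-method>
 *   <realm-name>Intranet</realm-name>
 * </login-config>
 * <security-role>
 *   <role-name>AppUser</role-name>
 * </security-role>
 */
import java.io.IOException;
import java.security.Principal;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical servlet that reports the identity the container authenticated. */
public class WhoAmIServlet extends HttpServlet {

    /** Must match the <role-name> declared in web.xml. */
    private static final String APP_ROLE = "AppUser";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The container populates this from the SPNEGO/Kerberos (or fallback) login.
        Principal user = req.getUserPrincipal();
        if (user == null) {
            // With the security-constraint above this branch should be unreachable.
            // If it is reached, the constraint is missing or misconfigured: fail
            // closed rather than falling back to a header or a client-supplied name.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        if (!req.isUserInRole(APP_ROLE)) {
            // Authenticated, but not mapped to the application role in WebSphere's bindings.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Name format (sAMAccountName vs user@REALM) depends on the WAS SPNEGO/registry
        // settings; treat it as opaque and use it for lookups, not for parsing.
        String loginName = user.getName();
        String authType = req.getAuthType(); // informational, e.g. what mechanism was used

        resp.setContentType("text/plain");
        resp.getWriter().println("user=" + loginName + " auth=" + authType);
    }
}
```

The same two calls, getUserPrincipal() and isUserInRole(), are what a GraniteDS remoting endpoint or a JSP would use; the Flex client does not need to send credentials itself as long as the browser negotiates with the server on the request that carries the remoting call, which is what the Intranet-zone browser setting mentioned in the answer enables.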