Welcome to the SPNEGO SourceForge project

The intent of this project is to provide an alternative library (.jar file) that application servers (like Tomcat) can use as the means for authenticating clients (like web browsers).

If your organization is running Active Directory (AD) and all of your web applications go through Microsoft's Internet Information Services (IIS), and IIS has Integrated Windows Authentication enabled, and everyone in your organization is using Internet Explorer (IE), then this project may not be of any interest to you.

This project may also not be of any interest to you if your organization is using jCIFS as the means to achieve Single Sign-On (SSO); there are other third-party products as well as open-source projects that will silently authenticate (no username/password prompt) browser requests to a protected web page. Perhaps some of these are more suitable for your organization's needs.

However, if your organization uses Java-based web/application servers, and you prefer Kerberos/SPNEGO instead of NTLM as the authentication protocol, and you would rather have a Java Servlet Filter (JSR-53) based implementation instead of a container-specific authentication module (JSR-196), and you want SSO (no username/password prompt), and you would like an easy way of enabling authorization (authZ) at the page/button/link level, then this project may be of some interest to you.

The most effective way to get started is to first go through the pre-flight checklist. One of the goals of the checklist is to identify the configuration parameter values needed during installation and configuration of the SPNEGO HTTP Servlet Filter. There are really only two steps to the install: 1) copy the jar file and 2) modify the web.xml file.

Unfortunately, that's just the servlet filter install. You may also need to create two configuration files that your Java Runtime (JRE) will need as a part of Java's security technology framework. Specifically, these are the configuration files for the Java Authentication and Authorization Service (JAAS) package/extension and for the Java Generic Security Services (Java GSS) API. The pre-flight checklist has instructions for these as well.

Finally, there's nothing in the code base that is specific to AD. Theoretically, this code should also work with MIT Kerberos. There is also nothing in the code base that is specific to Tomcat or IE, or Windows or UNIX (but feel free to post messages in the Forum about any successes and/or failures).

Links:

pre-flight checklist

install guide - tomcat

install guide - jboss

install guide - glassfish

enable authZ with LDAP

get user group info from LDAP

reference docs

api docs

download

Troubleshooting:

HelloKDC.java

hello_spnego.jsp

HelloKeytab.java

hello_delegate.jsp

SpnegoHelloClient.java

ExampleSpnegoAuthenticatorValve.java

Examples:

create keytab for client

create keytab for app server

credential delegation

protected SOAP Web Service

tomcat authenticator valve

jboss authenticator valve

authZ for standalone apps

protecting edit button on page

Licensing:

GNU LGPL

© 2009 Darwin V. Felix. All rights reserved.