  1. XWiki Platform
  2. XWIKI-2496

Specialized AppServerTrusted authenticator handling Kerberos principals

Details

    • patch

    Description

      I needed users within our organization to be able to log in to XWiki via HTTP Negotiate. I'm sure this is a requirement for other companies as well.

      The easiest way IMHO to do this is to have Apache HTTPD do the heavy lifting with mod_auth_kerb. Implementing Java container/Realm HTTP Negotiate would be considerably more work.

      After Apache HTTPD has done the Kerberos authentication, one would expect to be able to simply use XWiki's AppServerTrustedAuthServiceImpl as the authentication implementation class and be done with it. However, in Kerberos the user is authenticated as a principal which looks like this: username@REALMNAME.TLD (for example: siepkes@EXAMPLE.COM). The @REALMNAME.TLD part makes it impossible to use AppServerTrustedAuthServiceImpl.

      I propose we include a simple class called AppServerTrustedKerberosAuthServiceImpl which chops off the @REALMNAME.TLD part of the principal. This works for me with: MIT-Kerberos, Apache 2 HTTP, mod_auth_kerb, mod_jk and Apache Tomcat 5.5.

      Theoretically this class should also work with IIS, mod_jk and Apache Tomcat 5.5, making it possible for Active Directory users to automatically log in via SSO. I haven't tested it, but as far as I can see this should work.
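
The realm-stripping step described above, as an added example that is not part of the original issue or its attached patch. It goes one step further than plain chopping: because username@REALM-A and username@REALM-B become the same wiki user once the realm is removed, it only maps principals from an explicit list of trusted realms. The names KerberosPrincipalMapper, toLocalUser and trustedRealms are hypothetical, and the sample principals are constructed.

```java
import java.util.Optional;
import java.util.Set;

// Added illustration: KerberosPrincipalMapper is a hypothetical, stand-alone class,
// not an XWiki class and not the code attached to this issue.
public class KerberosPrincipalMapper {
    private final Set<String> trustedRealms;

    public KerberosPrincipalMapper(Set<String> trustedRealms) {
        this.trustedRealms = trustedRealms;
    }

    /** Returns the local user name, or empty if the principal must not be mapped. */
    public Optional<String> toLocalUser(String remoteUser) {
        if (remoteUser == null) {
            return Optional.empty();
        }
        int at = remoteUser.lastIndexOf('@');
        // Require both a name and a realm: rejects "user", "@REALM" and "user@".
        if (at <= 0 || at == remoteUser.length() - 1) {
            return Optional.empty();
        }
        String name = remoteUser.substring(0, at);
        String realm = remoteUser.substring(at + 1);
        // Realm names are case-sensitive, so compare exactly against the allow-list.
        if (!trustedRealms.contains(realm)) {
            return Optional.empty();
        }
        // Reject instance components (user/admin, HTTP/host) and a second '@':
        // only plain user principals become wiki user names.
        if (name.indexOf('/') >= 0 || name.indexOf('@') >= 0) {
            return Optional.empty();
        }
        return Optional.of(name);
    }

    public static void main(String[] args) {
        KerberosPrincipalMapper mapper = new KerberosPrincipalMapper(Set.of("EXAMPLE.COM"));
        // Constructed sample values for the container's remote user.
        String[] samples = {"siepkes@EXAMPLE.COM", "siepkes@OTHER.EXAMPLE",
            "siepkes/admin@EXAMPLE.COM", "siepkes@example.com", "siepkes"};
        for (String s : samples) {
            System.out.println(s + " -> " + mapper.toLocalUser(s).orElse("(rejected)"));
        }
    }
}
```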

          People

            jerome Jerome Velociter
            jsiepkes Jasper Siepkes
            Votes: 3
            Watchers: 4