为Web应用程序单点登录选择Kerberos(SPNEGO)Java库 [英] Choosing Kerberos (SPNEGO) Java library for web application single sign-on

问题描述

我目前正在努力在Java Web应用程序中实现企业身份验证机制，包括单点登录. Windows网络是我们的主要目标，而Kerberos听起来是一个合理的选择.旁注:据我了解，Web(HTTP)环境中用于SSO的协议是SPNEGO，它基本上是Kerberos的包装.因此，听起来Kerberos HTTP SSO库实际上正在使用SPNEGO －如果我错了，请纠正我.

I'm currently working on implementing enterprise authentication mechanisms in our Java web-application, including single sign-on. Windows networks are what we primary target at, and Kerberos sounds a reasonable choice. Sidenote: as far as I understand, the protocol used in web (HTTP) environment to SSO is SPNEGO, and it's basically a wrapper around Kerberos. Thus it sounds that Kerberos HTTP SSO libraries in fact are using SPNEGO -- correct me if I'm wrong.

当我开始研究这个主题时，我意识到没有明显的选择.让我列出这些:

As I started investigating this topic, I realized that there's no obvious choice. Let me list those:

1. Spring安全性Kerberos/SPNEGO扩展.这是我第一次查看(因为我们已经在使用Spring安全性)，但是几年前它似乎停留在v1.0.0的第二个里程碑上.只有这个 SO问题，它才有望将其用于生产.
2. WAFFLE-Windows身份验证功能框架.似乎很活跃并且功能丰富.可以将其插入"为通用Servlet，也可以作为 Spring安全过滤器.
3. SPNEGO SourceForge .似乎很轻巧，提供了HTTP Servlet过滤器，教程很容易理解.

1. Spring security Kerberos/SPNEGO extension. This was the first I looked at (as we are already using Spring security), but it seems to be stuck at v1.0.0 second milestone few years ago. Only this SO question gives slight hope it could be used for production.
2. WAFFLE - Windows Authentication Functional Framework. Seems to be active and feature-rich. It can be 'plugged' as generic servlet, and also as a Spring security filter.
3. SPNEGO SourceForge. Seems very lightweight, provides HTTP Servlet filter, tutorials are easy to follow.

是否有某些特殊的理由选择一个选项而不是另一个?周围还有其他选择吗?

Are there any particular reasons to choose one option over the other? Are there any other options around?

推荐答案

首先，您的假设是正确的.您需要SPNEGO才能通过HTTP执行SSO.

First of all, your assumption is correct. You need SPNEGO to perform SSO with HTTP.

1. 只能在Spring中合理使用.如果有，那就去买.我们已经使用了两年多.发挥作用.
2. 这仅适用于Windows.
3. 使用与Spring相同的JGSS，但与框架无关.看来效果很好.

如果您正在使用Tomcat 7，则已经内置了支持.我已经捐赠了适当的代码.您应该毫不掩饰您的确切期望.如果您别无所求，但是对Spring的身份验证请使用3或1.

If you are using Tomcat 7, there is already built-in support. I have donated appropriate code. You should speficy what you exactly expect. If you have no expectations but the authentication use either 3 or 1 with Spring.

这篇关于为Web应用程序单点登录选择Kerberos(SPNEGO)Java库的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！