使用SPNEGO / Kerberos和委派的Tomcat认证 [英] Tomcat authentication using SPNEGO/Kerberos and delegation

问题描述

有没有实现Kerberos身份验证被Tomcat使用Apache模块，同时还支持Kerberos委派？

Is there an apache module that implements Kerberos authentication for use by Tomcat and also supports Kerberos delegation?

我已经看了mod_spnego它扔掉了SSPI上下文它创建只保留主体名称。相反，我正在寻找一个模块，将允许发送到Tomcat票的代表团 - 也就是，以发送用于验证的服务票据和使用它的服务器端代表用户访问其他服务。

I've already looked at mod_spnego and it throws away the SSPI context it creates only keeping the principal name. Instead, I'm looking for a module that would allow for the delegation of the ticket sent to Tomcat - that is, taking the service ticket sent for authentication and using it server side to access another service on behalf of the user.

编辑：为了澄清，我需要使用GSS / SSPI上下文，所以当传统code连接到另一台服务器上，将使用委派凭据的Win32下模仿

To clarify, I need to impersonate under Win32 using the GSS/SSPI context so when legacy code connects to another server, the delegated credentials are used.

推荐答案

WAFFLE （Windows身份验证功能框架）现在提供该功能从v1.4beta开始。

WAFFLE (Windows Authentication Functional Framework) now provides that feature starting from v1.4beta.

它提供了使用本地的Windows API来验证用户ServletFilter中，无论是使用基本或协商身份验证。然后，用户可以模拟，和原生API的调用将与模拟用户的访问令牌来执行。

It provides a ServletFilter that uses native Windows APIs to authenticate the user, either using Basic or Negotiate authentication. The user then can be impersonated, and native APIs calls will be performed with the access token of the impersonated user.

这篇关于使用SPNEGO / Kerberos和委派的Tomcat认证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！