Tomcat Integrated Windows Authentication across Multiple Domains


Question

I am attempting to create a single sign-on system in which an application, running on a Tomcat server in a DMZ that is not joined to any domain, is able to authenticate against multiple domains while still automatically logging the user in using their Windows credentials.

Key requirements:

  • Must support multiple domains
  • Users in a supported domain must not be prompted for credentials
  • The web server cannot be on a domain
  • The web server is in a DMZ
  • Must support Tomcat 6

Is this even possible and if so is there any sort of framework that supports doing this? I've looked at JOSSO, Shibboleth, and OpenAM but none of them seem to meet all five of the requirements.

The JCIFS NtlmHttpFilter looks like exactly what I am looking for, unfortunately it is deprecated and is no longer recommended.

Visio diagram for reference.

Recommended answer

Jespa can do this. If the domains have trusts, the default Jespa HttpSecurityFilter would work. You would have to poke a hole in the firewall for Jespa to talk to TCP port 445 on the target DCs though. And you would probably want to create a DNS Records File (see Jespa Operator's Manual) to bypass DNS and still have Jespa use multiple domain controllers.

If the domains do not have trusts, you can actually still do it. But you would have to write some code to set a cookie and then look up one of several jespa.http.HttpSecurityService instances (one for each domain) to call doFilter on. Meaning you would write a little request router to select the right domain. For a more detailed explanation ask IOPLEX Support.

Note however that if clients are not actually joined to the domain, then true single sign-on is theoretically impossible regardless of what software or protocol you use. You would have to use a "secondary" or "double sign on" style protocol like OpenID or CAS where you get redirected to some login page once. Then the client can get into any number of sites participating in that "SSO" scheme without supplying credentials again (at least for the remainder of the session anyway).
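As an added example (not code from the answer above or from IOPLEX), this is the shape the "little request router" could take as a plain servlet filter on Tomcat 6 (Servlet 2.5). The cookie name, the /selectDomain path, and wrapping each per-domain Jespa instance as a standard javax.servlet.Filter are assumptions, since Jespa's own API is not shown on this page; the point it adds is that the selector cookie is client-controlled and must only pick from an allowlist of configured domains, never authenticate on its own.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.*;

// Routes each request to the authentication filter configured for the domain
// named in a selector cookie. The cookie only chooses which authenticator
// runs; it never grants access by itself.
public class DomainRoutingFilter implements Filter {
    static final String COOKIE_NAME = "authDomain"; // hypothetical cookie name

    // One initialised authentication filter per domain (assumption: each Jespa
    // instance is wrapped as a servlet Filter). Keys are upper-case domain names.
    private final Map<String, Filter> perDomain;

    public DomainRoutingFilter(Map<String, Filter> perDomain) {
        this.perDomain = Collections.unmodifiableMap(perDomain);
    }

    // Returns the configured domain the cookie selects, or null if absent/unknown.
    static String selectDomain(Cookie[] cookies, Map<String, Filter> configured) {
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (!COOKIE_NAME.equals(c.getName()) || c.getValue() == null) continue;
            String domain = c.getValue().trim().toUpperCase(java.util.Locale.ROOT);
            // Allowlist check: the cookie is client-controlled, so only a
            // domain that was explicitly configured may be selected.
            if (configured.containsKey(domain)) return domain;
        }
        return null;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String domain = selectDomain(request.getCookies(), perDomain);
        if (domain == null) {
            // No usable selector: send the user to a page where they pick their
            // domain and the cookie is set, then they retry the original URL.
            response.sendRedirect(request.getContextPath() + "/selectDomain");
            return;
        }
        perDomain.get(domain).doFilter(req, res, chain);
    }
    public void init(FilterConfig cfg) {}
    public void destroy() {}
}
```

Each per-domain filter still performs the actual Windows authentication; a forged or stale cookie can at most select a different configured authenticator, which then still has to succeed.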
