Re: [jetty-dev] Adding in spnego authentication support

[Jesse McConnell <jesse.mcconnell@xxxxxxxxx>]

Just kerberos, and its a bit finicky in the setup as spnego has to be
configured correctly or else IE will fall back to just attaching an
ntlm token to the spengo authorization header instead of properly
using kerberos.

since the jvm has been steadly picking up basic support for these
things more a fall back to ntlm is reasonable at some
point....technically the spnego spec forbids the ntlm token coming
back but microsoft doesn't generally care about such things and does
it anyway and expects people to roll with it.  I have actually been
considering testing the token to see if its ntlm and warn the log or
something about it.  there is a fair amount of discussion on that out
on various mailing lists, etc :)

cheers,
jesse

--
jesse mcconnell
jesse.mcconnell@xxxxxxxxx



On Thu, Aug 19, 2010 at 13:10, Chad La Joie <lajoie@xxxxxxxxx> wrote:
> Hey Jesse, out of curiosity, what forms of credentials does the spnego
> module support?  Only kerb or also things like NTLM?
>
> On Thu, Aug 19, 2010 at 13:58, Jesse McConnell
> <jesse.mcconnell@xxxxxxxxx> wrote:
>> I have a jetty-spnego module in the sandbox...the latest iteration as
>> no external dependencies so I am considering rolling it into
>> jetty-security now..
>>
>> any reasons not to?  I am also passively working on additional ldap
>> support for getting roles from AD but its not something that is easily
>> generic between a standard ldap server and the Microsoft variant...
>>
>> cheers,
>> jesse
>>
>> --
>> jesse mcconnell
>> jesse.mcconnell@xxxxxxxxx
>> _______________________________________________
>> jetty-dev mailing list
>> jetty-dev@xxxxxxxxxxx
>> https://dev.eclipse.org/mailman/listinfo/jetty-dev
>>
>
>
>
> --
> Chad La Joie
> www.itumi.biz
> trusted identities, delivered
> _______________________________________________
> jetty-dev mailing list
> jetty-dev@xxxxxxxxxxx
> https://dev.eclipse.org/mailman/listinfo/jetty-dev
>