MakoBuk

Reputation: 652

Java app secured by KERBEROS

I would like to secure my Java web app by KERBEROS. Does anyone know what is required to do that and how much I would have to change my app if my current users are stored in a MySQL database? Is it necessary to use a VPN? If I understand right, each of the clients authenticates over the KDS in the same domain, but my app is on a remote server (not in the same domain?).

Upvotes: 1

Views: 453

Answers (1)

Vlad

Reputation: 9481

You have to give us more details about your app and your environment. What Kerberos does is provide a way for the user to prove that he is indeed who he claims to be. Optionally you can verify that he is coming from the IP address that he claims to come from, although the latter is rarely used due to NAT / proxies / load balancers.

What container does your app run in? Most of the modern servlet containers (JBoss / WebSphere) provide Kerberos authentication out of the box. You just need to adjust your web.xml or, in the case of WebSphere, just configure the app correctly.

Do you have Kerberos infrastructure in place? If you are in an enterprise Windows environment with an Active Directory domain controller, you already do. In this case you need to configure the workstations to be on the domain. The simplest case is if your workstations are members of the domain, the Active Directory controller is also your DNS server, your application is running in the local domain and your browser is IE or Chrome. Otherwise you need to do some extra configuration.

The VPN is not necessary, although if you have one it will simplify things a bit.

As for your domain question, there is a lot of confusion, especially among Windows admins, over what a domain actually is. A domain could be a DNS domain like stackoverflow.com, or it could be an Active Directory domain, which is something completely different. In classical Unix Kerberos the Kerberos domain is called a REALM, and there is a configuration file that maps DNS domains to Kerberos realms.

Your app could be in any DNS domain you want; it could be in any Active Directory domain as well, but in that case there must be a trust relationship established between the different domains.

The bottom line is that, as a bare minimum, you have to configure two things. The DNS server must have SRV records so that the browser can find the KDC server. And you have to register your app in the KDC.

For more details, google it or look here:

Upvotes: 2
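The answer's bare minimum (a DNS-domain-to-realm mapping, an SRV record the browser can use to find a KDC, and a service principal registered for the app) can be checked before touching the container. The following is an added example, not code from the question or the answer: it parses a constructed krb5.conf fragment, resolves the app's hostname to a realm with the same exact-host-then-longest-suffix rule that the [domain_realm] section uses, derives the SRV name and the HTTP/ service principal the browser will ask for, and reports whether that principal is registered and whether the user's realm differs from the app's realm (the case where the answer says a trust is required). All realm and host names (CORP.EXAMPLE.COM, APPS.EXAMPLE.NET, the hosts under them) are hypothetical.

```python
import re
from typing import Dict, Optional, Set

# Constructed krb5.conf fragment for this example; the realm and host names
# are hypothetical. .corp.example.com (leading dot) matches every host below
# that DNS domain, corp.example.com (no dot) matches only that exact host.
KRB5_CONF = """
[libdefaults]
    default_realm = CORP.EXAMPLE.COM
    dns_lookup_kdc = true

[domain_realm]
    .corp.example.com = CORP.EXAMPLE.COM
    corp.example.com = CORP.EXAMPLE.COM
    .apps.example.net = APPS.EXAMPLE.NET
"""


def parse_krb5_conf(conf: str) -> Dict[str, Dict[str, str]]:
    """Parse the flat 'key = value' sections of a krb5.conf into nested dicts.
    Enough for [libdefaults] and [domain_realm]; nested {...} blocks such as
    those under [realms] are not handled here."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in conf.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        header = re.fullmatch(r'\[([A-Za-z_]+)\]', line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if current is not None and '=' in line:
            key, value = (part.strip() for part in line.split('=', 1))
            sections[current][key] = value
    return sections


def realm_for_host(host: str, domain_realm: Dict[str, str],
                   default_realm: Optional[str] = None) -> Optional[str]:
    """Map a hostname to a realm the way [domain_realm] is consulted: an exact
    hostname entry wins, then the longest matching '.suffix' entry, then the
    default realm (None if there is none)."""
    mapping = {k.lower(): v.upper() for k, v in domain_realm.items()}
    host = host.lower().rstrip('.')
    if host in mapping:
        return mapping[host]
    labels = host.split('.')
    for i in range(1, len(labels)):              # longest suffix first
        suffix = '.' + '.'.join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return default_realm.upper() if default_realm else None


def kdc_srv_name(realm: str) -> str:
    """DNS SRV name a client resolves to locate a KDC for the realm
    when dns_lookup_kdc is enabled."""
    return f"_kerberos._tcp.{realm.lower()}"


def service_principal(url_host: str, realm: str, service: str = "HTTP") -> str:
    """Principal the browser requests a ticket for when it hits the URL host.
    The service class is HTTP for both http:// and https:// URLs."""
    return f"{service}/{url_host.lower().rstrip('.')}@{realm}"


def check_spnego_setup(url_host: str, user_realm: str,
                       registered_spns: Set[str], conf: str = KRB5_CONF) -> Dict[str, object]:
    """Summarise what must hold for SPNEGO against the app to work:
    which realm the app host maps to, where the KDC is looked up, which SPN
    must exist, and whether a cross-realm trust is needed."""
    sections = parse_krb5_conf(conf)
    app_realm = realm_for_host(url_host, sections.get('domain_realm', {}),
                               sections.get('libdefaults', {}).get('default_realm'))
    spn = service_principal(url_host, app_realm) if app_realm else None
    return {
        "app_realm": app_realm,
        "kdc_srv": kdc_srv_name(app_realm) if app_realm else None,
        "spn": spn,
        "spn_registered": spn in registered_spns,
        "cross_realm_trust_needed": app_realm is not None
                                    and app_realm != user_realm.upper(),
    }


if __name__ == "__main__":
    # The app is reached through an alias nobody registered an SPN for: the
    # browser asks for HTTP/intranet.corp.example.com, the KDC has only
    # HTTP/app.corp.example.com, and the user falls back to another scheme.
    print(check_spnego_setup("intranet.corp.example.com", "CORP.EXAMPLE.COM",
                             {"HTTP/app.corp.example.com@CORP.EXAMPLE.COM"}))
```

The `registered_spns` set stands in for what the KDC actually knows. In Active Directory the SPN is attached to the service account with `setspn -S HTTP/app.corp.example.com svc_app` and the matching keytab for the container is exported with `ktpass` against that account; both the account name `svc_app` and the host are assumptions for this example. Every host name users type into the browser (aliases and load-balancer names included) needs its own `HTTP/<host>` SPN, which is the mismatch the `__main__` case reproduces.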
