I have an embedded Tomcat running in a web application and I want to implement an SSO login for it. It should work as follows: the users in an intranet (where Kerberos is in use) can access this web app without re-entering their credentials after they have authenticated themselves against Kerberos. I had a suggestion for getting it done, which looks like the following handshake:
1. The user enters the URL in a browser to access the app.
2. For Kerberos over HTTP it is common to use the SPNEGO protocol (is that correct?). After this request the server sends back the following header:
   HTTP/1.1 401 Unauthorized
   WWW-Authenticate: Negotiate
3. If the browser understands SPNEGO (most do), it sends back the following header:
   Authorization: Negotiate a87421000492aa874209af8bc028
4. Possibly the server sends a token confirmation back.
* Must Tomcat be involved in this scenario somewhere?
* Can I get this done without passing through Tomcat?
* Where should the authentication in the web app be implemented (a valve or a normal servlet in the web app)?
* Does anybody have an idea to get this better or simpler, or is it OK?
* Some code examples would be very helpful.
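The handshake described in the question, as an added example that is not code from the question or from any answer: a servlet Filter (one of the two placements asked about) that issues the 401 Negotiate challenge, decodes the browser's Authorization: Negotiate token and validates it with the JDK's JGSS API, then records the Kerberos principal in the session. It assumes the javax.servlet API (Tomcat 9 or earlier; Tomcat 10+ uses jakarta.servlet), a JAAS login entry named SpnegoAcceptor that loads the service keytab, and the package and session-attribute names, all of which are made up for this example.

```java
package example.sso; // hypothetical package name for the example

import java.io.IOException;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;

import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;

/** Servlet filter that performs the SPNEGO ("HTTP Negotiate") handshake with JGSS. */
public class SpnegoFilter implements Filter {

    private static final String NEGOTIATE = "Negotiate";
    /** JAAS login entry that holds the service keytab (assumed name, see usage note). */
    private static final String JAAS_ENTRY = "SpnegoAcceptor";
    /** Session attribute under which the authenticated principal is stored (example name). */
    private static final String PRINCIPAL_ATTR = "sso.principal";

    private Subject serviceSubject;

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        try {
            // Acquire the service credentials (HTTP/host@REALM from the keytab) once at startup.
            LoginContext lc = new LoginContext(JAAS_ENTRY);
            lc.login();
            serviceSubject = lc.getSubject();
        } catch (LoginException e) {
            throw new ServletException("Service login via JAAS entry " + JAAS_ENTRY + " failed", e);
        }
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // Already authenticated earlier in this session: no handshake needed.
        HttpSession existing = req.getSession(false);
        if (existing != null && existing.getAttribute(PRINCIPAL_ATTR) != null) {
            chain.doFilter(request, response);
            return;
        }

        String auth = req.getHeader("Authorization");
        if (auth == null || !auth.startsWith(NEGOTIATE + " ")) {
            // Step 2 of the handshake: challenge the browser.
            resp.setHeader("WWW-Authenticate", NEGOTIATE);
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Step 3: the browser's token is base64 inside "Authorization: Negotiate <token>".
        byte[] inToken = decodeToken(auth.substring(NEGOTIATE.length()).trim());
        if (inToken == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Malformed Negotiate token");
            return;
        }

        String principal;
        try {
            // Validate the token under the service's Kerberos credentials.
            principal = Subject.doAs(serviceSubject, (PrivilegedExceptionAction<String>) () -> {
                GSSManager manager = GSSManager.getInstance();
                GSSContext ctx = manager.createContext((GSSCredential) null); // default acceptor credential from the Subject
                try {
                    byte[] outToken = ctx.acceptSecContext(inToken, 0, inToken.length);
                    if (outToken != null && outToken.length > 0) {
                        // Step 4: the server's confirmation token (mutual authentication) goes back to the browser.
                        resp.setHeader("WWW-Authenticate",
                                NEGOTIATE + " " + Base64.getEncoder().encodeToString(outToken));
                    }
                    return ctx.isEstablished() ? ctx.getSrcName().toString() : null;
                } finally {
                    ctx.dispose();
                }
            });
        } catch (PrivilegedActionException e) {
            // Typically a GSSException: bad or expired ticket, NTLM instead of Kerberos, clock skew.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        if (principal == null) {
            // Context not yet established: another round trip is required (rare for pure Kerberos).
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        req.getSession(true).setAttribute(PRINCIPAL_ATTR, principal); // e.g. "alice@EXAMPLE.ORG"
        chain.doFilter(request, response);
    }

    /** Returns the decoded token, or null if the header value is not valid base64. */
    static byte[] decodeToken(String base64) {
        try {
            return Base64.getDecoder().decode(base64);
        } catch (IllegalArgumentException e) {
            return null;
        }
    }

    @Override
    public void destroy() {
        serviceSubject = null;
    }
}
```

To run it, map the filter in web.xml (or register it programmatically on the embedded Tomcat context), point the JVM at a JAAS configuration whose SpnegoAcceptor entry uses com.sun.security.auth.module.Krb5LoginModule with useKeyTab=true, storeKey=true, isInitiator=false, keyTab pointing at the service keytab and principal set to the HTTP/host@REALM service principal, and make sure the browser treats the site as an intranet site so that it is willing to send Negotiate tokens. A browser without a Kerberos ticket may answer the challenge with an NTLM token inside the Negotiate header; JGSS rejects that with a GSSException, which this filter turns into a plain 401 rather than letting the request through.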