Hi All,

I am working on a SPNEGO/NEGOTIATE implementation for Geronimo. I have done some research on this and have come to the following conclusion on how to develop one implementation for Geronimo.

1) Browser accesses a secured resource.
2) Our custom authenticator will respond with a 401 response and a header WWW-Authenticate: NEGOTIATE. This will tell the browser that we want to use the NEGOTIATE authentication protocol.
3) The browser will now require a service ticket. Now we need to send a request to AD to issue a ticket.
4) The browser tries to access the resource again and sends another HTTP request with the following header WWW-authorization: NEGOTIATE encoded-spnego-token, where encoded-spnego-token is the SPNEGO token encoded in base64... basically it is a wrapper around a service ticket.
5) The custom authenticator unwraps the SPNEGO token and acquires the service ticket.
6) If all is well then the authenticator returns success and control is passed to the servlet container, which sends back the requested resource.

Here are some of my inputs on how we can develop a solution for Apache Geronimo:

1) A custom valve can be written which can then be introduced in the pipeline. Will this new valve use AuthenticatorBase, or will it be enough to have it extend ValveBase? There is an example where ssovalve is introduced in the pipeline for Geronimo.
2) We may have to implement the interfaces org.ietf.jgss GSSName, GSSContext, GSSName and make use of classes like GSSManager and GSSException.
3) Some configuration on the browser side may also be required; however I am not sure on this as of now.
4) Does this require code changes to BasicAuthenticator, FormAuthenticator, AuthenticatorBase of Tomcat?

Please provide your comments and suggestions.

Thanks and Regards
Ashish Jain
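The six-step flow above, written out as a Tomcat-style Valve that does the Negotiate challenge and then accepts the SPNEGO token through JGSS. This is an added example, not code from the thread or from Geronimo; it assumes the Tomcat Valve API (org.apache.catalina.connector.Request/Response, ValveBase), Java 8 or later, and a JAAS login entry (the name "SpnegoService" is a placeholder) that uses Krb5LoginModule with the HTTP/<host>@<REALM> keytab, so that the server-side GSS credential can be found.

```java
import java.io.IOException;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;

import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/**
 * Negotiate (SPNEGO) valve for a Tomcat/Geronimo pipeline.
 * Steps 2, 4, 5 and 6 of the flow: challenge, decode the token,
 * accept it through JGSS, then hand the request to the next valve.
 */
public class NegotiateValve extends ValveBase {

    private static final String NEGOTIATE = "Negotiate";
    private static final String SPNEGO_OID = "1.3.6.1.5.5.2"; // SPNEGO mechanism OID

    // Assumed JAAS entry name (placeholder, not defined by Geronimo):
    // Krb5LoginModule with the service principal's keytab.
    private final String jaasEntry = "SpnegoService";

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        String authz = request.getHeader("Authorization");
        if (authz == null
                || !authz.regionMatches(true, 0, NEGOTIATE + " ", 0, NEGOTIATE.length() + 1)) {
            challenge(response, null);          // step 2: 401 + WWW-Authenticate: Negotiate
            return;
        }
        final byte[] inToken;
        try {
            inToken = Base64.getDecoder().decode(authz.substring(NEGOTIATE.length() + 1).trim());
        } catch (IllegalArgumentException e) {
            challenge(response, null);          // malformed base64: start over
            return;
        }
        try {
            // Log in as the service principal so JGSS can find its Kerberos key.
            LoginContext lc = new LoginContext(jaasEntry);
            lc.login();
            Subject service = lc.getSubject();
            GSSName client = Subject.doAs(service,
                    (PrivilegedExceptionAction<GSSName>) () -> accept(inToken, response));
            if (client == null) {
                return;                         // continuation token already sent
            }
            request.setAttribute("negotiate.principal", client.toString());
            getNext().invoke(request, response); // step 6: success, pass control on
        } catch (LoginException | PrivilegedActionException e) {
            challenge(response, null);          // bad ticket or service login failure: 401
        }
    }

    /** Step 5: unwrap the SPNEGO token and validate the service ticket inside it. */
    private GSSName accept(byte[] inToken, Response response) throws GSSException, IOException {
        GSSManager manager = GSSManager.getInstance();
        GSSCredential serverCred = manager.createCredential(null,
                GSSCredential.INDEFINITE_LIFETIME, new Oid(SPNEGO_OID), GSSCredential.ACCEPT_ONLY);
        GSSContext ctx = manager.createContext(serverCred);
        try {
            byte[] outToken = ctx.acceptSecContext(inToken, 0, inToken.length);
            if (!ctx.isEstablished()) {
                challenge(response, outToken);  // multi-leg negotiation: send continuation
                return null;
            }
            if (outToken != null) {             // mutual-auth reply the browser may expect
                response.setHeader("WWW-Authenticate",
                        NEGOTIATE + " " + Base64.getEncoder().encodeToString(outToken));
            }
            return ctx.getSrcName();            // authenticated client principal
        } finally {
            ctx.dispose();
            serverCred.dispose();
        }
    }

    private static void challenge(Response response, byte[] token) throws IOException {
        String value = token == null
                ? NEGOTIATE
                : NEGOTIATE + " " + Base64.getEncoder().encodeToString(token);
        response.setHeader("WWW-Authenticate", value);
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }
}
```

Two points about the design questions in the mail: logging in through JAAS on every request is only for clarity, a real valve would do it once and cache the Subject; and extending ValveBase as shown leaves BasicAuthenticator, FormAuthenticator and AuthenticatorBase untouched, at the cost that the principal is only stored as a request attribute rather than registered with the container the way AuthenticatorBase does.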