> Does that mean that Tomcat treats WIA similar to HTTP BASIC (or maybe
> DIGEST) unless you've approved a particular domain/host? That's
> interesting. Can you just enter anything you'd like? For instance, can
> I authenticate to a server that is expecting WIA from a Linux
> workstation just by entering my domain credentials into the dialog?
> That certainly sounds nice: the Microsoft Windows crowd doesn't have
> to authenticate (explicitly, that is... their credentials are that
> they are currently logged-into a machine on the network) but everyone
> else can also get in.
>
If Tomcat is set up to work with SPNEGO authentication, then when a new session requires authentication, the server asks the client for a Kerberos token. Under IE this will be passed silently. Under FF, if you have configured "network.automatic-ntlm-auth.trusted-uris" with the URL of the server, this will be passed silently.

If you set up your *nix machines to log in to Active Directory, they will have a Kerberos token. If you also make the FF setting change, they too will then be able to silently log in by sending through the Kerberos token.

I think as you configure the server, you can specify what to do if SPNEGO fails. I guess one option would be to fall back to HTTP basic. If you didn't want to get the *nix machines to log in to Active Directory, then I guess that would be a way to go.

Guess that it all depends on the security requirements.

HTH

Chris
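
The reply above describes the server asking for a Kerberos token and possibly falling back to HTTP basic. As an added example (not from the thread and not Tomcat's code), this Python classifies what a client actually sent in the `Authorization` header, which helps when diagnosing why a silent login did not happen; the function names and sample tokens are constructed for illustration.

```python
import base64

# DER-encoded mechanism OIDs (value bytes only).
SPNEGO_OID = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2
NTLMSSP = b"NTLMSSP\x00"                          # signature of a raw NTLM message


def gss_mech_oid(token):
    """Return the mechanism OID bytes of a GSS-API initial token, or None."""
    if len(token) < 4 or token[0] != 0x60:        # 0x60 = [APPLICATION 0]
        return None
    pos = 1
    if token[pos] & 0x80:                         # long-form DER length
        pos += 1 + (token[pos] & 0x7F)
    else:
        pos += 1
    if pos + 2 > len(token) or token[pos] != 0x06:  # 0x06 = OBJECT IDENTIFIER
        return None
    oid_len = token[pos + 1]
    oid = token[pos + 2:pos + 2 + oid_len]
    return oid if len(oid) == oid_len else None


def classify_authorization(header_value):
    """Classify an Authorization header value; credentials are not validated."""
    scheme, _, blob = header_value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme not in ("basic", "negotiate"):
        return "unsupported"
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except ValueError:                            # binascii.Error is a ValueError
        return "malformed"
    if scheme == "basic":
        # Basic is only base64("user:password"), so it needs TLS underneath.
        return "basic" if b":" in raw else "malformed"
    if raw.startswith(NTLMSSP):
        return "ntlm-in-negotiate"                # client had no Kerberos ticket
    oid = gss_mech_oid(raw)
    return {SPNEGO_OID: "spnego", KRB5_OID: "kerberos"}.get(oid, "malformed")


def make_header(scheme, raw):
    """Build a constructed sample header from raw token bytes."""
    return scheme + " " + base64.b64encode(raw).decode()
```

A result of `ntlm-in-negotiate` means the client answered the Negotiate challenge without a Kerberos ticket, which is the case where a fallback decision on the server matters.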