Take a look at CAS. It has the added value of:
- keeps passwords away from your container and its applications
- gives SSO!
- integrates well behind apache for a balancer and other mod_*
- works with other languages
- existing application integration
I have used it with success and replaced an expensive commercial proprietary application for SSO with it.
http://www.ja-sig.org/products/cas/
Email me offline if you need a hand with this.
- [EMAIL PROTECTED]

joe bob wrote:
> Hi,
> I would like to use kerberos in conjunction with container managed
> security. I have configured a JAASRealm with Sun's kerberos LoginModule and
> a basic scenario works fine. I.e., if a user accesses a protected URL, he is
> challenged with a login screen. The user/password he enters is validated
> against the kerberos system correctly.
>
> We now have a requirement to honor kerberos password policies, for example
> the "mandatory-password-change" flag. When set, the user gets a valid ticket
> but all he can do is change his password. I tried doing this via my standard
> configuration and the kerberos LoginModule throws an exception indicating
> the user must change his password, but the tomcat form authentication logic
> seems to treat this as an invalid login and just redirects the user to the
> error page with no way for the application to differentiate this situation.
>
> Is it possible to honor kerberos password policies using JAAS and container
> managed security? I have looked through the source and the answer appears
> no. JAASRealm seems to catch various exceptions (e.g.
> AccountExpiredException) but in the end just returns null to
> FormAuthenticator, as the authenticate() signature does not allow any checked
> exceptions to be thrown and the FormAuthenticator implementation doesn't
> seem to anticipate any runtime exceptions from this method.
>
> I would much prefer to use container managed security for the usual reasons
> but also to get (clustered) SSO support. Does anyone see something I missed
> or have any ideas? Can I use the standard SSO valve with application managed
> security somehow? Seems doubtful.
>
> Thanks.
> Kireet <[EMAIL PROTECTED]>
>

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
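To make concrete the distinction Kireet describes the container hiding, here is an added example (not from the thread and not Tomcat's or CAS's code): an application-managed login that calls JAAS directly and keeps CredentialExpiredException and AccountExpiredException separate from a plain failed login, instead of collapsing everything to null the way JAASRealm.authenticate() must. It assumes a JAAS login configuration entry named `KerberosApp` (hypothetical name) that lists Sun's Krb5LoginModule, and a reachable KDC.

```java
import java.io.IOException;
import java.util.Arrays;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;

/** Added example: surfaces Kerberos password-policy outcomes that a
 *  Principal-or-null realm interface cannot express to the application. */
public class KerberosPolicyAwareLogin {

    /** Outcome the web application can act on, e.g. redirect to a
     *  change-password page rather than the generic error page. */
    public enum Outcome { OK, MUST_CHANGE_PASSWORD, ACCOUNT_EXPIRED, FAILED }

    /** Feeds the submitted user name and password to the LoginModule's callbacks. */
    static CallbackHandler handlerFor(final String user, final char[] password) {
        return new CallbackHandler() {
            public void handle(Callback[] callbacks)
                    throws IOException, UnsupportedCallbackException {
                for (Callback cb : callbacks) {
                    if (cb instanceof NameCallback) {
                        ((NameCallback) cb).setName(user);
                    } else if (cb instanceof PasswordCallback) {
                        ((PasswordCallback) cb).setPassword(password);
                    } else {
                        throw new UnsupportedCallbackException(cb);
                    }
                }
            }
        };
    }

    /** Runs the JAAS login and maps the checked exceptions to an Outcome.
     *  Subclass catches come first; LoginException is the catch-all. */
    public static Outcome login(String user, char[] password) {
        try {
            // "KerberosApp" is an assumed entry name in the JAAS config file
            // (java.security.auth.login.config) that names Krb5LoginModule.
            LoginContext lc = new LoginContext("KerberosApp", handlerFor(user, password));
            lc.login();
            return Outcome.OK;
        } catch (CredentialExpiredException e) {
            return Outcome.MUST_CHANGE_PASSWORD; // policy outcome, not a bad password
        } catch (AccountExpiredException e) {
            return Outcome.ACCOUNT_EXPIRED;
        } catch (LoginException e) {
            return Outcome.FAILED;               // FailedLoginException and anything else
        } finally {
            Arrays.fill(password, '\0');         // do not keep the clear-text password around
        }
    }
}
```

Which of these exception types Krb5LoginModule actually raises for the mandatory-change case depends on the JDK in use; if it only raises a plain LoginException, the catch-all branch is where the KDC's reason would have to be inspected.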