Choosing Kerberos (SPNEGO) Java library for web application single sign-on
I'm currently working on implementing enterprise authentication mechanisms in our Java web-application, including single sign-on. Windows networks are what we primary target at, and Kerberos sounds a reasonable choice. Sidenote: as far as I understand, the protocol used in web (HTTP) environment to SSO is SPNEGO, and it's basically a wrapper around Kerberos. Thus it sounds that Kerberos HTTP SSO libraries in fact are using SPNEGO -- correct me if I'm wrong.
As I started investigating this topic, I realized that there's no obvious choice. Let me list those:
- Spring security Kerberos/SPNEGO extension. This was the first I looked at (as we are already using Spring security), but it seems to be stuck at v1.0.0 second milestone few years ago. Only this SO question gives slight hope it could be used for production.
- WAFFLE - Windows Authentication Functional Framework. Seems to be active and feature-rich. It can be 'plugged' as generic servlet, and also as a Spring security filter.
- SPNEGO SourceForge. Seems very lightweight, provides HTTP Servlet filter, tutorials are easy to follow.
Are there any particular reasons to choose one option over the other? Are there any other options around?
Answer
First of all, your assumption is correct. You need SPNEGO to perform SSO with HTTP.
- This can reasonably used in Spring only. If you have it, got for it. We are using it for more that two years. Does its job.
- This works on Windows only.
- Uses the same JGSS as the Spring stuff but is framework agnostic. This seems to work very well.
If you are using Tomcat 7, there is already built-in support. I have donated appropriate code. You should speficy what you exactly expect. If you have no expectations but the authentication use either 3 or 1 with Spring.