I have a feeling I've stumbled into a technical black hole. There have been many questions and not many (recent) answers out there.
Short summary:
I have a Windows environment operating with a domain controller and Active Directory implementation (soon to be operating with Quest's Authentication Services). I have a series of Spring-based web applications I want to deploy to this environment and we need them to operate seamlessly with Single Sign-On using the domain credentials.
It looked like the answer was this:
http://blog.springsource.org/2009/09/28/spring-security-kerberos/
I was informed by some of the local AD admins that ktpass, though, was an unsafe (principals and keys stored in a plain-text file) and outdated solution. Given the blog linked above is 3 years old, it was tough to argue.
Then I came across this:
http://forum.springsource.org/showthread.php?134465-JDK-7-0-and-Spnego-Extension-don-t-work!
Posted just a week or so ago, it looks like recent efforts to integrate SPNEGO extensions have shown that it's incompatible with JDK 7 and no longer supported!
It seems like this would be a common thing for people to want to do. I'm surprised that with a framework as widespread as Spring there's not a simple way to achieve this. Is there another approach I haven't found in the documentation?
Thanks for any insights or suggestions.
Check out WAFFLE.
WAFFLE is a native Windows Authentication Framework consisting of two C# and Java libraries that perform functions related to Windows authentication, supporting Negotiate, NTLM and Kerberos. Waffle also includes libraries that enable drop-in Windows Single Sign On for popular Java web servers, when running on Windows.
It has a tutorial for using it with Spring Security.