Spring Security Single Sign On in Windows Environment

Raevik · Feb 6, 2013

I have a feeling I've stumbled into a technical black hole. There have been many questions and not many (recent) answers out there.

Short summary:

I have a Windows environment operating with a domain controller and Active Directory implementation (soon to be operating with Quest's Authentication Services). I have a series of Spring-based web applications I want to deploy to this environment and we need them to operate seamlessly with Single Sign-On using the domain credentials.

It looked like the answer was this:

http://blog.springsource.org/2009/09/28/spring-security-kerberos/

I was informed by some of the local AD admins that ktpass, though, was an unsafe (principals and keys stored in a plain-text file) and outdated solution. Given the blog linked above is 3 years old, it was tough to argue.

Then I came across this:

http://forum.springsource.org/showthread.php?134465-JDK-7-0-and-Spnego-Extension-don-t-work!

Posted just a week or so ago, it looks like recent efforts to integrate SPNEGO extensions have shown that it's incompatible with JDK 7 and no longer supported!

It seems like this would be a common thing for people to want to do. I'm surprised that with a framework as widespread as Spring there's not a simple way to achieve this. Is there another approach I haven't found in the documentation?

Thanks for any insights or suggestions.

Answer

sourcedelica · Feb 7, 2013

Check out WAFFLE.

WAFFLE is a native Windows Authentication Framework consisting of two C# and Java libraries that perform functions related to Windows authentication, supporting Negotiate, NTLM and Kerberos. Waffle also includes libraries that enable drop-in Windows Single Sign On for popular Java web servers, when running on Windows.

It has a tutorial for using it with Spring Security.