Hi Garoad,

Yes, I've done this before in the MS tech stack, using Kerberos. And, I must admit that overall it is pretty damn slick. We were able to get the user's principal passed to the app server, across web service calls, and right down into the SQL Server, where we had views and procs that restricted data access.
client browsers => IIS => Other Web Services => SQL Server

We also implemented auditing based upon the Kerberos principal being available in the SQL Server layer.
With this enabled, users did not need to authenticate into the web application at all. Just being logged into Windows was all that was needed. Overall, from a coding point of view (C#), this was simple to code. But the server config for trust sharing was a bit complicated to get set up. Also, it may have been an IE feature that was picking up the Kerberos tickets and passing them to the next IIS host. But, I think that it is part of the network layer when Kerberos is used.
If you make any progress on this, please share, as I too would like to know how to do this in a Java web application.
Thanks,
Grant

On 4/4/2011 11:32 PM, Garoad wrote:
The way I understand Shiro's current Active Directory support (I'm using this now), the user needs to provide a username and password to authenticate. Ideally though, users who are already logged into the Active Directory Windows intranet domain (their login to their Windows PC) should simply be able to go to the site and either be denied access (if they don't have access to the app) or let in if they have access (which would be determined by checking for their username in the application's database). I'm not really sure how this works, but I've seen it done and I know stuff like Microsoft's SharePoint basically does this (it somehow "knows" which user is logged into the PC and limits access to pages accordingly) as well as some commercial software. (I think via Kerberos?) I think this is commonly called "Integrated Windows Authentication" as well as possibly just SSO. If I could get something like this working for any generic Java app in some re-usable form it would be very valued. (We're also using Flex/AMF with GraniteDS for the front end if that matters.)

--
View this message in context: http://shiro-user.582556.n2.nabble.com/SSO-with-a-Windows-domain-tp6236647p6241141.html
Sent from the Shiro User mailing list archive at Nabble.com.
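The SQL Server end of the chain Grant describes (views and procs keyed off the delegated Kerberos principal, plus auditing) can be sketched in T-SQL. The following is an added example written for this thread, not code from Grant's system or from Shiro; the table names, columns, the CORP domain and the AppUsers group are assumed for illustration. It also includes the one check a practitioner wants before trusting the scheme: confirming from inside a session that the double hop really delivered the end user's Kerberos identity rather than the IIS application pool account.

```sql
-- Added example (not from the thread): row-level restriction and auditing
-- in SQL Server based on the delegated Windows principal.
-- Assumed names: dbo.Orders, dbo.UserRegion, dbo.AccessAudit, CORP\AppUsers.

-- 1. Data, a constructed login-to-region mapping, and an audit table.
CREATE TABLE dbo.Orders (
    OrderId  int         NOT NULL PRIMARY KEY,
    Region   varchar(10) NOT NULL,
    Amount   money       NOT NULL
);
CREATE TABLE dbo.UserRegion (
    LoginName sysname     NOT NULL,  -- e.g. CORP\jdoe, as SUSER_SNAME() returns it
    Region    varchar(10) NOT NULL,
    PRIMARY KEY (LoginName, Region)
);
CREATE TABLE dbo.AccessAudit (
    AuditId   int IDENTITY(1,1) PRIMARY KEY,
    LoginName sysname   NOT NULL,     -- login of the current execution context
    OrigLogin sysname   NOT NULL,     -- login that opened the connection
    OrderId   int       NULL,
    AuditTime datetime2 NOT NULL DEFAULT SYSUTCDATETIME()
);
GO

-- 2. The view filters on the connection's login. When Kerberos delegation
--    works end to end, that is the browser user's domain account; callers
--    only ever see rows for regions mapped to their own login.
CREATE VIEW dbo.OrdersForCaller AS
SELECT o.OrderId, o.Region, o.Amount
FROM dbo.Orders AS o
JOIN dbo.UserRegion AS u
  ON u.Region = o.Region
WHERE u.LoginName = SUSER_SNAME();
GO

-- 3. The proc records who asked, then answers only through the view.
CREATE PROCEDURE dbo.GetOrder @OrderId int AS
BEGIN
    SET NOCOUNT ON;
    INSERT INTO dbo.AccessAudit (LoginName, OrigLogin, OrderId)
    VALUES (SUSER_SNAME(), ORIGINAL_LOGIN(), @OrderId);

    SELECT OrderId, Region, Amount
    FROM dbo.OrdersForCaller
    WHERE OrderId = @OrderId;
END;
GO

-- 4. Least privilege: the domain group may run the proc and read the view,
--    but has no direct access to the base table.
CREATE LOGIN [CORP\AppUsers] FROM WINDOWS;
CREATE USER [CORP\AppUsers] FOR LOGIN [CORP\AppUsers];
GRANT EXECUTE ON dbo.GetOrder      TO [CORP\AppUsers];
GRANT SELECT  ON dbo.OrdersForCaller TO [CORP\AppUsers];
DENY  SELECT  ON dbo.Orders        TO [CORP\AppUsers];
GO

-- 5. Check, from a session opened through the web tier, that the double hop
--    delivered Kerberos. auth_scheme should read KERBEROS (not NTLM) and the
--    login should be the end user, not the app pool or service account.
SELECT SUSER_SNAME()  AS login_name,
       c.auth_scheme  AS auth_scheme
FROM sys.dm_exec_connections AS c
WHERE c.session_id = @@SPID;
```

The check in step 5 matters because the failure mode is silent: if delegation is misconfigured, IIS connects as its own identity, every caller looks identical to the view, the audit trail records the service account for everyone, and nothing errors out. Note also that with per-user identities reaching SQL Server, connection pooling in the web tier is effectively per user, which is part of the cost of this design.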
