Kerberos and HTTP Session using Spring Security


cc

Nov 17, 2015, 4:29:09 AM
to waffle
Hi everyone,

We have a stateful application, utilizing Spring Security's create-session="ifRequired" attribute.

When using Kerberos, correct me if I'm wrong, but it seems like the user's Kerberos token is constantly verified, the SessionManagementFilter is not used.

Is this 'works as designed'?  Does the Kerberos protocol expect to verify the token on every request?  Does the application server contact the domain controller to verify the token?

Is there a way to configure the Spring Security to first check the Session, and only perform Negotiate when there is no valid session?


Many thanks,
Chris




Daniel Doubrovkine

Nov 17, 2015, 6:55:46 AM
to waffle...@googlegroups.com
I believe SessionManagementFilter should be used, however if the protocol chosen is NTLM and not Kerberos (Negotiate automatically chooses) then the auth is per-connection, so you might be seeing a lot of re-auth. Logs should clear that.

--
You received this message because you are subscribed to the Google Groups "waffle" group.
To unsubscribe from this group and stop receiving emails from it, send an email to waffle-users...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
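Chris's question above is whether the chain can consult the HTTP session first and only fall back to Negotiate when no valid session exists. The wrapper below is an added illustration of that pattern and is not code from the Waffle project or from either poster. It assumes the standard Spring Security ordering, in which SecurityContextPersistenceFilter has already restored any session-stored SecurityContext before a filter placed at the BASIC_AUTH_FILTER position runs; the class name, package and constructor wiring are assumptions chosen for the example.

```java
package example.security; // hypothetical package name (assumption)

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Runs the wrapped Negotiate filter (for example Waffle's
 * waffle.spring.NegotiateSecurityFilter) only when the request does not
 * already carry an authenticated, session-backed principal.
 *
 * Ordering assumption: this filter is registered at the BASIC_AUTH_FILTER
 * position of the Spring Security chain, so SecurityContextPersistenceFilter
 * has already loaded any SecurityContext stored in the HTTP session.
 */
public class SessionFirstNegotiateFilter extends OncePerRequestFilter {

    private final Filter negotiateFilter;

    public SessionFirstNegotiateFilter(Filter negotiateFilter) {
        this.negotiateFilter = negotiateFilter;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain)
            throws ServletException, IOException {
        if (hasAuthenticatedPrincipal()) {
            // A session was established on an earlier request: skip the
            // Negotiate round trip and let the request continue down the chain.
            chain.doFilter(request, response);
            return;
        }
        // No usable session: hand over to the Negotiate filter, which either
        // validates the token in the Authorization header or issues the
        // 401 challenge itself. With create-session="ifRequired" the
        // resulting SecurityContext is saved to a new session at the end of
        // the chain, so later requests take the fast path above.
        negotiateFilter.doFilter(request, response, chain);
    }

    /** True when a non-anonymous, authenticated principal is already present. */
    static boolean hasAuthenticatedPrincipal() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return auth != null
                && auth.isAuthenticated()
                && !(auth instanceof AnonymousAuthenticationToken);
    }
}
```

Wire it into the XML namespace configuration as a bean that receives the Waffle filter in its constructor and is registered with `<security:custom-filter ref="sessionFirstNegotiateFilter" position="BASIC_AUTH_FILTER"/>` inside the `<security:http create-session="ifRequired" ...>` element, keeping Waffle's entry point as `entry-point-ref` so unauthenticated requests still receive the Negotiate challenge. Two points worth checking in the logs Daniel mentions: the fast path only helps once a session cookie exists, so the first request on each new connection under NTLM still pays the handshake, and because OncePerRequestFilter records on the request that it has already run, a server-side FORWARD of the same request passes straight through rather than re-entering the Negotiate handshake.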




Daniel Doubrovkine

Nov 18, 2015, 7:08:42 AM
to waffle...@googlegroups.com
A forward request you mean it opens a new connection to a different (server/)port and tries to make a request? That can't work, even internally it's an authentication hop going to a different server/port and would require to support proxy auth. Swap the forward to a normal HTTP redirect?

On Wed, Nov 18, 2015 at 3:34 AM, cc <chris.c...@googlemail.com> wrote:
I have some additional information. 

Jetty performs a REDIRECT from /autologon to /autologon/, which works.  Jetty then performs a FORWARD from /autologon/ to the welcome page /autologon/home.html.  The /autologon/home.html request is intercepted by spring security and waffle, and it's the FORWARD request which seems to fail.

Anyone have any similar experience with this issue?

Best regards, Chris
