Wednesday, December 18, 2013

[Notes] Kerberos Authentication with SPNEGO




SPNEGO 

If you are going to build a web application that authenticates with Kerberos, you have to understand the SPNEGO authentication mechanism. SPNEGO stands for Simple and Protected GSSAPI Negotiation Mechanism, often pronounced "spen-go". According to Wikipedia:

SPNEGO is used when a client application wants to authenticate to a remote server, but neither end is sure what authentication protocols the other supports. The pseudo-mechanism uses a protocol to determine what common GSSAPI mechanisms are available, selects one and then dispatches all further security operations to it. This can help organizations deploy new security mechanisms in a phased manner.

Referring to the figure above, the complete SPNEGO flow over HTTP is as follows:

  1. The client web browser does an HTTP GET for the resource.
  2. The web server returns HTTP 401 with the header WWW-Authenticate: Negotiate.
  3. The client generates a NegTokenInit (for Kerberos, it carries an AP-REQ built from a service ticket for the server's HTTP/hostname service principal), base64-encodes it, and resubmits the GET with the header Authorization: Negotiate <base64 token>.
  4. The server decodes the NegTokenInit, extracts the supported MechTypes (only Kerberos V5 in our case), checks that the mechanism is one it expects, then extracts the MechToken (the Kerberos token) and authenticates it. If more processing is required, another HTTP 401 is returned with additional data in the WWW-Authenticate header; the client uses that data to generate the next token and sends it back in the Authorization header, until the negotiation completes.
  5. Once the client is authenticated, the web server returns HTTP 200, a final WWW-Authenticate header (carrying the server's token, which the client should verify if it wants mutual authentication) and the page content.
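The five steps above carried out end to end, as an added example written for these notes; it is not code from the original post or from any of the projects listed below. It is Python and implements only the SPNEGO layer (the GSS-API InitialContextToken, negTokenInit and negTokenResp DER framing from RFC 4178, using the well-known OIDs) plus the HTTP 401/200 handling; only the single-round Kerberos case is handled, not the "more processing required" loop of step 4. The Kerberos AP-REQ verification is passed in as a callback, which in a real server is GSSAPI's accept_sec_context; here the constants FAKE_AP_REQ/FAKE_AP_REP and the function fake_accept_krb5 are constructed stand-ins so the exchange runs offline. The mechanism check goes slightly beyond step 4: it requires the first listed mechType to be Kerberos, because the optimistic mechToken belongs to that mechanism, and this also refuses an NTLMSSP-first client instead of downgrading.

```python
import base64

# DER bodies of the OIDs involved (dotted form in the comments); RFC 4178, RFC 1964, MS-SPNG.
OID_SPNEGO  = bytes.fromhex("2b0601050502")            # 1.3.6.1.5.5.2
OID_KRB5    = bytes.fromhex("2a864886f712010202")      # 1.2.840.113554.1.2.2  Kerberos V5
OID_NTLMSSP = bytes.fromhex("2b06010401823702020a")    # 1.3.6.1.4.1.311.2.2.10 NTLMSSP (refused)

def _tlv(tag, body):
    """DER tag-length-value; long-form length when the body is 128 bytes or more."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the DER element at pos; ValueError if truncated."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def build_neg_token_init(mech_token, mech_types=(OID_KRB5,)):
    """Step 3 (client): InitialContextToken [APPLICATION 0] {SPNEGO OID, negTokenInit [0]}."""
    mech_list = _tlv(0x30, b"".join(_tlv(0x06, o) for o in mech_types))
    init = _tlv(0x30, _tlv(0xA0, mech_list) + _tlv(0xA2, _tlv(0x04, mech_token)))
    return _tlv(0x60, _tlv(0x06, OID_SPNEGO) + _tlv(0xA0, init))

def parse_neg_token_init(token):
    """Step 4 (server): unwrap the token -> (mech_types, mech_token); ValueError if malformed."""
    tag, body, _ = _read_tlv(token, 0)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    tag, oid, pos = _read_tlv(body, 0)
    if tag != 0x06 or oid != OID_SPNEGO:
        raise ValueError("thisMech is not SPNEGO")
    tag, choice, _ = _read_tlv(body, pos)
    if tag != 0xA0:
        raise ValueError("expected negTokenInit [0]")
    mech_types, mech_token, seq, pos = [], None, _read_tlv(choice, 0)[1], 0
    while pos < len(seq):
        tag, field, pos = _read_tlv(seq, pos)
        if tag == 0xA0:                           # mechTypes [0] SEQUENCE OF OID
            lst, p = _read_tlv(field, 0)[1], 0
            while p < len(lst):
                _, oid, p = _read_tlv(lst, p)
                mech_types.append(oid)
        elif tag == 0xA2:                         # mechToken [2] OCTET STRING
            mech_token = _read_tlv(field, 0)[1]
    return mech_types, mech_token

def build_neg_token_resp(ap_rep):
    """Step 5: negTokenResp [1] {negState accept-completed(0), supportedMech krb5, responseToken AP-REP}."""
    body = (_tlv(0xA0, _tlv(0x0A, b"\x00")) + _tlv(0xA1, _tlv(0x06, OID_KRB5))
            + _tlv(0xA2, _tlv(0x04, ap_rep)))
    return _tlv(0xA1, _tlv(0x30, body))

def handle_request(headers, accept_krb5):
    """Server side of steps 2, 4 and 5 -> (status, response_headers, body). accept_krb5(ap_req)
    -> (principal, ap_rep) must verify the ticket against the service keytab (GSSAPI
    accept_sec_context in production); it is injected so the demo can run offline."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Negotiate "):
        return 401, {"WWW-Authenticate": "Negotiate"}, ""              # step 2: challenge
    try:
        mech_types, mech_token = parse_neg_token_init(base64.b64decode(auth[10:], validate=True))
    except (ValueError, IndexError):
        return 400, {}, "malformed Negotiate token"
    # The optimistic mechToken belongs to the FIRST mechType, so that is the one to vet.
    # Accepting only Kerberos also refuses an NTLMSSP-first client instead of downgrading.
    if not mech_types or mech_types[0] != OID_KRB5 or mech_token is None:
        return 401, {"WWW-Authenticate": "Negotiate"}, "Kerberos required"
    try:
        principal, ap_rep = accept_krb5(mech_token)
    except ValueError:
        return 401, {"WWW-Authenticate": "Negotiate"}, "ticket rejected"
    www = "Negotiate " + base64.b64encode(build_neg_token_resp(ap_rep)).decode()
    return 200, {"WWW-Authenticate": www}, f"hello {principal}"        # step 5: done

FAKE_AP_REQ, FAKE_AP_REP = b"constructed-AP-REQ", b"constructed-AP-REP"   # NOT real Kerberos bytes

def fake_accept_krb5(ap_req):
    """Constructed stand-in for the Kerberos mechanism: accepts only the constructed AP-REQ."""
    if ap_req != FAKE_AP_REQ:
        raise ValueError("ticket did not verify")
    return "alice@EXAMPLE.COM", FAKE_AP_REP

def demo_exchange(mech_types=(OID_KRB5,), ap_req=FAKE_AP_REQ):
    """Run steps 1-5 for one client; returns [(status, WWW-Authenticate), ...] as the server sent them."""
    status, hdrs, _ = handle_request({}, fake_accept_krb5)                # step 1: plain GET
    transcript = [(status, hdrs.get("WWW-Authenticate"))]
    token = base64.b64encode(build_neg_token_init(ap_req, mech_types)).decode()
    status, hdrs, _ = handle_request({"Authorization": "Negotiate " + token}, fake_accept_krb5)
    transcript.append((status, hdrs.get("WWW-Authenticate")))
    return transcript
```

demo_exchange() returns the two server responses of a successful run, first (401, "Negotiate") and then (200, "Negotiate <base64 negTokenResp>"); calling it with (OID_NTLMSSP, OID_KRB5) as the mechanism list, or with a forged AP-REQ, ends in a 401 instead. Two things a real deployment adds on top of this: the client should decode the final WWW-Authenticate token and verify the AP-REP inside it (mutual authentication, which the demo client skips), and the whole exchange must run over TLS, since SPNEGO itself does not protect the HTTP request or response.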

Projects that implement SPNEGO:
  1. safe 
  2. Alfredo
  3. sourceforge - spnego
  4. spring-kerberos


Reference:
[1] Introducing Alfredo, Kerberos HTTP SPNEGO for Java