We are planning to use Crowd for an custom application by integrating with Spring Security. Besides we want to provide SSO by NTLM for our customer.
My questions:
Thanks in advance,
Ralf Borchers
Communardo Software GmbH
I've been working on an NTLM-based SSO module for a while now that's based on the Windows Integrated Authentication for Crowd-enabled Applications code. Unfortunately that code is a bit dated, but migrating it to use the Crowd REST library is fairly straightforward. I've used a substantial portion of the NTLM code from the Servlet Filter classes of the Spring Security NTLM extension library in my own code to make it easier to follow.
Answer to Question 1:
Crowd itself doesn't support NTLM - you'll need to write a servlet filter or use the Servlet filter code that is in the WIA code.
What I've learned so The NTLM authentication handshake process will happen between the browser and the domain controller. Once this happens, you'll call the
RestCrowdHttpAuthenticationFactory.getAuthenticator().authenticateWithoutValidatingPassword(request, response, userName);
method because the user will have been authenticated at that point.
Answer to Question 2:
Since you have to do the NTLM authentication in your code, you can support whichever versions you'd like. :-)
I have a slightly more difficult task of preventing the HTTP Authentication box from popping up and redirecting users to a login page, though it looks like using the AuthenticationFailureHandler class may work to make this happen (not sure if this is a requirement for you, but I thought I'd mention it just in case it is).
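To make the flow in this answer concrete, here is an added example of the servlet filter it describes (not code from the answer's author, the WIA project or Atlassian). The browser/domain-controller handshake is delegated to a hypothetical `NtlmProvider` interface (in practice you would back it with the Spring Security NTLM extension classes or a similar library); the `RestCrowdHttpAuthenticationFactory` call is the one quoted in the answer, with its import package left to the Crowd client jar you use. The filter also shows the fallback mentioned in the last paragraph: a failed handshake redirects to the normal login page instead of letting the browser re-prompt.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical abstraction over the NTLM Type 1 / Type 2 / Type 3 exchange (assumption,
// not a real library API): createChallenge() builds the Type 2 message for a Type 1
// message, authenticate() validates a Type 3 message against the domain controller and
// returns the user name, or null if validation failed.
interface NtlmProvider {
    byte[] createChallenge(byte[] type1Message);
    String authenticate(byte[] type3Message, byte[] challenge);
}

public class NtlmCrowdSsoFilter implements Filter {
    private static final String CHALLENGE_ATTR = "ntlm.challenge";
    private static final String USER_ATTR = "crowd.sso.user";
    private final NtlmProvider ntlm;
    private final String loginPage;

    public NtlmCrowdSsoFilter(NtlmProvider ntlm, String loginPage) {
        this.ntlm = ntlm;
        this.loginPage = loginPage;
    }

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(true);

        // Already handed off to Crowd in this session: let the request through.
        if (session.getAttribute(USER_ATTR) != null) {
            chain.doFilter(request, response);
            return;
        }

        String authz = request.getHeader("Authorization");
        if (authz == null || !authz.startsWith("NTLM ")) {
            // Step 1: no NTLM token yet, ask the browser to start the handshake.
            response.setHeader("WWW-Authenticate", "NTLM");
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        byte[] msg = Base64.getDecoder().decode(authz.substring(5).trim());
        int type = messageType(msg);
        if (type == 1) {
            // Step 2: answer the Type 1 message with a Type 2 challenge, bound to this session.
            byte[] challenge = ntlm.createChallenge(msg);
            session.setAttribute(CHALLENGE_ATTR, challenge);
            response.setHeader("WWW-Authenticate",
                    "NTLM " + Base64.getEncoder().encodeToString(challenge));
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        if (type == 3) {
            // Step 3: the Type 3 response must match the challenge issued in step 2;
            // remove it so a challenge can never be answered twice.
            byte[] challenge = (byte[]) session.getAttribute(CHALLENGE_ATTR);
            session.removeAttribute(CHALLENGE_ATTR);
            String user = (challenge == null) ? null : ntlm.authenticate(msg, challenge);
            if (user != null) {
                try {
                    // The domain controller has verified the user, so Crowd only has to
                    // establish its SSO session; no password check is possible or needed.
                    RestCrowdHttpAuthenticationFactory.getAuthenticator()
                            .authenticateWithoutValidatingPassword(request, response, user);
                    session.setAttribute(USER_ATTR, user);
                    chain.doFilter(request, response);
                    return;
                } catch (Exception e) {
                    // The real Crowd method declares checked Crowd exceptions; treat any
                    // failure (unknown user, inactive account, Crowd unreachable) as a failed SSO.
                }
            }
        }
        // Handshake failed or message out of sequence: send the user to the regular login
        // page rather than returning 401 again, which would make the browser re-prompt.
        response.sendRedirect(loginPage);
    }

    // An NTLMSSP message starts with the signature "NTLMSSP\0"; the 32-bit little-endian
    // message type (1, 2 or 3) follows at offset 8. Returns -1 for anything else.
    static int messageType(byte[] msg) {
        if (msg.length < 12 || msg[7] != 0
                || !"NTLMSSP".equals(new String(msg, 0, 7, StandardCharsets.US_ASCII))) {
            return -1;
        }
        return (msg[8] & 0xff) | ((msg[9] & 0xff) << 8)
                | ((msg[10] & 0xff) << 16) | ((msg[11] & 0xff) << 24);
    }
}
```

Two points matter for the security of this pattern: the Type 2 challenge is stored in the server-side session and discarded after one use, so a captured Type 3 response cannot be replayed later against the same filter, and the Crowd hand-off happens only after the provider has positively identified the user, never from the user name the browser supplies in the Type 3 message alone.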
The IWAAC plugin (Integrated Windows Authentication for Apps using Crowd) does exactly what you are looking for. It is based on Kerberos: https://marketplace.atlassian.com/plugins/com.cleito.iwaac/server/overview
You can download IWAAC and test it for free at: https://www.cleito.com/products/iwaac/
As an example of how you do NTLM/NTLMv2 authentication in a platform-independent manner in a Java application (not necessarily Spring-enabled), I can refer to the TechTime NTLMv2/NTLMv1 authenticator for Seraph-enabled applications, like Jira and Confluence.
http://techtime.co.nz/x/AwCxAg
The NTLM Authenticator works in conjunction with IOPlex Jespa library (http://www.ioplex.com).
Jespa provides the core class you can call on from a servlet filter of your application.
Our authenticator works both in Crowd environment as well as without Crowd.