Welcome to the SPNEGO SourceForge project

Integrated Windows Authentication and Authorization in Java

The intent of this project is to provide an alternative library (.jar file) that application servers (like Tomcat) can use as the means for authenticating clients (like web browsers).

If your organization is running Active Directory (AD) and all of your web applications go through Microsoft's Internet Information Services (IIS), and IIS has Integrated Windows Authentication enabled, and everyone in your organization is using Internet Explorer (IE), then this project may not be of any interest to you.

This project may also not be of any interest to you if your organization already uses jCIFS (an NTLM-based filter) as the means to achieve Single Sign-On (SSO). There are other third-party products and open-source projects that silently authenticate browser requests (no username/password prompt) to a protected web page; some of these may suit your organization's needs better.

However, if your organization uses Java-based web/application servers, and you prefer Kerberos/SPNEGO instead of NTLM as the authentication protocol, and you would rather have a Java Servlet Filter (JSR-53) based implementation instead of a container-specific authentication module (JSR-196), and you want SSO (no username/password prompt), and you would like an easy way of enabling authorization (authZ) at the page/button/link level, then this project may be of some interest to you.

The most effective way to get started is to first go through the pre-flight checklist. One of the goals of the checklist is to identify the configuration parameter values you will need while installing and configuring the SPNEGO HTTP Servlet Filter. There are really only two steps to the install: 1) copy the jar file into your web application and 2) register the filter in its web.xml file.

Unfortunately, that's just the servlet filter install. You may also need to create two configuration files that your Java Runtime Environment (JRE) needs as part of Java's security technology framework: a login configuration file for the Java Authentication and Authorization Service (JAAS) package/extension (conventionally login.conf), and a Kerberos configuration file (conventionally krb5.conf) that the Java Generic Security Services (Java GSS) API reads to find your realm and KDC. The pre-flight checklist has instructions for these as well.
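The web.xml step above, as an added example that is not taken from the project's install guides: it registers the filter for every URL and sets the init-params that point it at the two JRE configuration files. The filter class and parameter names are the ones the library's reference docs describe and should be verified there; the realm-independent values (file names, JAAS entry names, the service account name and its placeholder password) are assumptions for illustration.

```xml
<!-- WEB-INF/web.xml: register the SPNEGO HTTP Servlet Filter (illustrative values) -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <filter>
    <filter-name>SpnegoHttpFilter</filter-name>
    <filter-class>net.sourceforge.spnego.SpnegoHttpFilter</filter-class>

    <!-- Let non-Kerberos clients fall back to HTTP Basic, but only over TLS:
         with spnego.allow.unsecure.basic=true a password would cross the
         wire in the clear on plain HTTP. -->
    <init-param>
      <param-name>spnego.allow.basic</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>spnego.allow.unsecure.basic</param-name>
      <param-value>false</param-value>
    </init-param>

    <!-- true lets requests from localhost skip authentication entirely;
         keep it false anywhere other than a developer workstation. -->
    <init-param>
      <param-name>spnego.allow.localhost</param-name>
      <param-value>false</param-value>
    </init-param>

    <!-- The two JRE configuration files from the pre-flight checklist
         (assumed file names, resolved relative to the JVM working directory). -->
    <init-param>
      <param-name>spnego.krb5.conf</param-name>
      <param-value>krb5.conf</param-value>
    </init-param>
    <init-param>
      <param-name>spnego.login.conf</param-name>
      <param-value>login.conf</param-value>
    </init-param>

    <!-- Names of the JAAS login entries defined in login.conf (assumed names):
         the client entry is used to pre-authenticate the app server to the KDC,
         the server entry to accept the browser's SPNEGO tokens. -->
    <init-param>
      <param-name>spnego.login.client.module</param-name>
      <param-value>spnego-client</param-value>
    </init-param>
    <init-param>
      <param-name>spnego.login.server.module</param-name>
      <param-value>spnego-server</param-value>
    </init-param>

    <!-- Service account the app server runs as (placeholder values). The
         "create keytab for app server" guide shows the keytab alternative,
         which avoids keeping a cleartext password in web.xml. -->
    <init-param>
      <param-name>spnego.preauth.username</param-name>
      <param-value>svc-webapp</param-value>
    </init-param>
    <init-param>
      <param-name>spnego.preauth.password</param-name>
      <param-value>CHANGE_ME</param-value>
    </init-param>
  </filter>

  <!-- Protect the whole application; narrow the pattern to protect only part of it. -->
  <filter-mapping>
    <filter-name>SpnegoHttpFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

</web-app>
```

The two files the init-params point at are standard JRE artifacts rather than anything specific to this library: krb5.conf names the default realm and its KDC for Java GSS, and login.conf holds the two JAAS entries, each built on `com.sun.security.auth.module.Krb5LoginModule`. Treat web.xml as sensitive if you keep a pre-authentication password in it, and check that the application is only reachable over TLS before enabling the Basic fallback.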

Finally, there's nothing in the code base that is specific to AD: the filter relies on the JRE's JAAS and Java GSS Kerberos support rather than on anything Active Directory does, so in theory this code should also work with MIT Kerberos. There is also nothing in the code base that is specific to Tomcat or IE, or to Windows or UNIX (but feel free to post messages in the Forum about any successes and/or failures).

pre-flight checklist
install guide - tomcat
install guide - jboss
install guide - glassfish
enable authZ with LDAP
get user group info from LDAP
reference docs
api docs


create keytab for client
create keytab for app server
credential delegation
protected SOAP Web Service
tomcat authenticator valve
jboss authenticator valve
authZ for standalone apps
protecting edit button on page


© 2009 Darwin V. Felix. All rights reserved.