来自 Java Web 应用程序的 SharePoint Web 服务使用 CXF 和 Kerberos/NTLM 身份验证
我有一个来自 Web 应用程序的 Java EE Web 应用程序,我必须使用需要 Kerberos/NTLM 身份验证的 SharePoint Web 服务,我该如何实现。我使用 CXF 来使用 Web 服务,并且它本身使用 Windows 集成身份验证进行身份验证的 Web 应用程序。
I have a Java EE web application from the web app I have to consume a SharePoint web-service which expects Kerberos/NTLM authentication how can I achieve. I am using CXF for consuming web-service and the web application it self uses Windows Integrated Authentication for authentication.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
看一下 SPNEGO 协议,这是 Sharepoint(技术上是 IIS)用于单点登录身份验证的协议。我不熟悉 CXF,但通常大多数 Web 服务平台都允许您根据请求提供附加标头。基本上你需要的是:
看这里 http://appliedcrypto.com/spnego/spnego_jaasclient.html 这里 http://docs.oracle.com/javase/6/docs/technotes/guides/security/jgss/lab/part6.html 了解更多详细信息。
适用于您想要对共享点的浏览器用户进行身份验证的情况。您必须在 Web 应用程序中实现 SPNEGO 协议,例如您可以使用 this 包来完成。大多数现代应用程序服务器都支持 SPNEGO 协议 [JBoss、WebSphere]。实现 SPNEGO 协议后,您可以从“Authorization”标头中获取 kerberos 令牌。
然后您有两个选择:
如果您使用与 SharePoint 前端相同的身份运行您的 Web 应用程序,您只需将相同的令牌重新发送到共享点即可。
如果您以不同的身份运行,则必须使用用户的令牌前往 Active Directory 并代表您的用户请求共享点服务的票证。您的网络应用程序运行所使用的帐户必须受到 Active Directory 中委派的信任
此外,我不确定 SharePoint 是否接受 SOAP 标头中的 kerberos 令牌,我相信您必须使用 HTTP 标头进行身份验证。
这个问题可能会帮助您
如果您想使用单点登录功能意味着使用当前用户身份查看
这里
Take a look at the SPNEGO protocol, this is what Sharepoint ( technically IIS ) uses for Single Sign On authentication. I am not familar with CXF, but generally most of the WebServices platforms allow you to supply additional headers with your request. Basically what you need is:
Look here http://appliedcrypto.com/spnego/spnego_jaasclient.html and here http://docs.oracle.com/javase/6/docs/technotes/guides/security/jgss/lab/part6.html for more details.
For the case when you want to authenticate browser users to sharepoint. You have to implement SPNEGO protocol in your web app for example you can use this package do it you. Most of the modern app servers support SPNEGO protocol [ JBoss, WebSphere ]. After you implemented SPNEGO protocol, you can grab the kerberos token from 'Authorization' header.
Then you have two options:
In case you run your web-app with the same identity as the SharePoint front-end you can just resend the same token to the sharepoint.
In case you running as a different identity, you have to use the user's token to go to active directory and request a ticket for sharepoint service on behalf of your user. The account that your web-app runs under has to be trusted for delegation in Active Directory
Also, I am not sure that SharePoint accepts kerberos tokens within SOAP headers, I believe you have to authenticate using HTTP headers.
This question might help you
If you want to use single sign on feature meaning using current user identity take a look
here