Question

I'm trying to implement Java SSO for a web application using the SPNEGO library from SourceForge. The hello_spnego.jsp example at http://spnego.sourceforge.net works fine, but there are some things that I don't understand yet about the following parameters:

  1. spnego.prompt.ntlm enables Basic Authentication for clients that don't support Kerberos. Which value is recommended for this parameter, and why?
  2. spnego.allow.basic offers Basic Authentication in addition to Kerberos authentication. I understand that requesting credentials with Basic Authentication is not very safe. Which value is recommended for this parameter, and why?
  3. spnego.allow.unsecure.basic. I think its value must be false if Basic Authentication is enabled, but I'm not sure.

Solution

The values of the parameters depend on your use case. If you have a strict Kerberos/SPNEGO-only environment (safest, but all clients and users need to be Kerberos/SPNEGO enabled), then use

  • spnego.prompt.ntlm=false because we only allow Kerberos
  • spnego.allow.basic=false because we only allow Kerberos
  • spnego.allow.unsecure.basic=false not relevant because spnego.allow.basic=false

If you want to allow additional authentication mechanisms in addition to Kerberos/SPNEGO, then you have to decide which ones: NTLM and/or Basic. NTLM is not supported by this library, so Basic is the only one left.

  • spnego.prompt.ntlm=true because we want to allow Basic for non-SPNEGO/NTLM-only clients
  • spnego.allow.basic=true because we want to allow Basic for non-SPNEGO clients
  • spnego.allow.unsecure.basic=false we force Basic Authentication over HTTPS (if you don't do this and set the value to true here, then you transmit your credentials unencrypted and in plaintext, and that's not what you want, I guess)
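The following web.xml fragment is an added example, not part of the original answer or of the SPNEGO project's own documentation. It wires the second profile above (Kerberos/SPNEGO with a Basic fallback that is only accepted over HTTPS) into the library's servlet filter, and shows the strict Kerberos-only values as comments. The filter class name `net.sourceforge.spnego.SpnegoHttpFilter`, the `spnego.krb5.conf` / `spnego.login.conf` / `spnego.login.server.module` / `spnego.preauth.*` init-params, and the file names and account names are assumptions for this example; check them against the library version you deploy. The `security-constraint` with `CONFIDENTIAL` is standard Servlet-spec configuration, added so the container redirects plain-HTTP requests to HTTPS before the filter ever sees a Basic header, rather than relying on the filter's rejection alone.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example web.xml (not from the original post). -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">

  <filter>
    <filter-name>SpnegoHttpFilter</filter-name>
    <!-- Assumed filter class of the SourceForge SPNEGO library. -->
    <filter-class>net.sourceforge.spnego.SpnegoHttpFilter</filter-class>

    <!-- Fallback profile: Kerberos/SPNEGO first, Basic only for clients
         that cannot do SPNEGO, and Basic only over HTTPS.
         Strict Kerberos-only profile would be:
           spnego.prompt.ntlm=false
           spnego.allow.basic=false
           spnego.allow.unsecure.basic=false (irrelevant once basic is off) -->
    <init-param>
      <param-name>spnego.prompt.ntlm</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>spnego.allow.basic</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <!-- false: the filter refuses to accept Basic credentials over plain HTTP.
           Setting this to true would let passwords travel in cleartext. -->
      <param-name>spnego.allow.unsecure.basic</param-name>
      <param-value>false</param-value>
    </init-param>

    <!-- Kerberos plumbing; file names and module names are placeholders
         for this example and must match your own krb5.conf / login.conf. -->
    <init-param>
      <param-name>spnego.krb5.conf</param-name>
      <param-value>krb5.conf</param-value>
    </init-param>
    <init-param>
      <param-name>spnego.login.conf</param-name>
      <param-value>login.conf</param-value>
    </init-param>
    <init-param>
      <param-name>spnego.login.server.module</param-name>
      <param-value>spnego-server</param-value>
    </init-param>
    <init-param>
      <param-name>spnego.login.client.module</param-name>
      <param-value>spnego-client</param-value>
    </init-param>
    <init-param>
      <!-- Placeholder service account; prefer a keytab-based login module
           in login.conf over a cleartext password in web.xml. -->
      <param-name>spnego.preauth.username</param-name>
      <param-value>svc-web-sso</param-value>
    </init-param>
    <init-param>
      <param-name>spnego.preauth.password</param-name>
      <param-value>CHANGE-ME</param-value>
    </init-param>
  </filter>

  <filter-mapping>
    <filter-name>SpnegoHttpFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <!-- Container-level HTTPS enforcement (Servlet spec). With this in place a
       browser that falls back to Basic is redirected to HTTPS before it is
       ever challenged, so spnego.allow.unsecure.basic=false is a second
       line of defence rather than the only one. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Whole application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

</web-app>
```

The two settings work together: `spnego.allow.unsecure.basic=false` makes the filter itself refuse Basic over HTTP, while the `CONFIDENTIAL` constraint ensures the client is already on HTTPS when the `WWW-Authenticate: Negotiate` / `Basic` challenge is sent, so no credential is ever typed into a plain-HTTP prompt.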
Licensed under: CC-BY-SA with attribution