How to bypass defaultAuthenticationMethod

Peter Schober peter.schober at univie.ac.at
Mon Feb 3 05:47:33 EST 2014


* Vishvjit Khalipe <vishvjit at gmail.com> [2014-02-02 23:46]:
> 1. "Out of curiosity, how do you do this? I thought once a login
> handler was chosen you can't just invoke another one (e.g. from a
> JSP)?"
> 
> -> Kerberos Login Handler sets "krbLoginFailed" attribute if Kerberos
> authentication fails. Based on the "krbLoginFailed" attribute we
> forward the request to user-password login jsp.

OK, that's using the same login handler, though, right?

> 2. "Shouldn't you be able to configure the Kerberos Login Handler in a
> way that it will not automatically attempt SPNEGO with Kerberos
> rightaway, but only on request of the subject?"
> 
> -> We don't want to introduce additional click for all users to
> achieve some exceptional cases... so far we have requested users to
> access the resource using a browser that is not configured for
> kerberos. However we want a solution where users won't have to fiddle
> with browser setting to directly use user/password authentication.

Unless I'm missing something your requirements seem to be contradictory.

On the one hand you want logins to be initiated via SPNEGO
automatically without user interaction (i.e., without giving subjects
the means to avoid the automatism). On the other hand you want exactly
that, to allow users to at will prevent this automatism from kicking
in.
Since neither the SP nor the IDP can know when this use case applies,
it seems the only possibility to handle this is in the user interface,
giving people choice. And you don't want that either.

So either the choice needs to happen in the UI (making the simple case
1 click less simple for everyone) or you come up with some other
mechanism to provide choice to users to opt-out in certain contexts.
E.g. like you said, with different web browsers. I've seen people set
specific "user agent" strings to signal to the webserver that this
user agent should (or should not) be considered using SPNEGO with
Kerberos. But then you don't want people switching browsers either.

Doesn't look like a Shibboleth or even SAML problem to me.
-peter
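As an added illustration (not code from this thread or from Shibboleth), the "opt-out in certain contexts" idea Peter describes can be expressed as a small policy function that a web server or IdP front-end runs before deciding whether to send a Negotiate challenge or go straight to the user/password form. The opt-out markers (a User-Agent token, a query parameter, a cookie) and the sample requests are constructed assumptions; since all of them are set by the client, they are convenience signals for choosing a login flow, never an authorization decision.

```python
from dataclasses import dataclass

# Constructed opt-out signals (hypothetical names, not Shibboleth settings).
# A client controls every one of these, so they only select which login
# flow is offered; authentication itself still happens in the handler.
OPT_OUT_UA_MARKERS = ("NoSPNEGO",)      # e.g. a custom browser profile UA
OPT_OUT_QUERY_PARAM = "auth=password"   # e.g. a link with ?auth=password
OPT_OUT_COOKIE = "spnego_optout=1"      # e.g. set by a "use password" page


@dataclass
class Request:
    """Minimal view of an incoming request (constructed for the example)."""
    user_agent: str = ""
    query: str = ""    # raw query string, e.g. "a=1&auth=password"
    cookies: str = ""  # raw Cookie header, e.g. "a=b; spnego_optout=1"


def should_attempt_spnego(req: Request) -> bool:
    """True if the front-end should challenge with WWW-Authenticate: Negotiate.

    Any recognised opt-out signal suppresses the automatic SPNEGO attempt so
    the user is not sent through a Kerberos round-trip first.
    """
    if any(marker in req.user_agent for marker in OPT_OUT_UA_MARKERS):
        return False
    if OPT_OUT_QUERY_PARAM in req.query.split("&"):
        return False
    if OPT_OUT_COOKIE in [c.strip() for c in req.cookies.split(";")]:
        return False
    return True


def choose_login_flow(req: Request, krb_login_failed: bool = False) -> str:
    """Map the decision to the two flows discussed in the thread.

    krb_login_failed models the handler's "krbLoginFailed" fallback: once a
    Kerberos attempt has failed, the password form is shown regardless.
    """
    if krb_login_failed or not should_attempt_spnego(req):
        return "password-form"   # forward to the user/password login page
    return "negotiate"           # send the SPNEGO challenge
```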
