I'm setting up an authorization server that uses Kerberos (SSO) to authenticate users inside a Windows network. It also uses basic authentication to authenticate users outside the network.

When I try to access the `/oauth/authorize` endpoint from a machine inside the network, Kerberos SSO works perfectly without asking me for a username and password. But when I try to access the same endpoint from a machine outside the network, a browser login popup appears and hides my custom login page until I click Cancel.

I want to disable the login popup when accessing the `/oauth/authorize` endpoint.

My config:

```java
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .exceptionHandling()
            .authenticationEntryPoint(spnegoEntryPoint())
            .and()
        .authorizeRequests()
            .antMatchers("/", "/home", "/check", "/favicon.ico").permitAll()
            .anyRequest().authenticated()
            .and()
        .formLogin()
            .loginPage("/login").permitAll()
            .and()
        .logout()
            .permitAll()
            .and()
        .addFilterBefore(
            spnegoAuthenticationProcessingFilter(authenticationManagerBean()),
            BasicAuthenticationFilter.class);
}

@Bean
public SpnegoEntryPoint spnegoEntryPoint() {
    return new SpnegoEntryPoint("/login");
}
```

  • If Kerberos fails, basic authentication is applied by default and it uses the username/password of Windows Active Directory. – Houssam Rafiki Mar 25 '19 at 14:16
  • When I try to access the `/oauth/authorize` endpoint from a machine inside the network, Kerberos works perfectly without asking me for a username and password. But when I try to access the same endpoint from a machine outside the network, a browser login popup appears and hides my custom login page until I click Cancel. – Houssam Rafiki Mar 25 '19 at 14:23
  • *If kerberos fails, basic authentication is applied by default* That's wrong. The dialog is for Kerberos. However, you cannot enter a username and password for Kerberos, because you are not in the domain. – dur Mar 25 '19 at 16:09
  • See also https://stackoverflow.com/questions/29680/suppress-ntlm-dialog-box-after-unauthorized-request. Maybe it works with a different browser. What browser do you use? – dur Mar 25 '19 at 16:25
  • Possible duplicate of https://stackoverflow.com/questions/45039117/kerberos-authentication-through-spring-security-failing-in-ie11-and-chrome-but-n – dur Mar 25 '19 at 16:34
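
One way to keep the Negotiate challenge away from browsers outside the domain network, as an added example that is not part of the original post or its comments: choose the entry point per request by client address. The class name `NetworkAwareEntryPoint` and the CIDR range are assumptions made for illustration.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.kerberos.web.authentication.SpnegoEntryPoint;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.util.matcher.IpAddressMatcher;

/** Hypothetical entry point: sends the SPNEGO challenge to intranet clients only. */
public class NetworkAwareEntryPoint implements AuthenticationEntryPoint {

    // Assumption: placeholder CIDR standing in for the domain-joined network.
    private final IpAddressMatcher intranet = new IpAddressMatcher("10.0.0.0/8");

    // Responds 401 with "WWW-Authenticate: Negotiate" and forwards to /login,
    // exactly as the spnegoEntryPoint() bean in the question does.
    private final AuthenticationEntryPoint spnego = new SpnegoEntryPoint("/login");

    // Redirects to the custom login page without any WWW-Authenticate header,
    // so the browser has no challenge to answer with its native dialog.
    private final AuthenticationEntryPoint form =
            new LoginUrlAuthenticationEntryPoint("/login");

    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
                         AuthenticationException ex) throws IOException, ServletException {
        // IpAddressMatcher compares request.getRemoteAddr(); behind a reverse proxy
        // that is the proxy's address, so the container must be configured to
        // restore the real client address from a trusted forwarding header.
        if (intranet.matches(request)) {
            spnego.commence(request, response, ex);
        } else {
            form.commence(request, response, ex);
        }
    }
}
```

It would be wired in with `.authenticationEntryPoint(new NetworkAwareEntryPoint())` in place of `spnegoEntryPoint()`. The address check only selects which challenge is offered; credentials are still validated by the configured filters either way.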
