
Single Sign On with Java + Exchange 2007 EWS

Developer https://www.devze.com 2023-01-08 19:32 Source: web

I've been working on a project which uses SPNEGO to have Single Sign On for a Java based webapp. At the moment, it is working successfully with Jetty + SPNEGO and Active Directory so if you visit my test page, it can output the auth_user as well as the Negotiate token if the browser has been configured properly.

The next step of the project is to be able to pass that user and token to the Exchange Web Services as the authentication so I can access the remote user's Exchange directory (mail, contacts, etc.).

I've run JAX-WS to generate the stub files from the Services.wsdl file and am able to connect to Exchange using these classes. The only problem is that it will only authenticate the user that is running the web server, not the remote user.

I've also noticed that I can't find the correct class to pass the token, rather than a username and password, to the EWS. Also, the generated files don't have any references to SPNEGO.

Does anyone know of a possible solution, or does it look like I'll have to generate the SOAP calls manually rather than using the generated classes?

Thanks for your time


I think the best way to authenticate against the EWS is to use the user that is running the web server. This is your "Service Account" for the Exchange Web Services. This account needs the privilege "Exchange Web Services Impersonation" (ms-Exch-EPI-Impersonation).

If you want to access the remote user's Exchange data you have to use "Exchange impersonation" in your calls. For the individual Exchange server user ("Act As Account") you have to allow the Service Account to impersonate them by setting the privilege "Allow Impersonation to Personal Exchange Info" (ms-Exch-EPI-May-Impersonate).

So, every call is authenticated using the same Service Account, but then you act as a specific user/mailbox using exchange impersonation in your calls.

The single sign-on in your webapp is used to determine the current "Act As Account" to use for the Exchange impersonation. You need the user's email address or SID for this.


We've managed to get a solution up and running now using Apache HTTP Client 4.1 alpha / the Samba JCIFS library and generating the SOAP requests. This allows us to have multiple users logged in without any configuration required to their Exchange account.

We did use HttpClient 3.1 but ran into problems due to the change in the NTLM protocol with newer versions of Windows, so we upgraded to the latest version.

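Added example (not code from the question or from either answer): the first answer describes authenticating every call as the service account and then acting as the SSO user through Exchange impersonation, and the second answer ends up generating the SOAP requests by hand. The block below builds exactly that request body, a `FindItem` on the impersonated user's Inbox carrying a `t:ExchangeImpersonation` header, and reads the Act As identity back out of an envelope for auditing. Python is used so the envelope can be built and checked offline; the bytes it produces are what the Java code would POST to the EWS endpoint. Transport authentication (Kerberos or NTLM as the service account) is left to the HTTP client and is not shown. The `SSO_TO_SMTP` table is a constructed stand-in for the directory lookup that maps the SPNEGO `auth_user` to a mailbox address; the EWS 2006 namespaces and the `ConnectingSID` element names are the ones EWS defines, with the shape checks on their values being this example's own choice.

```python
"""Build an EWS SOAP request that is authenticated as the service account
but acts as the SSO-identified user via the ExchangeImpersonation header."""
import re
from typing import Optional, Tuple
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
T_NS = "http://schemas.microsoft.com/exchange/services/2006/types"
M_NS = "http://schemas.microsoft.com/exchange/services/2006/messages"
for _prefix, _uri in (("soap", SOAP_NS), ("t", T_NS), ("m", M_NS)):
    ET.register_namespace(_prefix, _uri)

# ConnectingSID child elements EWS accepts (SmtpAddress is the SP1+ alias) and
# the shape each value must have. A user-controlled value here would make the
# service account open someone else's mailbox, so validate before building.
CONNECTING_ID_PATTERNS = {
    "PrimarySmtpAddress": re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+"),
    "SmtpAddress": re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+"),
    "PrincipalName": re.compile(r"[^@\s]+@[^@\s]+"),
    "SID": re.compile(r"S-1-\d+(?:-\d+)+"),
}

# Constructed stand-in for the directory lookup (e.g. the AD 'mail' attribute)
# from the SPNEGO auth_user (a Kerberos principal) to the mailbox address.
SSO_TO_SMTP = {"jdoe@EXAMPLE.COM": "jdoe@example.com"}


def act_as_from_sso(auth_user: str) -> str:
    """Derive the Act As identity from the authenticated principal only,
    never from anything the browser can choose (query string, form field)."""
    try:
        return SSO_TO_SMTP[auth_user]
    except KeyError:
        raise PermissionError(f"no mailbox mapped for principal {auth_user!r}") from None


def impersonation_header(connecting_id: str, id_kind: str = "PrimarySmtpAddress") -> ET.Element:
    """soap:Header containing t:ExchangeImpersonation/t:ConnectingSID/t:<id_kind>."""
    pattern = CONNECTING_ID_PATTERNS.get(id_kind)
    if pattern is None:
        raise ValueError(f"unsupported ConnectingSID kind {id_kind!r}")
    if not pattern.fullmatch(connecting_id):
        raise ValueError(f"{connecting_id!r} is not a valid {id_kind}")
    header = ET.Element(f"{{{SOAP_NS}}}Header")
    imp = ET.SubElement(header, f"{{{T_NS}}}ExchangeImpersonation")
    sid = ET.SubElement(imp, f"{{{T_NS}}}ConnectingSID")
    ET.SubElement(sid, f"{{{T_NS}}}{id_kind}").text = connecting_id
    return header


def find_inbox_items_request(act_as: str, id_kind: str = "PrimarySmtpAddress",
                             max_entries: int = 10) -> bytes:
    """FindItem over the impersonated user's Inbox, serialised as the POST body."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    env.append(impersonation_header(act_as, id_kind))
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    find = ET.SubElement(body, f"{{{M_NS}}}FindItem", Traversal="Shallow")
    shape = ET.SubElement(find, f"{{{M_NS}}}ItemShape")
    ET.SubElement(shape, f"{{{T_NS}}}BaseShape").text = "IdOnly"
    ET.SubElement(find, f"{{{M_NS}}}IndexedPageItemView",
                  MaxEntriesReturned=str(max_entries), Offset="0", BasePoint="Beginning")
    parents = ET.SubElement(find, f"{{{M_NS}}}ParentFolderIds")
    ET.SubElement(parents, f"{{{T_NS}}}DistinguishedFolderId", Id="inbox")
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def acting_as(request: bytes) -> Optional[Tuple[str, str]]:
    """Read (kind, value) back from an envelope, e.g. to log which mailbox the
    service account acted as; None when the request carries no impersonation."""
    root = ET.fromstring(request)
    node = root.find(f"{{{SOAP_NS}}}Header/{{{T_NS}}}ExchangeImpersonation/"
                     f"{{{T_NS}}}ConnectingSID/*")
    if node is None or node.text is None:
        return None
    return node.tag.rsplit("}", 1)[1], node.text


if __name__ == "__main__":
    request = find_inbox_items_request(act_as_from_sso("jdoe@EXAMPLE.COM"))
    print(request.decode())
```

The header only has an effect when the service account holds ms-Exch-EPI-Impersonation and ms-Exch-EPI-May-Impersonate on the target user, as the answer above sets out; with those rights in place the value inside `ConnectingSID` decides whose mailbox is opened, which is why it is derived from the authenticated SPNEGO principal and validated rather than taken from the request.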
