Security gurus,
I am trying to implement a simple Single Sign-on solution and have been having pretty hard time getting it to work! I am wondering if you would be able to help me out..
The description of the problem and the attempts I made are presented below.
We have a web app that is restricted and hosted on IIS (windows 2000) server.
Now, I have a JSP that has the following link:
Secure Page
When the users click on it, they need to be able to access the Secure Page without being prompted for windows challenge (uid/pwd) window. mysite.com is configured to accept both 'BASIC' and 'Intergrated Windows Authentication'.
In the JSP, I know the username, password and domain. Somehow, I need to pass this authentication info to IIS, so that it does not prompt for uid/pwd pop-up.
Some of the approaches tried:
1) <form name="postForm" action="http://username:password@mysite.com" method="post" target="_blank" >
</form>
Secure Page
This thows an HTTP 405 (page expired) error. Even trying to access www.yahoo.com gives 405 error. Even if this worked, the uid and pwd will be visible in the browser and so, it is not acceptable.
2) Tried setting HTTP headers (appropriately Base64 encoded) but that did not work either. Here, I am not sure if I am soing the right stuff. Tried using the WWW-Authenticate and Authenticate headers.
3) The following link that has a good thread, but it does not address my prob. It is related, but not of direct help.
http://www.jguru.com/forums/view.jsp?EID=393110
Any leads that you could provide, would be of HUGE help. This has been giving me sleepless nights for a week! It shouldn't be that hard to accomplish this. Not sure where am I doing it wrong.
Thanks,
Anant