Fig 20: Straightforward SPNEGO
In our experience, the same web application may have to support both
internal (LAN) users and external users (B2B and B2C) who do not have
a prior Windows LAN login session. Implementing the model above would
mean that an application (or its interceptor) would need to understand and
implement two different protocols (SPNEGO and CAS) to cater to these two
sets of users.
As we suggested in the last section, a Two-Layer Protocol Architecture can
alleviate this complexity. The application interceptors only understand CAS
as always. The CAS server itself is capable of issuing an SPNEGO challenge
and validating the token presented by the browser, so SPNEGO should be
delegated to the CAS server, as shown below:
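The delegation can be sketched as follows. This is an added example, not the book's figure and not code from the CAS project: a CAS-server login decision in which only the server speaks SPNEGO and the application interceptor validates an ordinary CAS ticket. The LAN range, the function names, the `form_user` parameter and the injected `validate_krb` Kerberos validator are assumptions made for the illustration.

```python
import base64, ipaddress, secrets

# Assumptions (not from the book): the LAN range, these function names and the
# injected validate_krb callable (stand-in for a GSS-API accept) are hypothetical.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
NTLMSSP = b"NTLMSSP\x00"      # raw NTLM tokens start with this signature
TICKETS = {}                  # service ticket -> (service, principal)

def _issue_ticket(service, principal):
    st = "ST-" + secrets.token_urlsafe(24)
    TICKETS[st] = (service, principal)
    sep = "&" if "?" in service else "?"
    return 302, {"Location": f"{service}{sep}ticket={st}"}, principal

def cas_login(client_ip, headers, service, validate_krb, form_user=None):
    """Login decision on the CAS server. Returns (status, headers, note)."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Negotiate "):
        try:
            token = base64.b64decode(auth[len("Negotiate "):], validate=True)
        except ValueError:
            return 400, {}, "malformed Negotiate token"
        if token.startswith(NTLMSSP):
            # The browser had no Kerberos ticket and fell back to NTLM:
            # stop challenging and show the normal CAS login form.
            return 200, {}, "login form"
        principal = validate_krb(token)   # Kerberos check happens only here
        if principal is None:
            return 200, {}, "login form"
        return _issue_ticket(service, principal)
    if form_user is not None:             # password already checked by the CAS form
        return _issue_ticket(service, form_user)
    if ipaddress.ip_address(client_ip) in INTERNAL_NET:
        # Only LAN clients are challenged; external users never see SPNEGO.
        return 401, {"WWW-Authenticate": "Negotiate"}, "spnego challenge"
    return 200, {}, "login form"

def service_validate(service, ticket):
    """Called by the application interceptor: plain CAS on either login path."""
    entry = TICKETS.pop(ticket, None)     # pop makes the ticket single-use
    if entry is None or entry[0] != service:
        return None
    return entry[1]
```

Whichever way the user authenticated, the application sees the same redirect carrying a service ticket and makes the same `service_validate` call, so it needs no SPNEGO code of its own.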