Single sign-on in Java / VNC

Question

Background

On the project I work on we have GUI applications running on several different servers. Due to their user interface similarities I am investigating combining their OMIs into a single unified interface. Currently these applications are all remotely viewable via VNC. I plan to take advantage of this by having the master display run several VNC viewers under the covers and wrap an interface around these VNC sessions to make them appear like native applications.

Problem

I am looking for pointers for architecting a single sign-on solution. I want to eliminate each application's individual login and instead have users login to the unified display only. When they do that they would then be automatically logged in to each of the individual apps.

Constraints

1. The applications are all Swing-based Java apps running on Linux.
2. Authentication is performed by a Windows 2003 Server machine with Active Directory.
3. I'd strongly prefer an off-the-shelf solution to a custom-built one.

Ideas

My investigation has pointed me towards Kerberos and GSSAPI. Kerberos's ticket-based mechanism seems well-suited to the task.

One tricky bit is that these applications are always running. I need the unified display to somehow "tell" them when the user has logged in. It's not like normal Kerberized programs where they will perform a Kerberos login at startup.

If I use Kerberos I'm not sure how to transfer tickets to the various application servers. Is there a standard way to transfer them? Do I just use "scp" or something? Or do I develop my own socket-based network protocol and have the Java programs connect to each other and transfer tickets that way?

I don't want to get too bogged down in the details, though. I'd appreciate even general ideas like "have you considered Technology X?" or "try XYZ instead of VNC, it does this for you."

---

Updates

I'll edit in answers and clarifications here...

Have you considered that some authentication must take place anyway and that VNC only exports the view to a running program, so a VNC session cannot transport tickets?

Yes, indeed. Java + VNC is what we have right now. I could change out VNC for something else if there's a better way to remotely view the apps. Without rewriting them, that is. The ideal solution would be to separate them into distinct client and server pieces and put all the GUI code into the client, but that's 5-star difficulty and I need 1- or 2-star.

Have you considered the case when two users log in the same time? Will they see the same app? Or will this be forbidden?

Yeah, I've considered that. They will either see the same app or it will be forbidden. Either solution is okay as far as this particular system goes, so this isn't a big deal.

Have you considered just using an X Server on your local host and export the clients applications windows?

Yeah, this would be great. Can this be done with already-running apps? I have to connect to these apps after they've already started. I can't start them on demand when somebody fires up the central viewer.

Answer 1

RealVNC Enterprise Edition supports AD authentication (~$50 per exported desktop). Perhaps you can simply let people auth into the apps that way. FreeNX supports PAM authentication so you could perhaps hack something together with winbind, especially if your linux dist makes AD setup easy.

One last thing is running your apps in VirtualBox which can run in a headless mode via RDP. You can authenticate against PAM and thus winbind. This also has the advantage of being windows friendly on the client side via Remote Desktop which is pre-installed or readily available for windows.

Answer 2

Okey, I will try and start this list. Have you considered...

• JAAS? Should include the GSS API, but was very cumbersome the last time I tried it.
• that some authentication must take place anyway and that VNC only exports the view to a running program, so a VNC session cannot transport tickets?
• a browser based solution with an embedded Java VNC client? At least the IE is able to carry out kerberos authentication, I don't know about the other browsers, or HOW the IE does that.
• the case when two users log in the same time? Will they see the same app? Or will this be forbidden?
• just using an X Server on your local host and export the clients applications windows?

EDIT: More considerations:

• When using the X Server variant, use Xmove to move the programs to the X Server.
• You can use SSH authentication with private/secret keys and let the user enter one passphrase to connect all your servers. SSH agent is the keyword.
• With the existing SSH connections, start XMove on all the machines, collect all GUIs and send them to the client. You could even write a little MainWindow, with Buttons for each app, and when clicked, export only one of the apps, so it seems like they have been started from the main GUI.