Jespa
Jespa is a pure Java software library that directly implements the Microsoft Windows protocols and logic necessary to easily and efficiently integrate Java applications into Windows environments.
Jespa has no dependencies on other packages or the host (not even DNS) and, as 100% Java, it is memory-safe and runs equally well on Linux, macOS, Windows or any other platform with a Java runtime.
Windows Silent SSO for Java HTTP Servers
The most popular feature of Jespa is the SPNEGO HTTP Single Sign-On (SSO) Jakarta servlet filter which implements the type of SSO built into Windows clients (herein referred to as Windows Silent SSO).
Windows Silent SSO does not require users to type in credentials. It simply reuses the credentials already entered to log into the client workstation or device. Compared to other common types of SSO, this is faster, more convenient and more secure because users are not manually typing in passwords.
Windows Silent SSO is supported by all of the popular browsers, by the various Windows programming APIs and by the major programming languages.
This might be why, in a market saturated with SSO solutions, Jespa has been sold in over 60 countries with thousands of active installations in use today.
Maximum Windows Compatibility
Jespa carefully mimics exactly the network behavior and encodings of Windows communication for maximum security and compatibility.
For example, the Jespa Kerberos initiator will locate DCs using the DC Locator protocol, follow Kerberos client and server redirects across forest trusts and transparently canonicalize the common Windows account name forms (backslash, principal name, alternate UPN suffix).
Jespa implements SPN and channel bindings (also known as Extended Protection for Authentication, or EPA) and AES SecureChannel NETLOGON. Using either SPN binding or session security will block an NTLM relay attack. Jespa properly implements and uses both by default.
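To make the Windows Silent SSO handshake and the channel-binding check above concrete, here is an added illustrative SPNEGO servlet filter written on the JDK's own JGSS API. It is not Jespa code and does not reproduce HttpSecurityService; it assumes the acceptor credential for the service SPN (for example HTTP/www.example.com) was already acquired through a JAAS keytab login, that the server's TLS certificate is loaded from the keystore, and that the filter is registered programmatically so the constructor can receive both. The class name, the spnego.principal attribute and the tlsServerEndPoint helper are this example's own.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Base64;
import org.ietf.jgss.ChannelBinding;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

/* Illustrative SPNEGO "Negotiate" filter on the JDK JGSS API (example code,
 * not Jespa's). Assumes: acceptorCred was obtained via a JAAS keytab login for
 * the service SPN, and serverCert is this server's TLS certificate. */
public class NegotiateFilter implements Filter {
    private static final String NEGOTIATE = "Negotiate";
    private final GSSCredential acceptorCred;
    private final byte[] tlsEndPointBinding; // RFC 5929 tls-server-end-point data

    public NegotiateFilter(GSSCredential acceptorCred, X509Certificate serverCert)
            throws Exception {
        this.acceptorCred = acceptorCred;
        this.tlsEndPointBinding = tlsServerEndPoint(serverCert);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String authz = request.getHeader("Authorization");

        // Leg 1: no token yet, so challenge. A domain-joined browser answers with a
        // Kerberos service ticket for our SPN without prompting the user.
        if (authz == null || !authz.startsWith(NEGOTIATE + " ")) {
            response.setHeader("WWW-Authenticate", NEGOTIATE);
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        GSSContext ctx = null;
        try {
            byte[] inToken = Base64.getDecoder()
                    .decode(authz.substring(NEGOTIATE.length() + 1).trim());
            ctx = GSSManager.getInstance().createContext(acceptorCred);
            // EPA: tie the ticket to this TLS endpoint. A token captured on a
            // different TLS connection carries another binding and fails below
            // with GSSException.BAD_BINDINGS.
            ctx.setChannelBinding(new ChannelBinding(tlsEndPointBinding));
            byte[] outToken = ctx.acceptSecContext(inToken, 0, inToken.length);

            if (!ctx.isEstablished()) {
                // Kerberos completes in one leg. Multi-leg exchanges (NTLM inside
                // SPNEGO) would need the context kept across requests; this example
                // simply refuses them.
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            if (outToken != null && outToken.length > 0) {
                // Mutual authentication: return the AP-REP so the client can verify us
                response.setHeader("WWW-Authenticate",
                        NEGOTIATE + " " + Base64.getEncoder().encodeToString(outToken));
            }
            // e.g. "alice@EXAMPLE.COM"; authorization decisions happen downstream
            request.setAttribute("spnego.principal", ctx.getSrcName().toString());
        } catch (GSSException | IllegalArgumentException e) {
            // Binding mismatch, expired or forged ticket, or undecodable header
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        } finally {
            if (ctx != null) {
                try { ctx.dispose(); } catch (GSSException ignore) { }
            }
        }
        chain.doFilter(request, response);
    }

    /* RFC 5929 tls-server-end-point: "tls-server-end-point:" || H(DER certificate),
     * where H is the certificate's signature hash with MD5/SHA-1 replaced by SHA-256.
     * Simplified: handles the common SHAxxxwithRSA / SHAxxxwithECDSA names. */
    static byte[] tlsServerEndPoint(X509Certificate cert) throws Exception {
        String sigAlg = cert.getSigAlgName().toUpperCase();
        String hash = sigAlg.startsWith("SHA384") ? "SHA-384"
                    : sigAlg.startsWith("SHA512") ? "SHA-512" : "SHA-256";
        byte[] digest = MessageDigest.getInstance(hash).digest(cert.getEncoded());
        byte[] prefix = "tls-server-end-point:".getBytes(StandardCharsets.US_ASCII);
        byte[] out = new byte[prefix.length + digest.length];
        System.arraycopy(prefix, 0, out, 0, prefix.length);
        System.arraycopy(digest, 0, out, prefix.length, digest.length);
        return out;
    }
}
```

The two 401 paths are deliberate: the first carries a bare Negotiate challenge so a client that has not yet sent a token knows to do so; the failure path carries none, so a client whose ticket was rejected (wrong binding, wrong SPN, expired) does not loop. Because the binding is derived from the server certificate, it has to be recomputed whenever the certificate is renewed.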
By default, Jespa's LDAP client uses SPNEGO with SPN binding and SASL sealing. No CA certificate necessary.
More features ...
- The HssSetup console menu program can quickly and easily create the required Computer account in AD DS, set the SPN and password, and verify that it is working by requesting a Kerberos ticket like a browser client would. Jespa makes setting up an SPNEGO protected HTTP service much easier than the conventional Kerberos toolchain.
- The HttpSecurityService provides SPNEGO with Kerberos and NTLM mechanisms, handles concurrent authentication states, deep-linking, processing redundant authentications and switching between SSO and explicit logins using alternative credentials.
- DC Locator with SRV and CLDAP ping.
- The DuoHttpSecurityService adds support for 2FA / MFA.
- Efficient implementation that minimizes network communication and memory usage.
- Transparent AD DS domain controller and DNS nameserver failover.
- HTTP client with full Windows Silent SSO support including SPN and channel bindings.
- Windows group membership checking uses group SIDs from the authenticated Windows security context to provide lightning fast access control.
- Extensive, detailed and well-maintained documentation.
- Enable Windows Silent SSO in existing SASL servers and clients.
- As a proper library, Jespa uses no static configuration and has no host dependencies, which allows any number of instances of Jespa components to run within the same JVM.
- Easy to use API allows applications to set / change passwords on accounts; create, update, and delete accounts; manipulate security groups; and perform a wide range of AD DS operations.
- Cost effective licensing with steep discounts for multiple installations in the same network.
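The group-membership bullet above relies on the SIDs that arrive in the authenticated security context rather than on a directory lookup. The following added example (not Jespa code) shows what that involves: decoding a binary SID as laid out in MS-DTYP into its S-1-5-... string form and matching the context's group SIDs against an allow list. The SidAccessCheck class, the sample SID bytes and the domain SID S-1-5-21-1-2-3 are constructed for this illustration; S-1-5-32-544 is the real well-known BUILTIN\Administrators SID.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/* Illustrative SID decoding and group check (example code, not Jespa's). */
public final class SidAccessCheck {

    /** Decode a binary SID (revision, sub-authority count, 48-bit big-endian
     *  identifier authority, then little-endian 32-bit sub-authorities). */
    public static String sidToString(byte[] sid) {
        if (sid == null || sid.length < 8) {
            throw new IllegalArgumentException("SID too short");
        }
        int revision = sid[0] & 0xff;
        int count = sid[1] & 0xff;
        if (revision != 1 || count > 15 || sid.length != 8 + 4 * count) {
            throw new IllegalArgumentException("malformed SID");
        }
        long authority = 0;
        for (int i = 2; i < 8; i++) {
            authority = (authority << 8) | (sid[i] & 0xff);
        }
        StringBuilder sb = new StringBuilder("S-").append(revision).append('-').append(authority);
        for (int i = 0; i < count; i++) {
            int off = 8 + 4 * i;
            long sub = (sid[off] & 0xffL)
                     | ((sid[off + 1] & 0xffL) << 8)
                     | ((sid[off + 2] & 0xffL) << 16)
                     | ((sid[off + 3] & 0xffL) << 24);
            sb.append('-').append(sub);
        }
        return sb.toString();
    }

    /** Access is granted when any group SID in the token is on the allow list.
     *  Comparing SIDs instead of names is immune to group renames and needs no
     *  LDAP round trip at request time. */
    public static boolean isAllowed(List<byte[]> tokenGroupSids, Set<String> allowedSids) {
        for (byte[] sid : tokenGroupSids) {
            if (allowedSids.contains(sidToString(sid))) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample group SIDs, as they would appear in the token's group list:
        // S-1-5-21-1-2-3-1107 (a domain group with RID 1107 = 0x0453) and
        // S-1-5-32-545 (BUILTIN\Users).
        byte[] domainGroup = {
            1, 5, 0, 0, 0, 0, 0, 5,          // revision 1, 5 sub-authorities, authority 5
            21, 0, 0, 0, 1, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 0,   // 21-1-2-3
            (byte) 0x53, 0x04, 0, 0          // RID 1107
        };
        byte[] builtinUsers = { 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 33, 2, 0, 0 };

        Set<String> allowed = new HashSet<>(Arrays.asList(
            "S-1-5-21-1-2-3-1107",   // constructed "web-admins" group
            "S-1-5-32-544"));        // BUILTIN\Administrators

        System.out.println(sidToString(domainGroup)); // S-1-5-21-1-2-3-1107
        System.out.println(sidToString(builtinUsers)); // S-1-5-32-545
        System.out.println(isAllowed(Arrays.asList(domainGroup, builtinUsers), allowed)); // true
        System.out.println(isAllowed(Arrays.asList(builtinUsers), allowed));              // false
    }
}
```

The allow list is expressed as SID strings so it can live in configuration; the domain SID prefix must be taken from the real domain at deployment time, and nested-group expansion is already reflected in the token's group list, so no recursion is needed here.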
One installation may be used in production with up to 25 users for free. To get started, download the Jespa package and try the example webapp as described in the Install the Jespa Example Webapp page of the Jespa Technical Documentation area.