WAFFLE & Portal

Jul 19, 2010 at 3:45 PM
How could WAFFLE be used to authenticate users to Windows content providers via a portal hosted on LINUX?
Coordinator
Jul 19, 2010 at 6:54 PM

It can't. Waffle uses Win32 API and hence is a Windows-only solution.

Jul 19, 2010 at 7:20 PM
Thanks for replying. Would you know of anything out there that does?
Coordinator
Jul 19, 2010 at 7:38 PM

Most people front *nix servers with IIS. Jespa might work with Kerberos.

It sounds like you want to authenticate users, then proxy requests to content providers on behalf of those users. That's another can of worms. Maybe you want to describe your scenario a bit more in-depth?

Jul 19, 2010 at 7:44 PM
Yep. You got it. Since the user is already authenticated when they log on to their desktop, it makes sense to not have to re-authenticate to Windows content providers a 3rd time after already authenticating to the portal with SSO. We're currently doing the IIS thing, but were hopeful we could solve it in code when we stumbled across WAFFLE.
Coordinator
Jul 19, 2010 at 10:30 PM

This requires impersonation, something that IIS has by default and Waffle has as a feature request. On IIS when you choose Integrated Authentication, the server thread that accepts the request impersonates the calling user and then can make calls on the user's behalf. Waffle has all the necessary pieces (including the impersonation code), but I don't plan to put them together for a while. So Waffle will do what IIS does, on Windows, with a Tomcat/Jetty/Websphere server as soon as I write it or someone contributes it. You could then use Waffle, again, to make client-to-server calls with authentication. All that on Windows - but that's better than having IIS + Tomcat on 2 servers.

*nix is not in Waffle scope. But generally it's probably feasible with Kerberos since that mechanism allows for impersonation. Then, even if you did implement it, a Kerberos-only Windows environment is likely not to fly very well because of a vast amount of clients that want to do NTLM cause they are too old or domains aren't properly set up with SPNs. I am basically telling you to give up :)
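As an added illustration of the IIS-style "accept the token, then impersonate the caller" pattern the coordinator describes, here is a helper written for this thread, not code from the Waffle project. It assumes a later Waffle release in which `IWindowsSecurityContext.impersonate()` exists, a Windows host (a Win32 token is required), and a caller that owns the HTTP 401/`WWW-Authenticate` round trip; the class and method names are hypothetical.

```java
import java.util.Base64;
import java.util.concurrent.Callable;

import waffle.windows.auth.IWindowsAuthProvider;
import waffle.windows.auth.IWindowsIdentity;
import waffle.windows.auth.IWindowsImpersonationContext;
import waffle.windows.auth.IWindowsSecurityContext;
import waffle.windows.auth.impl.WindowsAuthProviderImpl;

/** Hypothetical helper: finish a Negotiate handshake, then run work as the caller. */
public class ImpersonatingHandler {
    private final IWindowsAuthProvider auth = new WindowsAuthProviderImpl();

    /**
     * @param connectionId  stable id for this client connection (NTLM needs it across round trips)
     * @param authorization value of the HTTP Authorization header, e.g. "Negotiate <base64>"
     * @param challengeOut  receives the WWW-Authenticate value to send if the handshake continues
     * @return the work's result, or null when another round trip is needed
     */
    public <T> T runAsCaller(String connectionId, String authorization,
                             Callable<T> work, StringBuilder challengeOut) throws Exception {
        String[] parts = authorization.trim().split("\\s+", 2);
        if (parts.length != 2 || !parts[0].equalsIgnoreCase("Negotiate")) {
            throw new SecurityException("expected a Negotiate token");
        }
        byte[] token = Base64.getDecoder().decode(parts[1]);
        IWindowsSecurityContext ctx = auth.acceptSecurityToken(connectionId, token, "Negotiate");
        try {
            if (ctx.isContinue()) {
                // Handshake not finished: answer 401 with this challenge and wait for the next token.
                challengeOut.append("Negotiate ")
                            .append(Base64.getEncoder().encodeToString(ctx.getToken()));
                return null;
            }
            IWindowsIdentity identity = ctx.getIdentity();
            try {
                if (identity.isGuest()) throw new SecurityException("guest logons not accepted");
                IWindowsImpersonationContext imp = ctx.impersonate();
                try {
                    // The server thread now carries the caller's token, as IIS does.
                    // Local access checks (files, named pipes) run as the caller; a token
                    // from NTLM cannot be forwarded to another server, and one from
                    // Kerberos only can when delegation is configured for this service.
                    return work.call();
                } finally {
                    imp.revertToSelf(); // always drop the caller's token, even on exception
                }
            } finally {
                identity.dispose();
            }
        } finally {
            ctx.dispose();
        }
    }
}
```

Keep the impersonated region as small as possible and never cache the token across requests; the revert in `finally` is what stops one failed request from leaving the worker thread running as the previous caller.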