Firefox shows authentication required popup

Jul 25, 2010 at 12:14 PM

I'm calling the waffle-filter example in Firefox. In about:config I have added localhost to "network.negotiate-auth.trusted-uris". Now if I call the sample in Firefox http://localhost:7070/waffle-filter/ the logfile shows:

25.07.2010 13:54:22 waffle.servlet.NegotiateSecurityFilter doFilter
INFO: GET /waffle-filter/, contentlength: -1
25.07.2010 13:54:22 waffle.servlet.NegotiateSecurityFilter doFilter
INFO: authorization required

And in the browser the popup is shown:

   Authentication Required.
   A username and password are being requested by http://localhost:7070. The site says: "WaffleFilterDemo"

If I click "cancel" I'm sucessfully logged in and the logfile shows:

25.07.2010 13:56:02 waffle.servlet.NegotiateSecurityFilter doFilter
INFO: GET /waffle-filter/, contentlength: -1
25.07.2010 13:56:02 waffle.servlet.spi.NegotiateSecurityFilterProvider doFilter
INFO: security package: Negotiate, connection id: 127.0.0.1:58620
25.07.2010 13:56:02 waffle.servlet.spi.NegotiateSecurityFilterProvider doFilter
INFO: token buffer: 124 byte(s)
25.07.2010 13:56:02 waffle.servlet.spi.NegotiateSecurityFilterProvider doFilter
INFO: continue token: oYG6MIG3oAMKAQGhDAYKKwYBBAGCNwICCqKBoQSBnk5UTE1TU1AAAgAAAA4ADgA4AAAAFcKK4lzxnYYNO80lcCrIAQAAAABYAFgARgAAAAYBsB0AAAAPQwBBAFAAUgBJAEMAQQACAA4AQwBBAFAAUgBJAEMAQQABAA4AQwBBAFAAUgBJAEMAQQAEAA4AYwBhAHAAcgBpAGMAYQADAA4AYwBhAHAAcgBpAGMAYQAHAAgAAhiSWvArywEAAAAA
25.07.2010 13:56:02 waffle.servlet.spi.NegotiateSecurityFilterProvider doFilter
INFO: continue required: true
25.07.2010 13:56:02 waffle.servlet.NegotiateSecurityFilter doFilter
INFO: GET /waffle-filter/, contentlength: -1
25.07.2010 13:56:02 waffle.servlet.spi.NegotiateSecurityFilterProvider doFilter
INFO: security package: Negotiate, connection id: 127.0.0.1:58620
25.07.2010 13:56:02 waffle.servlet.spi.NegotiateSecurityFilterProvider doFilter
INFO: token buffer: 121 byte(s)
25.07.2010 13:56:02 waffle.servlet.spi.NegotiateSecurityFilterProvider doFilter
INFO: continue token: oRswGaADCgEAoxIEEAEAAABDh+CIwTbjqQAAAAA=
25.07.2010 13:56:02 waffle.servlet.spi.NegotiateSecurityFilterProvider doFilter
INFO: continue required: false
25.07.2010 13:56:02 waffle.servlet.NegotiateSecurityFilter doFilter
INFO: successfully logged in user: caprica\Soundlink

Any idea why I'm getting the popup in Firefox (IE is working)? My environment is Windows 7 without AD and Tomcat 6.0.28. Do I have to add some settings in Firefox?

Coordinator
Jul 25, 2010 at 6:42 PM

It's because firefox is interpreting WWW-Authenticate headers a little too literally and trying BASIC auth first. It's trying the authentication providers in order they appear, without having any preference in terms of what's "more secure" or "best". In the samples the configuration says the following:

<init-param>
 <param-name>securityFilterProviders</param-name>
 <param-value>
  waffle.servlet.spi.BasicSecurityFilterProvider
  waffle.servlet.spi.NegotiateSecurityFilterProvider
 </param-value>
</init-param>

This means BASIC auth first, then Negotiate. Flipping the order fixes the Firefox problem. In your web-inf\web.xml I would remove all the init-params that you're not using (the default is the "better" order where Negotiate is first). I'll change the sample configuration as well to avoid confusion, thank you for pointing this out.

Jul 25, 2010 at 9:04 PM

Yes, flipping the order or removing the parameter fixes this problem. Thank you.

Regarding removing all init-params I'm not using. I've seen that for the parameter roleFormat the value in the sample is both, but the default value in the source code is fqn. Is there a special reason for this, or would I use both only if I plan to ask for the sid in my code?

Coordinator
Jul 26, 2010 at 11:58 AM

Correct. The roleFormat parameter defines what format of the user's groups to add to the list of roles. The demo says both for demo purposes. If you plan to use SIDs, then you should use "sid", if you plan to use names, use "fqn", and if you plan to use both, use "both".