Disable Login Prompting with non-sso browsers

Aug 25, 2010 at 10:50 PM

Is there a way to configure WAFFLE so that users who haven't enabled their browser for SSO get logged in as a guest user without being prompted?

I've tried removing the BasicSecurityFilterProvider from the sample's web.xml but I still get prompted to type my credentials when not browsing with integrated windows authentication turned on. (allowGuestLogin is set to true)


What I want to have is a situation where users who haven't enabled integrated windows authentication (i.e. Internet mode browsing) will be sent to a custom page describing what to do.

Aug 26, 2010 at 1:48 AM

I don't think it's possible.

A client that has no SSO enabled (e.g. doesn't have the server in the Intranet Zone) does a GET request. It's indistinguishable from any other GET request. He is answered with a 401 to challenge him for authentication. The client then decides what to do. I believe IE will pop up a logon box, whatever you do, because it's capable of Negotiate when you enter credentials on the client (you may simply be logged into another domain). Experience with other browsers may vary.

I believe the only alternative is to use the mixed authenticator (see samples) and start with a page rather than with a challenge. On that page you can explain to people what to do and those who got it will press the "login" button that will challenge and then authenticate them automatically. Also, customize the 401 Access Denied page, so that users who tried a few times to enter credentials give up and get presented with an explanation.

Hope this helps, let us know what you do and how it works out.

Aug 26, 2010 at 9:28 PM

Thank you.

I've had a need (specifically with SSO filters) to have a filter exclusion pattern. The reason for this is that often non-browser clients will access web services, so I need SSO disabled for a particular url-pattern.

Because filters don't have exclude-pattern, I usually handle this via subclassing and use an init-param. Unfortunately, when I subclass NegotiateSecurityFilter, your init method actually throws a ServletException if any unknown parameters were present, with the message "Invalid Parameter: excludePattern".

I understand fail-fast typo catches, but is there another benefit to throwing the ServletException there?

Aug 26, 2010 at 9:41 PM

There's really no other benefit, but it's an important feature (to catch configuration errors). Feel free to refactor this so you can override parts of init and not end up in the exception, I'd like a patch like that.

Aug 27, 2010 at 2:23 PM

Ok, I will try to patch it and provide a unit test in the next week or so.
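
One way to get the exclusion pattern discussed in this thread without patching WAFFLE, shown as an added example (not code from the thread or from the WAFFLE project): a wrapper filter that consumes `excludePattern` itself and hides it from `NegotiateSecurityFilter.init`, so the unknown-parameter check still catches real typos. Assumptions: the class name `ExcludingNegotiateFilter` is made up, `excludePattern` is treated as a regular expression, and the `waffle.servlet` package and the Servlet API are on the classpath.

```java
import java.io.IOException;
import java.util.*;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import waffle.servlet.NegotiateSecurityFilter;

// Hypothetical wrapper: register this class in web.xml instead of NegotiateSecurityFilter.
public class ExcludingNegotiateFilter implements Filter {
    private static final String PARAM = "excludePattern"; // regex semantics are an assumption
    private final Filter delegate = new NegotiateSecurityFilter();
    private Pattern exclude; // null means nothing is excluded

    public void init(final FilterConfig cfg) throws ServletException {
        String regex = cfg.getInitParameter(PARAM);
        if (regex != null) exclude = Pattern.compile(regex); // a bad regex fails at startup
        // Pass every other init-param through unchanged; only our own parameter
        // is hidden, so the delegate still rejects genuinely unknown names.
        final List<String> names = new ArrayList<String>();
        for (Enumeration<?> e = cfg.getInitParameterNames(); e.hasMoreElements();) {
            String n = (String) e.nextElement();
            if (!PARAM.equals(n)) names.add(n);
        }
        delegate.init(new FilterConfig() {
            public String getFilterName() { return cfg.getFilterName(); }
            public ServletContext getServletContext() { return cfg.getServletContext(); }
            public String getInitParameter(String n) {
                return names.contains(n) ? cfg.getInitParameter(n) : null;
            }
            public Enumeration<String> getInitParameterNames() {
                return Collections.enumeration(names);
            }
        });
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (exclude != null && req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            // Match the container-decoded path rather than the raw request URI,
            // and require a full match so a pattern cannot match a mere substring.
            String info = http.getPathInfo();
            String path = http.getServletPath() + (info == null ? "" : info);
            if (exclude.matcher(path).matches()) {
                // This filter does not authenticate excluded URLs; they need
                // their own access control (e.g. the web service's own auth).
                chain.doFilter(req, res);
                return;
            }
        }
        delegate.doFilter(req, res, chain);
    }

    public void destroy() { delegate.destroy(); }
}
```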