Servlet Negotiate Security Filter

Sep 21, 2010 at 10:36 AM

May I know, for this servlet, besides

  <filter>
    <filter-name>SecurityFilter</filter-name>
    <filter-class>waffle.servlet.NegotiateSecurityFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>SecurityFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

is there anything else that we need to configure? What should I enter for

  <param-name>waffle.servlet.spi.BasicSecurityFilterProvider/realm</param-name>
  <param-value>WaffleFilterDemo</param-value>

?

When the popup asks for username/password (just like NTLM), I enter domain\mywindow_login and my password, but fail to log in.


Coordinator
Sep 21, 2010 at 11:13 AM

You shouldn't need to configure anything. All parameters are optional. The documentation (CHM in the downloaded package) has a reference to the parameters for each filter/authenticator/etc.

For NTLM you shouldn't be getting a popup. If you are, your browser is probably not in the intranet zone or there's a problem with the server-side (permissions, etc.).

Sep 21, 2010 at 11:17 AM

No, I purposely configured it to prompt for username and password. For the username, should I key in domain\mycompany, with password: mycomputerpassword?

Sep 21, 2010 at 11:20 AM

If I set automatic login in IE, I am able to log in with the waffle-filter example, but when I set prompt for username and password, let's say userA wants to log in as userB, it cannot log in.

Coordinator
Sep 21, 2010 at 11:23 AM
cometta wrote:

If I set automatic login in IE, I am able to log in with the waffle-filter example, but when I set prompt for username and password, let's say userA wants to log in as userB, it cannot log in.

Okay, now I understand the problem.

The next two steps are:

  • Trace client-to-server conversation with IEHttpHeaders (or something like that) and confirm which protocol is selected by the browser.
  • Examine the server-side log (and possibly put waffle logging in DEBUG) to find out why the specified username/password isn't working. You should get a better error on the server (e.g. invalid username/password or a privilege problem).

If you can't figure it out, post the server-side output here.

Sep 21, 2010 at 11:31 AM

This is my server log when I do a manual login:

21 Sep 2010 19:30:43,097 INFO [main] - Root WebApplicationContext: initialization completed in 12766 ms
21 Sep 2010 19:30:43,159 DEBUG [main] - [waffle.servlet.NegotiateSecurityFilter] loaded
21 Sep 2010 19:30:43,175 DEBUG [main] - initializing default secuirty filter providers
21 Sep 2010 19:30:43,175 INFO [main] - [waffle.servlet.NegotiateSecurityFilter] started
21 Sep 2010 19:31:10,113 INFO [http-8080-1] - GET /myapp/app, contentlength: -1
21 Sep 2010 19:31:10,191 INFO [http-8080-1] - authorization required
21 Sep 2010 19:31:22,848 INFO [http-8080-1] - GET /myapp/app, contentlength: -1
21 Sep 2010 19:31:22,848 INFO [http-8080-1] - security package: Negotiate, connection id: 127.0.0.1:8611
21 Sep 2010 19:31:22,864 INFO [http-8080-1] - token buffer: 1353 byte(s)
21 Sep 2010 19:31:23,395 INFO [http-8080-1] - continue token: oX8wfaADCgEBoQsGCSqGSIL3EgECAqJpBGdgZQYJKoZIhvcSAQICAwB+VjBUoAMCAQWhAwIBHqQRGA8yMDEwMDkyMTExMzEyM1qlBQIDBLG+pgMCASmpEBsOU1BTRVRJQS5DT00uTVmqFzAVoAMCAQGhDjAMGwpNWTAxLVAwODEk
21 Sep 2010 19:31:23,395 INFO [http-8080-1] - continue required: true
21 Sep 2010 19:31:23,395 INFO [http-8080-1] - GET /myapp/app, contentlength: -1
21 Sep 2010 19:31:23,395 INFO [http-8080-1] - security package: Negotiate, connection id: 127.0.0.1:8611
21 Sep 2010 19:31:23,410 INFO [http-8080-1] - token buffer: 1303 byte(s)
21 Sep 2010 19:31:23,410 INFO [http-8080-1] - continue token: oXIwcKADCgEBomkEZ2BlBgkqhkiG9xIBAgIDAH5WMFSgAwIBBaEDAgEepBEYDzIwMTAwOTIxMTEzMTIzWqUFAgME7semAwIBKakQGw5TUFNFVElBLkNPTS5NWaoXMBWgAwIBAaEOMAwbCk1ZMDEtUDA4MSQ=
21 Sep 2010 19:31:23,410 INFO [http-8080-1] - continue required: true

The log keeps repeating like above, and I can see the popup asking for username and password repeatedly.

Coordinator
Sep 21, 2010 at 11:37 AM

The server says: this token that I got (for that user that you typed in) is valid, but requires continuation - browser, please continue. The browser takes the token that the server gave it and gives up. This is likely a combination of a client-side and a server-side privileges problem. I would try the following:

  • Run the server as a different user - LocalSystem, Administrator, domain account. If either resolves the problem, then your Active Directory is not configured for delegation for this server and/or one of the accounts. I never know which one is which :)
  • Try wfetch instead of IE. It will give you a clear client-side error if that's the problem.

Let us know what you find.

Sep 21, 2010 at 1:27 PM

But I run the Tomcat server on my local machine with the same username I use to do the manual login.

1. If I set my Internet Explorer to automatically log in, I am able to log in without problem.

2. If I do not set it, then only do I have this problem.

Sep 21, 2010 at 1:48 PM

Do you think it's related to me using spring-security2 in my lib folder?

Coordinator
Sep 21, 2010 at 2:09 PM
cometta wrote:

Do you think it's related to me using spring-security2 in my lib folder?

Now you're just guessing.

The automatic logon and the non-automatic logon are two completely different logons.

  • On the client, automatic logon uses your current security context (using your impersonation token, which was obtained by an interactive logon when you logged on the machine) to negotiate with the server.
  • On the client, entering a username and password does a network logon with the supplied credentials and uses the resulting impersonation token to negotiate with the server.

And this is just scratching the surface ...

Sep 22, 2010 at 2:16 AM

Here are my testing results. I set my browser to prompt for username and password and tried waffle-filter.

Case 1: I set waffle.servlet.spi.NegotiateSecurityFilterProvider/protocols = NTLM

     Success when I enter my email address as username and my Windows password as password.

Case 2: I set waffle.servlet.spi.NegotiateSecurityFilterProvider/protocols = Negotiate

   I keep getting the popup asking for username/password, and below is the server log:

22 Sep 2010 09:48:10,183 INFO [http-8080-1] - GET /myapp/app, contentlength: -1
22 Sep 2010 09:48:10,246 INFO [http-8080-1] - authorization required
22 Sep 2010 09:48:16,981 INFO [http-8080-1] - GET /myapp/app, contentlength: -1
22 Sep 2010 09:48:16,981 INFO [http-8080-1] - security package: Negotiate, connection id: 127.0.0.1:2627
22 Sep 2010 09:48:16,996 INFO [http-8080-1] - token buffer: 1352 byte(s)
22 Sep 2010 09:48:17,434 INFO [http-8080-1] - continue token: oX8wfaADCgEBoQsGCSqGSIL3EgECAqJpBGdgZQYJKoZIhvcSAQICAwB+VjBUoAMCAQWhAwIBHqQRGA8yMDEwMDkyMjAxNDgxN1qlBQIDC0anpgMCASmpEBsOU1BTRVRJQS5DT00uTVmqFzAVoAMCAQGhDjAMGwpNWTAxLVAwODEk
22 Sep 2010 09:48:17,434 INFO [http-8080-1] - continue required: true
22 Sep 2010 09:48:17,449 INFO [http-8080-1] - GET /myapp/app, contentlength: -1
22 Sep 2010 09:48:17,449 INFO [http-8080-1] - security package: Negotiate, connection id: 127.0.0.1:2627
22 Sep 2010 09:48:17,449 INFO [http-8080-1] - token buffer: 1302 byte(s)
22 Sep 2010 09:48:17,449 INFO [http-8080-1] - continue token: oXIwcKADCgEBomkEZ2BlBgkqhkiG9xIBAgIDAH5WMFSgAwIBBaEDAgEepBEYDzIwMTAwOTIyMDE0ODE3WqUFAgMLg7CmAwIBKakQGw5TUFNFVElBLkNPTS5NWaoXMBWgAwIBAaEOMAwbCk1ZMDEtUDA4MSQ=
22 Sep 2010 09:48:17,449 INFO [http-8080-1] - continue required: true

Is it a bug in waffle when using "Negotiate" as the protocol?

Coordinator
Sep 22, 2010 at 3:10 AM

This just says that NTLM works in your environment and not Kerberos. This thread is very similar.
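As an added illustration (not part of the thread and not Waffle code): the "continue token" lines in both server logs above are base64 SPNEGO NegTokenResp structures, and a small DER walker can show what "continue required: true" actually carries. Decoding the token from the Sep 21 log yields negState accept-incomplete, supportedMech MS KRB5, and a responseToken whose inner Kerberos message is a KRB-ERROR with error-code 41 (KRB_AP_ERR_MODIFIED in RFC 4120) for the service principal MY01-P081$; the Sep 22 case-2 tokens decode the same way. Function names and the lookup tables are mine; the token constant is copied from the log, and the OIDs, negState values and error codes are the RFC 4178 / RFC 4120 / MS-SPNG assignments.

```python
import base64

# Server "continue token" copied from the first server log in this thread (the
# 21 Sep 2010 19:31:23,395 line); the Sep 22 case-2 tokens decode the same way.
CONTINUE_TOKEN = ("oX8wfaADCgEBoQsGCSqGSIL3EgECAqJpBGdgZQYJKoZIhvcSAQICAwB+VjBUoAMCAQWh"
                  "AwIBHqQRGA8yMDEwMDkyMTExMzEyM1qlBQIDBLG+pgMCASmpEBsOU1BTRVRJQS5DT00u"
                  "TVmqFzAVoAMCAQGhDjAMGwpNWTAxLVAwODEk")

NEG_STATE = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}
MECHS = {"2a864886f712010202": "Kerberos V5", "2a864882f712010202": "MS KRB5",
         "2b06010401823702020a": "NTLMSSP"}
KRB_ERRORS = {6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
              24: "KDC_ERR_PREAUTH_FAILED", 31: "KRB_AP_ERR_BAD_INTEGRITY",
              32: "KRB_AP_ERR_TKT_EXPIRED", 37: "KRB_AP_ERR_SKEW", 41: "KRB_AP_ERR_MODIFIED"}

def tlv(buf, pos=0):  # one DER element at pos -> (tag, contents, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(contents):  # every element directly inside a constructed value
    out, pos = [], 0
    while pos < len(contents):
        tag, value, pos = tlv(contents, pos)
        out.append((tag, value))
    return out

def decode_continue_token(b64):
    tag, body, _ = tlv(base64.b64decode(b64))
    if tag != 0xA1:  # [1] NegTokenResp (RFC 4178); a server never sends NegTokenInit
        raise ValueError("not a SPNEGO NegTokenResp")
    f = dict(children(tlv(body)[1]))  # SEQUENCE { [0] negState, [1] supportedMech, [2] responseToken }
    result = {"negState": NEG_STATE.get(children(f[0xA0])[0][1][0]),
              "supportedMech": MECHS.get(children(f[0xA1])[0][1].hex(), "unknown")}
    if 0xA2 in f:  # responseToken: RFC 1964 InitialContextToken = [APP 0] { OID, TOK_ID, inner }
        _, inner, _ = tlv(children(f[0xA2])[0][1])
        _, _, pos = tlv(inner)  # skip thisMech OID
        tok_id = inner[pos:pos + 2]  # 01 00 AP-REQ, 02 00 AP-REP, 03 00 KRB-ERROR
        result["tokId"] = tok_id.hex()
        if tok_id == b"\x03\x00":
            err = dict(children(tlv(tlv(inner, pos + 2)[1])[1]))  # KRB-ERROR ::= [APP 30] SEQUENCE
            code = int.from_bytes(children(err[0xA6])[0][1], "big")  # [6] error-code
            result["errorCode"] = (code, KRB_ERRORS.get(code, "?"))
            result["realm"] = children(err[0xA9])[0][1].decode()  # [9] realm
            sname = dict(children(children(err[0xAA])[0][1]))  # [10] sname PrincipalName
            result["sname"] = "/".join(v.decode() for _, v in children(children(sname[0xA1])[0][1]))
    return result
```

Call decode_continue_token(CONTINUE_TOKEN) on any continue token from the log; KRB_AP_ERR_MODIFIED against a machine-account sname is the classic symptom of the service being unable to decrypt the ticket (the account the server runs under does not hold the key for that SPN), which is the server-side account check the coordinator suggested.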