Using WAFFLE on 64 bit OS

Nov 11, 2010 at 11:25 PM

Here is what I am trying to achieve:

I am using JAAS for authenticating a user on Windows (this is not a web app, so no web server is involved). I need to get the user's domain from the local OS and do domain authentication on a remote Windows server (using NTLM or Kerberos). Here are my questions.

- Is WAFFLE tested on 64-bit OS? Do I need to change the .dll to move from 32 bit to 64 bit?

- Is it possible to avoid use of the .dll, as it will have OS compatibility issues?

- How do I switch between NTLM and Kerberos? If the server is not an Active Directory then I would like to authenticate the user using NTLM. Is it possible to do this using WAFFLE?

Thanks for your help.

Coordinator
Nov 12, 2010 at 12:55 AM
Edited Nov 12, 2010 at 12:56 AM

For the first two questions. Waffle works and has been tested on 64-bit OS. Waffle uses JNA, so there're no native DLLs involved (at least not visibly). There're no DLLs to place in any system directory or anything of that kind. If you're confused by the DLLs shipped with Waffle, there're C# managed DLLs that implement Waffle API, but those are used for C# clients only. For Java, you need waffle-jna.jar (and possibly another couple of JARs depending on your exact scenario, but no DLLs).

Waffle leverages Microsoft SSPI, so theoretically you don't need to do anything. Windows takes care of picking the right authentication protocol supported by the server. I am not quite sure what "using JAAS" really means though, so I might be wrong.

My recommendation is to try to implement something and see what happens :)

Nov 17, 2010 at 10:54 PM

Thanks for a quick reply. I am trying out the code. I am facing the issues below.

- When I just used the packaged jar files (commons-logging*.jar, jna.jar, platform.jar, waffle-jacob.jar) for authentication, I am getting auth fail.

- To debug the issue, I tried to get the source and used that in the product, but then I started getting other errors during my server startup as it's not able to locate certain jars which are internally used by waffle. Jars like: apache.catalina, javax.wsdl, ..

Do you have any idea?

As I mentioned earlier, mine is not a web-based app and I am using waffle for Windows auth through JAAS.

Thanks in advance.

Coordinator
Nov 17, 2010 at 11:29 PM

Auth fail is not much to work with. Do you get an exception? What is it?

JAR-wise:

  • commons-logging is used by all; it's a logging API that wraps on top of any other logger that you might be using in your app (e.g. log4j)
  • jna and platform.jar are Java Native Access
  • waffle 1.4 uses guava-r07.jar, that's Google's collections library (if you're on 1.4)
  • waffle-jacob.jar is for legacy COM interop, forget it

waffle-jna.jar has other runtime dependencies *if* you exercise that code, such as Tomcat's Catalina - you should never hit that code in your application.

Maybe you can build a small repro in the waffle source code tree that demonstrates your problem?

Nov 18, 2010 at 1:18 AM
Edited Nov 18, 2010 at 5:48 PM

I am getting "javax.security.auth.login.LoginException: Login Failure: all modules ignored" error on client (in my loginContext).

I don't have the entire waffle source code active for now, but I had to comment out commons-logging and waffle-jna, as commons-logging is conflicting with log4j from my project and, with waffle-jna, my project server startup is failing because of apache.catalina. Can I get the other code working without these two jars? Where is the logging code? I searched in the Waffle source for JAAS and I didn't find any logging code (just trying to find out what will fail without commons-logging).

Coming back to the original error: "javax.security.auth.login.LoginException: Login Failure: all modules ignored". Do you have any idea?

Here is how I am using it.

OSAuth.java

LoginContext lc = null;
lc = new LoginContext("WAFFLE", new CallbackHandler(userName, decryptedPassword));
lc.login();

Login.config

WAFFLE {com.xxx.yyy.zzz.accesscontrol.WindowsLoginModule required returnNames=true debug=false;};

WindowsLoginModule.java

public boolean login() throws LoginException {
    .
    .
    // I commented out principal part for now
    IWindowsIdentity windowsIdentity = null;
    try {
        windowsIdentity = _auth.logonUser(username, password);
    } catch (Exception e) {
        throw new LoginException(e.getMessage());
    }

    // disable guest login
    /*
    if (!_allowGuestLogin && windowsIdentity.isGuest()) {
        debug("guest login disabled: " + windowsIdentity.getFqn());
        throw new LoginException("Guest login disabled");
    }
    */

    /*
    try {
        _principals = new LinkedHashSet<Principal>();
        // _principals.addAll(getUserPrincipals(windowsIdentity, _principalFormat));
        if (_roleFormat != PrincipalFormat.none) {
            for (IWindowsAccount group : windowsIdentity.getGroups()) {
                _principals.addAll(getRolePrincipals(group, _roleFormat));
            }
        }
        _username = windowsIdentity.getFqn();
        debug("successfully logged in " + _username + " (" + windowsIdentity.getSidString() + ")");
    } finally {
        windowsIdentity.dispose();
    }
    */

    return true;
}

Thanks.

Coordinator
Nov 18, 2010 at 1:50 PM

I would start with the following.

  • Is the login module initialized? Put a breakpoint / debug in initialize.
  • Are you hitting the login code when you actually do a login, is the username/password correct, and what happens there (what throws)?

Next, I would really figure out whether there's no way you can use waffle-jna.jar as-is without having to go recompile everything.

  • You're saying there's a startup problem with Tomcat dependencies. What are they?
  • You're saying you have a problem with logging, what is it?

Assuming everything failed ...

Commons-logging should not have any problems side-by-side with log4j (we use it this way), but let's assume it does (it would be helpful to always provide actual errors). In Waffle source you'll find a lot of

private Log _log = LogFactory.getLog(WindowsAuthenticationProvider.class);

There're two imports that support it.

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

You can replace those imports with log4j directly instead of trying to strip logging - there should be no other code changes than the imports, it's the same interface.

Back to JAAS. You found waffle.jaas.WindowsLoginModule. It implements javax.security.auth.spi.LoginModule and is built for JAAS. It's pretty trivial so you can duplicate it in your code. There's a unit test that uses that (waffle.jaas.WindowsLoginModuleTests) with JAAS. So we should assume it works - port the test and make sure it works with your code first. There's a waffle-jaas demo that works with Tomcat and does the following.

jaas.policy contains (and the server is started with -Djava.security.auth.policy=<path-to-file>/jaas.policy)

grant Principal * * {
  permission java.security.AllPermission "/*";
};

The login.conf contains (and the server is started with -Djava.security.auth.login.config=<path-to-file>/login.conf)

Jaas {
    waffle.jaas.WindowsLoginModule sufficient debug=true principalFormat=both roleFormat=fqn;
};

Maybe you'll spot something different here ...
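
Added example (not from the thread and not Waffle's code): a self-contained Java program showing when JAAS raises the "Login Failure: all modules ignored" message quoted above, which LoginContext throws when every configured module returns false from login() or from commit(). DemoModule, its commitOk option and the "Demo" entry name are hypothetical, and the configuration is built in memory instead of being read from a login.conf file.

```java
import java.util.Collections;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class AllModulesIgnoredDemo {
    /** Hypothetical module: login() succeeds; commit() returns the "commitOk" option. */
    public static class DemoModule implements LoginModule {
        private boolean commitOk;
        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            commitOk = "true".equals(options.get("commitOk"));
        }
        public boolean login()  { return true; }      // phase 1: credentials accepted
        public boolean commit() { return commitOk; }  // phase 2: false means "ignore me"
        public boolean abort()  { return true; }
        public boolean logout() { return true; }
    }

    /** Logs in against a one-module in-memory configuration; returns "ok" or the error text. */
    static String tryLogin(final boolean commitOk) {
        Configuration cfg = new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        DemoModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                        Collections.singletonMap("commitOk", String.valueOf(commitOk))) };
            }
        };
        try {
            // Subject and CallbackHandler may be null with this constructor.
            new LoginContext("Demo", null, null, cfg).login();
            return "ok";
        } catch (LoginException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println("commit() returns true : " + tryLogin(true));
        System.out.println("commit() returns false: " + tryLogin(false));
    }
}
```

When debugging a custom module, log the return value of both login() and commit(), since a false from every module in either phase surfaces as this same message.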