Waffle + Websphere + AD

Nov 22, 2010 at 11:49 AM


Hello,

I'm trying to provide authentication for my web-app.

The users are stored in a Windows Active Directory running on a PC on our local intranet, so I am trying to understand if Waffle is a viable solution in this context.

So, I have put jna.jar, platform.jar and waffle-jna.jar in the WEB-INF/lib folder of my web-app and I've set up the following rules in web.xml:


    <filter>
        <filter-name>SecurityFilter</filter-name>
        <filter-class>
            waffle.servlet.NegotiateSecurityFilter
        </filter-class>
    </filter>
    <filter-mapping>
        <filter-name>SecurityFilter</filter-name>
        <url-pattern>/requests/*</url-pattern>
    </filter-mapping>

    <security-role>
        <role-name>IT\TestUsers</role-name>
    </security-role>

    <security-constraint>
        <display-name>Waffle Security Constraint</display-name>
        <web-resource-collection>
            <web-resource-name>Protected Area</web-resource-name>
            <url-pattern>/requests/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>IT\TestUsers</role-name>
        </auth-constraint>
    </security-constraint>

I've set up the details for the AD in WebSphere and I get a successful 'Test Connection'.

I've already instructed the administrators to create an AD group called 'TestUsers' and add to it the username which I use to log on to my PC.

So when I click on /requests/* links, I get a pop-up requesting my username/password.

I get the following output:

[NegotiateSecurityFilter] : GET /Web/requests/, contentlength: -1 [?.doFilter:?]
[NegotiateSecurityFilterProvider] : security package: NTLM, connection id: 127.0.0.1:1770 [?.doFilter:?]
[NegotiateSecurityFilterProvider] : token buffer: 40 byte(s) [?.doFilter:?]
[NegotiateSecurityFilterProvider] : continue token: TlRMTVNTUAACAAAABAAEADgAAAAFgoGiTHxZt3bPTAIAAAAAAAAAAJ4AngA8AAAABQCTCAAAAA9JAFQAAgAEAEkAVAABABgAQwBJADAAOQA4ADgAUgBDAEwAMAA0ADgABAAqAGkAdAAuAGMAbwByAHAAbgBlAHQALgBjAG8AbQBiAGEAbgBrAC4AZwByAAMARABDAEkAMAA5ADgAOABSAEMATAAwADQAOAAuAGkAdAAuAGMAbwByAHAAbgBlAHQALgBjAG8AbQBiAGEAbgBrAC4AZwByAAAAAAA= [?.doFilter:?]
[NegotiateSecurityFilterProvider] : continue required: true [?.doFilter:?]
[NegotiateSecurityFilter] : GET /Web/requests/, contentlength: -1 [?.doFilter:?]
[NegotiateSecurityFilterProvider] : security package: NTLM, connection id: 127.0.0.1:1771 [?.doFilter:?]
[NegotiateSecurityFilterProvider] : token buffer: 158 byte(s) [?.doFilter:?]
[NegotiateSecurityFilter] : error logging in user: Password given is not correct [?.doFilter:?]
[NegotiateSecurityFilter] : GET /Web/requests/, contentlength: -1 [?.doFilter:?]
[BasicSecurityFilterProvider] : logging in user: u304361 [?.doFilter:?]
[NegotiateSecurityFilter] : error logging in user: Program-client does not have any particular permission [?.doFilter:?]

Is this the correct way to go or am I missing something basic?


Sorry in advance for the 'newbie' question/s I am posting, but I'm really new to this technology :-)



With regards,

Antony

Nov 22, 2010 at 2:41 PM

The error code, to be exact, is:

"A required privilege is not held by the client."

and my OS is Windows 2000 with SP4

..and I am still trying to find a solution :)

Coordinator
Nov 22, 2010 at 10:09 PM

First, if you get a popup, that means SSO has failed. It has either failed at authentication or at authorization. The output you provided is from typing a username/password; the whole point is to avoid doing that :) Dump the user's group memberships (the Waffle demos do that) and find out whether IT\TestUsers is in the list.

Next, I am confused where you get that error "a required privilege is not held by the client".
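The group-membership dump the coordinator suggests, written as a stand-alone added example that is neither part of this thread nor one of the Waffle demos. It uses Waffle's public auth-provider API (WindowsAuthProviderImpl, IWindowsIdentity, IWindowsAccount) to resolve the role named in web.xml, log a user on the same way the filter's Basic fallback does, print every group in the resulting token with its SID, and say whether IT\TestUsers is among them. The class name DumpGroups, the REQUIRED_ROLE constant and the interactive username/password prompt are assumptions for the example; run it on the server that hosts the web-app, under the account the application server runs as, with jna.jar, platform.jar and waffle-jna.jar on the classpath.

```java
import java.io.Console;
import java.util.Arrays;

import waffle.windows.auth.IWindowsAccount;
import waffle.windows.auth.IWindowsAuthProvider;
import waffle.windows.auth.IWindowsIdentity;
import waffle.windows.auth.impl.WindowsAuthProviderImpl;

/**
 * Added diagnostic (not from the thread or the Waffle distribution):
 * resolves the web.xml role, logs a user on through Waffle, and lists
 * the groups the token carries so you can see whether the role is there.
 */
public class DumpGroups {

    /** Role exactly as written in the auth-constraint (assumed for the example). */
    static final String REQUIRED_ROLE = "IT\\TestUsers";

    /** True if any group in the token matches the role by fully-qualified name. */
    static boolean hasRole(IWindowsIdentity identity, String role) {
        for (IWindowsAccount group : identity.getGroups()) {
            if (role.equalsIgnoreCase(group.getFqn())) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        Console console = System.console();
        if (console == null) {
            System.err.println("run from an interactive console so the password can be read");
            return;
        }
        String username = args.length > 0 ? args[0] : console.readLine("User (DOMAIN\\user): ");
        char[] password = console.readPassword("Password: ");

        IWindowsAuthProvider provider = new WindowsAuthProviderImpl();

        // 1. Does the role itself resolve? lookupAccount throws if the group does not
        //    exist or the server cannot reach the domain; no filter setting fixes that.
        IWindowsAccount role = provider.lookupAccount(REQUIRED_ROLE);
        System.out.println("role " + role.getFqn() + " resolves to SID " + role.getSidString());

        // 2. Log the user on the way NegotiateSecurityFilter's Basic fallback does.
        //    logonUser throws a Win32Exception carrying the Windows error text on failure,
        //    which is where a message like "Password given is not correct" comes from.
        IWindowsIdentity identity = provider.logonUser(username, new String(password));
        Arrays.fill(password, '\0'); // don't keep the cleartext password around
        try {
            System.out.println("logged on as " + identity.getFqn()
                    + " (" + identity.getSidString() + "), guest=" + identity.isGuest());

            // 3. Dump every group in the token; this is the list isUserInRole() is checked against.
            for (IWindowsAccount group : identity.getGroups()) {
                System.out.println("  " + group.getFqn() + "  " + group.getSidString());
            }

            System.out.println(REQUIRED_ROLE
                    + (hasRole(identity, REQUIRED_ROLE) ? " IS " : " is NOT ") + "in the token");
        } finally {
            identity.dispose(); // releases the native logon token handle
        }
    }
}
```

If the role resolves and the user logs on but IT\TestUsers is missing from the list, the problem is authorization (group membership not yet effective, or a nested group the token does not carry), not the filter. Two general caveats when reading the result: group membership is baked into the token at logon, so a user added to a group must log off and on again before a fresh token shows it; and on Windows 2000 the process calling LogonUser must hold the "Act as part of the operating system" (SE_TCB_NAME) privilege, a requirement that later Windows versions dropped, so a logon attempt from an unprivileged service on that platform can fail with a "required privilege is not held" error before any password is checked.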