Waffle API?

Mar 2, 2011 at 7:24 PM

Is there a possibility to use Waffle directly from Java code without defining the Waffle servlet filter?

I already have a servlet which provides several authentication methods and want to add NTLM auth as additional possibility for authentication. What do you suggest how to accomplish this?

Thanks.

Mar 3, 2011 at 1:22 PM

The short answer is yes. Look at the filter source, reference waffle-jna.jar and copy the relevant pieces.

What are your other authentication methods? - I would think twice though before doing it, it might be easier to go the other way around. We had a similar story and spent a lot of time cramming multiple authentication methods into a single home-grown system. Eventually we ended up with Waffle and reimplemented our authentication mechanisms as standalone classes as waffle.servlet.spi.SecurityFilterProvider. Those can be registered with Waffle via a configuration file, offering a much cleaner model.

 

Mar 3, 2011 at 6:08 PM

Currently I have digest authentication with a shared secret for SSO between applications and form-based authentication. Both auth methods are backed by a user database. I now have to add NTLM/Kerberos authentication against Active Directory. Authentication will be based on AD group membership.

I now tried to integrate the filter with my application, but it is not working. Your waffle-filter demo runs fine. Here is the log:

2011-03-03 18:53:08,234 INFO  [http-8080-1] servlet.NegotiateSecurityFilter: GET /ws, contentlength: -1
2011-03-03 18:53:08,234 INFO  [http-8080-1] servlet.NegotiateSecurityFilter: authorization required
2011-03-03 18:53:08,249 INFO  [http-8080-1] servlet.NegotiateSecurityFilter: GET /ws, contentlength: -1
2011-03-03 18:53:08,249 INFO  [http-8080-1] spi.NegotiateSecurityFilterProvider: security package: Negotiate, connection id: 127.0.0.1:1963
2011-03-03 18:53:08,249 INFO  [http-8080-1] spi.NegotiateSecurityFilterProvider: token buffer: 40 byte(s)
2011-03-03 18:53:08,249 INFO  [http-8080-1] spi.NegotiateSecurityFilterProvider: continue token: TlRMTVNTUAACAAAAEAAQADgAAAAFgomi7J51AC4jtPgAAAAAAAAAAHwAfABIAAAABQEoCgAAAA9BAEkAVABJAE4AVABSAEEAAgAQAEEASQBUAEkATgBUAFIAQQABAAgARAAwADAAMQAEABYAYQBpAHQAaQBuAHQAcgBhAC4AZABlAAMAIABkADAAMAAxAC4AYQBpAHQAaQBuAHQAcgBhAC4AZABlAAUAFgBhAGkAdABpAG4AdAByAGEALgBkAGUAAAAAAA==
2011-03-03 18:53:08,249 INFO  [http-8080-1] spi.NegotiateSecurityFilterProvider: continue required: true
2011-03-03 18:53:08,249 INFO  [http-8080-1] servlet.NegotiateSecurityFilter: GET /ws, contentlength: -1
2011-03-03 18:53:08,249 INFO  [http-8080-1] spi.NegotiateSecurityFilterProvider: security package: Negotiate, connection id: 127.0.0.1:1963
2011-03-03 18:53:08,249 INFO  [http-8080-1] spi.NegotiateSecurityFilterProvider: token buffer: 182 byte(s)
2011-03-03 18:53:08,249 WARN  [http-8080-1] servlet.NegotiateSecurityFilter: error logging in user: Authentication failed.

Do you have any ideas? The filter is configured similar to the waffle-filter demo. I am using Windows XP with a Windows Server 2008 Active Directory.

Thank you for your suggestion to implement waffle.servlet.spi.SecurityFilterProvider, I think it will make sense to use the Waffle framework for all authentication aspects.
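An added example, not part of the original thread or of Waffle's own code: a small Python helper that classifies the base64 token the filter logs (or that a client sends in the Authorization header), showing whether the exchange is raw NTLM or a GSS-API mechanism. The function names and the constructed sample tokens are assumptions for illustration, and only the outer mechanism is inspected.

```python
import base64
import struct

NTLM_SIG = b"NTLMSSP\x00"
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
# DER-encoded mechanism OIDs that can follow the GSS-API 0x60 wrapper
GSS_MECHS = {
    bytes.fromhex("2b0601050502"): "SPNEGO",
    bytes.fromhex("2a864886f712010202"): "Kerberos 5",
    bytes.fromhex("2b06010401823702020a"): "NTLMSSP",
}
# Constructed samples (not captured traffic): 40-byte NTLM type 1, bare SPNEGO header
SAMPLE_NTLM_TYPE1 = base64.b64encode(NTLM_SIG + struct.pack("<I", 1) + bytes(28)).decode()
SAMPLE_SPNEGO = base64.b64encode(bytes.fromhex("600806062b0601050502")).decode()

def _der_len(buf, pos):
    """Read a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def classify_token(b64_token):
    """Describe a base64 token taken from a Negotiate/NTLM header or log line."""
    try:
        raw = base64.b64decode(b64_token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "invalid base64"
    if raw.startswith(NTLM_SIG):
        if len(raw) < 12:
            return "truncated NTLM message"
        (msg_type,) = struct.unpack_from("<I", raw, 8)  # little-endian message type
        return "raw NTLM " + NTLM_TYPES.get(msg_type, "unknown type %d" % msg_type)
    if raw[:1] == b"\x60":  # GSS-API InitialContextToken
        try:
            _, pos = _der_len(raw, 1)
            if raw[pos] != 0x06:
                return "GSS-API token without mechanism OID"
            oid_len, pos = _der_len(raw, pos + 1)
        except (ValueError, IndexError):
            return "malformed GSS-API token"
        oid = raw[pos:pos + oid_len]
        return "GSS-API " + GSS_MECHS.get(oid, "unknown mechanism " + oid.hex())
    return "unrecognised token"

if __name__ == "__main__":
    # First item: the first 12 bytes of the continue token in the log above
    for tok in ("TlRMTVNTUAACAAAA", SAMPLE_NTLM_TYPE1, SAMPLE_SPNEGO):
        print(classify_token(tok))
```

Applied to the log above, the continue token begins with the NTLMSSP signature and message type 2, so that exchange was an NTLM challenge under the Negotiate package.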

Mar 3, 2011 at 9:14 PM

Ok, I found the problem:

When I tried the waffle-filter demo, I accessed the local Tomcat on my computer via localhost:8080.

After integration of Waffle into the application I accessed it via a name which was registered only in my local hosts file. (For development purposes I am running several Tomcat instances on my computer. To distinguish them I gave them names which I just registered in the hosts file.)
Now I am using an "official" DNS name for accessing the Tomcat, and Waffle works as expected.

Mar 5, 2011 at 12:36 PM

There's a wealth of information about how to troubleshoot Negotiate here. Accessing localhost:8080 can work too.

Mar 5, 2011 at 12:38 PM
aitix wrote:

Currently I have digest authentication with a shared secret for SSO between applications and form-based authentication. Both auth methods are backed by a user database. I now have to add NTLM/Kerberos authentication against Active Directory. Authentication will be based on AD group membership

Fyi, I would like to see a Digest implementation in Waffle at least as demo, much like the Basic authenticator, since IIS does it "out-of-the-box". I had tried to implement it with Windows SSPI before, without much success.