Waffle API?

Mar 2, 2011 at 6:24 PM

Is there a possibility to use Waffle directly from Java code without defining the Waffle servlet filter?

I already have a servlet which provides several authentication methods and want to add NTLM auth as additional possibility for authentication. What do you suggest how to accomplish this?

Thanks.

Coordinator
Mar 3, 2011 at 12:22 PM

The short answer is yes. Look at the filter source, reference waffle-jna.jar and copy the relevant pieces.

What are your other authentication methods? - I would think twice though before doing it, it might be easier to go the other way around. We had a similar story and spent a lot of time cramming multiple authentication methods into a single home-grown system. Eventually we ended up with Waffle and reimplemented our authentication mechanisms as standalone classes as waffle.servlet.spi.SecurityFilterProvider. Those can be registered with Waffle via a configuration file, offering a much cleaner model.
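One way the "copy the relevant pieces" route can look, as an added example that is neither Waffle's own code nor anything from this thread: it drives the Negotiate/NTLM handshake through waffle-jna's IWindowsAuthProvider from a servlet's own code path and then authorizes on AD group membership. The Waffle class and method names (AuthorizationHeader, acceptSecurityToken, resetSecurityToken, IWindowsSecurityContext, IWindowsIdentity) are assumed from the 1.x API and should be checked against the version in use; java.util.Base64 needs Java 8 or later.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Base64;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import waffle.util.AuthorizationHeader;
import waffle.windows.auth.IWindowsAuthProvider;
import waffle.windows.auth.IWindowsIdentity;
import waffle.windows.auth.IWindowsSecurityContext;
import waffle.windows.auth.impl.WindowsAuthProviderImpl;
// Added example; Waffle API names are assumed from the 1.x releases, verify against your jar.
public class NegotiateHandshake {
    private final IWindowsAuthProvider auth = new WindowsAuthProviderImpl();
    /** Returns the identity, or null after sending 401 (challenge/reject) or 403 (wrong group). */
    public IWindowsIdentity authenticate(HttpServletRequest req, HttpServletResponse resp,
                                         Set<String> allowedGroups) throws IOException {
        AuthorizationHeader header = new AuthorizationHeader(req);
        if (header.isNull()) {
            return challenge(resp, "Negotiate"); // round 1: no token yet, advertise the package
        }
        // NTLM keeps state per connection: reuse the same id for every round of one handshake.
        String connectionId = req.getRemoteAddr() + ":" + req.getRemotePort();
        IWindowsSecurityContext ctx;
        try {
            ctx = auth.acceptSecurityToken(connectionId, header.getTokenBytes(), header.getSecurityPackage());
        } catch (RuntimeException e) { // a rejected token surfaces as a JNA Win32Exception
            auth.resetSecurityToken(connectionId);
            return challenge(resp, "Negotiate");
        }
        if (ctx.isContinue()) {
            // Server challenge (the "continue token" seen in Waffle's log): return it, await round 2.
            String token = Base64.getEncoder().encodeToString(ctx.getToken());
            return challenge(resp, header.getSecurityPackage() + " " + token);
        }
        IWindowsIdentity identity = ctx.getIdentity();
        boolean allowed = Arrays.stream(identity.getGroups())
                .anyMatch(g -> allowedGroups.contains(g.getFqn())); // e.g. "MYDOMAIN\\App Users"
        if (identity.isGuest() || !allowed) {
            identity.dispose();
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return null;
        }
        return identity; // caller must dispose() it when done
    }
    private static IWindowsIdentity challenge(HttpServletResponse resp, String value) throws IOException {
        resp.addHeader("WWW-Authenticate", value);
        resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return null;
    }
}
```

Call it from the servlet's existing authentication dispatch only when the Authorization header names Negotiate or NTLM, so the digest and form paths stay untouched.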


Mar 3, 2011 at 5:08 PM

Currently I have digest authentication with a shared secret for SSO between applications and form-based authentication. Both auth methods are backed by a user database. I now have to add NTLM/Kerberos authentication against Active Directory. Authentication will be based on AD group membership.

I now tried to integrate the filter with my application, but it is not working. Your waffle-filter demo runs fine. Here is the log:

2011-03-03 18:53:08,234 INFO  [http-8080-1] servlet.NegotiateSecurityFilter: GET /ws, contentlength: -1
2011-03-03 18:53:08,234 INFO  [http-8080-1] servlet.NegotiateSecurityFilter: authorization required
2011-03-03 18:53:08,249 INFO  [http-8080-1] servlet.NegotiateSecurityFilter: GET /ws, contentlength: -1
2011-03-03 18:53:08,249 INFO  [http-8080-1] spi.NegotiateSecurityFilterProvider: security package: Negotiate, connection id: 127.0.0.1:1963
2011-03-03 18:53:08,249 INFO  [http-8080-1] spi.NegotiateSecurityFilterProvider: token buffer: 40 byte(s)
2011-03-03 18:53:08,249 INFO  [http-8080-1] spi.NegotiateSecurityFilterProvider: continue token: TlRMTVNTUAACAAAAEAAQADgAAAAFgomi7J51AC4jtPgAAAAAAAAAAHwAfABIAAAABQEoCgAAAA9BAEkAVABJAE4AVABSAEEAAgAQAEEASQBUAEkATgBUAFIAQQABAAgARAAwADAAMQAEABYAYQBpAHQAaQBuAHQAcgBhAC4AZABlAAMAIABkADAAMAAxAC4AYQBpAHQAaQBuAHQAcgBhAC4AZABlAAUAFgBhAGkAdABpAG4AdAByAGEALgBkAGUAAAAAAA==
2011-03-03 18:53:08,249 INFO  [http-8080-1] spi.NegotiateSecurityFilterProvider: continue required: true
2011-03-03 18:53:08,249 INFO  [http-8080-1] servlet.NegotiateSecurityFilter: GET /ws, contentlength: -1
2011-03-03 18:53:08,249 INFO  [http-8080-1] spi.NegotiateSecurityFilterProvider: security package: Negotiate, connection id: 127.0.0.1:1963
2011-03-03 18:53:08,249 INFO  [http-8080-1] spi.NegotiateSecurityFilterProvider: token buffer: 182 byte(s)
2011-03-03 18:53:08,249 WARN  [http-8080-1] servlet.NegotiateSecurityFilter: error logging in user: Authentication failed.

Do you have any ideas? The filter is configured similar to the waffle-filter demo. I am using Windows XP with a Windows Server 2008 Active Directory.

Thank you for your suggestion to implement waffle.servlet.spi.SecurityFilterProvider, I think it will make sense to use the Waffle framework for all authentication aspects.

Mar 3, 2011 at 8:14 PM

Ok, I found the problem:

When I tried the waffle-filter demo, I accessed the local Tomcat on my computer via localhost:8080.

After integration of Waffle into the application I accessed it via a name which was registered only in my local hosts file. (For development purposes I am running several Tomcat instances on my computer. To distinguish them I gave them names which I just registered in the hosts file.)
Now I am using an "official" DNS name for accessing the Tomcat, and Waffle works as expected.

Coordinator
Mar 5, 2011 at 11:36 AM

There's a wealth of information about how to troubleshoot Negotiate here. Accessing localhost:8080 can work too.

Coordinator
Mar 5, 2011 at 11:38 AM
aitix wrote:

Currently I have digest authentication with a shared secret for SSO between applications and form-based authentication. Both auth methods are backed by a user database. I now have to add NTLM/Kerberos authentication against Active Directory. Authentication will be based on AD group membership.

Fyi, I would like to see a Digest implementation in Waffle at least as demo, much like the Basic authenticator, since IIS does it "out-of-the-box". I had tried to implement it with Windows SSPI before, without much success.