My scenario: I'm using Waffle's NegotiateSecurityFilter for SSO on Apache Tomcat to authenticate users for my web app. Now my application wants to consume the Microsoft Exchange Web Services (EWS) impersonating the logged-in user from Java. The calls to Exchange Web Services should be made with the Windows user credentials of the logged-in user, so e.g. if the webapp creates an appointment it will be in the mailbox of the logged-in user. To consume the Exchange Web Services via SOAP I'm using JAX-WS (Metro) http://jax-ws.java.net/ . Calling the EWS with the service account of Apache Tomcat works, but now I want to impersonate the logged-in user.
As far as I understand the protocols, I'm facing a "double hop" problem (or "two hop") and have to use Kerberos, and the web server has to be trusted for delegation. NTLM is not possible, because it can't delegate the credentials by design (client -> web-server / web-server -> EWS). So the "NegotiateSecurityFilterProvider/protocols" is "Negotiate".
My first try was to activate the new impersonation feature in Waffle 1.4, and I hoped that this would be enough to call the EWS with the logged-in user's credentials. A problem is that JAX-WS (Metro) uses the java.net.Authenticator for the credentials, and the Authenticator seems to be static and only initialized at the first call.
Another try was to use the Java EWS API from Microsoft http://archive.msdn.microsoft.com/ewsjavaapi . It uses the HttpClient 3.1 and JCIFS 1.3.15 for the Web Services calls, but I think HttpClient 3.1 doesn't support Kerberos.
I know this is not the right place to ask how to consume EWS but maybe someone can point me in the right direction.
- Is my theory correct, that it should be possible to make Web Service calls with the logged in user, or is this technically not possible with Waffle's impersonation?
- Is there a way around the static Authenticator problem when using JAX-WS (Metro) with Kerberos? (Basic Authentication would work, but I don't have the user's password.)
- Any other ideas how to consume a SOAP web service from Microsoft using the logged-in user's credentials?
So, I'm clutching at straws, but maybe someone has some hints.