Newbie question on using NegotiateAuthenticator valve

Mar 22, 2011 at 3:51 AM

I am looking at Waffle to do SSO on Windows environment, where my application runs on the Tomcat server.

My application has its own authentication mechanism implemented through a "plugin" that is supposed to validate username/password retrieved from the HTTP request against some database and return appropriate code if the user is authenticated.

From what I can tell, if I set up Tomcat with the NegotiateAuthenticator valve, the valve will do all the NTLM/Kerberos negotiation and authenticate the user such that by the time my application gets called (and triggers the plugin mentioned above), the user would have already been authenticated.  In essence my plugin code would have to do no work.  Is my understanding correct?

Thanks.

Coordinator
Mar 22, 2011 at 11:03 AM

Yes.

Mar 23, 2011 at 3:12 PM
Edited Mar 23, 2011 at 3:13 PM

Thanks for the reply.  To validate:

  1. The user is already logged into the Windows domain.  The user goes to the application URL. The NegotiateAuthenticator will validate that the user is already logged in, and let the user through.
  2. The user is not logged into the Windows domain.  The NegotiateAuthenticator valve will challenge the user for authentication.  The application will never see anything if the challenge fails.

I have two alternative scenarios to handle the second situation above (the user is not already logged in).

  • The user is ALWAYS redirected to a custom login page (unprotected I assume) which will do an application-based authentication.  The plugin described in my first post will then do the authentication directly with AD.
  • Let the NegotiateAuthenticator valve do the challenge.  If there is failure, force connection close and redirect to an unprotected custom login page (mentioned in some other posting here).

I realize this would require source code changes, but before I dive in further, do these sound feasible?  Which approach would be easier?

Coordinator
Mar 25, 2011 at 12:21 PM

You're wrong about (2). The browsers will pop up a dialog.

It's also possible to give users the ability to log in with a form or with Negotiate depending on their preference. This allows users who are already logged in to just press a button without any questions asked, or to enter some other credentials to log in. This is called "mixed" authentication and Waffle has a sample. I wrote about it here.

I think the mixed authenticator fully covers your scenario. Give it a try.
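The two set-ups discussed in this thread (the Negotiate-only valve from the first post, where the application only ever sees an already-authenticated request, and the mixed form/Negotiate login from the last reply) as concrete Tomcat configuration. This is an added example, not code from the thread or from the Waffle project itself. The valve and realm class names and the principalFormat/roleFormat attributes are the ones documented for Waffle's Tomcat valves; the file layout, the "Everyone" role, the page names and the j_security_check / j_negotiate_check query strings on the login page are my assumptions and should be checked against the Waffle mixed-authentication sample for the version you deploy.

```xml
<!-- META-INF/context.xml of the web application.
     Variant A (first post): NegotiateAuthenticator only. A request to a
     protected URL gets a 401 with "WWW-Authenticate: Negotiate"; the valve
     finishes the Kerberos/NTLM exchange and the servlet sees a populated
     request.getUserPrincipal(). A user whose browser cannot complete the
     exchange is shown the browser's credential dialog, never an app page.

<Context>
  <Valve className="waffle.apache.NegotiateAuthenticator"
         principalFormat="fqn" roleFormat="both" />
  <Realm className="waffle.apache.WindowsRealm" />
</Context>

     Variant B (last reply): MixedAuthenticator. An unauthenticated request
     is redirected to the FORM login page declared in web.xml, which offers
     both a password form and a Negotiate button. -->
<Context>
  <Valve className="waffle.apache.MixedAuthenticator"
         principalFormat="fqn" roleFormat="both" />
  <!-- WindowsRealm validates the form credentials against the local
       machine or the domain, so no application-side plugin is needed -->
  <Realm className="waffle.apache.WindowsRealm" />
</Context>

<!-- WEB-INF/web.xml fragments. The security-constraint is what triggers
     the valve at all: a URL outside the pattern is never authenticated. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- with roleFormat="both" Windows groups become container roles;
         "Everyone" (assumed here) is held by every authenticated account -->
    <role-name>Everyone</role-name>
  </auth-constraint>
</security-constraint>
<security-role>
  <role-name>Everyone</role-name>
</security-role>

<!-- Needed only for Variant B. FORM authentication leaves the login and
     error pages reachable without credentials, which is the "unprotected
     custom login page" asked about in the thread. -->
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Waffle</realm-name>
  <form-login-config>
    <form-login-page>/login.html</form-login-page>
    <form-error-page>/error.html</form-error-page>
  </form-login-config>
</login-config>

<!-- login.html (XHTML), Variant B only. Two submit paths into the same
     valve; the query strings are an assumption based on Waffle's sample. -->
<body>
  <!-- path 1: username/password, checked by WindowsRealm -->
  <form method="POST" action="?j_security_check">
    <input type="text" name="j_username" />
    <input type="password" name="j_password" />
    <input type="submit" value="Log in with a username and password" />
  </form>
  <!-- path 2: single sign-on, the valve issues the Negotiate challenge
       only after the user clicks, so no unexpected browser dialog -->
  <form method="POST" action="?j_negotiate_check">
    <input type="submit" value="Log in with my Windows account" />
  </form>
</body>
```

Two operational checks before relying on either variant: the browser only answers the Negotiate challenge silently for sites it trusts for integrated authentication (the Intranet zone in Internet Explorer, the trusted-URI settings in Firefox and Chrome), and an NTLM fallback is a multi-leg exchange on one TCP connection, so keep-alive must stay enabled on every proxy or load balancer in front of Tomcat.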