Technical information about WAFFLE

Apr 18, 2011 at 10:49 AM

Hello, we (Elanor company) have implemented authentication of our web application using your solution, WAFFLE (Tomcat servlet filter), and are pleased to see that it works very well. But for the "zero configuration", where we do not need to configure any settings of the domain controller or the domain name, we couldn't find any technical information on how it works in the background. We haven't found any on your website. We can't just say to our customers (some of them are big companies/banks with security departments, who will check this solution for security problems) that it works. We have to give them some technical information. Therefore we would like to ask you for detailed technical specifications for the Windows API that is used in the WAFFLE framework so that we could possibly pass them to the security department of our customers.

Apr 18, 2011 at 10:52 AM

Waffle uses the Security Support Provider Interface, aka SSPI. SSPI is a well-defined API for obtaining integrated security services for, among other things, authentication for any distributed application protocol. A client-server conversation is an example of such an application. SSPI is a Microsoft proprietary implementation of GSSAPI, an IETF standard.

I have a very detailed explanation with pictures on my blog, here. Please ask here or on those pages if you have any specific questions.