Use Windows Realm and dataSource Realms.

Apr 19, 2011 at 4:24 PM

Hi,

I have some problems with waffle:

I want to use 2 different methods of authentication in my app:
1. Try to authenticate with Active Directory (form or SSO, this isn't important now).
2. If 1 is not successful, try to authenticate with a DataSource Realm.

My context config file is:

    <Valve className="waffle.apache.MixedAuthenticator" principalFormat="both" roleFormat="both" allowGuestLogin="false"/>
    <Realm className="org.apache.catalina.realm.LockOutRealm">

        <!-- Realm for Windows authentication -->
        <Realm className="waffle.apache.WindowsRealm" />

        <!-- Realm with clear text password -->
        <Realm className="com.openpricer.tomcat.ExtendedDataSourceRealm"
               dataSourceName="jdbc/OP" localDataSource="true"
               userTable="ACTIVEUSERS" userNameCol="username" userCredCol="userpassword"
               userRoleTable="USERPRIVILEGES" roleNameCol="privilegename" />

        <!-- Realm with encrypted passwords -->
        <Realm className="com.openpricer.tomcat.ExtendedDataSourceRealm"
               dataSourceName="jdbc/OP" localDataSource="true" digest="SHA"
               userTable="ACTIVEUSERSCRYPT" userNameCol="username" userCredCol="cryptpassword"
               userRoleTable="USERPRIVILEGES" roleNameCol="privilegename" />
    </Realm>

But this doesn't work: the browser reloads logon.jsp without any error message or log.

Before this I had the following configuration, and it worked fine:

    <Valve className="com.openpricer.tomcat.ExtendedFormAuthenticator" characterEncoding="UTF-8" />
    <Realm className="org.apache.catalina.realm.LockOutRealm">

        <!-- Realm with clear text password -->
        <Realm className="com.openpricer.tomcat.ExtendedDataSourceRealm"
               dataSourceName="jdbc/OP" localDataSource="true"
               userTable="ACTIVEUSERS" userNameCol="username" userCredCol="userpassword"
               userRoleTable="USERPRIVILEGES" roleNameCol="privilegename" />

        <!-- Realm with encrypted passwords -->
        <Realm className="com.openpricer.tomcat.ExtendedDataSourceRealm"
               dataSourceName="jdbc/OP" localDataSource="true" digest="SHA"
               userTable="ACTIVEUSERSCRYPT" userNameCol="username" userCredCol="cryptpassword"
               userRoleTable="USERPRIVILEGES" roleNameCol="privilegename" />
    </Realm>

Has anyone had similar problems? Any ideas?

Thank you a lot.

Best regards,

Marc

Coordinator
Apr 19, 2011 at 11:08 PM

I don't think this is going to work. The Negotiate protocol often terminates on the client side, so in 50% of the cases you'll be left with a client that has a popup that asks him to enter credentials. And then you don't get the credentials on the server even if the user enters them (the client will try a login to Active Directory, which will fail because those don't represent actual AD credentials).

I think you have to try the mixed strategy, letting users choose whether they want to use their Windows credentials or their database credentials. Then you'll have to code a Waffle provider; the realm strategy is not going to work either. Fortunately that's relatively easy since there's already an example that does basic auth.

Apr 20, 2011 at 2:27 PM

We will try this. Thank you for your answer.

Best regards,

Marc