tomcat on local env + empty login = success?

May 19, 2011 at 7:26 PM

I implemented the negotiate (NTLM + Kerberos) authentication filter. When I use Firefox for testing, it prompts me for a username and password. If I put in a bogus username/password, it refuses to authenticate me and I get the proper result, that I can't see my website. However, if I just click "OK" and enter a blank username and blank password, it authenticates successfully and I can see my website. Why would it authenticate successfully with the empty username and password?

May 19, 2011 at 8:13 PM
Edited May 19, 2011 at 9:08 PM

Second question, and unrelated:

I see from the config files that WindowsAuthProviderImpl is one of the important classes. My goal is, from within my custom class, to get the username of the user who is being authenticated from waffle. I think I can basically make the waffle class a ref in my bean, then somehow use that reference to find the username. Any tips on how to do that? I do see there is a "String username" being passed around in certain methods, but I don't understand where those methods are called from, or how to get a reference to that username from another class. Thanks...

I have seen this thread but it did not clarify the issue. Is the 'anonymous login' allowed due to a setting in tomcat? Or in waffle? Or spring security .. ?

May 19, 2011 at 9:18 PM

You probably have anonymous logon enabled on the server. Check the server-side logs (Waffle output) to see that you're effectively logged in as an anonymous user. You can either disable it on your server or Active Directory (it really depends on the version of the server; Google can help) or in the Waffle configuration (depends on whether you chose to use a filter, valve, authenticator or the Spring Security module; the Waffle doc will help).

You should not reference Waffle. Regardless of which module you're using, Waffle deals with authentication and sets the username to something that you can retrieve from the server-side session. Look at the code in the demos that come with Waffle; in your bean you should be able to do request.getUserPrincipal().getName().

May 23, 2011 at 7:34 PM
Edited May 23, 2011 at 7:34 PM

Unfortunately I cannot touch the server settings (I can only touch tomcat and my web app for the most part..) and the only thing I could find on waffle was setting allowGuestLogin=false, which I had already done. I don't see any other relevant documentation in the .chm, am I missing something or looking at the wrong docs? I appreciate your time... sorry about all the questions.

May 23, 2011 at 9:35 PM

First, a few bugs were fixed in 1.4. Try that. If it doesn't, post server-side logs that have "such and such user logged on" and your .xml configuration where you disabled anonymous logon.

May 27, 2011 at 4:22 PM

OK, here's the Waffle config code. I have AllowGuestLogin=false, which I thought was what would prevent anonymous logins.

```xml
<!-- windows authentication provider -->
<!-- the class attribute was empty in the post as extracted and is left as-is here -->
<bean id="waffleWindowsAuthProvider" class="" />

<!-- collection of security filters -->
<bean id="negotiateSecurityFilterProvider" class="waffle.servlet.spi.NegotiateSecurityFilterProvider">
	<constructor-arg ref="waffleWindowsAuthProvider" />
</bean>
<bean id="basicSecurityFilterProvider" class="waffle.servlet.spi.BasicSecurityFilterProvider">
	<constructor-arg ref="waffleWindowsAuthProvider" />
</bean>
<bean id="waffleSecurityFilterProviderCollection" class="waffle.servlet.spi.SecurityFilterProviderCollection">
	<!-- constructor-arg/list wrapper restored; the extracted post only kept the two refs -->
	<constructor-arg>
		<list>
			<ref bean="negotiateSecurityFilterProvider" />
			<ref bean="basicSecurityFilterProvider" />
		</list>
	</constructor-arg>
</bean>

<!-- spring filter entry point -->
<sec:http entry-point-ref="negotiateSecurityFilterEntryPoint">
	<sec:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
	<sec:custom-filter ref="waffleNegotiateSecurityFilter" position="BASIC_AUTH_FILTER" />
</sec:http>

<bean id="negotiateSecurityFilterEntryPoint" class="waffle.spring.NegotiateSecurityFilterEntryPoint">
	<property name="Provider" ref="waffleSecurityFilterProviderCollection" />
</bean>

<!-- spring authentication provider -->
<sec:authentication-manager alias="authenticationProvider" />

<!-- spring security filter -->
<bean id="waffleNegotiateSecurityFilter" class="waffle.spring.NegotiateSecurityFilter">
	<property name="Provider" ref="waffleSecurityFilterProviderCollection" />
	<property name="AllowGuestLogin" value="false" />
	<property name="PrincipalFormat" value="fqn" />
	<property name="RoleFormat" value="both" />
</bean>
```

The user name that was being logged on, as reported by the Waffle stdout message, was NT Authority/Anonymous Logon. If there are further steps I need to take to disable anonymous login, I have not figured them out yet.

May 31, 2011 at 8:05 PM

Looks correct to me. Can we see the server-side log that has the anonymous user logged in (Waffle output)?

The code says this:

```java
_log.debug("logged in user: " + windowsIdentity.getFqn() + " (" + windowsIdentity.getSidString() + ")");
if (! _allowGuestLogin && windowsIdentity.isGuest()) {
	_log.warn("guest login disabled: " + windowsIdentity.getFqn());
	throw new GuestLoginDisabledAuthenticationException(windowsIdentity.getFqn());
}
```

Also, confirm that you're using 1.4 please.

The next step would be to debug this, i.e. figuring out whether _allowGuestLogin is not set from the config or whether windowsIdentity.isGuest is not returning the right thing for this user.
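While that debugging is in progress, a defensive check that does not depend on the outcome of isGuest() is to inspect the principal that Waffle has already placed on the request (the same request.getUserPrincipal().getName() mentioned earlier for reading the username from your own bean) and refuse the request when it is the anonymous account. The filter below is an added example, not code from Waffle or from the thread; it assumes the servlet 2.5/3.0 javax.servlet API, that it is mapped after the Waffle filter so the principal is already set, and that Waffle's principal is a waffle.servlet.WindowsPrincipal exposing getSidString(). The name AnonymousLogonGuardFilter and the request attribute authenticatedUser are hypothetical. S-1-5-7 is the well-known SID of NT AUTHORITY\ANONYMOUS LOGON.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Locale;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import waffle.servlet.WindowsPrincipal;

/**
 * Hypothetical filter (example code, not part of Waffle) that runs after the
 * Waffle negotiate filter and rejects the anonymous logon account even if
 * the guest-login check upstream let it through.
 */
public class AnonymousLogonGuardFilter implements Filter {

    /** Well-known SID of NT AUTHORITY\ANONYMOUS LOGON. */
    static final String ANONYMOUS_LOGON_SID = "S-1-5-7";

    /** Attribute name (hypothetical) under which the username is handed to the app. */
    static final String USER_ATTRIBUTE = "authenticatedUser";

    /**
     * True when the request carries no identity, or the identity is the anonymous
     * logon account. The SID check is authoritative; the name check is a fallback
     * for principals that are not WindowsPrincipal instances.
     */
    static boolean isAnonymousLogon(Principal principal) {
        if (principal == null) {
            return true; // nothing authenticated at all
        }
        if (principal instanceof WindowsPrincipal) {
            String sid = ((WindowsPrincipal) principal).getSidString();
            if (ANONYMOUS_LOGON_SID.equals(sid)) {
                return true;
            }
        }
        String name = principal.getName();
        return name != null
                && name.toUpperCase(Locale.ROOT).endsWith("ANONYMOUS LOGON");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Populated by Waffle's filter before this one runs.
        Principal user = request.getUserPrincipal();

        if (isAnonymousLogon(user)) {
            // Refuse here so the application never sees a request from the
            // anonymous account; the log line is what to look for when diagnosing.
            request.getServletContext().log(
                    "rejected anonymous logon from " + request.getRemoteAddr());
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Expose the username to downstream beans/JSPs without them touching Waffle.
        request.setAttribute(USER_ATTRIBUTE, user.getName());
        chain.doFilter(req, res);
    }

    @Override
    public void init(FilterConfig filterConfig) {
        // no configuration needed for this example
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

With the Spring Security setup shown above, the filter would be registered with a second sec:custom-filter entry ordered after waffleNegotiateSecurityFilter (for example with the after attribute); with the plain servlet filter it is a web.xml filter-mapping declared after Waffle's. Either way, a bean that wants the username can read request.getUserPrincipal().getName() directly, or the authenticatedUser attribute this example sets, rather than holding a reference to WindowsAuthProviderImpl.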