Active Directory Authentication

Jul 5, 2011 at 12:57 AM

I am trying to add active directory authentication in my tomcat server. The architecture is: end user ----- web server(tomcat)------app server(IIS). I am going to put AD protection on app server. Is it possible to use waffle to set static username/password in my web server and use them to authenticate in app server for each request?

Coordinator
Jul 5, 2011 at 4:18 PM

This looks like an odd setup. I am a bit confused by who's authenticating. You're saying that you want a specific user (hardcoded) on the tomcat web server to authenticate against the app server (ie. it's not the end-user that's authenticating?). Can you tell the full story maybe? :)

Jul 5, 2011 at 11:47 PM
dblock wrote:

This looks like an odd setup. I am a bit confused by who's authenticating. You're saying that you want a specific user (hardcoded) on the tomcat web server to authenticate against the app server (ie. it's not the end-user that's authenticating?). Can you tell the full story maybe? :)

Hi dblock, thanks for your reply. Yes, we want a hardcoded user on the tomcat web server to authenticate against the app server. It is not the end-user authenticating.

Here is the story: We have tomcat as web server and IIS as app server. We use HttpURLConnection for communications between web and app. They used to work fine, but now security has asked us to implement active directory authentication between web and app, so the app server knows who is sending the request. The web server will run under Windows. Both web server and app server are in the same domain. I am wondering if we can use the default web server Windows username for the app server active directory authentication? Or can we hardcode it in our web server code?

Coordinator
Jul 6, 2011 at 8:49 PM

So yes, you need to implement both the client and the server side of Negotiate. For the client side, check out this thread. For the server side, well that's Waffle's main scenario.

Jul 7, 2011 at 2:22 AM
Edited Jul 7, 2011 at 6:25 AM
dblock wrote:

So yes, you need to implement both the client and the server side of Negotiate. For the client side, check out this thread. For the server side, well that's Waffle's main scenario.

Hi dblock, thanks very much for your help. But I am not clear why we should implement both the client and server side of Negotiate. Should I just need the client side of Negotiate? I looked at the thread and the NegotiateSecurityFilterTest.testNegotiate() method, but still cannot figure out how these can fit in my scenario. Here, the web server will send requests to the app server via HttpURLConnection. When the web server is the client side of WAFFLE, the app is not a WAFFLE server. Also, WAFFLE uses the http session to save the authenticated subject, but HttpURLConnection does not support sessions.
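The client side of the Negotiate exchange that dblock points to (the part of NegotiateSecurityFilterTest.testNegotiate() that builds the client token), driven over HttpURLConnection against an IIS app server, as an added example that is not code from this thread or from the Waffle project. It assumes Waffle's client-side classes as used in that test (current releases pass the IWindowsCredentialsHandle to setCredentialsHandle; older ones took creds.getHandle()), an IIS host whose SPN is HTTP/app.corp.example (an assumed name), and that Tomcat runs as a domain account. No hardcoded password is involved: WindowsCredentialsHandleImpl.getCurrent uses the Windows logon of the Tomcat process, so that service account is the identity IIS sees.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.Base64;

import com.sun.jna.platform.win32.Sspi;
import com.sun.jna.platform.win32.Sspi.SecBufferDesc;

import waffle.windows.auth.IWindowsCredentialsHandle;
import waffle.windows.auth.impl.WindowsAccountImpl;
import waffle.windows.auth.impl.WindowsCredentialsHandleImpl;
import waffle.windows.auth.impl.WindowsSecurityContextImpl;

/**
 * Client half of HTTP Negotiate (SPNEGO) using Waffle's SSPI wrapper.
 * Example code, not part of Waffle. Runs on the Tomcat box under the
 * Windows account Tomcat executes as; that account is what IIS sees.
 */
public class NegotiateHttpClient {

    private static final String PACKAGE = "Negotiate";

    /**
     * Performs one authenticated GET and returns the HTTP status code.
     * targetSpn is the IIS host's SPN, e.g. "HTTP/app.corp.example"
     * (assumed value; must match the SPN registered in AD for that host).
     */
    public static int get(URL url, String targetSpn) throws IOException {
        // Credentials of the current process logon (the Tomcat service account).
        IWindowsCredentialsHandle creds = WindowsCredentialsHandleImpl.getCurrent(PACKAGE);
        creds.initialize();
        WindowsSecurityContextImpl ctx = new WindowsSecurityContextImpl();
        try {
            ctx.setPrincipalName(WindowsAccountImpl.getCurrentUsername());
            ctx.setCredentialsHandle(creds);
            ctx.setSecurityPackage(PACKAGE);
            // First leg: no server token yet, so continueCtx/continueToken are null.
            ctx.initialize(null, null, targetSpn);

            // Kerberos completes in one request; NTLM fallback needs two or three
            // legs, all on the same TCP connection (keep-alive handles that as long
            // as each 401 body is drained rather than disconnect()ed).
            for (int leg = 0; leg < 5; leg++) {
                HttpURLConnection conn = (HttpURLConnection) url.openConnection();
                conn.setRequestMethod("GET");
                conn.setRequestProperty("Authorization",
                        PACKAGE + " " + Base64.getEncoder().encodeToString(ctx.getToken()));
                int status = conn.getResponseCode();

                if (status != HttpURLConnection.HTTP_UNAUTHORIZED) {
                    return status; // 200 = authenticated; anything else is the server's real answer
                }
                String challenge = conn.getHeaderField("WWW-Authenticate");
                drain(conn.getErrorStream());
                if (challenge == null || !challenge.startsWith(PACKAGE + " ")) {
                    // A bare "WWW-Authenticate: Negotiate" means the token was rejected outright.
                    return status;
                }
                // Feed the server's token back into SSPI to produce the next leg.
                byte[] serverToken = Base64.getDecoder().decode(challenge.substring(PACKAGE.length() + 1));
                SecBufferDesc in = new SecBufferDesc(Sspi.SECBUFFER_TOKEN, serverToken);
                ctx.initialize(ctx.getHandle(), in, targetSpn);
            }
            throw new IOException("Negotiate handshake did not complete");
        } finally {
            ctx.dispose();
            creds.dispose();
        }
    }

    // Consume a response body so the JDK can reuse the underlying connection.
    private static void drain(InputStream in) throws IOException {
        if (in == null) {
            return;
        }
        try (InputStream s = in) {
            byte[] buf = new byte[4096];
            while (s.read(buf) != -1) {
                // discard
            }
        }
    }

    public static void main(String[] args) throws IOException {
        int status = get(new URL("http://app.corp.example/api/ping"), "HTTP/app.corp.example");
        System.out.println("HTTP " + status);
    }
}
```

Nothing on the client keeps a session: with Kerberos every request carries its own service ticket, so the loop above can simply be run per request (IIS re-authenticates each one unless authPersistNonNTLM is enabled), and with NTLM the authenticated state is bound to the TCP connection, not to a cookie. Waffle's HttpSession usage is on its server side only, which does not apply when the server is IIS.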