How to specify own domain name?

Jul 14, 2011 at 2:01 PM

Hi!

I discovered WAFFLE two days ago. Our company is going to include SSO login in our web applications. I am responsible for implementing that function and WAFFLE seems to be the best one of offered solutions. I am new to AD authentication, so I would like to ask you some questions @dblock:

1) Where exactly should I specify the name of users' group that I would like to authorize? For example, I am logged in local domain 'mydomain' and I would like to authenticate users belonging only to this group and no one else. For others I want to display login form (with username and password prompt). I tried to do it in <role-name> tags but it did not work (when I set another role name, instead of Everyone, I was still able to login).

2) After successful authorization, I would like to make a session for the authorized username and redirect him or her to the next steps. In your example I added a servlet and I was being authorized correctly, but when I was trying to call that servlet in the URL (http://localhost:8080/my_app/my_servlet) I got a 403 ERROR.

3) Where can I find more detailed documentation? My Project Manager ordered me to describe to him how WAFFLE works. I will be very grateful if you could tell me whether you have some class diagrams or a data flow scheme.


Thanks

Coordinator
Jul 14, 2011 at 3:17 PM
  1. Your application's configuration. But it depends which authenticator you're using. Get it to (not) work and ask a separate question, posting all your configuration and server-side logs.
  2. Go through "troubleshooting negotiate" in the doc and if that doesn't help post a separate question. Again, a 403 can be anything, so you need to look at the logs.
  3. When WAFFLE was started, I did an internal presentation on Windows Authentication. It might be helpful: Waffle 1.0.ppt. A more Tomcat/Java-centric presentation is also available here.

Hope this helps.

-dB.

Jul 15, 2011 at 6:53 AM

Hi @dblock

Thanks for your reply. According to your post, the content of my web.xml is:

<?xml version="1.0" encoding="ISO-8859-1"?>

<web-app xmlns="http://java.sun.com/xml/ns/javaee"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
   version="2.5">

  <description>Waffle Tomcat Authenticator Demo</description>
  <display-name>Waffle Demo</display-name>

  <security-constraint>
    <display-name>Waffle Security Constraint</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Everyone</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <display-name>Login Page</display-name>
    <web-resource-collection>
      <web-resource-name>Unprotected Login Page</web-resource-name>
      <url-pattern>/login.jsp</url-pattern>
    </web-resource-collection>
  </security-constraint>
  <servlet>
    <description></description>
    <display-name>Auth</display-name>
    <servlet-name>Auth</servlet-name>
    <servlet-class>com.wma.auth.Auth</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>Auth</servlet-name>
    <url-pattern>/Auth</url-pattern>
  </servlet-mapping>

  <error-page>
    <error-code>401</error-code>
    <location>/401.html</location>
  </error-page>

  <login-config>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.html</form-error-page>
    </form-login-config>
  </login-config>

</web-app>

Context.xml code:

<?xml version='1.0' encoding='utf-8'?>
<Context>
  <Valve className="waffle.apache.MixedAuthenticator" principalFormat="fqn" roleFormat="both" allowGuestLogin="false" />
  <Realm className="waffle.apache.WindowsRealm" />
</Context>

And my servlet code:

package com.wma.auth;

import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class Auth extends HttpServlet {

	protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
		PrintWriter out = response.getWriter();
		out.println("<h1>sed diam nonummy nibh euismod tincidunt ut laoreet dolore magna</h1>");
		out.close();
	}

	protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
		doGet(request, response);
	}

}
 
It's only a test servlet. I would like to set it as a protected area (if the user is not authorized, he or she can't view it). The problem is that even after a correct login in login.jsp I can't get access to that servlet. I get this error from Tomcat:

HTTP Status 403 - Access to the requested resource has been denied

The other issue is that I'm not being logged in automatically. I'm logged into the local domain, but after entering my web app I see the login form. My goal is a configuration where, on entering the site, WAFFLE verifies whether a user belongs to a domain whose name is specified. For example: the local domain's name that should be authorized automatically is my_domain. When the webapp detects that the user is logged into my_domain, he or she gets full access to the site and the webapp creates a session for him or her. Otherwise, if the user doesn't belong to my_domain and is logged into another domain, or tries to open the site from any other location, he or she must log in via the username/password form. I tried to configure it in many ways, but still didn't find a good one :(
After logging in I get an exception:
java.lang.IllegalStateException: Cannot call sendError() after the response has been committed
	at org.apache.catalina.connector.Response.sendError(Response.java:1292)
	at org.apache.catalina.realm.RealmBase.hasResourcePermission(RealmBase.java:840)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:545)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
	at java.lang.Thread.run(Unknown Source)
Coordinator
Jul 15, 2011 at 3:17 PM

Before you add your servlet, get it to work with the Waffle samples. Then build on top of that, adding your servlet. Finally, look at the server-side log. It should say that the user logged in as himself (e.g. DOMAIN\User), first. If that didn't happen, go through troubleshooting negotiate.
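A diagnostic servlet, added here as an example and not code from the original post or from WAFFLE, to tell the two failure modes in this thread apart: no authentication happening at all versus an authenticated user failing the role check with a 403. It uses the Servlet API plus Tomcat's GenericPrincipal (which WAFFLE's principal class extends, so the realm's full role list is visible; catalina.jar is needed on the compile classpath); the class name WhoAmI and the MYDOMAIN\Domain Users role name are constructed placeholders.

```java
package com.wma.auth;

import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import java.util.Arrays;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.realm.GenericPrincipal;

/**
 * Diagnostic servlet (constructed example): reports what the container decided
 * about the caller. Map it under the protected url-pattern; if it is reached at
 * all, the auth-constraint was satisfied, and its output shows which principal
 * and which roles WAFFLE assigned.
 */
public class WhoAmI extends HttpServlet {

    // Role names to probe. "Everyone" is the name from the thread's web.xml;
    // "MYDOMAIN\\Domain Users" is a placeholder, not a real group.
    private static final String[] PROBE_ROLES = { "Everyone", "MYDOMAIN\\Domain Users" };

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        Principal p = request.getUserPrincipal();
        StringBuilder report = new StringBuilder();
        // authType is null when no security constraint triggered authentication
        report.append("authType=").append(request.getAuthType()).append('\n');
        report.append("principal=").append(p == null ? "(none)" : p.getName()).append('\n');
        for (String role : PROBE_ROLES) {
            report.append("isUserInRole(").append(role).append(")=")
                  .append(request.isUserInRole(role)).append('\n');
        }
        // Tomcat's GenericPrincipal, which WAFFLE's principal extends, carries the
        // full role list the realm assigned; auth-constraint role-names are matched against it.
        if (p instanceof GenericPrincipal) {
            report.append("roles=").append(Arrays.toString(((GenericPrincipal) p).getRoles())).append('\n');
        }
        // Also write to the container log so the check works without a browser.
        getServletContext().log("WhoAmI: " + report.toString().replace('\n', ' '));
        response.setContentType("text/plain");
        PrintWriter out = response.getWriter();
        out.print(report);
        out.close();
    }
}
```

A 403 on this servlet means the container rejected the caller before the servlet ran, i.e. the role named in auth-constraint does not appear in the role list WAFFLE assigned, which is what the server-side log should be checked for first.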