How to specify own domain name?

Jul 14, 2011 at 3:01 PM


I discovered WAFFLE two days ago. Our company is going to include SSO login in our web applications. I am responsible for implementing that function and WAFFLE seems to be the best of the offered solutions. I am new to AD authentication, so I would like to ask you some questions @dblock:

1) Where exactly should I specify the name of users' group that I would like to authorize? For example, I am logged in local domain 'mydomain' and I would like to authenticate users belonging only to this group and no one else. For others I want to display login form (with username and password prompt). I tried to do it in <role-name> tags but it did not work (when I set another role name, instead of Everyone, I was still able to login).

2) After successful authorization, I would like to make a session for the authorized username and redirect him or her to the next steps. In your example I added a servlet and I was being authorized correctly, but when I was trying to call that servlet by URL (http://localhost:8080/my_app/my_servlet) I got a 403 error.

3) Where can I find more detailed documentation? My Project Manager ordered me to describe to him how WAFFLE works. I will be very grateful if you could tell me whether you have some class diagrams or a data flow scheme.



Jul 14, 2011 at 4:17 PM
  1. Your application's configuration. But it depends which authenticator you're using. Get it to (not) work and ask a separate question, posting all your configuration and server-side logs.
  2. Go through "troubleshooting negotiate" in the doc and if that doesn't help post a separate question. Again, a 403 can be anything, so you need to look at the logs.
  3. When WAFFLE was started, I did an internal presentation on Windows Authentication. It might be helpful: Waffle 1.0.ppt. A more Tomcat/Java-centric presentation is also available here.

Hope this helps.


Jul 15, 2011 at 7:53 AM

Hi @dblock

Thanks for your reply. According to your post, the content of my web.xml is:

<?xml version="1.0" encoding="ISO-8859-1"?>

<web-app xmlns=""

  <description>Waffle Tomcat Authenticator Demo</description>
  <display-name>Waffle Demo</display-name>

    <display-name>Waffle Security Constraint</display-name>
      <web-resource-name>Protected Area</web-resource-name>
    <display-name>Login Page</display-name>
      <web-resource-name>Unprotected Login Page</web-resource-name>

Context.xml code:

<?xml version='1.0' encoding='utf-8'?>
<Context>
  <Valve className="waffle.apache.MixedAuthenticator" principalFormat="fqn" roleFormat="both" allowGuestLogin="false" />
  <Realm className="waffle.apache.WindowsRealm" />
</Context>

And my servlet code:

package com.wma.auth;

import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Test servlet: writes a fixed heading for both GET and POST requests.
public class Auth extends HttpServlet {

	@Override
	protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
		PrintWriter out = response.getWriter();
		out.println("<h1>sed diam nonummy nibh euismod tincidunt ut laoreet dolore magna</h1>");
	}

	@Override
	protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
		doGet(request, response);
	}
}

It's only a test servlet. I would like to set it as a protected area (if the user is not authorized, he or she can't watch it). The problem is that even after a correct login in login.jsp I can't get access to that servlet. I get this error from Tomcat:

HTTP Status 403 - Access to the requested resource has been denied

The other issue is that I'm not being logged in automatically. I'm logged into the local domain, but after entering my web app I see the login form. My goal is to set the configuration so that, after entering the site, WAFFLE verifies whether or not a user belongs to a domain whose name is specified. For example: the local domain name that should be authorized automatically is my_domain. When the webapp detects that the user is logged in to my_domain, he or she gets full access to the site and the webapp makes the session for him or her. Otherwise, if the user doesn't belong to my_domain and is logged in to another domain, or tries to open the site from any other location, he or she must log in via the username/password form. I have tried to configure it in many ways, but still haven't found a good one :(

After logging in I get an exception:

java.lang.IllegalStateException: Cannot call sendError() after the response has been committed
	at org.apache.catalina.connector.Response.sendError(
	at org.apache.catalina.realm.RealmBase.hasResourcePermission(
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(
	at org.apache.catalina.core.StandardHostValve.invoke(
	at org.apache.catalina.valves.ErrorReportValve.invoke(
	at org.apache.catalina.core.StandardEngineValve.invoke(
	at org.apache.catalina.connector.CoyoteAdapter.service(
	at org.apache.coyote.http11.Http11Processor.process(
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(
	at Source)

Jul 15, 2011 at 4:17 PM

Before you add your servlet, get it to work with Waffle samples. Then build on top of that, adding your servlet. Finally, look at the server-side log. It should say that the user logged in as himself (e.g. DOMAIN\User), first. If that didn't happen, go through troubleshooting negotiate.
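
For question 1 and the 403 discussed in this thread, an added example (not part of the original posts and not WAFFLE's own sample file): a web.xml whose auth-constraint names a Windows group in the fully qualified form that the Valve's roleFormat="both" exposes as a Tomcat role. The group MYDOMAIN\Domain Users, the servlet-name and /error.html are placeholders assumed for illustration; the servlet class, its URL and login.jsp come from the posts above.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <!-- Servlet class and URL as given in the thread; the servlet-name is a placeholder. -->
  <servlet>
    <servlet-name>auth</servlet-name>
    <servlet-class>com.wma.auth.Auth</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>auth</servlet-name>
    <url-pattern>/my_servlet</url-pattern>
  </servlet-mapping>

  <!-- Every role used in an auth-constraint is declared here (placeholder group). -->
  <security-role>
    <role-name>MYDOMAIN\Domain Users</role-name>
  </security-role>

  <!-- Everything, including /my_servlet, requires membership in that group. -->
  <security-constraint>
    <display-name>Waffle Security Constraint</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>MYDOMAIN\Domain Users</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- No auth-constraint: the login page stays reachable before authentication. -->
  <security-constraint>
    <display-name>Login Page</display-name>
    <web-resource-collection>
      <web-resource-name>Unprotected Login Page</web-resource-name>
      <url-pattern>/login.jsp</url-pattern>
    </web-resource-collection>
  </security-constraint>

  <!-- Form fallback for users who are not signed in through Windows; error page is a placeholder. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.html</form-error-page>
    </form-login-config>
  </login-config>
</web-app>
```

Tomcat answers 403 from RealmBase.hasResourcePermission, the frame visible in the stack trace above, when the authenticated principal holds none of the roles listed in the matching auth-constraint, so the role-name has to match a group the user actually belongs to, character for character.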