installing WAFFLE as a Service. Client application can get request.RemoteUser

Jul 22, 2011 at 9:18 PM
Edited Jul 24, 2011 at 8:51 PM


  • I have a situation where I need to install this Waffle-based application as a servlet. (Done; hitting the servlet from the browser shows me the remoteUser. URL is: http://localhost:8080/SimpleSSO/Servlet1) - deployed on JVM1.
  • There is another webapplicationWF which should send the user's request to http://localhost:8080/SimpleSSO/Servlet1, and in return get the remoteUser back from this servlet. Once I have this remoteUser, I can connect to LDAP etc. from my webapplicationWF and authorize him/her. - deployed on JVM2.

Is this possible? There are many reasons why I need to keep Waffle as a separate servlet-based webapp.

I tried new URL(), but the Waffle servlet gives me back 401 Unauthorized. I tried HttpGet; it also gave me 401 Unauthorized. Basically it looks like I cannot call this Waffle servlet from another webapp.

I thought of making Waffle a standalone service, to which multiple requestors on different JVMs can forward the request and get their remoteUser back, and then do their SSO. Is this possible at all? I'm also open to putting this Waffle service on the same JVM, which means I will have to install this Waffle service multiple times, one on each cluster and with each webapplicationWF.

Scenario 1:

webapplicationWF (without the Waffle Negotiate filter) is a J2EE webapp. It has logic and some web services written in Apache Axis that are exposed from inside. Runs on Tomcat.

Clients: users use Internet Explorer, connect to this webapplicationWF from the intranet, enter login creds on index.jsp present inside webapplicationWF and get into this webapp. And other applications can call web services hosted inside this webapplicationWF normally.

Scenario 2:

BUT when I configured Waffle as a filter in webapplicationWF for /*, Negotiate happens perfectly; the user from IE is able to log into the webapp without having to put in a user name and password. (I use request.remoteUser and authenticate from LDAP.) But unfortunately, when other applications (webapp2) want to call the web services hosted inside webapplicationWF, webapp2 fails to get access with a 401 Unauthorized error.

Thank you,


Jul 25, 2011 at 11:19 AM

If you want to call a web service hosted inside an application that's behind Negotiate (Waffle) from a client, you need to implement the Negotiate protocol in this client. You can do this with Waffle; this is a similar discussion.

Jul 25, 2011 at 1:49 PM

dblock, thank you for your quick response.

So you mean I will have to implement my client something like this (taken from NegotiateSecurityFilterTests)? I hope this works if the service (Waffle) is deployed on UNIX.

public void testNegotiate() throws IOException, ServletException {
    String securityPackage = "Negotiate";
    // client credentials handle
    IWindowsCredentialsHandle clientCredentials = null;
    WindowsSecurityContextImpl clientContext = null;
    // role will contain both Everyone and SID
    try {
        // client credentials handle: the Windows logon this test runs under
        clientCredentials = WindowsCredentialsHandleImpl.getCurrent(securityPackage);
        clientCredentials.initialize();
        // initial client security context, bound to those credentials
        clientContext = new WindowsSecurityContextImpl();
        clientContext.setPrincipalName(Advapi32Util.getUserName());
        clientContext.setCredentialsHandle(clientCredentials.getHandle());
        clientContext.setSecurityPackage(securityPackage);
        clientContext.initialize(null, null);
        // filter chain
        SimpleFilterChain filterChain = new SimpleFilterChain();
        // negotiate: keep exchanging tokens until the filter has established a Subject
        boolean authenticated = false;
        SimpleHttpRequest request = new SimpleHttpRequest();
        while (true) {
            String clientToken = Base64.encode(clientContext.getToken());
            request.addHeader("Authorization", securityPackage + " " + clientToken);
            SimpleHttpResponse response = new SimpleHttpResponse();
            _filter.doFilter(request, response, filterChain);
            // the filter stores the authenticated Subject in the session under this key
            Subject subject = (Subject) request.getSession().getAttribute("javax.security.auth.subject");
            authenticated = (subject != null && subject.getPrincipals().size() > 0);
            if (authenticated) {
                // done: the request went down the chain and no challenge was sent
                assertEquals(0, response.getHeaderNames().length);
                break;
            }
            // not yet: the filter answered 401 with a continue token for the client
            assertTrue(response.getHeader("WWW-Authenticate").startsWith(securityPackage + " "));
            assertEquals("keep-alive", response.getHeader("Connection"));
            assertEquals(2, response.getHeaderNames().length);
            assertEquals(401, response.getStatus());
            String continueToken = response.getHeader("WWW-Authenticate").substring(securityPackage.length() + 1);
            byte[] continueTokenBytes = Base64.decode(continueToken);
            assertTrue(continueTokenBytes.length > 0);
            // feed the server's token back into the client context for the next round
            SecBufferDesc continueTokenBuffer = new SecBufferDesc(Sspi.SECBUFFER_TOKEN, continueTokenBytes);
            clientContext.initialize(clientContext.getHandle(), continueTokenBuffer);
        }
        assertTrue(authenticated);
        assertTrue(filterChain.getRequest() instanceof NegotiateRequestWrapper);
        assertTrue(filterChain.getResponse() instanceof SimpleHttpResponse);
        NegotiateRequestWrapper wrappedRequest = (NegotiateRequestWrapper) filterChain.getRequest();
        assertEquals("NEGOTIATE", wrappedRequest.getAuthType());
        assertTrue(wrappedRequest.getUserPrincipal() instanceof WindowsPrincipal);
    } finally {
        // release the SSPI context and the credentials handle
        if (clientContext != null) {
            clientContext.dispose();
        }
        if (clientCredentials != null) {
            clientCredentials.dispose();
        }
    }
}

Jul 25, 2011 at 2:38 PM

Well, it won't work on *nix; Waffle is Windows-only and assumes you're on a Windows machine joined to a domain. On *nix you will have to do something different, such as Basic auth. If it's still unclear, write a very simple description of your scenario again. -dB.

Jul 25, 2011 at 3:54 PM
  • My JEE webappWF, which has Waffle (Negotiate), shall reside on *nix boxes.
  • Users (people) will use Windows (specifically Internet Explorer) to connect to these webapps, and would require SSO. And, as you said, they will be joined to a domain.
  • The catch here is that webapp2, which is a caller to the Waffle-enabled webapp, will also reside on *nix, and the Windows user (people) will, say, click a button to call the web service on the webapp on *nix which is behind Waffle.

I guess this is a valid usage scenario for Waffle, correct?

Jul 25, 2011 at 6:41 PM

Won't work. Waffle is Windows-only. How are you joining your *nix machine to the domain?


Jul 26, 2011 at 4:51 PM


  • Sorry, I will take my previous post back. I was just told that my apps will be hosted on Windows, which is good. (Hence the delay in reply...)
  • Now how do you think the caller of the web service should be implemented, given that the web service is hosted on a separate webapp and is behind Waffle? Can you point me to some code?

Jul 26, 2011 at 6:38 PM

Your post above that copies one of the tests is a good place to start.
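Added example (not from this thread or from the Waffle project): the same token loop as the test above, but driven over real HTTP with HttpURLConnection, which is what webapp2 on JVM2 would run to call the Waffle-protected servlet. It assumes the Waffle API used in the quoted test (the setters and the two-argument initialize) and that the caller runs on a domain-joined Windows host; the target name is a placeholder SPN you must replace with the service's own.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;

import com.sun.jna.platform.win32.Sspi;
import com.sun.jna.platform.win32.Sspi.SecBufferDesc;
import waffle.util.Base64;
import waffle.windows.auth.IWindowsCredentialsHandle;
import waffle.windows.auth.impl.WindowsCredentialsHandleImpl;
import waffle.windows.auth.impl.WindowsSecurityContextImpl;

public class NegotiateClient {
    private static final String PACKAGE = "Negotiate";

    // Calls a Negotiate-protected URL as the Windows account this JVM runs under
    // and returns the final HTTP status (200 when the filter accepted the context).
    public static int call(String urlString, String targetName) throws IOException {
        IWindowsCredentialsHandle creds = WindowsCredentialsHandleImpl.getCurrent(PACKAGE);
        WindowsSecurityContextImpl ctx = new WindowsSecurityContextImpl();
        try {
            creds.initialize();
            ctx.setPrincipalName(targetName);            // placeholder SPN, e.g. "HTTP/host.example.local"
            ctx.setCredentialsHandle(creds.getHandle());
            ctx.setSecurityPackage(PACKAGE);
            ctx.initialize(null, null);                  // first client token
            while (true) {
                HttpURLConnection conn = (HttpURLConnection) new URL(urlString).openConnection();
                conn.setRequestProperty("Authorization", PACKAGE + " " + Base64.encode(ctx.getToken()));
                int status = conn.getResponseCode();
                String challenge = conn.getHeaderField("WWW-Authenticate");
                // Anything other than "401 + Negotiate continue token" ends the exchange:
                // 200 means the server-side filter established the Subject; 401 without a
                // token or 403 means it refused the context, so do not keep retrying.
                if (status != 401 || challenge == null || !challenge.startsWith(PACKAGE + " ")) {
                    return status;
                }
                byte[] token = Base64.decode(challenge.substring(PACKAGE.length() + 1));
                ctx.initialize(ctx.getHandle(), new SecBufferDesc(Sspi.SECBUFFER_TOKEN, token));
            }
        } finally {
            ctx.dispose();   // always release the SSPI context and credentials handle
            creds.dispose();
        }
    }

    public static void main(String[] args) throws IOException {
        System.out.println(call("http://localhost:8080/SimpleSSO/Servlet1", "HTTP/localhost"));
    }
}
```

Note that the servlet will see request.remoteUser as the account JVM2 runs under, not as the browser user who clicked the button; forwarding the end user's identity would need delegation, which this loop does not do.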