Turn off the WAFFLE

Aug 19, 2011 at 6:44 AM

Hi! My question is how can I turn off WAFFLE if the user is not logged into the domain? Our company is going to integrate WAFFLE with our Java web application, but the problem is that if workers are not in the company, they should also be able to log into the application. Some of them don't have accounts on the Active Directory server, but they have accounts in our web app. I thought about redirecting users who are not logged into the domain and don't have accounts in Active Directory to an unprotected login page and turning off the authentication via WAFFLE for all areas (auth would then be provided by our internal web application, which does not connect to the Active Directory server). I have read this topic: http://waffle.codeplex.com/workitem/9527 but when I try

             response.setHeader("Connection", "close");

it does not turn off WAFFLE. Is there any way to do that?

The other question is how can I get the Active Directory server's IP address? I would like to obtain additional information about the user (like name and surname) via OpenLDAP.


Aug 19, 2011 at 11:46 AM

I think that the workitem is a combination of optimism and wishful thinking. The only way I was ever able to do this reliably is to let the user choose upfront on a login page which authentication to use. The mixed authentication samples in Waffle do just that.

Active Directory is not one thing, it's potentially a bunch of servers. What you need is a domain controller. You can obtain this directly with JNA (which Waffle uses), with Netapi32Util.getDC. But maybe you don't even need to do that; depending on how OpenLDAP integrates on Windows, you should be able to do this. In any case, I'd appreciate it if you posted how you did it, with maybe working code, here.

Aug 19, 2011 at 12:32 PM

Thank you very much for your reply, dblock.

I checked the MixedAuthenticator demo, but is it possible to send a redirect with the "j_security_check" parameter that 'tells' WAFFLE that the user is ready to be authenticated? For example: I have a login form and its action is set to some servlet. The servlet gets the username and password from this form, checks in the database that the sent data is correct, and then sends a redirect to the same page with "j_security_check".

Aug 19, 2011 at 12:45 PM

If you're going to be sending the username/password to the server, you can just do basic auth. What you want is to try Negotiate/NTLM first, and if that fails try the database - but that can't work because this protocol can fail on both client and server, finishing with a 401 from the server and a local failure from the client. This results in a popup and there's nothing you can do to prevent it.

Aug 24, 2011 at 4:15 PM

Choosing your login type up front is good, but I use an alternate approach: a separate URL is provided for external users, something like http://host/myApp/externalUserAccess.

I use JAAS and the Waffle servlet filter at the same time. In web.xml, I have a servlet whose url-pattern is /secure/externalUserAccess, and I set up a security constraint with that same url-pattern. When an external user hits that URL the container invokes my JAAS LoginModule (it does database authentication) and then my servlet, which immediately redirects to the main secured entry point. Since JAAS added a Principal to the request, the Waffle filter assumes authentication has already occurred and grants access.

It's too bad that the primary failure feature is a credentials popup that never accepts your password... that's a real point of frustration with users.
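A web.xml fragment wiring up the layout described in this post, added here as an illustration rather than taken from the post or from the Waffle project. The filter class waffle.servlet.NegotiateSecurityFilter is Waffle's servlet filter; the /secure/* filter pattern, the servlet class, the role name and the login page paths are placeholders, and binding the container realm to the database JAAS LoginModule is container-specific configuration that lives outside web.xml.

```xml
<!-- Waffle filter guards the secured area (the /secure/* pattern is assumed) -->
<filter>
  <filter-name>SecurityFilter</filter-name>
  <filter-class>waffle.servlet.NegotiateSecurityFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>SecurityFilter</filter-name>
  <url-pattern>/secure/*</url-pattern>
</filter-mapping>

<!-- Entry servlet for external users; its only job is to redirect to the
     main secured entry point once the container has logged the user in
     (class name is a placeholder) -->
<servlet>
  <servlet-name>ExternalUserAccess</servlet-name>
  <servlet-class>com.example.ExternalUserAccessServlet</servlet-class>
</servlet>
<servlet-mapping>
  <servlet-name>ExternalUserAccess</servlet-name>
  <url-pattern>/secure/externalUserAccess</url-pattern>
</servlet-mapping>

<!-- Container security constraint on that same URL: the container performs
     JAAS authentication before any filter or servlet runs, so the Waffle
     filter sees a request that already carries a Principal -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>External user entry</web-resource-name>
    <url-pattern>/secure/externalUserAccess</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>externalUser</role-name>
  </auth-constraint>
</security-constraint>

<!-- Form login against the container realm; the login and error pages must
     sit outside /secure/* so the Waffle filter never intercepts them -->
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/externalLogin.jsp</form-login-page>
    <form-error-page>/externalLoginError.jsp</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>externalUser</role-name>
</security-role>
```

The realm behind the FORM login must be the one that invokes the database LoginModule (for example a JAAS realm configured in the container), and the login page itself should not be covered by any security constraint.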

Aug 24, 2011 at 10:52 PM

That popup was designed in the past century, I can't believe it's still there ;)