blank page when security is used

Nov 23, 2011 at 1:17 AM

Hi,

I'm new to Waffle. I'm trying to secure my simple web application. I do not have JSP. Only 1 html page that loads JavaScript files (I'm using TIBCO General Interface). I need to create a proxy class that will allow me to load the code on one server and call the backend services on another server. The proxy is working fine, but I'm now trying to use single sign-on to authenticate the users.

I followed the steps defined in the WAFFLE Help of Waffle 1.4 for "Servlet Single-Signon Security Filter". When I try to access my html page I'm asked to log in 3 times (maybe loading background resources?). I can see in the log:

2011-11-23 12:11:58.257|INFO|GET /test/, contentlength: -1
2011-11-23 12:11:58.273|INFO|authorization required
2011-11-23 12:11:58.304|INFO|GET /test/, contentlength: -1
2011-11-23 12:11:58.320|INFO|security package: Negotiate, connection id: 10.28.35.xxx:59319
2011-11-23 12:11:58.320|INFO|token buffer: 3061 byte(s)
2011-11-23 12:11:58.601|INFO|continue token: oYGK...29t
2011-11-23 12:11:58.601|INFO|continue required: true
2011-11-23 12:11:58.601|INFO|GET /test/, contentlength: -1
2011-11-23 12:11:58.601|INFO|security package: Negotiate, connection id: 10.28.35.xxx:59319
2011-11-23 12:11:58.601|INFO|token buffer: 3004 byte(s)
2011-11-23 12:11:58.617|INFO|continue token: ...4uY29t
2011-11-23 12:11:58.617|INFO|continue required: true
2011-11-23 12:12:00.007|INFO|GET /test/, contentlength: -1
2011-11-23 12:12:00.007|INFO|security package: Negotiate, connection id: 10.28.35.xxx:59319
2011-11-23 12:12:00.007|INFO|token buffer: 3061 byte(s)

so it seems to work fine. However, I only get a blank page in return:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content="text/html; charset=utf-8" http-equiv=Content-Type></HEAD>
<BODY></BODY></HTML>

Where I should have JavaScript loaded and a div element created.

Do I need to do something else to get this to work? Please let me know or point me to some documentation/website to help me fix this.

Cheers,

Ben

Nov 23, 2011 at 1:21 AM

Posting my web.xml in case it's useful:

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
	xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
	id="WebApp_ID" version="2.5">
	<display-name>App-Proxy</display-name>
	<welcome-file-list>
		<welcome-file>index.html</welcome-file>
	</welcome-file-list>

	<filter>
		<filter-name>SecurityFilter</filter-name>
		<filter-class>waffle.servlet.NegotiateSecurityFilter</filter-class>
		<!-- tried without the init-param but same result -->
		<init-param>
			<param-name>principalFormat</param-name>
			<param-value>fqn</param-value>
		</init-param>
		<init-param>
			<param-name>roleFormat</param-name>
			<param-value>both</param-value>
		</init-param>
		<init-param>
			<param-name>securityFilterProviders</param-name>
			<param-value>waffle.servlet.spi.BasicSecurityFilterProvider waffle.servlet.spi.NegotiateSecurityFilterProvider</param-value>
		</init-param>
		<init-param>
			<param-name>waffle.servlet.spi.NegotiateSecurityFilterProvider/protocols</param-name>
			<param-value>Negotiate NTLM</param-value>
		</init-param>

	</filter>

	<filter-mapping>
		<filter-name>SecurityFilter</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>

	<session-config>
		<session-timeout>30</session-timeout>
	</session-config>

	<servlet>
		<servlet-name>BWProxyServlet</servlet-name>
		<servlet-class>com.test.web.BWProxyServlet</servlet-class>
		<init-param>
			<param-name>BWServerURL</param-name>
			<param-value>http://serv1:9955</param-value>
		</init-param>
		<init-param>
			<param-name>requestType</param-name>
			<param-value>SOAP</param-value>
		</init-param>
		<init-param>
			<param-name>log4j.level</param-name>
			<param-value>DEBUG</param-value>
		</init-param>
		<load-on-startup>1</load-on-startup>
	</servlet>
	<servlet-mapping>
		<servlet-name>BWProxyServlet</servlet-name>
		<url-pattern>/CLERequest/*</url-pattern>
	</servlet-mapping>


</web-app>

Nov 23, 2011 at 6:13 AM

Alright, after a lot of testing and playing around, it seems that "Negotiate" doesn't work and it doesn't seem to fall back to NTLM.

I've tried with JCIFS and it works. :/

Any idea what I'm doing wrong?

Nov 23, 2011 at 11:40 PM
Edited Nov 23, 2011 at 11:42 PM

Ok, I changed the filter config to the following (forcing NTLM) and it's working:

<filter>
	<filter-name>SecurityFilter</filter-name>
	<filter-class>waffle.servlet.NegotiateSecurityFilter</filter-class>
	<init-param>
		<param-name>principalFormat</param-name>
		<param-value>both</param-value>
	</init-param>
	<init-param>
		<param-name>roleFormat</param-name>
		<param-value>both</param-value>
	</init-param>
	<init-param>
		<param-name>securityFilterProviders</param-name>
		<param-value>waffle.servlet.spi.BasicSecurityFilterProvider waffle.servlet.spi.NegotiateSecurityFilterProvider</param-value>
	</init-param>
	<init-param>
		<param-name>waffle.servlet.spi.NegotiateSecurityFilterProvider/protocols</param-name>
		<param-value>NTLM</param-value>
	</init-param>
</filter>

Can anyone tell me why Negotiate doesn't work with IE (8.0)? I'm not a security expert. Also, to log in, a username and password window pops up, even in IE. Is that normal?

Cheers,

Ben

Coordinator
Nov 24, 2011 at 5:41 PM

You should isolate the failure scenario (sounds like you have one) and follow Troubleshooting Negotiate. Most likely you don't have a valid SPN for that server.
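
One way to isolate the failing case is to look at what the browser actually put in the Authorization header. The following is an added example, not part of the thread and not Waffle code: it parses a Negotiate/NTLM header value and reports which mechanisms the client offered and whether the embedded token is NTLM or a GSS-API (Kerberos) token. The names `classify`, `payload_kind`, `tlv` and the `SAMPLE` header are this example's own, and `SAMPLE` is constructed rather than captured.

```python
import base64

MECHS = {  # DER-encoded OID values of the mechanisms seen in Negotiate tokens
    bytes.fromhex("2b0601050502"): "SPNEGO",                # 1.3.6.1.5.5.2
    bytes.fromhex("2a864886f712010202"): "Kerberos",        # 1.2.840.113554.1.2.2
    bytes.fromhex("2a864882f712010202"): "Kerberos (MS)",   # 1.2.840.48018.1.2.2
    bytes.fromhex("2b06010401823702020a"): "NTLM",          # 1.3.6.1.4.1.311.2.2.10
}
SAMPLE = "Negotiate " + base64.b64encode(bytes.fromhex(  # constructed, not captured
    "603b06062b0601050502a031302fa019301706092a864886f712010202"
    "060a2b06010401823702020aa21204104e544c4d535350000100000007820000")).decode()

def tlv(buf, pos):
    """Read one DER header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def payload_kind(tok):  # names a token by its leading bytes and, if present, its OID
    if tok.startswith(b"NTLMSSP\x00"):
        return "NTLM type %d" % int.from_bytes(tok[8:12], "little")
    if tok[:1] != b"\x60":                  # 0xa1 opens the later SPNEGO legs
        return "SPNEGO NegTokenResp" if tok[:1] == b"\xa1" else "unknown"
    _, v, e = tlv(tok, tlv(tok, 0)[1])      # OID right after the GSS-API wrapper
    return "GSS-API " + MECHS.get(tok[v:e], tok[v:e].hex())

def classify(header_value):
    """Return (token kind, mechanisms offered in client order, mechToken kind)."""
    b64 = header_value.strip().partition(" ")[2].strip()
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    kind = payload_kind(raw)
    if kind != "GSS-API SPNEGO":
        return kind, [], None
    p = tlv(raw, tlv(raw, 0)[1])[2]         # skip the wrapper header and SPNEGO OID
    _, p, seq_end = tlv(raw, tlv(raw, p)[1])  # enter [0], then the NegTokenInit SEQUENCE
    mechs, inner = [], None
    while p < seq_end:
        tag, v, e = tlv(raw, p)
        _, iv, ie = tlv(raw, v)             # SEQUENCE OF OID, or OCTET STRING
        while tag == 0xA0 and iv < ie:      # [0] mechTypes
            _, ov, oe = tlv(raw, iv)
            mechs.append(MECHS.get(raw[ov:oe], raw[ov:oe].hex()))
            iv = oe
        if tag == 0xA2:                     # [2] mechToken for the preferred mechanism
            inner = payload_kind(raw[iv:ie])
        p = e
    return "SPNEGO NegTokenInit", mechs, inner
```

`classify(SAMPLE)` reports Kerberos and NTLM offered with an NTLM type 1 message inside, meaning the client did not send a Kerberos ticket for the server, which is the case an SPN check helps confirm or rule out. The four visible characters of the first continue token in the log above (`oYGK`) decode to bytes `a1 81 8a`, which `classify` reports as a SPNEGO NegTokenResp.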