Pass through Negotiate authentication to downstream service

Mar 28, 2012 at 10:07 PM

Thanks for a great library!  It's so much cleaner to have Negotiate/NTLM straight to Tomcat vs doing IIS reverse proxy via the ISAPI redirect like we were doing before. Thanks!

I wanted to try to get another scenario working. I want to use the userPrincipal for a downstream http call to a webservice on another server (internal to the enterprise where the user can't reach). Basically, I want to use the user's windows credentials on that http call.  Right now, the downstream server recognizes this call as coming from the user that the tomcat server is running as.

I initially thought this is what was meant by 'impersonate' but that's not the same thing. I already have a good user principal inside the intranet ( in the form of DOMAIN\username ), but I now want to use this on a downstream call. I understand WAFFLE may not even want to do this, so any suggestions are welcome!


Mar 29, 2012 at 1:08 PM
Edited Mar 29, 2012 at 1:09 PM

Thanks for your nice comments.

What are you making those HTTP calls with? If that doesn't support NTLM client-side out of the box, you can definitely implement it with Waffle. Someone wrote both a client and a server without HTTP here:, you want the client side and you want those Authorization headers produced by waffle to go onto the HTTP request. Waffle test code also has a bunch of examples of both client and server side.

Mar 29, 2012 at 2:09 PM

Thanks, I'll take a look.  The client would have to be anything that can run on the jvm, as this code will be run within a grails and/or spring webapp.. so it can be java, groovy, clojure, whatever http client that lets me pass an end user's Authorization headers into a downstream http call.  I was thinking of using Apache's HttpClient: though I don't see a documented way of passing along Authorization headers.. maybe I'm missing something basic with HttpClient itself...

Mar 29, 2012 at 2:15 PM

I really don't know anything about those clients. But I am sure they all let you pass headers around :)