WAFFLE: Windows Authentication Framework (MOVED TO GITHUB DONT POST HERE)

New Post: Prompted for Windows Authentication using JBoss/Tomcat

dblock — Wed, 05 Jun 2013 14:01:48 GMT

WAFFLE HAS MOVED TO GITHUB

DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/.

New Post: Prompted for Windows Authentication using JBoss/Tomcat

sharksnack — Wed, 05 Jun 2013 13:56:11 GMT

I have an evironment I am trying to setup using WAFFLE, but i continue to get a Windows authentication pop-up bic when I try to access the application. Here is the server-side log:

2013-06-05 08:36:28,637 INFO [waffle.servlet.NegotiateSecurityFilter] GET /public_html/controller, contentlength: -1
2013-06-05 08:36:28,637 INFO [waffle.servlet.NegotiateSecurityFilter] authorization required
2013-06-05 08:36:28,652 INFO [waffle.servlet.NegotiateSecurityFilter] GET /public_html/controller, contentlength: -1
2013-06-05 08:36:28,652 INFO [waffle.servlet.spi.NegotiateSecurityFilterProvider] security package: Negotiate, connection id: 10.64.4.34:50692
2013-06-05 08:36:28,668 INFO [waffle.servlet.spi.NegotiateSecurityFilterProvider] token buffer: 2843 byte(s)
2013-06-05 08:36:28,824 INFO [waffle.servlet.spi.NegotiateSecurityFilterProvider] continue token: oXwweqADCgEBoQsGCSqGSIL3EgECAqJmBGRgYgYJKoZIhvcSAQICAwB+UzBRoAMCAQWhAwIBHqQRGA8yMDEzMDYwNTEzMzYyOFqlBQIDBHEOpgMCASmpERsPQ0NDLkNPT1BDQU0uQ09NqhMwEaADAgEBoQowCBsGYXBwdHJp
2013-06-05 08:36:28,824 INFO [waffle.servlet.spi.NegotiateSecurityFilterProvider] continue required: true
2013-06-05 08:36:28,840 INFO [waffle.servlet.NegotiateSecurityFilter] GET /public_html/controller, contentlength: -1
2013-06-05 08:36:28,840 INFO [waffle.servlet.spi.NegotiateSecurityFilterProvider] security package: Negotiate, connection id: 10.64.4.34:50692
2013-06-05 08:36:28,840 INFO [waffle.servlet.spi.NegotiateSecurityFilterProvider] token buffer: 2786 byte(s)
2013-06-05 08:36:28,840 INFO [waffle.servlet.spi.NegotiateSecurityFilterProvider] continue token: oW8wbaADCgEBomYEZGBiBgkqhkiG9xIBAgIDAH5TMFGgAwIBBaEDAgEepBEYDzIwMTMwNjA1MTMzNjI4WqUFAgMErhemAwIBKakRGw9DQ0MuQ09PUENBTS5DT02qEzARoAMCAQGhCjAIGwZhcHB0cmk=
2013-06-05 08:36:28,840 INFO [waffle.servlet.spi.NegotiateSecurityFilterProvider] continue required: true

Here are my settings in the web.xml for WAFFLE:
 <filter>

    <filter-name>WaffleSecurityFilter</filter-name>
    <filter-class>waffle.servlet.NegotiateSecurityFilter</filter-class>
    <init-param>
      <param-name>principalFormat</param-name>
      <param-value>fqn</param-value>
    </init-param>
   <init-param>
     <param-name>roleFormat</param-name>
     <param-value>both</param-value>
   </init-param>
   <init-param>
     <param-name>allowGuestLogin</param-name>
     <param-value>false</param-value>
   </init-param>
   <init-param>
     <param-name>securityFilterProviders</param-name>
     <param-value>waffle.servlet.spi.NegotiateSecurityFilterProvider</param-value>
   </init-param>
   <init-param>
     <param-name>waffle.servlet.spi.NegotiateSecurityFilterProvider/protocols</param-name>
     <param-value>Negotiate</param-value>
   </init-param>
 </filter>
 <filter-mapping>
   <filter-name>WaffleSecurityFilter</filter-name>
   <url-pattern>/*</url-pattern>
 </filter-mapping>

This JBoss configuration, including these WAFFLE settings, are a direct copy from another installation that does work properly.

When we put in the user/password credentials into the pop-up, we just get propmpted for them again. In fact this happens several times, then it will give us a separate authentication error page.

The browser is already set with the "Enable Windows Intergrated Authentication" as checked, and the application server has been added to the Local Intranet zone.

Any ideas?

Thanks in Advance!

New Post: I can not call sendError () after carrying out the answer

dblock — Wed, 22 May 2013 11:23:55 GMT

New Post: I can not call sendError () after carrying out the answer

aridadrianadri — Wed, 22 May 2013 10:34:42 GMT

Hello:

I'm trying to create a web application single sign-on with waffle and I'm having problems with security. The requirement of my site, it only can access those users who have a specific role but if a user does not belong to that role, when he is trying to login, the application has to load a login from to give the change to login with other user.
To carry out this I was following the waffle-mixed-post example. I have a index.jsp with this code:

<body onload="doLogin()">
        <form method="POST" name="loginform" id="loginform" action="private/loadMainPage">
            <input type="hidden" name="j_negotiate_check"/>
        </form>
    </body>

As you can imagine, the javascript doLogin is doing a submit of the form.
This is my web.xml:

<resource-ref>
    <description>Conexion a BD de tomacat</description>
    <res-ref-name>jdbc/asisa</res-ref-name>
    <res-type>javax.sql.DataSource</res-type>
    <res-auth>Container</res-auth>
</resource-ref>
<servlet>
    <servlet-name>AsisaFileUpload</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
</servlet>
<servlet-mapping>
    <servlet-name>AsisaFileUpload</servlet-name>
    <url-pattern>/</url-pattern>
</servlet-mapping>

<security-constraint>
    <display-name>Waffle security constraints</display-name>
    <web-resource-collection>
        <web-resource-name>Protected area</web-resource-name>
        <url-pattern>/private/*</url-pattern>
        <http-method>DELETE</http-method>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>USERSAD\aferrere</role-name>
        <!--<role-name>DOMASISA\GG_FTP_AD</role-name>-->
    </auth-constraint>
</security-constraint>
<security-constraint>
    <display-name>Login Page</display-name>
    <web-resource-collection>
        <web-resource-name>Unprotected Login Page</web-resource-name>
        <url-pattern>/login</url-pattern>
    </web-resource-collection>
</security-constraint>
<security-role>
    <role-name>USERSAD\aferrere</role-name>
    <!--<role-name>DOMASISA\GG_FTP_AD</role-name>-->
</security-role>


<error-page>
    <error-code>401</error-code>
    <location>/error_login</location>
</error-page>
<error-page>
    <error-code>403</error-code>
    <location>/login</location>
</error-page>

<login-config>
    <form-login-config>
        <form-login-page>/login</form-login-page>
        <form-error-page>/wrongLogin</form-error-page>
    </form-login-config>
</login-config>

The web site works fine at first; I mean, If an user with out the right role try to login the login form is loaded but the login form allow the access to all user. It seems that the security-constraint doesn't work at second time. The login form looks like that:

<body>
    <% 
        session.invalidate();
    %>
    <table cellspacing="0" cellpadding="0" class="tablacabecera">
            <tr>
                <td class="escudo">
                    <font size="1">
                        <img src="<c:url value='/resources/images/gif/asisa.gif'/>" />
                    </font>
                </td>
                <td class="area" align="center">
                    <h3></h3>
                </td>
                <td class="unidad">
                    Usuario<br>
                    <font color="blue" size="+2"><b><c:out value="${usuario}"/></b></font>
              </td>
            </tr>
            <tr>
                <td colspan="3" class="fondopuntos">
                    &nbsp;
                </td>
            </tr>
        </table>
    <div id="contenedora">
        <div class="arriba">
            <div class="abajo">
                <c:if test="${tipo == 'exito'}">
                    <h1 class="exitos" style="color:#008D00">${mensaje}</h1>
                </c:if>
                <c:if test="${tipo == 'error'}">
                    <h1 class="errores" style="color:#cc0000">${mensaje}</h1>
                </c:if>
                <c:if test="${tipo == '' }">
                    <h1 class="errores" style="color:#cc0000">${mensaje}</h1>
                </c:if>
                <div id="contenido">
                    <form method="POST" name="loginform" action="loadMainPage">
                        <div class="contenido-formulario">
                            <div class="campos" style="text-align:center;">
                                <table align="center">
                                    <tr>
                                        <td><label for="j_username">Usuario:</label></td>
                                        <td><input type="text" size="24" maxlength="30" name="j_username" id="j_username"/></td>
                                    </tr>
                                    <tr>
                                        <td><label for="j_password">Password:</label></td>
                                        <td><input type="password" size="24" maxlength="15" name="j_password" id="j_password"/></td>
                                    </tr>
                                    <tr>
                                        <td>&nbsp;</td>
                                        <td>&nbsp;</td>
                                    </tr>
                                    <tr>
                                        <td align="right"><input type="submit" name="1" value="Entrar" class="boton"></td>
                                        <td align="left"><input type="reset" name="Reset" value="Borrar" class="boton"></td>
                                    </tr>
                                </table>
                            </div>
                        </div>
                        <input type="hidden" name="j_security_check"/>
                    </form>
                </div>
            </div>
        </div>
    </div>
</body>

I'm runing the software in a Tomcat 6.0. The log of Tomcat give me the next message:

SEVERE: Error processing request
java.lang.IllegalStateException: I can not call sendError () after carrying out the answer
    at org.apache.catalina.connector.Response.sendError(Response.java:1292)
    at org.apache.catalina.realm.RealmBase.hasResourcePermission(RealmBase.java:845)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:545)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:602)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
    at java.lang.Thread.run(Unknown Source)

(The log was in Spanish so I apologize if the translation is not clear)
Could someone help me?

Thank you in advance for you help.

Commented Issue: Provide User information from AD to NegotiateAuthenticator and then to applications [10034]

OhadR — Fri, 05 Apr 2013 17:12:53 GMT

Combining Waffle and Com4j + Active Directory COM access thru ADO (described: http://weblogs.java.net/blog/2008/01/10/active-directory-authentication-hudson ) works. I was able to authenticate NTLM login AND to get the UPN (User Principal Name: first-name.last-name@yourdomain.com) and other AD info like user first name/last name, telephone number, etc.

The result:
* Waffle (unmodified) to authentify the user at the Tomcat Container level (SSO)
* In the different Java/Tomcat applications, I call a rather simple bean I developed from Com4J Kohsuke example. It is shared (tomcat\sharedlib) and uses Com4J (shared also) to call the ActiveX objects IADs (to get the root LDAP context) and ADsDSOObject to query the AD (I do not need to bind with AD as Waffle already did it).
This was needed because the JNA (used by Waffle) does not implement accesses to IAD and ADsDSOObject…

My idea of keeping unchanged Waffle and to retrieve the user’s Active Directory information in the different applications (using a bean calling Com4J) is bad: you may have to dig deeper than expected because applications have a lot of legacy code due to the evolution in authentication systems.

Why not improve the security Principal to store all useful Active Directory data directly from Waffle?
Comments: http://www.codeproject.com/Articles/572278/Java-Retrieving-information-such-as-users-email-an

New Post: how to specify target AD domain for authentication?

dblock — Fri, 22 Mar 2013 17:51:26 GMT

This project has moved to Github. Please email the new list.

New Post: how to specify target AD domain for authentication?

koti_bodipudi — Thu, 21 Mar 2013 18:51:29 GMT

@dblock: Could you please explain more details about what do you mean by Kerberos SPN problem.

How to configure SPN for this end point(server)?

How to disable Kerberos and do NTLM? is there way we can configure the filter for this?

I have a problem of access the server by name it does not authenticated, but if I use the IP address it authenticates with no problem.

Please help me on this.

Commented Issue: Provide User information from AD to NegotiateAuthenticator and then to applications [10034]

ChristopheDupriez — Mon, 18 Mar 2013 15:28:13 GMT

Combining Waffle and Com4j + Active Directory COM access thru ADO (described: http://weblogs.java.net/blog/2008/01/10/active-directory-authentication-hudson ) works. I was able to authenticate NTLM login AND to get the UPN (User Principal Name: first-name.last-name@yourdomain.com) and other AD info like user first name/last name, telephone number, etc.

The result:
* Waffle (unmodified) to authentify the user at the Tomcat Container level (SSO)
* In the different Java/Tomcat applications, I call a rather simple bean I developed from Com4J Kohsuke example. It is shared (tomcat\sharedlib) and uses Com4J (shared also) to call the ActiveX objects IADs (to get the root LDAP context) and ADsDSOObject to query the AD (I do not need to bind with AD as Waffle already did it).
This was needed because the JNA (used by Waffle) does not implement accesses to IAD and ADsDSOObject…

My idea of keeping unchanged Waffle and to retrieve the user’s Active Directory information in the different applications (using a bean calling Com4J) is bad: you may have to dig deeper than expected because applications have a lot of legacy code due to the evolution in authentication systems.

Why not improve the security Principal to store all useful Active Directory data directly from Waffle?
Comments: OhadR, the Waffle project is moved to GITHUB. No, I did not went thru making an article or finalized contribution to Waffle. Yes, I adapted my previous code to the new version of Waffle and 64bits environment. I can double check tomorrow what changed. You can write me directly at "dupriez", domain "destin" in BElgium.

Commented Issue: Provide User information from AD to NegotiateAuthenticator and then to applications [10034]

OhadR — Mon, 18 Mar 2013 14:41:39 GMT

Combining Waffle and Com4j + Active Directory COM access thru ADO (described: http://weblogs.java.net/blog/2008/01/10/active-directory-authentication-hudson ) works. I was able to authenticate NTLM login AND to get the UPN (User Principal Name: first-name.last-name@yourdomain.com) and other AD info like user first name/last name, telephone number, etc.

The result:
* Waffle (unmodified) to authentify the user at the Tomcat Container level (SSO)
* In the different Java/Tomcat applications, I call a rather simple bean I developed from Com4J Kohsuke example. It is shared (tomcat\sharedlib) and uses Com4J (shared also) to call the ActiveX objects IADs (to get the root LDAP context) and ADsDSOObject to query the AD (I do not need to bind with AD as Waffle already did it).
This was needed because the JNA (used by Waffle) does not implement accesses to IAD and ADsDSOObject…

My idea of keeping unchanged Waffle and to retrieve the user’s Active Directory information in the different applications (using a bean calling Com4J) is bad: you may have to dig deeper than expected because applications have a lot of legacy code due to the evolution in authentication systems.

Why not improve the security Principal to store all useful Active Directory data directly from Waffle?
Comments: great idea! > "Do post an article about how com4j lets you talk to AD, first " Did Christophe post the article? Was his idea integrated into Waffle? or is it still a stand-alone java file? I cannot find it in Waffle 1.5 ...

New Post: Waffle and GSS-API

dblock — Fri, 08 Feb 2013 14:00:22 GMT

WAFFLE HAS MOVED TO GITHUB
WAFFLE HAS MOVED TO GITHUB

WAFFLE HAS MOVED TO GITHUB
WAFFLE HAS MOVED TO GITHUB

WAFFLE HAS MOVED TO GITHUB
WAFFLE HAS MOVED TO GITHUB

WAFFLE HAS MOVED TO GITHUB
WAFFLE HAS MOVED TO GITHUB

DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/. DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/. DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/. DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/. DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/. We're going to give up the discussions here and move to THIS GOOGLE GROUP, please subscribe and stop posting questions here.

DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/. DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/. DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/. DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/. DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/. WAFFLE HAS MOVED TO GITHUB
WAFFLE HAS MOVED TO GITHUB

WAFFLE HAS MOVED TO GITHUB
WAFFLE HAS MOVED TO GITHUB

WAFFLE HAS MOVED TO GITHUB
WAFFLE HAS MOVED TO GITHUB

WAFFLE HAS MOVED TO GITHUB
WAFFLE HAS MOVED TO GITHUB

DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/. DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/. DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/. DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/. DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/. We're going to give up the discussions here and move to THIS GOOGLE GROUP, please subscribe and stop posting questions here.

DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/. DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/. DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/. DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/. DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/. WAFFLE HAS MOVED TO GITHUB
WAFFLE HAS MOVED TO GITHUB

WAFFLE HAS MOVED TO GITHUB
WAFFLE HAS MOVED TO GITHUB

WAFFLE HAS MOVED TO GITHUB
WAFFLE HAS MOVED TO GITHUB

WAFFLE HAS MOVED TO GITHUB
WAFFLE HAS MOVED TO GITHUB

DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/. DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/. DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/. DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/. DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/. We're going to give up the discussions here and move to THIS GOOGLE GROUP, please subscribe and stop posting questions here.

DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/. DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/. DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/. DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/. DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/. WAFFLE HAS MOVED TO GITHUB
WAFFLE HAS MOVED TO GITHUB

WAFFLE HAS MOVED TO GITHUB
WAFFLE HAS MOVED TO GITHUB

WAFFLE HAS MOVED TO GITHUB
WAFFLE HAS MOVED TO GITHUB

WAFFLE HAS MOVED TO GITHUB
WAFFLE HAS MOVED TO GITHUB

DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/. DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/. DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/. DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/. DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/. We're going to give up the discussions here and move to THIS GOOGLE GROUP, please subscribe and stop posting questions here.

DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/. DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/. DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/. DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/. DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/. WAFFLE HAS MOVED TO GITHUB
WAFFLE HAS MOVED TO GITHUB

WAFFLE HAS MOVED TO GITHUB
WAFFLE HAS MOVED TO GITHUB

WAFFLE HAS MOVED TO GITHUB
WAFFLE HAS MOVED TO GITHUB

WAFFLE HAS MOVED TO GITHUB
WAFFLE HAS MOVED TO GITHUB

DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/. DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/. DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/. DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/. DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/. We're going to give up the discussions here and move to THIS GOOGLE GROUP, please subscribe and stop posting questions here.

DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/. DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/. DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/. DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/. DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/.

New Post: Waffle and GSS-API

sanjayamin — Fri, 08 Feb 2013 09:03:32 GMT

I am working on POC using Waffle for kerberos SSO with JAAS on Windows 7 with stand-alone client. Could you please share Waffle JAAS client to get kerberos ticket or guide me for the steps to be perfomed with some examples. We need to avoid registry entry allowtgtsessionkey and hence want to try Waffle.

Thanks,
Sanjay

New Post: SSO with JAAS Login Module

dblock — Tue, 22 Jan 2013 22:42:26 GMT

WAFFLE HAS MOVED TO GITHUB
WAFFLE HAS MOVED TO GITHUB

DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/.

We're going to give up the discussions here and move to THIS GOOGLE GROUP, please subscribe and stop posting questions here.

DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/.

WAFFLE HAS MOVED TO GITHUB
WAFFLE HAS MOVED TO GITHUB

DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/.

We're going to give up the discussions here and move to THIS GOOGLE GROUP, please subscribe and stop posting questions here.

DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/.

WAFFLE HAS MOVED TO GITHUB
WAFFLE HAS MOVED TO GITHUB

DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/.

We're going to give up the discussions here and move to THIS GOOGLE GROUP, please subscribe and stop posting questions here.

DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/.

WAFFLE HAS MOVED TO GITHUB
WAFFLE HAS MOVED TO GITHUB

DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/.

We're going to give up the discussions here and move to THIS GOOGLE GROUP, please subscribe and stop posting questions here.

DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/.

WAFFLE HAS MOVED TO GITHUB
WAFFLE HAS MOVED TO GITHUB

DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/.

We're going to give up the discussions here and move to THIS GOOGLE GROUP, please subscribe and stop posting questions here.

DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/.

New Post: SSO with JAAS Login Module

sanjayamin — Tue, 22 Jan 2013 10:46:57 GMT

Hi,

I am looking for SSO implementation using JAAS and kerberos with Desktop client. Is the Java web server mandatory for implementing SSO with JAAS using Waffle? Our existing implementation is with Jaas and Kerberos. We need to continue with Kerberos. Could you please guide me for the same?

Thanks,

Sanjay

New Post: Waffle throws AccessDeniedException if non-localhost access

dblock — Wed, 09 Jan 2013 15:46:08 GMT

WAFFLE HAS MOVED TO GITHUB
WAFFLE HAS MOVED TO GITHUB

DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/.

We're going to give up the discussions here and move to THIS GOOGLE GROUP, please subscribe and stop posting questions here.

DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/.

New Post: Waffle throws AccessDeniedException if non-localhost access

jo_hn — Tue, 08 Jan 2013 09:53:27 GMT

Hi Folks,

I setup Tomcat 6 with Spring Security and Waffle as described in the help file. When I access my tomcat from the same machine (i.e. via localhost) everything works fine, but, when I try that from another machine, tomcat/spring/waffle throws the following error:

10:36:57.489 [http-8080-1] DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@90550640: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@7798: RemoteIpAddress: XXXREMOVEDXXX; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
10:36:57.509 [http-8080-1] DEBUG o.s.s.access.vote.AffirmativeBased - Voter: org.springframework.security.access.vote.RoleVoter@47098a, returned: 0
10:36:57.519 [http-8080-1] DEBUG o.s.s.access.vote.AffirmativeBased - Voter: org.springframework.security.access.vote.AuthenticatedVoter@1c3432a, returned: -1
10:36:57.529 [http-8080-1] DEBUG o.s.s.w.a.ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point
	org.springframework.security.access.AccessDeniedException: Access is denied
        at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83) ~[spring-security-

I started Tomcat via command line (either as admin or default user) or as a Windows Service (user local system).

Does anyone have an idea what I could try?

Many thanks in advance

John

---

IeHTTPHeaders:

GET /test HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, */*
Accept-Language: de
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; Trident/4.0; .NET CLR 1.1.4322; AskTbSTC-SRS/5.13.1.18132)
Accept-Encoding: gzip, deflate
Host: pc-032:8080
Connection: Keep-Alive
Cookie: JSESSIONID=E33691679D8C6A0E5CB9A78607ED3E82

HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
Connection: keep-alive
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="BasicSecurityFilterProvider"
Transfer-Encoding: chunked
Date: Tue, 08 Jan 2013 09:51:24 GMT

GET /test HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, */*
Accept-Language: de
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; Trident/4.0; .NET CLR 1.1.4322; AskTbSTC-SRS/5.13.1.18132)
Accept-Encoding: gzip, deflate
Host: pc-032:8080
Connection: Keep-Alive
Authorization: Negotiate YIIFJAYGKwYBBQUCo....
Cookie: JSESSIONID=E33691679D8C6A0E5CB9A78607ED3E82

HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
WWW-Authenticate: Negotiate oXsweaADCgEBoQsGCSqGSIL3EgEC....
Connection: keep-alive
Transfer-Encoding: chunked
Date: Tue, 08 Jan 2013 09:51:24 GMT

GET /test HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, */*
Accept-Language: de
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; Trident/4.0; .NET CLR 1.1.4322; AskTbSTC-SRS/5.13.1.18132)
Accept-Encoding: gzip, deflate
Host: pc-032:8080
Connection: Keep-Alive
Authorization: Negotiate oYIE8jCCBO6iggTqBIIE...
Cookie: JSESSIONID=E33691679D8C6A0E5CB9A78607ED3E82

HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
WWW-Authenticate: Negotiate oW4wbKADCgEBomUEY2BhBgkqhkiG9....
Connection: keep-alive
Transfer-Encoding: chunked
Date: Tue, 08 Jan 2013 09:51:24 GMT

Commented Issue: Authentication not propagated to EJBs [11025]

maol — Fri, 04 Jan 2013 10:15:22 GMT

I went with jboss-negotiation (SPNEGO). There is much more to do in terms of configuration but it works for what I need to do.
Look at http://community.jboss.org/wiki/JBossNegotiation and what they do for this.
Comments: I also have this problem. In the servlet code when I do request.getRemoteUser() it is correct, but in an EJB if I do: context.getCallerPrincipal it returns anonymous :'( .

New Post: WindowsSecurityContextImpl not authenticating

dblock — Mon, 17 Dec 2012 17:23:01 GMT

WAFFLE HAS MOVED TO GITHUB
WAFFLE HAS MOVED TO GITHUB

DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/.

We're going to give up the discussions here and move to THIS GOOGLE GROUP, please subscribe and stop posting questions here.

DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/.

New Post: WindowsSecurityContextImpl not authenticating

maloney — Mon, 17 Dec 2012 17:20:38 GMT

Hi,

I am using Waffle to authenticate users when they login. Now I have 2 versions of the code - in my branch version the authentication works fine, however in the trunk version it throws the following error:

com.sun.jna.platform.win32.Win32Exception: The token supplied to the function is invalid

I've inspected the 2 versions of the code and they have identical code around this area. When the inspecting the WindowsSecurityContextImpl there is a slight difference - it appears as though the credentials field is using 8 bytes in trunk but 16 bytes in branch.

This is the toString of the credentials field in trunk:

Sspi$CtxtHandle(allocated@0x18aedf50 (8 bytes)) {
Pointer dwLower@0=null
Pointer dwUpper@4=null
}
memory dump
[00000000]
[00000000]

and in branch:

Sspi$CredHandle(allocated@0xa588110 (16 bytes)) {
Pointer dwLower@0=native@0x243880
Pointer dwUpper@8=native@0x25dfcd0
}

If anyone can point me in the right direction of what is going wrong here that would be much appreciated.

Thanks,

New Post: how to enable anonymous login?

dblock — Mon, 08 Oct 2012 11:58:06 GMT

WAFFLE HAS MOVED TO GITHUB
WAFFLE HAS MOVED TO GITHUB

DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/.

We're going to give up the discussions here and move to THIS GOOGLE GROUP, please subscribe and stop posting questions here.

New Post: how to enable anonymous login?

tuvbunn2 — Mon, 08 Oct 2012 09:35:27 GMT

Hi,

I have Waffle working on my tomcat.

But i have a question, is there any posibility to enable a anonymous access?

when i cancel the popupwindow of the authentication i get the error This request requires HTTP authentication ().

Im using the following web.xml configuration:

<filter> <filter-name>SecurityFilter</filter-name>

<filter-class>waffle.servlet.NegotiateSecurityFilter</filter-class>

</filter>

<filter-mapping>

<filter-name>SecurityFilter</filter-name>

<url-pattern>/*</url-pattern>

</filter-mapping>

The strange thing is, when i just press ok in firefox i can access the website. on Ie or mobile devices the popupwindow say that i have to enter data.

I tried to enable the guest login with the init params in the filter tag

<init-param>

<param-name>allowGuestLogin</param-name>

<param-value>true</param-value>

</init-param>

but that didnt chance anything ;)

I hope someone can help me.

Thx,