Long Story about WAFFLE

We (AppSecInc.) had a pickle.

Our application, written in Java and running exclusively on Windows, needed Windows authentication. We started with FORMS and had no idea how to do this. After logon we wanted to get the logged on user and his group memberships. We made several mistakes right there.
  • We got the username and used it for permissions. This is wrong because the username can change. We should have used the SID, but that was harder to get.
  • We enumerated local groups to find out group members. Then we used group names for permissions. This is wrong because group names change. We should have used the group SIDs.
From local users we extended this to support Active Directory. We made a mistake right there.
  • We attempted to enumerate domain groups via LDAP to find out those that the user is a member of. This is wrong because it ignores domain trusts. This is also very hard because groups can be nested (we never got it to work that way).
From active directory support we wanted to do single-sign-on. We couldn't do it, so we went back to the drawing board.

Waffle is all of the above done right, open-source and free.

Today we use let users switch between Integrated Windows Authentication and FORMS login. We then use the Waffle SSO Authenticator or the Waffle JAAS Login Module.

Last edited Oct 8, 2010 at 12:45 AM by dblock, version 6


No comments yet.