GWT-Application + Waffle Filter doesn't work

DennisMh

Apr 25, 2017, 2:13:23 PM
to waffle
Hi all,

I am trying to use the Waffle filter example in my GWT application on Tomcat 9.
My workflow:
  1. Add the filter of the example to the web.xml
  2. Do an RPC call
  3. Get the User Principal in the ServiceImpl RPC method --> returns null
Code snippet in the method of the ServiceImpl:

HttpServletRequest request = getThreadLocalRequest();
request.getSession().getId(); //works, returns the correct session
request.getRemoteUser(); //returns null
Principal principal = request.getUserPrincipal(); //returns null

Is the workflow correct or do I have to do anything more/different?

In the network trace of the waffle-filter example there is a "WWW-Authenticate: Negotiate oRswG..." in the Response Header and in the Request Header I find the "Authorization: Negotiate oXcwdaADCgEBolo...". In the GWT app network trace of the RPC call these attributes are missing, so no authentication is made.
In the Tomcat log I can see that the Waffle filter is loaded while deploying ("INFO waffle.servlet.spi.SecurityFilterProviderCollection - loading 'waffle.servlet.spi.NegotiateSecurityFilterProvider'"), right? Deploying ends without errors.

Please help me to get that to work.

In addition to that I have to establish authentication to a Windows domain controller which isn't in the same domain / Active Directory as the server, and the domains don't trust each other. So I cannot use Waffle, right? Can I combine a JCIFS filter for the other domain and the Waffle filter for the authentication to the same domain?

Thanks for your help in advance.

Dennis

Peter Leong

Aug 31, 2017, 9:35:29 PM
to waffle
Hi Dennis,

This might be a little late but I use Waffle with GWT. The authentication takes place before the GWT app loads (via Main.html).  I'm using Tomcat with MixedAuthenticator valve and WindowsRealm realm.

web.xml excerpt:

   
    <error-page>
        <location>/WEB-INF/error.jsp</location>
    </error-page>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Sensitive</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>Everyone</role-name>
        </auth-constraint>
    </security-constraint>

    <!-- Resources excepted from authentication -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>excepted</web-resource-name>
            <url-pattern>/index.jsp</url-pattern>
            <url-pattern>/logout.jsp</url-pattern>
            <!-- Browsers request this automatically -->
            <url-pattern>/favicon.ico</url-pattern>
            <url-pattern>/media/corp-mark.png</url-pattern>
            <url-pattern>/Main/gwt/standard/standard.css</url-pattern>
            <!-- Excluded from security.
                 Authenticity is checked manually to prevent whacky RPC message when session expired -->
            <url-pattern>/dispatch/*</url-pattern>
        </web-resource-collection>
        <!-- no auth-constraint -->
    </security-constraint>

    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/WEB-INF/login.jsp</form-login-page>
            <form-error-page>/WEB-INF/login-error.jsp</form-error-page>
        </form-login-config>
    </login-config>

    <security-role>
        <role-name>Everyone</role-name>
    </security-role>




index.jsp
<%
    response.sendRedirect("Main.html?j_negotiate_check");
%>

- Pete
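
Pete's web.xml excludes /dispatch/* from the container's security constraint and says authenticity is checked manually there. One way such a check could look, as an added example that is not code from this thread: a servlet filter (hypothetical name DispatchAuthFilter, assumed to be mapped to /dispatch/* in web.xml) that fails closed with a 401 instead of letting an unauthenticated RPC through. It assumes the container restores the authenticated principal from the session on that unconstrained path and uses the javax.servlet API that Tomcat 9 ships.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Hypothetical filter; map it to /dispatch/* with a filter-mapping in web.xml. */
public class DispatchAuthFilter implements Filter {

    @Override
    public void init(FilterConfig config) { /* no configuration needed */ }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false): never create a fresh session for an unauthenticated caller.
        HttpSession session = request.getSession(false);
        // Assumption: the principal established at Main.html is exposed here as well.
        Principal principal = request.getUserPrincipal();

        if (session == null || principal == null) {
            // Fail closed: the RPC servlet is never reached, and the client gets a
            // plain status code rather than a login page in place of an RPC payload.
            response.setHeader("Cache-Control", "no-store");
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() { /* nothing to release */ }
}
```

On the GWT client a non-200 response reaches the AsyncCallback's onFailure as a StatusCodeException, where the app can reload Main.html to authenticate again.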