TOMCAT/WAFFLE Impersonate Request to Backend Webservice with SSO


mas...@swotty.at

May 18, 2017, 8:39:15 AM
to waffle

Hi,
I want to implement a Tomcat SSO frontend which connects to an IIS/.NET web service with the user's SSO credentials.
Workflow: IE with Windows Integrated Authentication <http/spnego> TOMCAT/WAFFLE with Impersonate = true <http/spnego> IIS/.NET Webservice
The solution works great if no Authorization header is set manually and IIS and TOMCAT share the same server (e.g. DEV environment, tcp:80 IIS, tcp:8080 TOMCAT).
Unfortunately this doesn't work in the PROD environment and results in an HTTP 401 error (different servers, which is a must for separation of duty).
So I started to add an Authorization header manually, and all attempts to fix the problem have failed so far.
I'm fairly new to Java and WAFFLE/JNA and I think that I am forgetting something.
Currently I'm not sure where to start further investigations.
The solution works if no Authorization header is set manually on the same server.
Why? And is there a chance to get around this by a config change?
If the Authorization header is set manually, should I focus on serverContext or clientContext, or both?
I spent multiple hours understanding and implementing the client/server SSO handshake from Thomas (Daniel).
http://tuhrig.de/a-windows-sso-for-java-on-client-and-server/
It would be great if somebody can help me with this issue.
Regards, Guenter


Handshake and Impersonation between Client and TOMCAT/WAFFLE seems OK.
May 17, 2017 1:53:19 PM waffle.servlet.NegotiateSecurityFilter doFilter
INFO: successfully logged in user: <domain>/<username>
May 17, 2017 1:53:19 PM waffle.servlet.NegotiateSecurityFilter doFilter
FINE: impersonating user
May 17, 2017 1:53:19 PM waffle.servlet.NegotiateSecurityFilter doFilter
FINE: terminating impersonation
May 17, 2017 1:53:19 PM waffle.servlet.NegotiateSecurityFilter doFilter
FINE: GET /CMDBedit/wizard, contentlength: -1
May 17, 2017 1:53:19 PM waffle.servlet.spi.NegotiateSecurityFilterProvider isPrincipalException
FINE: authorization: Negotiate YIIQOgY... ntlm post: false
May 17, 2017 1:53:19 PM waffle.servlet.NegotiateSecurityFilter doFilterPrincipal
FINE: previously authenticated Windows user: <domain>/<username>
May 17, 2017 1:53:19 PM waffle.servlet.NegotiateSecurityFilter doFilterPrincipal
FINE: re-impersonating user
May 17, 2017 1:53:19 PM waffle.servlet.NegotiateSecurityFilter doFilterPrincipal
FINE: terminating impersonation

Code Example:
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import waffle.windows.auth.IWindowsSecurityContext;
import waffle.windows.auth.impl.WindowsSecurityContextImpl;

String securityPackage = "Negotiate";
String spn = "<HTTP/servername.domain.suffix>"; // target SPN of the backend IIS web service
// Initialise a client security context as the current (impersonated) user and take its first token
IWindowsSecurityContext clientContext = WindowsSecurityContextImpl.getCurrent(securityPackage, spn);
String clientToken = Base64.getEncoder().encodeToString(clientContext.getToken());
String requestHeader = securityPackage + " " + clientToken;
System.out.println("SPN: "+spn);
System.out.println("TOK: "+requestHeader);
System.out.println("LEN: "+requestHeader.length());
System.out.println("TLE: "+clientToken.length());
System.out.println("USR: "+clientContext.getPrincipalName());
System.out.println("IDY: "+clientContext.getHandle());
Map<String, String> params = new HashMap<>(); // request headers; assumed to be declared earlier in the original code
params.put("Authorization", requestHeader); //  iterate over multiple params and add them to conn.setRequestProperty()

The response is always the same: HTTP 401.
Special case: if I use Kerberos instead of Negotiate on the client with local TOMCAT, the response is OK.
On the DEV/PROD server this results in a JNA exception: "No security Provider found".

Here are the results for securityPackage = Negotiate:
Client with Local TOMCAT which connects to DEV IIS/.NET Webservice
SPN: HTTP/<server DEV>.<domain>.inside
TOK: Negotiate YIIQOAYGK....==
LEN: 5554
TLE: 5544
USR: <domain>\<username>
IDY: Sspi$CtxtHandle(auto-allocated@0x5d13c2f0 (16 bytes)) {
  Pointer dwLower@0=native@0x4596b0
  Pointer dwUpper@8=native@0x1ccaf90
}

Client connects to DEV TOMCAT Server which connects to DEV IIS/.NET Webservice (same server)
SPN: HTTP/<server DEV>.<domain>.inside
TOK: Negotiate TlRMTVNTUAABAAAAl7II4gcABwAyAAAACgAKACgAAAAGA4AlAAAAD1ZNQ01EV1QwMDFBVVNUUklB
LEN: 86
TLE: 76
USR: <domain>\<username>
IDY: Sspi$CtxtHandle(auto-allocated@0x16a15c70 (16 bytes)) {
  Pointer dwLower@0=native@0x1a13e0
  Pointer dwUpper@8=native@0xb94aae3250
}


Client connects to PROD TOMCAT Server which connects to PROD IIS/.NET Webservice (different server)
SPN: HTTP/<server DEV>.<domain>.inside
TOK: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGA4AlAAAADw==
LEN: 66
TLE: 56
USR: <domain>\<username>
IDY: Sspi$CtxtHandle(auto-allocated@0x146fe750 (16 bytes)) {
  Pointer dwLower@0=native@0x2ce8d0
  Pointer dwUpper@8=native@0x5735205680
}
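Added example (not part of the original post) that classifies the Authorization: Negotiate tokens quoted above by their leading bytes: a token starting with TlRMTVNTUAAB decodes to the raw NTLMSSP signature plus message type 1, so the Negotiate package fell back to NTLM instead of producing a Kerberos/SPNEGO GSS-API token (DER tag 0x60, base64 "YI..."). The NTLM sample is the complete PROD token from the post; the SPNEGO sample is constructed by extending the post's truncated "YIIQOAYGK..." prefix with the SPNEGO OID.

```python
import base64

NTLMSSP_SIG = b"NTLMSSP\x00"
MECH_OIDS = {"1.3.6.1.5.5.2": "SPNEGO", "1.2.840.113554.1.2.2": "Kerberos 5",
             "1.3.6.1.4.1.311.2.2.10": "NTLMSSP (NTLM inside SPNEGO)"}

# Sample headers: the NTLM one is the complete PROD token quoted above; the SPNEGO
# one is constructed by extending the post's "YIIQOAYGK..." prefix with the SPNEGO OID.
SAMPLE_HEADERS = {
    "PROD TOMCAT -> PROD IIS": "Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGA4AlAAAADw==",
    "local TOMCAT -> DEV IIS": "Negotiate YIIQOAYGKwYBBQUC",
}

def _der_length(buf, i):
    """Read a DER length at buf[i]; return (length, index of the content)."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def _decode_oid(body):
    """Turn OID content octets into dotted notation (base-128 arcs)."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def classify_negotiate_token(header):
    """Describe the mechanism a Negotiate header actually carries."""
    scheme, _, b64 = header.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return f"not a Negotiate header ({scheme})"
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    if raw.startswith(NTLMSSP_SIG):  # "NTLMSSP\0" followed by little-endian message type
        msg_type = int.from_bytes(raw[8:12], "little")
        return f"raw NTLMSSP type {msg_type} (Kerberos was not used)"
    if raw[:1] == b"\x60":  # [APPLICATION 0] InitialContextToken { thisMech OID, ... }
        _, i = _der_length(raw, 1)
        if raw[i] == 0x06:  # OBJECT IDENTIFIER tag
            oid_len, j = _der_length(raw, i + 1)
            oid = _decode_oid(raw[j:j + oid_len])
            return f"GSS-API token, mechanism {MECH_OIDS.get(oid, oid)}"
    return "unrecognised token"

if __name__ == "__main__":
    for hop, hdr in SAMPLE_HEADERS.items():
        print(f"{hop}: {classify_negotiate_token(hdr)}")
```

Run it against the TOK lines of each hop: when the backend hop shows a raw NTLMSSP type 1 while the same-server case shows a SPNEGO token, the Negotiate package on the Tomcat host could not obtain a Kerberos ticket for the backend SPN and fell back to NTLM.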

