Have Waffle working over HTTPS?


Michael Kong

Jul 26, 2016, 6:50:54 PM
to waffle
I used Waffle for Windows Authentication for my application, and it worked great. Then my client asked to use HTTPS instead of HTTP, so I enabled HTTPS in Tomcat.

I have followed the Tomcat instructions to create a keystore using the command-line tool, and put the keystore into the Tomcat root folder.

Then I modified server.xml and web.xml to enable forwarding to port 8443 for HTTPS.


After restarting the server, the HTTPS part is working, but sadly, the Windows Authentication stopped working. I wonder if there is any conflict between Waffle and HTTPS?

Here is the security-constraint I have to add to web.xml in order to make HTTPS work; I feel it might block Windows authentication. If I remove it, Waffle will work, but HTTPS goes back to HTTP. Any idea?


<!-- Configure for Form Authentication -->
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/logon.jsp</form-login-page>
    <form-error-page>/logon.jsp</form-error-page>
  </form-login-config>
</login-config>


<security-constraint>
  <web-resource-collection>
    <web-resource-name>SSL</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

Daniel Doubrovkine

Jul 27, 2016, 8:59:47 AM
to waffle...@googlegroups.com
You'll have to give some more detail about it "not working". There should be no conflicts. I would treat this as a new problem and go through troubleshooting as usual.

--
You received this message because you are subscribed to the Google Groups "waffle" group.
To unsubscribe from this group and stop receiving emails from it, send an email to waffle-users...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Michael Kong

Jul 29, 2016, 9:46:50 AM
to waffle
In my logon code, I have the following to get the principal name from the Windows credential:

// Get the user's Windows credential
try {
    Principal principal = request.getUserPrincipal();
    String principalName = principal.getName();
    int beginIndex = principalName.lastIndexOf('\\');
    userNumber = principalName.substring(beginIndex + 1, principalName.length()); // get the user name after the domain
}

After switching to HTTPS, the Principal principal = request.getUserPrincipal() is NULL now. Not sure what caused that.

Jürgen Wagner

Jul 30, 2016, 3:29:51 AM
to waffle
I have jetty running with http and https in parallel and there is no functional difference between how Waffle works on either port.

The getRemoteUser() or getUserPrincipal() work fine in the application.

It's been some time since I have worked with Tomcat, but I seem to remember there was also not much more to configure than to simply switch off the HTTP connector and define an HTTPS connector instead. That alone should already do the trick. Am I missing something?

--J.

Daniel Doubrovkine

Jul 30, 2016, 8:51:53 PM
to waffle...@googlegroups.com
I can't think of a single reason why it would behave differently - I suggest comparing logs next.


Michael Kong

Mar 9, 2017, 12:00:55 PM
to waffle
Just providing an update in case someone is looking at this:

I was wrong about HTTPS not working after I removed this part. It turned out I just lost the auto-forward ability from http://localhost:8080 to https://localhost:8443. My old http link no longer works; I have to type in https://localhost:8443

<security-constraint>
  <web-resource-collection>
    <web-resource-name>SSL</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

Also, the above was not part of the standard Tomcat SSL setup. I don't know where that came from and what it does. Any info would be appreciated.
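
What the constraint quoted in this thread does, shown as an added example that is not part of the original posts: a CONFIDENTIAL transport guarantee makes the container redirect plain-HTTP requests for matching URLs to the HTTPS connector, which in Tomcat is the port named by the HTTP connector's redirectPort attribute. The ports are the ones mentioned in the thread; the keystore path and password are placeholders, and the connector attributes assume a Tomcat 7/8-style JSSE configuration.

```xml
<!-- conf/server.xml (fragment) -->

<!-- Plain HTTP connector. redirectPort is the port Tomcat redirects to when a
     request arriving here matches a constraint that demands CONFIDENTIAL
     transport. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />

<!-- HTTPS connector. PATH_TO_KEYSTORE and KEYSTORE_PASSWORD are placeholders
     for the keystore created with the command-line tool. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="PATH_TO_KEYSTORE"
           keystorePass="KEYSTORE_PASSWORD"
           clientAuth="false" sslProtocol="TLS" />


<!-- WEB-INF/web.xml (fragment) -->

<security-constraint>
  <web-resource-collection>
    <web-resource-name>SSL</web-resource-name>
    <!-- Applies to every URL of the web application. -->
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <!-- There is no auth-constraint element here, so this block names no roles
       and by itself requires no login. It only sets a transport requirement. -->
  <user-data-constraint>
    <!-- CONFIDENTIAL: the request must arrive over a secure connector.
         A request on port 8080 is answered with a redirect to the same
         path on https, port 8443 (the redirectPort above). -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

With the constraint removed, both connectors keep serving, which matches the update above: HTTPS still answers on 8443, but http://localhost:8080 is no longer forwarded to it.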