Waffle to create Single Sign-On for an existing Java application.


Jeremiah Dixon

Aug 6, 2019, 2:18:09 PM
to waffle
I am a new hire software engineer straight out of college. The company I am working at has given me my first assignment, and it is single sign-on. I have little knowledge about cyber security or this area in general. How can I use Waffle to create single sign-on for our application? I have scoured the internet for code examples, tutorials, literally anything to help, and can't find a basic tutorial on how to implement Waffle for SSO. Where do I begin with this? I am fresh out of college, so bear with me, because I do not know a vast majority of what I probably need to know for this task.

Daniel D.

Aug 7, 2019, 12:44:30 PM
to waffle...@googlegroups.com
Start here: https://github.com/Waffle/waffle/blob/master/Docs/ServletSingleSignOnSecurityFilter.md

Use this list for questions when you've tried everything and get stuck.


Jürgen Wagner

Aug 7, 2019, 1:05:31 PM
to waffle...@googlegroups.com
Waffle does Single-Sign-On with Windows, i.e., against Active Directory accounts. If you have a Java web application running under, e.g., Jetty or Tomcat, it's just a matter of adding a filter into the web.xml of the application, and the use of REMOTE_USER to do SSO with the Windows login context.

Also have a look at OpenID Connect - this is a much more general concept of single-sign-on for applications that may be totally unrelated and run on the Internet.

The first question you have to ask about SSO is always what the security domain is within which you want to use it. Then you can investigate which principles and tools are suitable for that scenario.

Best,
--Jürgen

Jeremiah Dixon

Aug 20, 2019, 9:36:10 AM
to waffle
I need to get single sign-on working with WAFFLE in a Windows Java Application that has a Linux Based Server. Both have access to the same Active Directory.

I am trying to use something like this bit of code to do authentication; however, I clearly can't split the code between the server and client because the server isn't Windows.
What I want to do is authenticate through the AD using the token WAFFLE gets; however, I don't know what kind of token WAFFLE uses or how it gets it to do a lookup in the AD.
What kind of 'token' is being passed between the client and the server in this code, and is it stored in the AD?

// Imports this method needs (Waffle and JNA platform classes)
import com.sun.jna.platform.win32.Sspi;
import com.sun.jna.platform.win32.Sspi.SecBufferDesc;
import waffle.windows.auth.IWindowsSecurityContext;
import waffle.windows.auth.impl.WindowsAuthProviderImpl;
import waffle.windows.auth.impl.WindowsSecurityContextImpl;

private void negotiate() {
    IWindowsSecurityContext clientContext = WindowsSecurityContextImpl.getCurrent("NTLM", "localhost");
    String securityPackage = "Kerberos";
    int count = 0;

    // initialize a security context on the client
    clientContext = WindowsSecurityContextImpl.getCurrent(securityPackage, clientContext.getPrincipalName());
    // create an auth provider and a security context for the client
    // on the server
    WindowsAuthProviderImpl provider = new WindowsAuthProviderImpl();

    // now you would send the byte[] token to the server and the server will
    // respond with another byte[] token, which the client needs to answer again
    IWindowsSecurityContext serverContext = null;

    // Step 1: accept the token on the server and build a security context
    // representing the client on the server
    byte[] tokenForTheServerOnTheClient = clientContext.getToken();
    serverContext = provider.acceptSecurityToken("server-connection", tokenForTheServerOnTheClient, securityPackage);

    do {
        count++;
        // Step 2: If you have already built an initial security context for the client
        // on the server, send a token back to the client, which the client needs to
        // accept and send back to the server again (a handshake)
        if (serverContext != null) {
            byte[] tokenForTheClientOnTheServer = serverContext.getToken();
            SecBufferDesc continueToken = new SecBufferDesc(Sspi.SECBUFFER_TOKEN, tokenForTheClientOnTheServer);
            clientContext.initialize(clientContext.getHandle(), continueToken, clientContext.getPrincipalName());
            System.out.println(tokenForTheClientOnTheServer);
        }

        tokenForTheServerOnTheClient = clientContext.getToken();
        serverContext = provider.acceptSecurityToken("server-connection", tokenForTheServerOnTheClient, securityPackage);

    } while (clientContext.isContinue() && count < 5);

    if (count >= 5) {
        System.out.println("Unable to authenticate the user.");
    } else {
        // at the end of this handshake, we know on the server side who the
        // client is, only by exchanging byte[] arrays
        System.out.println(serverContext.getIdentity().getFqn());
    }
}
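
Added example, not part of the original post or of Waffle: a dependency-free Java class that identifies which SSPI mechanism produced one of the handshake byte[] tokens from its leading bytes, which helps when logging whether a client negotiated Kerberos or fell back to NTLM. The class name SspiTokenKind and the sample byte arrays are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class SspiTokenKind {
    // ASCII signature that starts every raw NTLM message.
    static final byte[] NTLMSSP = "NTLMSSP\0".getBytes(StandardCharsets.US_ASCII);
    // DER-encoded mechanism OIDs at the start of a GSS-API initial token.
    static final byte[] OID_SPNEGO = {0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02};
    static final byte[] OID_KRB5 = {0x06, 0x09, 0x2a, (byte) 0x86, 0x48, (byte) 0x86,
                                    (byte) 0xf7, 0x12, 0x01, 0x02, 0x02};

    static boolean startsWith(byte[] data, int offset, byte[] prefix) {
        if (offset < 0 || data.length - offset < prefix.length) return false;
        return Arrays.equals(Arrays.copyOfRange(data, offset, offset + prefix.length), prefix);
    }

    /** Offset of the first byte after the DER length field at pos, or -1 if malformed. */
    static int skipDerLength(byte[] data, int pos) {
        if (pos >= data.length) return -1;
        int first = data[pos] & 0xff;
        if (first < 0x80) return pos + 1;              // short form: one length byte
        int n = first & 0x7f;                          // long form: n length bytes follow
        return (n == 0 || n > 4 || pos + 1 + n > data.length) ? -1 : pos + 1 + n;
    }

    static String classify(byte[] token) {
        if (token == null || token.length == 0) return "empty";
        if (startsWith(token, 0, NTLMSSP)) {
            if (token.length < 12) return "NTLM (truncated)";
            return "NTLM message type " + (token[8] & 0xff);  // low byte of LE uint32, 1..3
        }
        int tag = token[0] & 0xff;
        if (tag == 0x60) {                             // GSS-API initial context token
            int oidAt = skipDerLength(token, 1);
            if (startsWith(token, oidAt, OID_SPNEGO)) return "SPNEGO negTokenInit";
            if (startsWith(token, oidAt, OID_KRB5)) return "Kerberos v5 (GSS-API)";
            return "GSS-API, unknown mechanism";
        }
        if (tag == 0xa1) return "SPNEGO negTokenResp"; // later legs of a SPNEGO exchange
        return "unknown";
    }

    public static void main(String[] args) {
        // Constructed sample headers, not captured traffic.
        byte[] ntlm = {'N', 'T', 'L', 'M', 'S', 'S', 'P', 0, 1, 0, 0, 0};
        byte[] krb = {0x60, 0x0b, 0x06, 0x09, 0x2a, (byte) 0x86, 0x48, (byte) 0x86,
                      (byte) 0xf7, 0x12, 0x01, 0x02, 0x02};
        System.out.println(classify(ntlm) + " / " + classify(krb));
    }
}
```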
