Waffle SSO authentication for internal users (Intranet users) and external users (Internet users)


Jitendra Patil

Feb 8, 2016, 11:54:50 AM
to waffle
Hello friends,
I need help/guidance on how I should proceed with my use case. Please read below for more details about my project.
1) I am using a Java web based application with Tomcat 7.0. For SSO authentication, I am trying waffle (waffle-tomcat7 - version 1.7).
2) Now I am having 2 sets of users
   2.a) Intranet users which we call internal users.
   2.b) Internet users which we call external users.

I am facing an authentication issue for internal and external users. I am following all the information available on how to use waffle, like browser settings (Chrome, IE or FireFox) etc.

As per waffle, when a user logs in to my application, he will be logged in directly without any prompt for username/password (after following the IE settings). Now this user will log in transparently only if the user is a Windows user and is configured in the ActiveDirectory (AD) of the machine where Tomcat is running. (There is more on this as we have Tomcat running on one server and AD on another server, but for this question of mine, let us keep it on the same machine.)

Problem statement:
1) So whenever a client machine which is in the intranet zone, i.e. an internal user, logs into my application, he will be directly authenticated as per waffle. So far good.
2) But when an external user (like the general public outside the intranet zone) logs in, theoretically the waffle filter will throw an exception.

So in short, I have 2 ways of authenticating users. For internal users, waffle will take care of it with its inbuilt handling. For external users, I will be authenticating them against a simple database (external users will already be stored in the db).

I tried using waffle-demo. In that, we have index.jsp for the tutorial. In the case of internal users, "request.getRemoteUser() or request.getUserPrincipal().getName()" prints the user name along with the domain. But when an external user logs in, I think the waffle filter throws some exception (I think the login attempt failed, but I am not sure).

I need help on this: is there any way that if an internal user logs in I get a value like "MyDomain\UserA", and if an external user logs in I get a null or empty value? Then in my custom authentication component, I could differentiate between internal users and external users.

Any help on this is really appreciated. I am posting on this forum for the first time so I don't know how soon I can get your valuable help or if anything more I need to add to my question.

Thanks and Regards,
Jitendra. P. Patil.

Daniel Doubrovkine

Feb 8, 2016, 12:17:56 PM
to waffle...@googlegroups.com
You need something like "mixed" authentication, there's a demo in the waffle project. It basically lets the user select how they authenticate. Unfortunately there's no easy way to mix SSO and non-SSO authentication in the same pipeline, so that's the best (and quite elegant) solution we've found.

Jitendra Patil

Feb 8, 2016, 12:43:53 PM
to waffle
Hi Daniel,

Thanks a lot for your quick reply. Okay, let's keep mixed authentication aside for some time (I need to really check how I can handle this :-) ). Right now I am facing some simple (must be routine) issue. It's like below.

I have configured the waffle filter in web.xml. Below is the configuration for the same. For the time being (for testing purposes), I have changed the IE settings so I get a prompt for username-password. Now the issue is below.

1) When I access my app 'waffletest', I get a prompt and I enter my Windows username-pwd and it works. This also works when I change the IE settings to their original/required configuration (case of transparent login). Finally, as per the waffle demo in Index.jsp, I get the value printed. So far fine.

2) The issue is when I access my app 'waffletest', I get a prompt. This time I enter some fake/garbage credentials like 'UserABCD'/'wrongpassword'. This time I get a stacktrace on screen for it. Can you tell me what changes I need to make so that I don't get an exception but get some null or empty value in index.jsp? Ideally no stacktrace should appear in case of an invalid user or invalid password or both. Even if I get a null or empty value in index.jsp, it will be a good hint for me to differentiate that this is not an internal user but an external user. My code is ready for both types of users, internal and external. I just need that crucial 'hint' to know which kind of user this is. Accordingly my code will execute as per the flow.


type Exception report

message The logon attempt failed

description The server encountered an internal error that prevented it from fulfilling this request.

exception

com.sun.jna.platform.win32.Win32Exception: The logon attempt failed
	waffle.windows.auth.impl.WindowsAuthProviderImpl.acceptSecurityToken(WindowsAuthProviderImpl.java:134)
	waffle.servlet.spi.NegotiateSecurityFilterProvider.doFilter(NegotiateSecurityFilterProvider.java:103)
	waffle.servlet.spi.SecurityFilterProviderCollection.doFilter(SecurityFilterProviderCollection.java:130)
	org.app.web.sso.filter.NegotiateSecurityFilter.doFilter(NegotiateSecurityFilter.java:101)

note The full stack trace of the root cause is available in the Apache Tomcat/7.0.59 logs.



Web.xml configuration.
<filter>
    <filter-name>SecurityFilter</filter-name>
    <filter-class>waffle.servlet.NegotiateSecurityFilter</filter-class>
    <init-param>
        <param-name>principalFormat</param-name>
        <param-value>fqn</param-value>
    </init-param>
    <init-param>
        <param-name>roleFormat</param-name>
        <param-value>both</param-value>
    </init-param>
    <init-param>
        <param-name>allowGuestLogin</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>securityFilterProviders</param-name>
        <param-value>
            waffle.servlet.spi.NegotiateSecurityFilterProvider
            waffle.servlet.spi.BasicSecurityFilterProvider
        </param-value>
    </init-param>
    <init-param>
        <param-name>waffle.servlet.spi.NegotiateSecurityFilterProvider/protocols</param-name>
        <param-value>
            Negotiate
            NTLM
        </param-value>
    </init-param>
    <init-param>
        <param-name>waffle.servlet.spi.BasicSecurityFilterProvider/realm</param-name>
        <param-value>waffletest</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>SecurityFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

Almost the same type of question was raised by Mr. Manjunath some time back and you suggested he use a Filter instead (https://groups.google.com/forum/#!topic/waffle-users/rlh5t-b33-I). It worked for him, but I am not sure if I am missing some simple configuration, as it is not working at my end. In web.xml I have used "waffletest" as one of the param values. Is it correct, or please suggest the correct configuration. I need some insight on exactly what configuration I should have in web.xml.

Thanks and Regards,
Jitendra. P. Patil.

Daniel Doubrovkine

Feb 8, 2016, 1:27:25 PM
to waffle...@googlegroups.com
Once you see a prompt, SSO has failed. Follow the regular troubleshooting to start, https://github.com/dblock/waffle/blob/master/Docs/Troubleshooting.md

Jitendra Patil

Feb 8, 2016, 1:34:58 PM
to waffle
Hi Daniel,

My question is why I see a stack trace in the browser if I purposefully give a wrong username and/or password. Shouldn't it be handled properly and return null if authentication fails? An unhandled exception on screen brings down the application.

Please let me know if you need any more information. Your answer seems to be in a different direction than the question I raised. Please read my entire scenario in the previous question so you may get an idea. I don't see any prompt when SSO fails, but I see a big stacktrace in the browser.


Thanks and Regards,
Jitendra. P. Patil.

Daniel Doubrovkine

Feb 8, 2016, 1:44:16 PM
to waffle...@googlegroups.com
Which version are you using?

If you're using >= 1.7.4, this is a new bug and you should open it.

If you're using < 1.7.4, upgrade:

206: Fix issue #203 ** Tomcat negotiate filters reporting Win32Error 500 status error instead of 401. ** Related to issue#107

Jitendra Patil

Feb 8, 2016, 1:55:06 PM
to waffle
Hi Daniel,

I am using version 1.7, as I see waffle-jna-1.7.jar. Which version should I use so I don't get this issue? It won't be a problem if I use a lower version, as long as I don't get that issue.


Thanks and Regards,
Jitendra. P. Patil.

Daniel Doubrovkine

Feb 8, 2016, 3:26:49 PM
to waffle...@googlegroups.com
1.7 is older than 1.7.4, use anything >= 1.7.4

Daniel Doubrovkine

Feb 8, 2016, 3:27:14 PM
to waffle...@googlegroups.com
You should be using the latest anyway which is 1.8.0.

Jitendra Patil

Feb 9, 2016, 12:47:36 AM
to waffle
Okay. And after upgrading to version 1.8.0, do I have to manually fix the issue by changing the code, or does the 1.8.0 version of waffle already have the fix for the issue which I raised? I just need some clarification on the point below which you mentioned in your previous replies.

"If you're using >= 1.7.4, this is a new bug and you should open it".

Thanks and Regards,
Jitendra.

Daniel Doubrovkine

Feb 9, 2016, 11:48:05 AM
to waffle...@googlegroups.com
The bug is fixed. Can you reproduce this problem with 1.8.0? If not you're all set. If you can, it's a new bug and you should open it as if it were a new thing with all the info.

Jitendra Patil

Feb 9, 2016, 12:36:07 PM
to waffle
Thanks Daniel for your response. Let me test it on 1.8.0. I see now in the source code that the Win32 exception is caught and an IOException is thrown. Although I have not tested the 1.8.0 based sample war, looking at the code, I think it will give a prompt to enter username/password again and again until correct credentials are put in. But I have a custom requirement, that is, if the login fails (case of external users), the waffle filter should return null instead of prompts. Maybe this is the place where I need to differentiate between my internal users and external users. Let me do some more analysis on this.

Thanks and Regards,
Jitendra. P. Patil.

Daniel Doubrovkine

Feb 9, 2016, 2:18:11 PM
to waffle...@googlegroups.com
FWIW what you want can't work in all cases unfortunately, half the time authentication fails *on the client* and not on the server, and the browser pops up the same auth dialog.
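An added illustration, not waffle's own code and not from anyone in this thread, written as a small Python model of the filter chain configured in the web.xml above: a missing or failed logon is answered with a 401 carrying the Negotiate, NTLM and Basic realm="waffletest" challenges (the 401-instead-of-500 behaviour the fix referenced earlier restores), while a path left out of the filter mapping is where the application's own database login runs with no Windows principal set, which is the "mixed" arrangement Daniel describes. The token values, user names and the /login path are constructed for the example; a real Negotiate or NTLM exchange takes several round trips and, as Daniel notes, can fail on the client before the server sees anything.

```python
import base64

# Constructed stand-ins: SSO tokens the domain would accept (real Negotiate/NTLM
# exchanges are multi-round and opaque) and the external users kept in the DB.
DOMAIN_TOKENS = {"token-for-usera": "MyDomain\\UserA"}
EXTERNAL_USERS = {"bob": "pw"}
CHALLENGES = ["Negotiate", "NTLM", 'Basic realm="waffletest"']
SSO_EXCLUDED_PREFIX = "/login"   # assumed path left out of the filter mapping


def unauthorized():
    # A missing or failed logon gets a 401 plus the challenge list; the logon
    # error is never allowed to surface as an unhandled exception / 500 page.
    return 401, {"WWW-Authenticate": list(CHALLENGES)}, None


def accept_security_token(token):
    # Stand-in for the Windows accept-security-context call, which raises
    # "The logon attempt failed" on a token the domain does not accept.
    try:
        return DOMAIN_TOKENS[token]
    except KeyError:
        raise OSError("The logon attempt failed") from None


def security_filter(path, headers):
    """Return (status, response_headers, principal) for one request.

    principal is the fqn-format name ("MyDomain\\UserA") for an SSO logon,
    the DB user name for a Basic logon, and None when no logon happened."""
    if path.startswith(SSO_EXCLUDED_PREFIX):
        # 'Mixed' approach: this path is not under the SSO filter, so the
        # application authenticates against its own database instead.
        return 200, {}, None
    auth = headers.get("Authorization")
    if auth is None:
        return unauthorized()
    scheme, _, payload = auth.partition(" ")
    try:
        if scheme in ("Negotiate", "NTLM"):
            return 200, {}, accept_security_token(payload)
        if scheme == "Basic":
            user, _, password = base64.b64decode(payload).decode().partition(":")
            if user in EXTERNAL_USERS and EXTERNAL_USERS[user] == password:
                return 200, {}, user
    except (OSError, ValueError):
        pass   # bad token or malformed Basic header: fall through to 401
    return unauthorized()
```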

Santosh Anantharamaiah

Apr 27, 2016, 3:16:26 AM
to waffle
Hi Jitendra/Daniel,

Could you please help us with a sample web based project to get an overview of how exactly Waffle works? We didn't get any demo project yet. Your help will be highly appreciated.


Thanks,
Santosh

Daniel Doubrovkine

Apr 27, 2016, 11:42:26 AM
to waffle...@googlegroups.com