Tomcat ,Windows +LDAP SSO


Vas

Sep 10, 2014, 11:23:43 AM
to waffle...@googlegroups.com
Hello ,

I just started looking at the Waffle documentation. Can someone point me to how to implement the scenario below?

We have an application running on Tomcat that independently authenticates against an AD LDAP server. Now we want to implement SSO with Windows authentication. When the user logs into Windows and clicks on the application link on the desktop, the application should not ask for the credentials again if the user is a member of the group.

Please point me to some documentation. I didn't find enough documentation.

Thanks
Vas

Daniel Doubrovkine

Sep 10, 2014, 1:38:17 PM
to waffle...@googlegroups.com




--

dB. | Moscow - Geneva - Seattle - New York
code.dblock.org - @dblockdotorg - artsy.net - github/dblock

Johnny Wu

Oct 17, 2014, 10:54:04 PM
to waffle...@googlegroups.com
Hi. I have just started learning Waffle SSO literally 2 days ago. I got the sample ServletSingleSignOnSecurityFilter working on Tomcat 8. When I visited the page (localhost:8080/waffle-filter...) I can see my user id and all the AD groups I belong to.
Now, the issue I have is that after I added a security-constraint (a role that I belong to) to the web.xml file, I keep getting the login popup and an access denied error.

The reason I am doing this is because I think Waffle SSO is doing authentication and I need to have authorization defined in web.xml (not in code). Please let me know if there is a different way to accomplish this.

I have tested the same security-constraint on another app without SSO and it works perfectly.

Please note that I have configured tomcat with JNDIRealm to our AD for authentication.

Thanks,
John

Daniel Doubrovkine

Oct 18, 2014, 9:14:38 AM
to waffle...@googlegroups.com
The security constraint should list a "role" that's a group, but they might just be named differently. They should be something like ROLE_MY_DOMAIN\ROLE_MY_GROUP. Check server side logs to see the list of roles being compared.

It's possible that the docs aren't very clear about that; I would appreciate a pull request.


Johnny Wu

Oct 18, 2014, 1:13:39 PM
to waffle...@googlegroups.com
Hi,

Below are the roles I tested, and all give the same access denied. I also removed the security constraint and tested the waffle filter test with the same role, which is correct. The Waffle filter has the correct role comparison.


ROLE_MY_DOMAIN\ROLE_MY_GROUP
ROLE_MY_GROUP
ROLE_MY_DOMAIN/ROLE_MY_GROUP
ROLE_MY_DOMAIN\\ROLE_MY_GROUP

Unfortunately all have same result.

Thanks.

Daniel Doubrovkine

Oct 18, 2014, 6:18:52 PM
to waffle...@googlegroups.com
What's in the server-side log?


Johnny Wu

Oct 19, 2014, 11:43:48 AM
to waffle...@googlegroups.com
Hi Daniel,

That's the strange part: I don't see anything (no error) in the server logs (localhost_access_log.2014-10-19, catalina.2014-10-19, tomcat8-stderr.2014-10-19, localhost.2014-10-19). Is there any setting I need to configure for Waffle logging?

This is the element I added to waffle-filter web.xml.

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>filter interface</web-resource-name>
      <url-pattern>/waffle/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>ROLE_AD\ROLE_TreasuryDashboard_Users_DUT</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Tomcat Manager Application</realm-name>
  </login-config>

  <security-role>
    <description>
      The role that is required to access the HTML Manager pages
    </description>
    <role-name>ROLE_AD\ROLE_TreasuryDashboard_Users_DUT</role-name>
  </security-role>

I also tested with role-name as
AD\TreasuryDashboard_Users_DUT
TreasuryDashboard_Users_DUT
ROLE_AD\TreasuryDashboard_Users_DUT
AD\ROLE_TreasuryDashboard_Users_DUT
ROLE_TreasuryDashboard_Users_DUT

Now, I have made these changes to the Tomcat Manager web.xml and it's working as expected. All I did was replace "manager-gui" with "TreasuryDashboard_Users_DUT".

  <security-role>
    <description>
      The role that is required to access the HTML Manager pages
    </description>
    <role-name>TreasuryDashboard_Users_DUT</role-name>
  </security-role>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HTML Manager interface (for humans)</web-resource-name>
      <url-pattern>/html/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>TreasuryDashboard_Users_DUT</role-name>
    </auth-constraint>
  </security-constraint>

Johnny Wu

Oct 19, 2014, 12:05:44 PM
to waffle...@googlegroups.com
Hi Daniel,

Just added the Waffle servlet logging to logging.properties (and restarted Tomcat) but I'm still not seeing anything useful in the server logs.
I did notice that after I log in to the Manager app I see my user id in the log, but I don't see the same for the waffle-filter app.


127.0.0.1 - jwu [19/Oct/2014:12:02:05 -0400] "GET /manager/html?org.apache.catalina.filters.CSRF_NONCE=DE91A6256537192813D73C87B798316A HTTP/1.1" 200 18211
127.0.0.1 - - [19/Oct/2014:12:02:12 -0400] "GET /waffle-filter-1.7/ HTTP/1.1" 200 14098
127.0.0.1 - - [19/Oct/2014:12:02:15 -0400] "GET /waffle-filter-1.7/waffle/index.jsp HTTP/1.1" 403 1100


Thanks,
John

Daniel Doubrovkine

Oct 21, 2014, 7:16:38 AM
to waffle...@googlegroups.com
There's something about basic auth in your Tomcat manager config; that's definitely not going to work with SSO. Leave the manager application alone, you need to be changing the main thing. I suggest you back up, make sure SSO works, check the list of roles in a JSP page or something like that, then put the constraint on top of that.

Johnny Wu

Nov 3, 2014, 1:05:16 PM
to waffle...@googlegroups.com
Hi Daniel,

Just had the time to come back and revisit this issue. I am not sure what it is, but there is definitely something different between "BASIC" and "FORM" authentication on Tomcat.

Everything is kept the same except I switched authentication from "BASIC" to "FORM" (in web.xml), and it's working as I expected.

Thanks,
John

Johnny Wu

Nov 3, 2014, 1:16:47 PM
to waffle...@googlegroups.com
Sorry, I updated too early. It was not working. I still have to log in, so no SSO yet.

Johnny Wu

Nov 3, 2014, 2:09:34 PM
to waffle...@googlegroups.com
I give up.

1. Reinstalled Tomcat 8
2. Extracted waffle-filter-1.7 (from war) and saved to $tomcat/webapps/waffle-filter-1.7 folder
3. Fire up Chrome and navigate to url http://localhost:8080/waffle-filter-1.7
4. I can see my user id and the Active Directory groups I belong to
5. Test if I belong to group "TreasuryDashboard_Users_DUT" - result is I don't belong to this group
6. Test if I belong to group "AD\TreasuryDashboard_Users_DUT" - result is I BELONG to this group
7. Add security constraint to waffle-filter-1.7 web.xml

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Wildcard means whole app requires authentication</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>TreasuryDashboard_Users_DUT</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/login-failed.html</form-error-page>
    </form-login-config>
  </login-config>

8. Restart Tomcat
9. Repeat #3. I am presented with the login.html page
10. Change role-name to AD\TreasuryDashboard_Users_DUT. Same result as #9
11. Change role-name to ROLE_AD\ROLE_TreasuryDashboard_Users_DUT. Same result as #9

Again, I don't see any debug logging in the catalina server log.

Daniel Doubrovkine

Nov 3, 2014, 4:14:24 PM
to waffle...@googlegroups.com
I think you really need to get debug-level logging to a point where you see Waffle log entries in your server-side logs to debug this.

Johnny Wu

Nov 3, 2014, 4:16:30 PM
to waffle...@googlegroups.com

Can you give me some pointers on how to do that?


Daniel Doubrovkine

Nov 4, 2014, 7:05:56 AM
to waffle...@googlegroups.com
There's a section at the bottom of https://github.com/dblock/waffle/blob/master/Docs/ServletSingleSignOnSecurityFilter.md.


Enable waffle logging. Add the following to conf\logging.properties in your Tomcat installation.

waffle.servlet.NegotiateSecurityFilter.level = FINE
waffle.servlet.spi.SecurityFilterProviderCollection.level = FINE
waffle.servlet.spi.NegotiateSecurityFilterProvider.level = FINE
waffle.servlet.spi.BasicSecurityFilterProvider.level = FINE

Restart Tomcat and review logs\Catalina*.log.


I suggest you do this with the demo app, not your own, to find out exactly what the group is and try to add a constraint that works on top.


jlandis

Nov 4, 2014, 8:30:54 AM
to waffle...@googlegroups.com
Just a question. When prompted for logon, if you enter your network logon, does it then work? I'm always prompted for logon when running on localhost. If you can, also try this on a remote machine. I suspect that will work.

Johnny Wu

Nov 4, 2014, 10:12:38 AM
to waffle...@googlegroups.com
I updated logging.properties exactly (copy & paste) again.

1. added logging to conf\logging.properties
2. restarted Tomcat 8.
3. Navigate to url localhost:8080/waffle-filter-1.7/index.jsp (can see all the info for my user id)
4. checked $tomcat/logs/catalina.*.log (again I don't see anything about waffle!)

I tested the same on Tomcat 7 and had the same result. After inspection of the filter app lib I saw it's using the tomcat6 jar and replaced it with the tomcat7 jar, but I still have the same result.

INFO: Deploying web application directory C:\Apache\apache-tomcat-7.0.35\webapps\waffle-filter-1.7
Nov 04, 2014 10:05:53 AM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-8080"]
Nov 04, 2014 10:05:53 AM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["ajp-bio-8009"]
Nov 04, 2014 10:05:53 AM org.apache.catalina.startup.Catalina start
INFO: Server startup in 1181 ms

Johnny Wu

Nov 4, 2014, 1:52:34 PM
to waffle...@googlegroups.com
Finally able to see some kind of logging from Waffle. Instead of just adding the class name to conf/logging.properties, I did the following.

1. add jars to webapp lib
   - slf4j-log4j*.jar
   - log4j-*.jar
2. add log4j.properties to webapp WEB-INF/classes with some basic appender

When I visit the waffle-filter index.jsp I can see the debug logs in tomcat8-stdout.*.log

2014-11-04 13:46:18 DEBUG NegotiateSecurityFilter:82 - GET /waffle-filter-1.7/, contentlength: -1
2014-11-04 13:46:18 DEBUG NegotiateSecurityFilter:165 - authorization required
2014-11-04 13:46:18 DEBUG NegotiateSecurityFilter:82 - GET /waffle-filter-1.7/, contentlength: -1
2014-11-04 13:46:18 DEBUG NegotiateSecurityFilterProvider:94 - security package: Negotiate, connection id: 127.0.0.1:14623
2014-11-04 13:46:18 DEBUG NegotiateSecurityFilterProvider:102 - token buffer: 123 byte(s)
2014-11-04 13:46:18 DEBUG NegotiateSecurityFilterProvider:109 - continue token: oYH+MIH7oAMKAQGhDAYKKwYBBAGCNwICCqKB5QSB4k5UTE1TU1AAAgA....=
2014-11-04 13:46:18 DEBUG NegotiateSecurityFilterProvider:113 - continue required: true
2014-11-04 13:46:18 DEBUG NegotiateSecurityFilter:82 - GET /waffle-filter-1.7/, contentlength: -1
2014-11-04 13:46:18 DEBUG NegotiateSecurityFilterProvider:94 - security package: Negotiate, connection id: 127.0.0.1:14623
2014-11-04 13:46:18 DEBUG NegotiateSecurityFilterProvider:102 - token buffer: 121 byte(s)
2014-11-04 13:46:18 DEBUG NegotiateSecurityFilterProvider:109 - continue token: oRswGaADCgEAoxIEEAEAAABDh+CIwTbjqQAAAAA=
2014-11-04 13:46:18 DEBUG NegotiateSecurityFilterProvider:113 - continue required: false
2014-11-04 13:46:18 DEBUG NegotiateSecurityFilter:117 - logged in user: AD\u000783 (S-1-5-21-307717389-2084894718-2552290291-5630)
2014-11-04 13:46:18 DEBUG NegotiateSecurityFilter:137 - roles: AD\u000783, Everyone, AD\TreasuryDashboard_Users_DUT
2014-11-04 13:46:18 INFO  NegotiateSecurityFilter:141 - successfully logged in user: AD\u000783

Seems like I was authenticated, but when I visit a restricted page I am still redirected to the login page.
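As an added diagnostic example (not code from this thread or from the Waffle project), the script below parses the NegotiateSecurityFilter "logged in user" and "roles:" debug lines quoted above and checks every `<role-name>` in a web.xml `<auth-constraint>` against the roles Waffle actually reports. The log lines and the web.xml fragment are constructed to mirror the thread; the user name and SID are placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the NegotiateSecurityFilter debug output
# quoted in the thread; the user name and SID are placeholders.
SAMPLE_LOG = r"""
2014-11-04 13:46:18 DEBUG NegotiateSecurityFilter:117 - logged in user: AD\u000783 (S-1-5-21-0-0-0-5630)
2014-11-04 13:46:18 DEBUG NegotiateSecurityFilter:137 - roles: AD\u000783, Everyone, AD\TreasuryDashboard_Users_DUT
2014-11-04 13:46:18 INFO  NegotiateSecurityFilter:141 - successfully logged in user: AD\u000783
"""

# Constructed web.xml fragment listing the three role spellings tried in the thread.
SAMPLE_WEB_XML = r"""<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>whole app</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>TreasuryDashboard_Users_DUT</role-name>
      <role-name>ROLE_AD\ROLE_TreasuryDashboard_Users_DUT</role-name>
      <role-name>AD\TreasuryDashboard_Users_DUT</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""


def parse_waffle_login(log_text):
    """Return (user, roles) from the 'logged in user' and 'roles:' debug lines.

    Roles are kept exactly as Waffle prints them (DOMAIN\\group), because that
    is the string a container compares a <role-name> against.
    """
    user_match = re.search(r"logged in user:\s+(\S+)", log_text)
    roles_match = re.search(r"roles:\s+(.*)$", log_text, re.MULTILINE)
    if not user_match or not roles_match:
        raise ValueError("no Waffle login entry found in log")
    roles = [r.strip() for r in roles_match.group(1).split(",") if r.strip()]
    return user_match.group(1), roles


def constraint_role_names(web_xml_text):
    """Collect every <role-name> under <auth-constraint> in a web.xml document."""
    root = ET.fromstring(web_xml_text)
    names = []
    for auth_constraint in root.iter("auth-constraint"):
        for role_name in auth_constraint.iter("role-name"):
            names.append(role_name.text.strip())
    return names


def check_constraint_roles(log_text, web_xml_text):
    """Map each configured <role-name> to whether the logged-in user holds it.

    Only an exact string match counts: the bare group name and the ROLE_ prefix
    never match what Waffle reports. Even a matching name does not make a
    constraint work with the filter, since (as the thread concludes) the
    container evaluates security constraints before the filter has run.
    """
    _, roles = parse_waffle_login(log_text)
    held = set(roles)
    return {name: name in held for name in constraint_role_names(web_xml_text)}


if __name__ == "__main__":
    user, roles = parse_waffle_login(SAMPLE_LOG)
    print(f"user {user} holds roles: {roles}")
    for name, ok in check_constraint_roles(SAMPLE_LOG, SAMPLE_WEB_XML).items():
        print(f"{'MATCH   ' if ok else 'NO MATCH'} {name}")
```

Run it against a real tomcat8-stdout log and the application's web.xml to see which spellings the container could ever match before deciding between the filter and the Valve.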

Daniel Doubrovkine

Nov 4, 2014, 2:49:02 PM
to waffle...@googlegroups.com
Ok, and the page is restricted to "AD\TreasuryDashboard_Users_DUT" ?

Johnny Wu

Nov 4, 2014, 3:09:01 PM
to waffle...@googlegroups.com

Yes. I have tried with and without AD\.

Johnny Wu

Nov 4, 2014, 4:08:44 PM
to waffle...@googlegroups.com
I also notice that when I first visit the initial page (not restricted) I see the Waffle debug logs (NegotiateSecurityFilter).
I can see some logging activity even if I just do a refresh of the initial page. Whenever I want to access a restricted page, I don't see anything in the logs. From this I am assuming that the filter was not invoked when accessing restricted pages.

Daniel Doubrovkine

Nov 4, 2014, 5:34:12 PM
to waffle...@googlegroups.com
This could explain it: http://stackoverflow.com/questions/17654020/precedence-of-security-constraint-over-filters-in-servlets - The container processes the security constraints first. I was wondering why none of the Waffle examples had this for a filter, but always for a Tomcat Valve.

Johnny Wu

Nov 5, 2014, 9:34:33 AM
to waffle...@googlegroups.com
The info in the link only explains that security constraints come before the filter. I still don't understand why it doesn't work if we follow these steps:

1. Visit a non-restricted page. This should trigger the filter and set the user principal.
2. Visit a restricted page... the user should already be authenticated because of #1.

Daniel Doubrovkine

Nov 5, 2014, 10:20:44 AM
to waffle...@googlegroups.com
I don't think that's true. Aren't those separate zones in Tomcat (or whatever the container is), in which case it believes it needs to re-negotiate?

Johnny Wu

Nov 5, 2014, 11:04:24 AM
to waffle...@googlegroups.com

I see. So the Waffle filter approach for SSO with a security constraint would not work then?

Any pointer to a different approach to SSO that takes security constraints?

Thanks.

Johnny Wu

Nov 5, 2014, 11:47:16 AM
to waffle...@googlegroups.com
Looks like the Tomcat Single Sign-On Authenticator Valve works exactly the way I wanted. However, this is not portable, I assume?
Also, is there any way to not have to use a qualified role name?
e.g. with out-of-the-box Tomcat we can just use a rolename;
with Waffle, we have to qualify it with AD\rolename in the security-role.



Johnny Wu

Nov 5, 2014, 12:05:43 PM
to waffle...@googlegroups.com
Not sure if this is behaving correctly. It only works when the client (browser) is on the same machine as the Tomcat server.
It always asks for login, and I get this error when browsing from a different computer.

HTTP Status 500 - The token supplied to the function is invalid


type Exception report

message The token supplied to the function is invalid

description The server encountered an internal error that prevented it from fulfilling this request.

exception

com.sun.jna.platform.win32.Win32Exception: The token supplied to the function is invalid
	waffle.windows.auth.impl.WindowsAuthProviderImpl.acceptSecurityToken(WindowsAuthProviderImpl.java:134)
	waffle.apache.NegotiateAuthenticator.authenticate(NegotiateAuthenticator.java:96)
	org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:581)
	org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
	org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610)
	org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:537)
	org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1081)
	org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:658)
	org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:277)
	org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2403)
	org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:2392)
	java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
	java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
	org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	java.lang.Thread.run(Thread.java:745)

Johnny Wu

Nov 5, 2014, 2:10:21 PM
to waffle...@googlegroups.com
Found the root cause of the error. I was running Tomcat from NetBeans (under my id). After running Tomcat as a service (as LocalSystem), browsing from a different computer works!!!


Daniel Doubrovkine

Nov 6, 2014, 11:41:58 AM
to waffle...@googlegroups.com
Looks like you found all the answers you wanted ;)

I would really appreciate some help from you in reviewing the history of this conversation and making pull requests into the documentation and/or FAQ, or at least opening documentation issues. For example, it's very clear that constraints cannot be used with a filter, but that wasn't obvious at all.

Johnny Wu

Nov 6, 2014, 12:49:31 PM
to waffle...@googlegroups.com

Sure, I can do that. How do I open a documentation update request?


Daniel Doubrovkine

Nov 6, 2014, 5:30:13 PM
to waffle...@googlegroups.com
Fork the repo, create a branch, make changes in the files, push, and make a pull request. You might want to read https://guides.github.com/introduction/flow/index.html

Johnny Wu

Nov 7, 2014, 8:56:29 AM
to waffle...@googlegroups.com

Which example are you testing?
If you are getting a prompt then I can assume the setup is not correct.

On Nov 7, 2014 7:14 AM, "jlandis" <jeremy...@hotmail.com> wrote:
Just a question.  When prompted for logon, if you enter your network logon does it then work?  I'm always prompted when running on local host for logon.  If you can also try this on a remote machine.  I suspect that will work.

jlandis

Nov 8, 2014, 9:25:31 AM
to waffle...@googlegroups.com
When using Firefox, it always falls back when running localhost (NTLM) and running the browser on the same machine. That happens with nearly all SSO products (Vintela, for example). So I was just wondering if that was what you were experiencing and if you had tried logging in when prompted. It appears you have resolved all your issues, so it's a moot point now.

Johnny Wu

Nov 8, 2014, 1:18:08 PM
to waffle...@googlegroups.com

I am not getting any prompt when browsing from IE and Chrome. I have to add localhost or my machine name (where Tomcat is running) to the trusted list when using Firefox.

Again, are you using the Tomcat valve with the Tomcat service running as LocalSystem?
