Single Sign-On with Waffle
2 likes3,842 views
This document discusses single sign-on authentication for Tomcat using WAFFLE. It provides examples of configuring Tomcat for FORM, BASIC, NTLM, and Negotiate authentication methods. Demos are shown for authenticating with FORM and JAAS realms, using a Negotiate authenticator valve, and mixing FORM and Negotiate authentication. The WAFFLE open source project is introduced for implementing Windows authentication in Java web apps.
![Daniel Doubrovkine (dblock[at]dblock[dot]org)
Single Sign-On
w/ Tomcat & WAFFLE
6/8/2010
Tomcat ->
Waffle ->](https://image.slidesharecdn.com/2010-06-08singlesign-onwithwaffle-150105213122-conversion-gate02/85/Single-Sign-On-with-Waffle-1-320.jpg)
Single Sign-On with Waffle
- 1. Daniel Doubrovkine (dblock[at]dblock[dot]org) Single Sign-On w/ Tomcat & WAFFLE 6/8/2010 Tomcat -> Waffle ->
- 2. 2 www.appsecinc.com FORM Authentication GET /index.jsp 304 Redirect Location: login.jsp ... POST /login.jsp j_username=…;j_passsword=… 200 OK Hello <%# username %>
- 3. 3 www.appsecinc.com HTTP Authentication GET /index.jsp 401 Access Denied WWW-Authenticate: Basic WWW-Authenticate: NTLM ... GET /index.jsp Authorization: Basic JFRFdPUktHUk9VUA== 200 OK Hello <%# username %>
- 4. 4 www.appsecinc.com Authorization Methods ● BASIC: Base64(username:password) ● DIGEST: Md5(HA1(HA2(…))) ● NTLM: LM Challenge/Response ● Kerberos: KB Tickets ● Negotiate: NTLM or Kerberos
- 5. 5 www.appsecinc.com Tomcat, Jetty, etc. ● Servlet Filter catch-all ● Tomcat Authenticator authentication method ● Spi Login Module authentication provider ● Realm authorize users, a database of users and roles ● User Database ● JAAS Realm: Java Authentication and Authorization Service ● …
- 6. 6 www.appsecinc.com Demo: FORM ● How: Login Module + JAAS Realm ● Authentication Method = FORM ● Username, password from FORM ● Windows Logon ● Groups => Roles
- 7. 7 www.appsecinc.com Demo: JAAS ● How: Login Module + JAAS Realm ● Authentication Method = BASIC ● Username, password from browser ● Windows Logon ● Groups => Roles
- 8. 8 www.appsecinc.com Demo: Negotiate ● How: Authenticator Valve ● Authentication Method = Negotiate ● Windows Realm ● Single Sign-On
- 9. 9 www.appsecinc.com Demo: Negotiate + Basic Filter ● How: Security Filter ● Authentication Method = Negotiate or BASIC ● Single Sign-On
- 10. 10 www.appsecinc.com Demo: Mixed-Mode ● How: Authenticator Valve ● Authentication Method = FORM or Negotiate ● Single Sign-On ● URL-based Protocol
- 11. 11 www.appsecinc.com Open Source ● WAFFLE = Windows Authentication Functional Framework Bla Bla Bla ● http://waffle.codeplex.com Questions?