
Real Single Sign-on for web applications

Real Single Sign-on for web applications. Holger Zobel (holger.zobel@accenture.com), JavaZone 2005. Agenda: Background; Description of client environment; What's Single sign-on?; Java Authentication and Authorization Service (JAAS); The NTLM authentication protocol; Implementation.





Presentation Transcript


  1. Real Single Sign-on for web applications
     Holger Zobel (holger.zobel@accenture.com), JavaZone 2005

  2. Agenda
     • Background
     • Description of client environment
     • What's Single sign-on?
     • Java Authentication and Authorization Service (JAAS)
     • The NTLM authentication protocol
     • Implementation
       • Using jCIFS for Single Sign-on
       • Making WebSphere trust our NTLM implementation
       • Other application servers
     • Questions

  3. The client
     • Large government agency
     • Lots of mainframe applications, but getting more and more web-based applications
     • 8000 employees with 450 remote offices
     • Low computer skills
     • Windows NT workstations
     • Project to build a web-based child support management system running on WebSphere

  4. What is Single Sign-on?

  5. JAAS
     • Java Authentication and Authorization Service
     • JAAS is a set of APIs that enable services to authenticate and enforce access controls upon users.
     • Example JAAS login:

           LoginContext lc = new LoginContext("myConfiguration");
           lc.login();

     • Works well for Java client applications and username/password web authentication

  6. JAAS authentication
     [Sequence diagram: LoginContext, Configuration, LoginModule; calls shown: new(String name, CallbackHandler callback), getConfiguration(), initializeSubject()]

  7. NTLM
     • NTLM - "Windows NT LAN Manager"
     • The authentication protocol used by Windows NT for file server authentication
     • Also supported by several other protocols, including MS-extended HTTP
     • Client support: Internet Explorer, Mozilla/Firefox, Sun Java on Windows
     • Not secure enough for non-SSL use on the internet, but should be acceptable on intranets
     • Windows 2000 uses Kerberos by default (optionally NTLM), which is more secure

  8. How NTLM over HTTP works
     NTLM uses three messages to authenticate:
     • Type 1: Negotiation
     • Type 2: Challenge
     • Type 3: Authentication

  9. jCIFS
     • CIFS - Common Internet File System (Microsoft file sharing protocol)
     • Reimplementation of Samba using Java
     • Open Source (LGPL)
     • Also implements NTLM over HTTP
     • See: jcifs.samba.org

  10. Solution overview
     [Architecture diagram: WebSphere, Active Directory]

  11. Implementing SSO with jCIFS

         import java.io.IOException;
         import javax.servlet.Servlet;
         import javax.servlet.ServletConfig;
         import javax.servlet.ServletException;
         import javax.servlet.http.HttpServletRequest;
         import javax.servlet.http.HttpServletResponse;
         import jcifs.http.NtlmServlet;

         public class SSOLogin extends NtlmServlet implements Servlet {

             public void init(ServletConfig c) throws ServletException {
                 // Tell jCIFS which domain to authenticate against and which
                 // domain controller the NTLM handshake is verified with.
                 jcifs.Config.setProperty("jcifs.smb.client.domain", "<Domain name>");
                 jcifs.Config.setProperty("jcifs.http.domainController", "<ip adr>");
                 // NtlmServlet.init() reads these properties, so it must run after they are set
                 super.init(c);
             }

             public void doGet(HttpServletRequest req, HttpServletResponse resp)
                     throws ServletException, IOException {
                 // Get username from session; NtlmServlet has completed the NTLM
                 // handshake before doGet() is reached
                 String username = (String) req.getSession().getAttribute("ntlmuser");
             }
         }

  12. Integration with WebSphere
     • Want to use WebSphere's access control for access to web pages
     • Need to convince WebSphere that we have logged on a user!
     • Can use a WebSphere "TrustInterceptor". Normally used to let another web server authenticate our users.

  13. Our TrustInterceptor class

         package no.clientname.framework.sso;

         import javax.servlet.http.HttpServletRequest;
         import com.ibm.websphere.security.*;

         public class CustomTrustInterceptor extends WebSphereBaseTrustAssociationInterceptor
                 implements TrustAssociationInterceptor {

             /** Return true if this is the target interceptor, else return false. */
             public boolean isTargetInterceptor(HttpServletRequest req)
                     throws WebTrustAssociationException {
                 // Only requests carrying a session authenticated by our NTLM servlet are ours
                 String ntlmuser = (String) req.getSession().getAttribute("ntlmuser");
                 return ntlmuser != null;
             }

             /** Get the user name from the request and, if the user is entitled
                 to the requested resource, return the user. */
             public String getAuthenticatedUsername(HttpServletRequest req)
                     throws WebTrustAssociationUserException {
                 String ntlmuser = (String) req.getSession().getAttribute("ntlmuser");
                 if (ntlmuser != null) {
                     return ntlmuser;
                 }
                 throw new WebTrustAssociationUserException();
             }
         }

  14. WebSphere configuration
     Steps to enable our SSO implementation in WAS:
     • Add wssec.jar and CustomTrustInjector.class to the ws.ext.dirs class path
     • Turn on Global Security
     • Select "LTPA (Light weight Third party authentication)" as Active Authentication Mechanism
     • Under Authentication Mechanisms select LTPA, Trust Association, Interceptors and add the CustomTrustInjector class.

  15. Some bugs..
     Everything seemed to work fine at first, but...
     • HTTP POST did not work in IE
     • The client is authenticated using NTLM, but IE thinks the server does not support NTLM, and stops trying to re-authenticate on HTTP POST
     Solution
     • Reply with an error code on the last NTLM response and keep the username on the session
     • Add this code to the authentication servlet:

           response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
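As an added example (not code from the slides or from the jCIFS project), the servlet below drives the three NTLM-over-HTTP messages from slide 8 with jCIFS 1.x's NtlmSsp and SmbSession classes, has the domain controller verify the Type 3 response before trusting it, stores the username under the "ntlmuser" session attribute that the TrustInterceptor on slide 13 reads, and applies the slide 15 workaround of answering the final message with 401. The class name and the domain-controller placeholder are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.*;
import jcifs.UniAddress;
import jcifs.http.NtlmSsp;
import jcifs.smb.*;

// Hypothetical login endpoint; it only runs the Type 1 / Type 2 / Type 3 exchange.
public class NtlmHandshakeServlet extends HttpServlet {
    // Placeholder; in practice read "jcifs.http.domainController" from jcifs.Config.
    private static final String DOMAIN_CONTROLLER = "<domain controller ip>";

    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession();
        String auth = req.getHeader("Authorization");
        if (auth == null || !auth.startsWith("NTLM ")) {
            // No NTLM message yet: "WWW-Authenticate: NTLM" makes the browser send a Type 1
            challengeAgain(resp);
            return;
        }
        // The challenge comes from the DC's own SMB negotiation, so the DC can
        // later verify the Type 3 response against it.
        UniAddress dc = UniAddress.getByName(DOMAIN_CONTROLLER, true);
        byte[] challenge = SmbSession.getChallenge(dc);
        // Type 1 in: NtlmSsp sends the Type 2 challenge and returns null.
        // Type 3 in: NtlmSsp parses it into username, domain and response hashes.
        NtlmPasswordAuthentication ntlm = NtlmSsp.authenticate(req, resp, challenge);
        if (ntlm == null) return; // Type 2 sent, wait for the Type 3 answer
        try {
            SmbSession.logon(dc, ntlm); // DC checks the Type 3 response; never trust it unverified
        } catch (SmbAuthException e) {
            session.removeAttribute("ntlmuser");
            challengeAgain(resp); // wrong credentials: restart the handshake
            return;
        }
        session.setAttribute("ntlmuser", ntlm.getUsername());
        // Slide 15 workaround: answer the last NTLM message with 401 and no WWW-Authenticate
        // header; the session attribute, read by the TrustInterceptor, carries the login.
        resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        resp.setContentLength(0);
    }

    private static void challengeAgain(HttpServletResponse resp) {
        resp.setHeader("WWW-Authenticate", "NTLM");
        resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        resp.setContentLength(0);
    }
}
```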

  16. Using Other Application Servers
     Some untested ideas for using jCIFS on other application servers:
     • TrustInterceptor-like capabilities (for example "AuthFilter" in BEA WebLogic)
     • Custom Security
     • Security-filter
     • JAAS Module

  17. Questions?
     • No frequently asked questions or tips regarding JAAS on Sun's pages...
