Real Single Sign-on for web applications

Holger Zobel ([email protected])

JavaZone 2005


Agenda

  • Background

    • Description of client environment

    • What’s Single sign-on?

    • Java Authentication and Authorization Service (JAAS)

    • The NTLM authentication protocol

  • Implementation

    • Using jCIFS for Single Sign-on

    • Making WebSphere trust our NTLM-implementation

  • Other application servers

  • Questions


The client

  • Large government agency

  • Lots of mainframe applications, but getting more and more web-based applications

  • 8000 employees with 450 remote offices

  • Low computer skills

  • Windows NT workstations

  • Project to build a web-based child support management system running on WebSphere


What is Single Sign-on?


JAAS

  • Java Authentication and Authorization Service

  • JAAS is a set of APIs that enable services to authenticate and enforce access controls upon users.

  • Example JAAS login:

    import javax.security.auth.login.LoginContext;

    // "myConfiguration" names an entry in the JAAS login configuration file
    LoginContext lc = new LoginContext("myConfiguration");
    lc.login();  // runs the configured LoginModules; throws LoginException on failure

  • Works well for Java Client Applications and username/password web authentication


JAAS authentication

Sequence diagram (figure) with the participants LoginContext, Configuration and LoginModule, showing the calls new(String name, CallbackHandler callback), getConfiguration() and initializeSubject().


NTLM

  • NTLM - “Windows NT LAN Manager”

  • The authentication protocol used by Windows NT for file server authentication

  • Also supported by several other protocols including MS-extended HTTP

  • Client support: Internet Explorer, Mozilla/Firefox, Sun Java on Windows

  • Not secure enough for non-SSL use on the Internet, but should be acceptable on intranets

  • Windows 2000 uses Kerberos by default (optionally NTLM) which is more secure


How NTLM over HTTP works

NTLM uses three messages to authenticate:

  • Type 1: Negotiation

  • Type 2: Challenge

  • Type 3: Authentication
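The three-message exchange above, carried over HTTP, as an added example in Python (not code from the talk or from jCIFS): the server side of the handshake with a minimal parser for the standard NTLMSSP message layout (8-byte signature, 32-bit type, security buffers of length/allocated/offset) and constructed Type 1 and Type 3 tokens. The LM/NT responses are left empty and the domain-controller check that jCIFS performs is assumed to succeed; the session key "ntlmuser" mirrors the attribute the talk's SSOLogin servlet reads.

```python
import base64
import os
import struct
SIGNATURE = b"NTLMSSP\x00"
FLAGS = 0x0201  # NEGOTIATE_UNICODE | NEGOTIATE_NTLM
def _secbuf(data, off):
    # An NTLM "security buffer": u16 length, u16 allocated size, u32 offset (all little-endian)
    length, _alloc, start = struct.unpack_from("<HHI", data, off)
    return data[start:start + length]
def parse_ntlm(header):
    """Parse an Authorization / WWW-Authenticate header value of the form 'NTLM <base64>'."""
    scheme, _, b64 = header.partition(" ")
    data = base64.b64decode(b64) if scheme == "NTLM" and b64 else b""
    if data[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP token")
    msg = {"type": struct.unpack_from("<I", data, 8)[0]}
    if msg["type"] == 2:
        msg["challenge"] = data[24:32]  # the 8-byte server challenge
    elif msg["type"] == 3:
        # Domain and user names are security buffers at 28 and 36; UTF-16LE when the unicode flag is set
        flags = struct.unpack_from("<I", data, 60)[0] if len(data) >= 64 else 0
        enc = "utf-16-le" if flags & 1 else "ascii"
        msg["domain"], msg["user"] = _secbuf(data, 28).decode(enc), _secbuf(data, 36).decode(enc)
    return msg
def build_type1():
    return "NTLM " + base64.b64encode(SIGNATURE + struct.pack("<II", 1, FLAGS)).decode()

def build_type3(domain, user):
    """Constructed Type 3 with empty LM/NT responses (a real client derives them from password + challenge)."""
    dom, usr = domain.encode("utf-16-le"), user.encode("utf-16-le")
    fields = struct.pack("<HHI", 0, 0, 64) * 2                           # LM and NT responses (empty)
    fields += struct.pack("<HHI", len(dom), len(dom), 64)                # domain name
    fields += struct.pack("<HHI", len(usr), len(usr), 64 + len(dom))     # user name
    fields += struct.pack("<HHI", 0, 0, 64 + len(dom) + len(usr)) * 2    # workstation, session key (empty)
    data = SIGNATURE + struct.pack("<I", 3) + fields + struct.pack("<I", FLAGS) + dom + usr
    return "NTLM " + base64.b64encode(data).decode()

def server_step(session, authorization):
    """One round of the authenticating servlet: returns (status, headers); success stores session['ntlmuser']."""
    if authorization is None:
        return 401, {"WWW-Authenticate": "NTLM"}            # tell the browser to start NTLM
    msg = parse_ntlm(authorization)
    if msg["type"] == 1:                                     # Type 1 negotiation -> Type 2 challenge
        session["challenge"] = os.urandom(8)
        type2 = SIGNATURE + struct.pack("<IHHII", 2, 0, 0, 32, FLAGS) + session["challenge"]
        return 401, {"WWW-Authenticate": "NTLM " + base64.b64encode(type2).decode()}
    if msg["type"] == 3:                                     # Type 3 authentication
        # jCIFS hands the responses to the domain controller for verification; assumed to succeed here
        session["ntlmuser"] = msg["domain"] + "\\" + msg["user"]
        return 200, {}
    return 400, {}
```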


jCIFS

  • CIFS – Common Internet File System (Microsoft file sharing protocol)

  • Reimplementation of Samba using Java

  • Open Source (LGPL)

  • Also implements NTLM over HTTP

  • See: jcifs.samba.org


Solution overview

Diagram (figure): WebSphere and Active Directory.


Implementing SSO with jCIFS

    import java.io.IOException;
    import javax.servlet.*;
    import javax.servlet.http.*;
    import jcifs.http.NtlmServlet;

    public class SSOLogin extends NtlmServlet implements Servlet {

        public void init(ServletConfig c) throws ServletException {
            // Tell jCIFS which domain to authenticate against and which domain controller to ask
            jcifs.Config.setProperty("jcifs.smb.client.domain", "<Domain name>");
            jcifs.Config.setProperty("jcifs.http.domainController", "<ip adr>");
            super.init(c);  // let NtlmServlet complete its own initialization
        }

        public void doGet(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            // NtlmServlet has already completed the NTLM handshake; get the username from the session
            String username = (String) req.getSession().getAttribute("ntlmuser");
        }
    }


Integration with WebSphere

  • Want to use WebSphere’s access control for access to web pages

  • Need to convince WebSphere that we have logged on a user!

  • Can use WebSphere’s “TrustInterceptor”. Normally used to let another web server authenticate our users.


Our TrustInterceptor class

    package no.clientname.framework.sso;

    import javax.servlet.http.HttpServletRequest;
    import com.ibm.websphere.security.*;

    public class CustomTrustInterceptor extends WebSphereBaseTrustAssociationInterceptor
            implements TrustAssociationInterceptor {

        /** Return true if this is the target interceptor, else return false. */
        public boolean isTargetInterceptor(HttpServletRequest req) throws WebTrustAssociationException {
            // Only claim requests whose session already carries a user authenticated by the SSO servlet
            String ntlmuser = (String) req.getSession().getAttribute("ntlmuser");
            return ntlmuser != null;
        }

        /** Get the user name from the request and, if the user is entitled to the requested resource, return the user. */
        public String getAuthenticatedUsername(HttpServletRequest req) throws WebTrustAssociationUserException {
            String ntlmuser = (String) req.getSession().getAttribute("ntlmuser");
            if (ntlmuser != null) {
                return ntlmuser;
            }
            throw new WebTrustAssociationUserException();
        }
    }


WebSphere configuration

Steps to enable our SSO implementation in WAS:

  • Add wssec.jar and CustomTrustInterceptor.class to the ws.ext.dirs class path

  • Turn on Global Security

  • Select “LTPA (Lightweight Third Party Authentication)” as Active Authentication Mechanism

  • Under Authentication Mechanisms select LTPA, Trust Association, Interceptors and add the CustomTrustInterceptor class.


Some bugs..

Everything seemed to work fine at first, but...

  • Problem: HTTP POST did not work in IE

  • Solution: reply with an error code on the last NTLM response and keep the username on the session

    • The client is authenticated using NTLM, but IE thinks the server does not support NTLM and stops trying to re-authenticate on HTTP POST

    Add this code to the authentication servlet:

    response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);


Using Other Application Servers

Some untested ideas for using jCIFS on other application servers:

  • TrustInterceptor-like capabilities (for example “AuthFilter” in BEA WebLogic)

  • Custom Security

  • Security-filter

  • JAAS Module


Questions?

  • No frequently asked questions or tips regarding JAAS on Sun’s pages...

