Real single sign on for web applications
Holger Zobel ([email protected]), JavaZone 2005

Agenda



  • Background

    • Description of client environment

    • What’s Single sign-on?

    • Java Authentication and Authorization Service (JAAS)

    • The NTLM authentication protocol

  • Implementation

    • Using jCIFS for Single Sign-on

    • Making WebSphere trust our NTLM-implementation

  • Other application servers

  • Questions

The client

  • Large government agency

  • Lots of mainframe applications, but getting more and more web-based applications

  • 8000 employees with 450 remote offices

  • Low computer skills

  • Windows NT workstations

  • Project to make a web-based child support management system running on WebSphere


  • Java Authentication and Authorization Service

  • JAAS is a set of APIs that enable services to authenticate and enforce access controls upon users.

  • Example JAAS login:

    LoginContext lc = new LoginContext("myConfiguration");
    lc.login();


  • Works well for Java client applications and username/password web authentication

JAAS authentication

Constructor shown on the slide (the two-argument LoginContext form):

    new LoginContext(String name, CallbackHandler callback)

  • NTLM - “Windows NT LAN Manager”

  • The authentication protocol used by Windows NT for file server authentication

  • Also supported by several other protocols, including Microsoft's extended HTTP

  • Client support: Internet Explorer, Mozilla/Firefox, Sun Java on Windows

  • Not secure enough for non-SSL use on the Internet, but should be acceptable on intranets

  • Windows 2000 uses Kerberos by default (optionally NTLM), which is more secure

How NTLM over HTTP works

NTLM uses three messages to authenticate:

  • Type 1: Negotiation

  • Type 2: Challenge

  • Type 3: Authentication
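The three-message exchange above, worked through as an added Python sketch of the servlet side (this is not jCIFS code and not from the presentation): it reads the message type from the NTLMSSP header, answers a Type 1 with a Type 2 challenge it remembers on the session, and accepts a Type 3 only if it answers that same challenge. The `verify` callback stands in for the pass-through check against the domain controller, and the sample messages are constructed.

```python
import base64
import struct

SIG = b"NTLMSSP\x00"
def _secbuf(data, offset):  # NTLM "security buffer": len(2), maxlen(2), offset(4), little-endian
    return struct.pack("<HHI", len(data), len(data), offset)

def _read_secbuf(raw, at):
    length, _, start = struct.unpack_from("<HHI", raw, at)
    return raw[start:start + length]

def message_type(auth_header):
    """1, 2 or 3 for an 'NTLM <base64>' header value, else None (not NTLM / malformed)."""
    if not auth_header or not auth_header.startswith("NTLM "):
        return None
    raw = base64.b64decode(auth_header[5:])
    if len(raw) < 12 or raw[:8] != SIG:
        return None
    return struct.unpack_from("<I", raw, 8)[0]

def build_type2(challenge):
    """Type 2: signature, type, empty target name, flags, the 8-byte server challenge."""
    return SIG + struct.pack("<I", 2) + _secbuf(b"", 32) + struct.pack("<I", 0x202) + challenge

def build_type3(domain, user, nt_response):
    """Constructed Type 3 (OEM strings, no session key) used only for the demo."""
    payload, bufs = b"", []
    for data in (b"", nt_response, domain.encode(), user.encode(), b"WS", b""):
        bufs.append(_secbuf(data, 64 + len(payload)))  # LM, NT, domain, user, host, session key
        payload += data
    return SIG + struct.pack("<I", 3) + b"".join(bufs) + struct.pack("<I", 0x202) + payload

def type3_identity(raw):
    """Domain and user names carried by a Type 3 message (security buffers at 28 and 36)."""
    unicode_ = len(raw) >= 64 and struct.unpack_from("<I", raw, 60)[0] & 1
    enc = "utf-16-le" if unicode_ else "ascii"
    return _read_secbuf(raw, 28).decode(enc), _read_secbuf(raw, 36).decode(enc)

def handle(auth_header, session, challenge, verify):
    """Servlet side of one round; sets 'ntlmuser' like jCIFS' NtlmServlet. verify() stands in for the DC."""
    mtype = message_type(auth_header)
    if mtype == 1:                                 # Type 1 -> answer with our Type 2 challenge
        session["ntlmchallenge"] = challenge
        return 401, "NTLM " + base64.b64encode(build_type2(challenge)).decode()
    if mtype == 3 and "ntlmchallenge" in session:  # Type 3 -> must answer the challenge we issued
        raw = base64.b64decode(auth_header[5:])
        domain, user = type3_identity(raw)
        if verify(domain, user, _read_secbuf(raw, 20), session.pop("ntlmchallenge")):
            session["ntlmuser"] = user
            return 200, None
    return 401, "NTLM"                             # no or failed NTLM: (re)start the handshake
```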


  • CIFS – Common Internet File System (Microsoft file sharing protocol)

  • A reimplementation of Samba in Java

  • Open Source (LGPL)

  • Also implements NTLM over HTTP

  • See:

Solution overview

Diagram label: Active Directory

Implementing SSO with jCIFS

    import java.io.IOException;
    import javax.servlet.ServletConfig;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import jcifs.http.NtlmServlet;

    public class SSOLogin extends NtlmServlet {

        public void init(ServletConfig c) throws ServletException {
            jcifs.Config.setProperty("jcifs.smb.client.domain", "<Domain name>");
            jcifs.Config.setProperty("jcifs.http.domainController", "<ip adr>");
            super.init(c); // NtlmServlet picks up the jcifs.Config settings here
        }

        public void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
            // NtlmServlet has completed the NTLM handshake before doGet is reached;
            // get the authenticated username from the session
            String username = (String) req.getSession().getAttribute("ntlmuser");
        }
    }

Integration with WebSphere

  • Want to use WebSphere’s access control for access to web pages

  • Need to convince WebSphere that we have logged on a user!

  • Can use WebSphere's "TrustInterceptor". Normally used to let another web server authenticate our users.

Our TrustInterceptor class

    package no.clientname.framework.sso;

    import javax.servlet.http.HttpServletRequest;
    import com.ibm.websphere.security.TrustAssociationInterceptor;
    import com.ibm.websphere.security.WebSphereBaseTrustAssociationInterceptor;
    import com.ibm.websphere.security.WebTrustAssociationException;
    import com.ibm.websphere.security.WebTrustAssociationFailedException;
    import com.ibm.websphere.security.WebTrustAssociationUserException;

    public class CustomTrustInterceptor extends WebSphereBaseTrustAssociationInterceptor implements TrustAssociationInterceptor {

        /** Return true if this is the target interceptor, else return false. */
        public boolean isTargetInterceptor(HttpServletRequest req) throws WebTrustAssociationException {
            // Only intercept requests whose session already carries a user set by SSOLogin
            String ntlmuser = (String) req.getSession().getAttribute("ntlmuser");
            return ntlmuser != null;
        }

        /** Required by the interface but not shown on the slide: trust was established by
            our own NTLM servlet, so there is nothing further to validate here. */
        public void validateEstablishedTrust(HttpServletRequest req) throws WebTrustAssociationFailedException {
        }

        /** Get the user name from the request and, if the user is entitled to the requested resource, return the user. */
        public String getAuthenticatedUsername(HttpServletRequest req) throws WebTrustAssociationUserException {
            String ntlmuser = (String) req.getSession().getAttribute("ntlmuser");
            if (ntlmuser != null) {
                return ntlmuser;
            }
            throw new WebTrustAssociationUserException();
        }
    }

WebSphere configuration

Steps to enable our SSO implementation in WAS:

  • Add wssec.jar and CustomTrustInterceptor.class to the ws.ext.dirs class path

  • Turn on Global Security

  • Select "LTPA (Lightweight Third Party Authentication)" as Active Authentication Mechanism

  • Under Authentication Mechanisms select LTPA, Trust Association, Interceptors and add the CustomTrustInterceptor class.

Some bugs..

Everything seemed to work fine at first, but...

  • HTTP POST did not work in IE

  • The client is authenticated using NTLM, but IE thinks the server does not support NTLM, and stops trying to re-authenticate on HTTP POST

  • Fix: reply with an error code on the last NTLM response and keep the username on the session

    Add this code to the authentication servlet:


Using Other Application Servers

Some untested ideas for using jCIFS on other application servers:

  • TrustInterceptor-like capabilities (for example "AuthFilter" in BEA WebLogic)

  • Custom Security

  • Security-filter

  • JAAS Module


  • No frequently asked questions or tips regarding JAAS on Sun's pages...