Real Single Sign-on for web applications


Holger Zobel ([email protected]), JavaZone 2005

Agenda
  • Background
    • Description of client environment
    • What’s Single sign-on?
    • Java Authentication and Authorization Service (JAAS)
    • The NTLM authentication protocol
  • Implementation
    • Using jCIFS for Single Sign-on
    • Making WebSphere trust our NTLM-implementation
  • Other application servers
  • Questions
The client
  • Large government agency
  • Lots of mainframe applications, but is getting more and more web-based applications
  • 8000 employees with 450 remote offices
  • Low computer skills
  • Windows NT workstations
  • Project to make a web-based child support management system running on WebSphere
Java Authentication and Authorization Service
  • JAAS is a set of APIs that enable services to authenticate and enforce access controls upon users.
  • Example JAAS login:

LoginContext lc = new LoginContext("myConfiguration");
lc.login();


  • Works well for Java Client Applications and username/password web authentication
JAAS authentication




[Diagram: LoginContext creation, new(String name, CallbackHandler callback)]



  • NTLM - “Windows NT LAN Manager”
  • The authentication protocol used by Windows NT for file server authentication
  • Also supported by several other protocols including MS-extended HTTP
  • Client support: Internet Explorer, Mozilla/Firefox, Sun Java on Windows
  • Not secure enough for non-SSL on internet, but should be acceptable on intranets
  • Windows 2000 uses Kerberos by default (optionally NTLM); Kerberos is more secure
How NTLM over HTTP works

NTLM uses three messages to authenticate:

  • Type 1: Negotiation
  • Type 2: Challenge
  • Type 3: Authentication
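
An added example, not part of the original slides: over HTTP the three messages travel base64-encoded in the Authorization (client) and WWW-Authenticate (server) headers, and this parser classifies a header value and reads the user name that a Type 3 message claims. Field offsets follow the NTLM message layout in Microsoft's MS-NLMP specification; the sample tokens, the user jdoe and the ISO-8859-1 fallback for non-Unicode strings are assumptions made for the demo.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class NtlmHttpMessages {
    /** Decodes "NTLM <base64>" and checks the NTLMSSP signature; null if it is not an NTLM token. */
    static ByteBuffer decode(String header) {
        if (header == null || !header.startsWith("NTLM ")) return null;
        byte[] raw;
        try { raw = Base64.getDecoder().decode(header.substring(5).trim()); }
        catch (IllegalArgumentException e) { return null; }
        if (raw.length < 12 || !new String(raw, 0, 8, StandardCharsets.ISO_8859_1).equals("NTLMSSP\0")) return null;
        return ByteBuffer.wrap(raw).order(ByteOrder.LITTLE_ENDIAN);
    }
    /** 1 = negotiation, 2 = challenge, 3 = authentication, -1 = anything else. */
    static int messageType(String header) {
        ByteBuffer m = decode(header);
        int t = (m == null) ? -1 : m.getInt(8);
        return (t >= 1 && t <= 3) ? t : -1;
    }
    /** User name claimed in a Type 3 message. It is only a claim until the response is verified. */
    static String type3User(String header) {
        ByteBuffer m = decode(header);
        if (m == null || m.getInt(8) != 3 || m.limit() < 64) return null;
        int len = m.getShort(36) & 0xFFFF, off = m.getInt(40);  // user name field: length, offset
        if (off < 64 || len > m.limit() - off) return null;      // field must lie inside the message
        boolean unicode = (m.getInt(60) & 1) != 0;               // flag bit 0: strings are UTF-16LE
        return new String(m.array(), off, len, unicode ? StandardCharsets.UTF_16LE : StandardCharsets.ISO_8859_1);
    }
    /** Builds a constructed (not captured) token; only the fields read above are filled in. */
    static String sample(int type, String user) {
        byte[] u = user.getBytes(StandardCharsets.UTF_16LE);
        ByteBuffer b = ByteBuffer.allocate(64 + u.length).order(ByteOrder.LITTLE_ENDIAN);
        b.put("NTLMSSP\0".getBytes(StandardCharsets.ISO_8859_1)).putInt(type);
        if (type == 3) {
            b.putShort(36, (short) u.length).putShort(38, (short) u.length).putInt(40, 64).putInt(60, 1);
            System.arraycopy(u, 0, b.array(), 64, u.length);
        }
        return "NTLM " + Base64.getEncoder().encodeToString(b.array());
    }
    public static void main(String[] args) {
        System.out.println("client Authorization:    type " + messageType(sample(1, "")));
        System.out.println("server WWW-Authenticate: type " + messageType(sample(2, "")));
        String t3 = sample(3, "jdoe");
        System.out.println("client Authorization:    type " + messageType(t3) + ", claims user " + type3User(t3));
        System.out.println("non-NTLM header:         type " + messageType("Basic dXNlcjpwdw=="));
    }
}
```

The user name in a Type 3 message is supplied by the client, so it should be treated as an identity only after the challenge response has been verified; a parser like this is for logging and debugging the handshake.
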
  • CIFS – Common Internet File System (Microsoft file sharing protocol)
  • Reimplementation of Samba using Java
  • Open Source (LGPL)
  • Also implements NTLM over HTTP
  • See:
Solution overview


[Diagram: solution overview; surviving label: Active Directory]

Implementing SSO with jCIFS

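import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;
import jcifs.http.NtlmServlet;

public class SSOLogin extends NtlmServlet implements Servlet {

    public void init(ServletConfig c) throws ServletException {
        // The domain and domain controller values are empty in the transcript
        jcifs.Config.setProperty("jcifs.smb.client.domain", "");
        jcifs.Config.setProperty("jcifs.http.domainController", "");
        // Initialise the NtlmServlet base class after the properties are set
        super.init(c);
    }

    public void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        // Get username from session
        String username = (String) req.getSession().getAttribute("ntlmuser");
        // (the rest of the method is not shown in the transcript)
    }
}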

Integration with WebSphere
  • Want to use WebSphere’s access control for access to web pages
  • Need to convince WebSphere that we have logged on a user!
  • Can use WebSphere “TrustInterceptor”. Normally used to let another web server authenticate our users.
Our TrustInterceptor class

package no.clientname.framework.sso;

import javax.servlet.http.HttpServletRequest;
import com.ibm.websphere.security.*;

public class CustomTrustInterceptor extends WebSphereBaseTrustAssociationInterceptor implements TrustAssociationInterceptor {

    /** Return true if this is the target interceptor, else return false. */
    public boolean isTargetInterceptor(HttpServletRequest req) throws WebTrustAssociationException {
        String ntlmuser = (String) req.getSession().getAttribute("ntlmuser");
        if (ntlmuser != null)
            return true;
        return false;
    }

    /** Get the user name from the request and, if the user is entitled to the requested resource, return the user. */
    public String getAuthenticatedUsername(HttpServletRequest req) throws WebTrustAssociationUserException {
        // WebSphere treats the returned name as the authenticated user,
        // so "ntlmuser" must only be set after a completed NTLM login.
        String ntlmuser = (String) req.getSession().getAttribute("ntlmuser");
        if (ntlmuser != null) {
            return ntlmuser;
        }
        throw new WebTrustAssociationUserException();
    }

    // (any further interceptor methods are not shown in the transcript)
}

WebSphere configuration

Steps to enable our SSO implementation in WAS:

  • Add wssec.jar and CustomTrustInterceptor.class to ws.ext.dirs class path
  • Turn on Global Security
  • Select “LTPA (Lightweight Third-Party Authentication)” as Active Authentication Mechanism
  • Under Authentication Mechanisms select LTPA, Trust Association, Interceptors and add the CustomTrustInterceptor class.
Some bugs..

Everything seemed to work fine at first, but...

  • HTTP POST did not work in IE


  • Reply with an error code on the last NTLM response and keep username on session
  • The client is authenticated using NTLM, but IE thinks the server does not support NTLM, and stops trying to re-authenticate on HTTP POST

Add this code to the authentication servlet:


Using Other Application Servers

Some untested ideas for using jCIFS on other application servers:

  • TrustInterceptor-like capabilities (For example “AuthFilter” in BEA WebLogic)
  • Custom Security
  • Security-filter
  • JAAS Module
  • No frequently asked questions or tips regarding JAAS on Sun’s pages...