Single Sign-On: Spring-Security Negotiate Filter (Kerberos + NTLM) w/Waffle

spring, waffle, security | 7/9/2010


In this post I’ll explain how to configure the Waffle Spring-Security Negotiate filter to do single-sign-on on Windows and touch on how much more elegant the spring-based filter configuration is versus, for example, the generic servlet filter.

Download

Download Waffle 1.3. The zip contains Waffle.chm with the latest version of this tutorial.

Configure Your Application

Configure Spring-Security

We'll assume that Spring-Security is configured via web.xml with a filter chain and a Spring ContextLoaderListener. The Waffle beans configuration will be added to waffle-filter.xml.

  <filter>
      <filter-name>springSecurityFilterChain</filter-name>
      <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>
  <filter-mapping>
      <filter-name>springSecurityFilterChain</filter-name>
      <url-pattern>/*</url-pattern>
  </filter-mapping>
  <context-param>
      <param-name>contextConfigLocation</param-name>
      <param-value>/WEB-INF/waffle-filter.xml</param-value>
  </context-param>
  <listener>
      <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>

Package Files

You need waffle-jna.jar, jna.jar, platform.jar and commons-logging-1.1.1.jar from the Waffle distribution, as well as the Spring and Spring-Security JARs. These should be placed on your application’s classpath (e.g. packaged in the WAR). If you’re using Tomcat, for demo purposes you can put these files in Tomcat’s lib directory.

Windows Authentication Provider

Declare a Windows Authentication provider. This is the link between Waffle and the operating system.

  <bean id="waffleWindowsAuthProvider" class="waffle.windows.auth.impl.WindowsAuthProviderImpl" />

Waffle Security Filter Providers

Declare a collection of Waffle security filter providers that implement various authentication protocols.

  <bean id="negotiateSecurityFilterProvider" class="waffle.servlet.spi.NegotiateSecurityFilterProvider">
    <constructor-arg ref="waffleWindowsAuthProvider" />
  </bean>

  <bean id="basicSecurityFilterProvider" class="waffle.servlet.spi.BasicSecurityFilterProvider">
    <constructor-arg ref="waffleWindowsAuthProvider" />
  </bean>

  <bean id="waffleSecurityFilterProviderCollection" class="waffle.servlet.spi.SecurityFilterProviderCollection">
    <constructor-arg>
      <list>
        <ref bean="negotiateSecurityFilterProvider" />
        <ref bean="basicSecurityFilterProvider" />
      </list>
    </constructor-arg>
  </bean>

If you’re not very familiar with Spring, you will start loving it right here. We add two providers to a collection in a configuration file, so adding or removing a provider requires no other configuration mechanism and no code change. Each class instance (bean) is also configurable individually; we can, for example, configure the name of the realm for Basic authentication. Keep in mind that the Basic provider receives a username and password that are only base64-encoded in the Authorization header, so it should only be exposed over HTTPS.

  <bean id="basicSecurityFilterProvider" class="waffle.servlet.spi.BasicSecurityFilterProvider">
    <constructor-arg ref="waffleWindowsAuthProvider" />
    <property name="Realm" value="DemoRealm" />
  </bean>

It’s more verbose, but it’s much more flexible.

Add a Waffle Security Filter

Add the Waffle security filter and entry point to the sec:http configuration section. The filter will be placed before the Basic authentication filter that ships with Spring-Security. The filter uses the collection of authentication filter providers defined above to perform authentication.

  <sec:http entry-point-ref="negotiateSecurityFilterEntryPoint">
    <sec:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
    <sec:custom-filter ref="waffleNegotiateSecurityFilter" position="BASIC_AUTH_FILTER" />
  </sec:http>

  <bean id="negotiateSecurityFilterEntryPoint" class="waffle.spring.NegotiateSecurityFilterEntryPoint">
    <property name="Provider" ref="waffleSecurityFilterProviderCollection" />
  </bean>

Spring-Security Authentication Manager

Define a required default Spring-Security authentication manager. We’re not going to use it in this setup because the filter takes care of authentication and the user doesn’t have a way to supply, for example, a username and password.

  <sec:authentication-manager alias="authenticationProvider" />

Note that Waffle does include a Spring-based authentication manager for form-based authentication or non-web-based scenarios.

The Filter Itself

Finally, define the Spring-Security Waffle filter that uses the collection of security filter providers to perform authentication.

  <bean id="waffleNegotiateSecurityFilter" class="waffle.spring.NegotiateSecurityFilter">
    <property name="Provider" ref="waffleSecurityFilterProviderCollection" />
  </bean>
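The fragments above, assembled into one complete waffle-filter.xml. This is an added example, not a file from the Waffle distribution; the namespace prefix, schema URLs and the DemoRealm value are assumptions, and the bean ids are the ones used in this post.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- waffle-filter.xml: the fragments from this post combined into one Spring context.
     The schema URLs and the sec: prefix are assumed; adjust to your Spring-Security version. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:sec="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security.xsd">

  <!-- Bridge to Windows authentication: every credential check ends up here. -->
  <bean id="waffleWindowsAuthProvider" class="waffle.windows.auth.impl.WindowsAuthProviderImpl" />

  <!-- Negotiate (Kerberos/NTLM) first; Basic as the fallback for clients that cannot negotiate. -->
  <bean id="negotiateSecurityFilterProvider" class="waffle.servlet.spi.NegotiateSecurityFilterProvider">
    <constructor-arg ref="waffleWindowsAuthProvider" />
  </bean>
  <bean id="basicSecurityFilterProvider" class="waffle.servlet.spi.BasicSecurityFilterProvider">
    <constructor-arg ref="waffleWindowsAuthProvider" />
    <property name="Realm" value="DemoRealm" />  <!-- assumed realm name -->
  </bean>
  <bean id="waffleSecurityFilterProviderCollection" class="waffle.servlet.spi.SecurityFilterProviderCollection">
    <constructor-arg>
      <list>
        <ref bean="negotiateSecurityFilterProvider" />
        <ref bean="basicSecurityFilterProvider" />
      </list>
    </constructor-arg>
  </bean>

  <!-- Entry point and filter share one provider collection, so the WWW-Authenticate
       challenges issued on 401 match the protocols the filter is able to consume. -->
  <bean id="negotiateSecurityFilterEntryPoint" class="waffle.spring.NegotiateSecurityFilterEntryPoint">
    <property name="Provider" ref="waffleSecurityFilterProviderCollection" />
  </bean>
  <bean id="waffleNegotiateSecurityFilter" class="waffle.spring.NegotiateSecurityFilter">
    <property name="Provider" ref="waffleSecurityFilterProviderCollection" />
  </bean>

  <!-- Every URL requires a fully authenticated user; the Waffle filter takes the BASIC_AUTH_FILTER slot. -->
  <sec:http entry-point-ref="negotiateSecurityFilterEntryPoint">
    <sec:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
    <sec:custom-filter ref="waffleNegotiateSecurityFilter" position="BASIC_AUTH_FILTER" />
  </sec:http>

  <!-- Required by the namespace configuration; unused here because the filter authenticates directly. -->
  <sec:authentication-manager alias="authenticationProvider" />
</beans>
```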

Demo Application

A demo application with the complete configuration file can be found in the Waffle distribution in the Samples\waffle-spring-filter directory. Copy the entire directory into Tomcat's webapps directory and navigate to http://localhost:8080/waffle-spring-filter/. You should be automatically logged in under your current Windows account.

You can also see/browse the configuration source code here.

Links