Windows/Active Directory Authentication: Tomcat + JAAS w/ Waffle

tomcat, waffle, jna, java, active directory | 5/24/2010

We used to have code that checked whether a username/password was valid, then tried to enumerate user groups in Active Directory. That didn't work for nested groups, domains with trusts and many other scenarios in between. Then we wrote what eventually became Waffle. This weekend I added a JAAS LoginModule to Waffle 1.3. You can use it with anything that supports JAAS, such as Tomcat for BASIC, DIGEST or FORM authentication. This is a simple demonstration of Waffle (as opposed to the Single Sign-On Negotiate/NTLM/Kerberos valve) and is how we originally used it. Here's how.

Download

Download Waffle 1.3. The zip contains Waffle.chm that has the latest version of this tutorial.

Configure Tomcat

Copy Files

Copy waffle-jna.jar, jna.jar and platform.jar to Tomcat's lib directory.

JAAS Realm

Add a JAAS realm to the application context. Modify META-INF\context.xml of your application.

  <Context>
    <Realm className="org.apache.catalina.realm.JAASRealm"
           appName="Jaas"
           userClassNames="waffle.jaas.UserPrincipal"
           roleClassNames="waffle.jaas.RolePrincipal"
           useContextClassLoader="false"
           debug="true" />
  </Context>

Authentication

Modify WEB-INF\web.xml of your application.

Enable BASIC, DIGEST or FORMS authentication for this realm.

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Jaas</realm-name>
  </login-config>

Configure security roles. During authentication the Waffle login module adds all of the user's security groups (including nested and domain groups) as roles, so any group name can be used as a role name.

  <security-role>
    <role-name>Everyone</role-name>
  </security-role>

Restrict access to website resources. For example, to restrict the entire website to locally authenticated users, add the following.

  <security-constraint>
    <display-name>Waffle Security Constraint</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Everyone</role-name>
    </auth-constraint>
  </security-constraint>

Login Configuration

Create a login configuration file, login.conf. This file specifies how to plug in the Waffle Windows login module; the entry name (Jaas) must match the appName of the realm configured above.

  Jaas {
      waffle.jaas.WindowsLoginModule sufficient;
  };

The login.conf configuration file is passed to Java with -Djava.security.auth.login.config=<path-to-file>/login.conf.

JAAS Security Policy

Create a JAAS policy configuration file, jaas.policy. This file specifies which identities are granted which permissions. The sample below grants every principal AllPermission, which is fine for the demo but should be narrowed for a real deployment.

  grant Principal * * {
    permission java.security.AllPermission "/*";
  };

The policy file is passed to Java with -Djava.security.auth.policy=<path-to-file>/jaas.policy.

Start Tomcat

You must start Tomcat with the Security Manager enabled (-security) and point it at a login configuration and a policy file. For example, the following batch file starts Tomcat using the demo login.conf and jaas.policy from the Waffle samples.

  @echo off
  setlocal
  set JAVA_OPTS=-Djava.security.auth.login.config="C:/Program Files/Tomcat/webapps/waffle-jaas/login.conf" -Djava.security.auth.policy="C:/Program Files/Tomcat/webapps/waffle-jaas/jaas.policy"
  call bin/catalina.bat run -security
  endlocal
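To see what the JAASRealm receives from the login.conf entry above, here is a small stand-alone Java program (added as an example; it is not part of Waffle or of the original post) that logs a user in through the same "Jaas" entry and lists the principals the WindowsLoginModule placed in the Subject. It assumes the module answers the standard NameCallback and PasswordCallback, as it does when driven by Tomcat's realm, and that waffle-jna.jar, jna.jar and platform.jar are on the class path of a Windows machine.

```java
import java.util.Arrays;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import waffle.jaas.RolePrincipal;
import waffle.jaas.UserPrincipal;

/** Logs in through the "Jaas" entry of login.conf and lists what WindowsLoginModule put in the Subject. */
public class WaffleJaasCheck {
    /** Answers the module's NameCallback/PasswordCallback; any other callback is refused. */
    static CallbackHandler handlerFor(final String user, final char[] password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        };
    }

    // Usage: java -Djava.security.auth.login.config=login.conf WaffleJaasCheck DOMAIN\user
    public static void main(String[] args) throws LoginException {
        String user = args[0];
        char[] password = System.console().readPassword("Password for %s: ", user);
        // "Jaas" is the entry name in login.conf and the appName of the JAASRealm
        LoginContext lc = new LoginContext("Jaas", handlerFor(user, password));
        lc.login();                      // LoginException means Windows rejected the credentials
        Arrays.fill(password, '\0');     // do not keep the password around after use
        Subject subject = lc.getSubject();
        for (UserPrincipal p : subject.getPrincipals(UserPrincipal.class)) {
            System.out.println("user: " + p.getName());   // what JAASRealm treats as the user
        }
        // What JAASRealm exposes as roles: every group the account is in, nested and
        // trusted-domain groups included, so these are the names valid in <role-name>
        for (RolePrincipal r : subject.getPrincipals(RolePrincipal.class)) {
            System.out.println("role: " + r.getName());
        }
        lc.logout();
    }
}
```

If a group you expect to use in a security constraint does not show up in the role list, the problem is in the Windows logon or group lookup, not in web.xml.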

Demo Application

A demo application can be found in the Waffle distribution in the Samples\Tomcat\waffle-jaas directory. Copy the entire directory into Tomcat's webapps directory, start Tomcat as explained above, and navigate to http://localhost:8080/waffle-jaas/. You will be prompted for your Windows login; enter your Windows credentials and log in.

When I browse to http://localhost:8080/waffle-jaas/ I got a window asking for username and password, but I don't know what username and password should be used?
khandakar ahmed @ Monday, 13 December 2010
Please check out the waffle discussions; similar questions have been asked. Then, if you still didn't solve it, get detailed logs and an HTTP trace and ask the question there.
dB. @ Monday, 13 December 2010
I succeed in logging in with my local account but I don't succeed in logging in with AD authentication.

Do I need to configure something to use AD authentication?
Tony @ Thursday, 06 January 2011
See the previous comment. Bring this to Codeplex. Also, there's a new page on initial troubleshooting; start there: http://waffle.codeplex.com/wikipage?title=Troubleshooting%20Negotiate&referringTitle=Home.
dB. @ Thursday, 06 January 2011