Daniel Doubrovkine


A user recently tried to integrate Tomcat’s manager application with Waffle and got puzzling results. It took me a while to figure it out, revealing some creative thinking in Tomcat’s demo apps.

Configure Tomcat SSO

Let’s configure Tomcat to use Waffle for SSO. First, copy waffle-jna.jar, jna.jar, platform.jar, commons-logging-1.1.1.jar and guava-r07.jar (we’re using Waffle 1.4 beta) to Tomcat’s lib folder.

conf/context.xml

Add the Waffle authenticator valve inside the <Context> element. This valve performs the Negotiate (Kerberos/NTLM) handshake with the browser and replaces whatever authenticator Tomcat would otherwise pick from a login-config.

<Valve className="waffle.apache.NegotiateAuthenticator" />

conf/server.xml

Replace UserDatabaseRealm with the Waffle dummy realm. Tomcat requires a realm to be present, but the valve does the actual authentication and group lookup against Windows; the realm only exposes the resulting principal and groups to Tomcat.

<Realm className="waffle.apache.WindowsRealm" />

conf/web.xml

Protect all pages from unauthenticated users. Note that a security constraint that lists <http-method> elements protects only the listed methods: with the block below, HEAD, PUT, DELETE, OPTIONS and any other method reach the resource without authentication. Unless you specifically want that, omit the <http-method> elements so the constraint covers every method.

<security-constraint>
  <web-resource-collection>
    <web-resource-name>
      Tomcat Server
    </web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>BUILTIN\Users</role-name>
  </auth-constraint>
</security-constraint>

You may also declare the group as a security role. The servlet specification expects every role named in an auth-constraint to be declared in a security-role, and declaring it keeps request.isUserInRole() consistent with the constraint.

<security-role>
  <description>
    The role that is required to log in.
  </description>
  <role-name>BUILTIN\Users</role-name>
</security-role>

You can now navigate to http://localhost:8080/ (8080 is Tomcat’s default plain HTTP connector; the SSL connector, when enabled, defaults to 8443) and perform single sign-on. In the logs you’ll see something like this.

Nov 30, 2010 10:17:02 AM waffle.apache.NegotiateAuthenticator authenticate
INFO: successfully logged in user: server\username

Configure Tomcat Manager

webapps/manager/WEB-INF/web.xml

Replace the auth-constraint with the users or groups that should be able to access the manager application. For my example I’ll allow all authenticated users. You may also declare the group as a role (see above). Bear in mind that anyone who can reach the manager can deploy a WAR and therefore run code as the Tomcat service account, so outside a test setup grant it to a dedicated administrators group rather than BUILTIN\Users.

<auth-constraint>
  <role-name>BUILTIN\Users</role-name>
</auth-constraint>

Remove the entire login-config block. The Waffle valve configured in context.xml now handles authentication, so the BASIC method declared there is no longer used.

webapps/manager/401.jsp

Remove the following code from the manager’s 401 error page.

<%
    response.setHeader("WWW-Authenticate", "Basic realm=\"Tomcat Manager Application\"");
%>

It’s an interesting way to force a basic authentication popup. The manager’s web.xml maps status 401 to this page, so every 401, including the Negotiate challenge Waffle sends, is rendered through it, and the setHeader call replaces the WWW-Authenticate: Negotiate header with a Basic challenge. That is why you get this popup every time authentication fails, even after you changed BASIC authentication for something else. I believe it’s part of some clever evil plot to cause users many hours of frustration.
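To check a deployment for the two pitfalls discussed above (a security constraint that protects only GET and POST, and a custom 401 page that emits its own WWW-Authenticate header), here is a small audit script. It is an added example written for this post, not Waffle or Tomcat code; the web.xml and JSP samples are constructed copies of the fragments shown above (the manager’s 401 error-page mapping is what makes 401.jsp render), and the function names audit_web_xml and jsp_overrides_challenge are my own.

```python
"""Audit a Tomcat web.xml and a 401 error page for the pitfalls in this post.

Added example, not Waffle or Tomcat code.  It flags:
  * a <security-constraint> listing <http-method> elements: only those methods
    are protected, HEAD/PUT/DELETE/OPTIONS/... pass through unauthenticated;
  * a role named in an <auth-constraint> that no <security-role> declares;
  * an <error-page> for 401, whose JSP must not emit its own WWW-Authenticate
    header (setHeader replaces the Negotiate challenge with a Basic one).
"""
import re
import xml.etree.ElementTree as ET


def _strip_namespaces(root):
    """web.xml usually carries the javaee namespace; drop it so paths stay simple."""
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def audit_web_xml(xml_text):
    """Return a list of human-readable findings for one web.xml."""
    root = _strip_namespaces(ET.fromstring(xml_text))
    findings = []
    declared = {r.text.strip() for r in root.iterfind("security-role/role-name") if r.text}
    for sc in root.iterfind("security-constraint"):
        for wrc in sc.iterfind("web-resource-collection"):
            name = (wrc.findtext("web-resource-name") or "").strip()
            methods = [m.text.strip() for m in wrc.iterfind("http-method") if m.text]
            if methods:  # verb tampering: unlisted methods are unconstrained
                findings.append(f"constraint '{name}' protects only {methods}; every other "
                                "HTTP method is unconstrained (drop the <http-method> elements)")
        for rn in sc.iterfind("auth-constraint/role-name"):
            role = (rn.text or "").strip()
            if role and role != "*" and role not in declared:
                findings.append(f"role '{role}' is used in an <auth-constraint> but not "
                                "declared in a <security-role>")
    for ep in root.iterfind("error-page"):
        if (ep.findtext("error-code") or "").strip() == "401":
            loc = (ep.findtext("location") or "").strip()
            findings.append(f"custom 401 page {loc} is rendered for every 401; make sure it "
                            "does not set its own WWW-Authenticate header")
    return findings


# Matches response.setHeader("WWW-Authenticate", "Basic ...") in a JSP: the line
# this post removes from the manager's 401.jsp.
_BASIC_CHALLENGE = re.compile(r'setHeader\(\s*"WWW-Authenticate"\s*,\s*"Basic\b')


def jsp_overrides_challenge(jsp_text):
    """True if an error page replaces the authenticator's challenge with Basic."""
    return _BASIC_CHALLENGE.search(jsp_text) is not None


# Constructed sample: the constraint from this post plus the manager's 401 mapping.
WEAK_WEB_XML = r"""<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Tomcat Server</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>BUILTIN\Users</role-name></auth-constraint>
  </security-constraint>
  <error-page><error-code>401</error-code><location>/401.jsp</location></error-page>
</web-app>"""

# Constructed corrected form: no <http-method> (all methods covered), the role
# declared, and no custom 401 page.
FIXED_WEB_XML = r"""<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Tomcat Server</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>BUILTIN\Users</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>BUILTIN\Users</role-name></security-role>
</web-app>"""

# Constructed copy of the line this post removes from webapps/manager/401.jsp.
MANAGER_401_JSP = r"""<%
    response.setHeader("WWW-Authenticate", "Basic realm=\"Tomcat Manager Application\"");
%>"""

if __name__ == "__main__":
    for finding in audit_web_xml(WEAK_WEB_XML):
        print("WEAK:", finding)
    print("FIXED:", audit_web_xml(FIXED_WEB_XML) or "no findings")
    print("401.jsp overrides Negotiate:", jsp_overrides_challenge(MANAGER_401_JSP))
```

Run it against conf/web.xml and each webapps/*/WEB-INF/web.xml; the manager’s own web.xml will trip the 401 check until its error page no longer sets the header.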