4
votes

I have searched a lot about this topic but can't find a solution.

Short description of the requirements:

  • SSO on a WebApp under Wildfly 8.2
  • Authenticate the Windows User to the Active Directory
  • Fallback to Login Form, when SSO fails
  • Running in a Domain Configuration of Wildfly

Environment:

  • Microsoft AD on Windows Server 2012 R2 (1st machine)
  • Microsoft Windows Server 2012 R2 with Wildfly 8.2 (2nd machine)
  • The 2nd machine has joined the domain

What I have tried so far is binding the AD and the Wildfly server via ktpass, kinit, ... and it works!

  1. Tried the following: github.com/dstraub/spnego-wildfly. It is NOT working, due to the fact that there is no fallback (form based) and there is a problem with Java version 1.8.0_45: sourceforge.net/p/spnego/discussion/1003769/thread/700b6941/#cb84.

  2. Tried next: github.com/kwart/spnego-demo. Also not working; it seems Wildfly 8.2 has a different behavior.

  3. WAFFLE library: cannot get it to work under Wildfly; good support for Tomcat but not more.

Has anyone had experience with this configuration and has a solution for it?

2
Arkin Günyar: I finally got it working with WAFFLE.
bebbo: How? Please share that information!

2 Answers

3
votes

Here is the explanation:

  1. I've created a webapp with the following libraries included:

    • guava-18.0.jar
    • jna-4.1.0.jar
    • jna-platform-4.1.0.jar
    • slf4j-api-1.7.12.jar
    • waffle-jna-1.7.4.jar
  2. I've declared the web filter in the web.xml:

<filter>
    <filter-name>SecurityFilter</filter-name>
    <filter-class>waffle.servlet.NegotiateSecurityFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>SecurityFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
  3. After that you can read the user from the HttpServletRequest:

import java.security.Principal;
import java.util.Enumeration;
import javax.servlet.http.HttpServletRequest;

// servletRequest is the current request (a field in the original; passed in here so the method stands alone)
public String getUserName(HttpServletRequest servletRequest) {
    // Debug aid: dump every request header, including the "Authorization: Negotiate ..." token WAFFLE consumed
    Enumeration<String> headerNames = servletRequest.getHeaderNames();
    while (headerNames.hasMoreElements()) {
        String headerName = headerNames.nextElement();
        String headerValue = servletRequest.getHeader(headerName);
        System.out.println("Header Name:" + headerName + " " + headerValue);
    }
    // NegotiateSecurityFilter sets the principal once Negotiate succeeded; it is null when nobody was authenticated
    Principal principal = servletRequest.getUserPrincipal();
    return principal == null ? null : principal.getName();
}
  4. Configuring your browser for Single Sign-On:

https://github.com/dblock/waffle/blob/master/Docs/ConfiguringBrowsers.md

0
votes

I will explain the technologies. Arkin talks about NTLM...; dstraub's SPNEGO is SPNEGO-oriented Kerberos. If you read the sources, it does not support NTLM.

But if you use JSF and have a PhaseListener, you will be redirected directly to the login form before going to the filter. With JBoss AS you can use a valve to authenticate in jbossweb..., but not with Wildfly.

Because you cannot put 2 auth-method entries in web.xml, you have to make it with a new authentication mechanism: based on SPNEGO if you want Kerberos (like a chain in a filter), based on waffle if you want NTLM.

Be careful on the waffle website. It is written that the valve works for Wildfly, but it is a mistake. Now Wildfly uses the Undertow web server, with no more Tomcat valves in it. Furthermore, Wildfly 9, and I think 8 too, deleted all authentication mechanisms; only FORM, BASIC, EXTERNAL and CERT-DIGEST exist. Wildfly 10 adds Kerberos authentication.

Now NTLM, even version 2, is deprecated and has not been secure for several years. It is more secure to use Kerberos validation (only a little configuration on Active Directory)...
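Added example, not code from the question or from either answer: a small Python script that decodes the `Authorization` header which the header dump in the accepted answer prints, and reports whether the browser sent a bare Kerberos token, an SPNEGO token (and which mechanisms it offers, in the client's preference order) or NTLM, which is the distinction the second answer draws between dstraub's SPNEGO/Kerberos filter and WAFFLE's NTLM path. The OIDs are the standard GSS-API, SPNEGO, Kerberos and NTLMSSP ones; the sample headers are constructed inline with dummy mechanism tokens rather than captured traffic, and the function names are my own.

```python
import base64

# Mechanism OIDs that appear in HTTP "Negotiate" tokens (standard values, not taken from the page)
OID_SPNEGO = "1.3.6.1.5.5.2"
OID_KERBEROS5 = "1.2.840.113554.1.2.2"
OID_MS_KERBEROS5 = "1.2.840.48018.1.2.2"
OID_NTLMSSP = "1.3.6.1.4.1.311.2.2.10"
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"


def der(tag, content):
    """Encode one DER TLV in definite-length form."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunks = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunks.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunks))
    return der(0x06, bytes(body))


def decode_oid(body):
    """Decode the value bytes of a DER OBJECT IDENTIFIER to dotted form."""
    arcs = [str(body[0] // 40), str(body[0] % 40)]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(value))
            value = 0
    return ".".join(arcs)


def read_tlv(data, pos):
    """Read one DER TLV at pos; return (tag, value bytes, position after it)."""
    tag, first, pos = data[pos], data[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(data):
        raise ValueError("truncated DER element")
    return tag, data[pos:end], end


def inspect_authorization(header_value):
    """Classify an Authorization header value: (kind, offered mechanism OIDs).
    kind is 'ntlm', 'kerberos', 'spnego' or 'unknown'."""
    scheme, _, token = header_value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "ntlm":
        return "ntlm", []
    if scheme != "negotiate" or not token:
        return "unknown", []
    try:
        raw = base64.b64decode(token)
        # A browser that got no Kerberos ticket sends a raw NTLMSSP message under "Negotiate"
        if raw.startswith(NTLMSSP_SIGNATURE):
            return "ntlm", []
        tag, body, _ = read_tlv(raw, 0)            # GSS-API InitialContextToken [APPLICATION 0]
        if tag != 0x60:
            return "unknown", []
        tag, oid_body, pos = read_tlv(body, 0)     # thisMech OID
        if tag != 0x06:
            return "unknown", []
        mech = decode_oid(oid_body)
        if mech in (OID_KERBEROS5, OID_MS_KERBEROS5):
            return "kerberos", [mech]              # bare Kerberos AP-REQ, no SPNEGO wrapper
        if mech != OID_SPNEGO:
            return "unknown", [mech]
        _, neg_init, _ = read_tlv(body, pos)       # [0] NegTokenInit
        _, seq, _ = read_tlv(neg_init, 0)          # SEQUENCE { mechTypes, reqFlags, mechToken, ... }
        tag, mech_ctx, _ = read_tlv(seq, 0)        # [0] mechTypes, in the client's preference order
        if tag != 0xA0:
            return "spnego", []
        _, mech_seq, _ = read_tlv(mech_ctx, 0)     # SEQUENCE OF OID
        mechs, p = [], 0
        while p < len(mech_seq):
            t, v, p = read_tlv(mech_seq, p)
            if t == 0x06:
                mechs.append(decode_oid(v))
        return "spnego", mechs
    except (ValueError, IndexError):
        return "unknown", []


def kerberos_offered(header_value):
    """True when the client offered Kerberos, either bare or as an SPNEGO mechanism."""
    kind, mechs = inspect_authorization(header_value)
    return kind == "kerberos" or (kind == "spnego" and bool({OID_KERBEROS5, OID_MS_KERBEROS5} & set(mechs)))


def build_spnego_init(mech_oids, mech_token):
    """Build a NegTokenInit inside a GSS InitialContextToken (used here only to construct samples)."""
    mech_list = der(0x30, b"".join(encode_oid(o) for o in mech_oids))
    neg_init = der(0x30, der(0xA0, mech_list) + der(0xA2, der(0x04, mech_token)))
    return der(0x60, encode_oid(OID_SPNEGO) + der(0xA0, neg_init))


def negotiate_header(token):
    return "Negotiate " + base64.b64encode(token).decode("ascii")


# Constructed sample headers; the mechanism tokens are dummy bytes, not real tickets or NTLM messages
SAMPLE_KERBEROS_FIRST = negotiate_header(build_spnego_init([OID_MS_KERBEROS5, OID_KERBEROS5, OID_NTLMSSP], b"dummy-ap-req"))
SAMPLE_NTLM_ONLY = negotiate_header(build_spnego_init([OID_NTLMSSP], NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00"))
SAMPLE_RAW_NTLM = negotiate_header(NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00" + b"\x00" * 24)
SAMPLE_BARE_KERBEROS = negotiate_header(der(0x60, encode_oid(OID_KERBEROS5) + b"\x01\x00" + b"dummy-ap-req"))

if __name__ == "__main__":
    for name, h in [("kerberos-first", SAMPLE_KERBEROS_FIRST), ("ntlm-only", SAMPLE_NTLM_ONLY),
                    ("raw-ntlm", SAMPLE_RAW_NTLM), ("bare-kerberos", SAMPLE_BARE_KERBEROS)]:
        print(name, inspect_authorization(h), "kerberos offered:", kerberos_offered(h))
```

Paste the value of the `Authorization` header that the accepted answer's header dump prints into `inspect_authorization`. If `kerberos_offered` comes back false for a domain-joined browser, the client never obtained a ticket for the server's SPN, so the ktpass/SPN registration or the browser's trusted-site configuration is the place to look before touching the WAFFLE or SPNEGO filter; a Kerberos-only filter such as dstraub's will reject the NTLM token the browser sent instead.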