Real Single Sign-on for web applications Holger Zobel JavaZone 2005

Agenda 1.Background –Description of client environment –What’s Single sign-on? –Java Authentication and Authorization Service (JAAS) –The NTLM authentication protocol 2.Implementation –Using jCIFS for Single Sign-on –Making WebSphere trust our NTLM-implementation 3.Other application servers 4.Questions

The client Large government agency Lots of mainframe application, but is getting more and more web based applications 8000 employees with 450 remote offices Low computer skills Windows NT workstations Project to make a web based child support management system running on WebSphere

What is Single Sign- on? KonseptBeskrivelseLeverandør Ticket-basertBruker autentiseres av en sentral server, som utsteder adgangsbilletter til alle tjenester som er en del av det aktuelle sikkerhetsdomene  IBM  Microsoft  CA  Sun  BMC  Novell PassordsynkroniseringBruker benytter samme passord mot hver server, applikasjon og nettverksressurs. Synkronisering skjer mha. av synkroniseringsserver til deltakende systemer. Passord lagres lokalt på klienten  IBM  Microsoft  CA  Sun  BMC  Novell Proxy-basert Agent-basert Bruker kan ha forskjellige passord for hver server, applikasjon og nettverksressurs. Passord lagres sentralt (eller lokalt via agent). Ved autentisering mot SSO-klienten gjøres databasen tilgjengelig  IBM  Microsoft  CA  Sun  BMC  Novell PassordserverPassordserver er et derivat av proxy-basert; forskjellen ligger i at passordet blir sendt tilbake til bruker, og derfra videre til aktuelt system (i motsetning til proxy, som sender direkte til systemet på vegne av systemet)  IBM  Microsoft  CA  Sun  BMC  Novell

JAAS Java Authentication and Authorization Service JAAS is a set of APIs that enable services to authenticate and enforce access controls upon users. Example JAAS login: lc = new LoginContext(“myConfiguration”); lc.login(); Works well for Java Client Applications and username/password web authentication

JAAS authentication LoginContext ConfigurationLoginModule new(String name CallbackHandler callback) getConfiguration() initializeSubject()

NTLM NTLM - “Windows NT LAN Manager” The authentication protocol used by Windows NT for file server authentication Also supported by several other protocols including MS-extended HTTP Client support: Internet Explorer, Mozilla/Firefox, Sun Java on Windows Not secure enough for non-SSL on internet, but should be acceptable on intranets Windows 2000 uses Kerberos by default (optionally NTLM) which is more secure

How NTLM over HTTP works HTTP RequestHTTP Response GET /index.html HTTP/1.1HTTP/ Unauthorized WWW-Authenticate: NTLM Connection: close GET /index.html HTTP/1.1 Authorization: NTLM TlRMTVNTU.... HTTP/ Unauthorized WWW-Authenticate: NTLM TlRMTVNTU.... GET /index.html HTTP/1.1 Authorization: NTLM TlRMTVNTUA... HTTP/ OK NTLM uses three messages to authenticate: Type 1: Negotiation Type 2: Challenge Type 3: Authentication

jCIFS CIFS – Common Internet File System (Microsoft file sharing protocol) Reimplementation of Samba using Java Open Source (LGPL) Also implements NTLM over HTTP See: jcifs.samba.org

Solution overview WebSphere Active Directory

Implementing SSO with jCIFS public class SSOLogin extends NtlmServlet implements Servlet { public void init(ServletConfig c) throws ServletException { jcifs.Config.setProperty("jcifs.smb.client.domain", “ "); jcifs.Config.setProperty("jcifs.http.domainController", “ "); } public void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { // Get username from session String username =(String) req.getSession().getAttribute("ntlmuser"); }

Integration with WebSphere Want to use WebSphere’s access control for access to web pages Need to convince WebSphere that we have logged on a user! Can use WebSphere “TrustInterceptor”. Normally used to let a another web server authenticate our users.

Our TrustInterceptor class package no.clientname.framework.sso; import com.ibm.websphere.security.*; public class CustomTrustInterceptor extends WebSphereBaseTrustAssociationInterceptor implements TrustAssociationInterceptor { /** return true if this is the target interceptor, else return false. */ public boolean isTargetInterceptor(HttpServletRequest req) throws WebTrustAssociationException { String ntlmuser = (String)req.getSession().getAttribute("ntlmuser"); if(ntlmuser != null) return true; else return false; } /** Get the user name from the request and if the user is entitled to the requested resource return the user*/ public String getAuthenticatedUsername(HttpServletRequest req) throws WebTrustAssociationUserException { String ntlmuser = (String)req.getSession().getAttribute("ntlmuser"); if(ntlmuser != null) { return ntlmuser; } throw new WebTrustAssociationUserException(); }

WebSphere configuration Steps to enable our SSO implementation in WAS: 1.Add wssec.jar and CustomTrustInjector.class to ws.ext.dirs class path 2.Turn on Global Security 3.Select “LTPA (Light weight Third party authentication)” as Active Authentication Mechanism 4.Under Authentication Mechanisms select LTPA, Trust Association, Interceptors and add the CustomTrustInjector class.

Some bugs.. Everything seemed to work fine at first, but... HTTP POST did not work in IE Solution Reply with an error code on the last NTLM response and keep username on session The client is authenticated using NTLM, but IE thinks the server does not support NTLM, and stops trying to re-authenticate on HTTP POST Add this code to the authentication servlet: response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);

Using Other Application Servers Some untested ideas for using jCIFS on other application servers: -TrustInterceptor-like capabilities(For example “AuthFilter” in BEA WebLogic) -Custom Security -Security-filter -JAAS Module

Questions? No frequently asked questions or tips regarding JAAS on Sun’s pages...