
Daniel Doubrovkine (dblock[at]dblock[dot]org) Single Sign-On w/ Tomcat & WAFFLE 6/8/2010 Tomcat -> Waffle ->


1 Daniel Doubrovkine (dblock[at]dblock[dot]org) Single Sign-On w/ Tomcat & WAFFLE 6/8/2010 Tomcat -> Waffle ->

2 FORM Authentication
www.appsecinc.com
GET /index.jsp
304 Redirect
Location: login.jsp
...
POST /login.jsp
j_username=…;j_password=…
200 OK
Hello

3 HTTP Authentication
GET /index.jsp
401 Access Denied
WWW-Authenticate: Basic
WWW-Authenticate: NTLM
...
GET /index.jsp
Authorization: Basic JFRFdPUktHUk9VUA==
200 OK
Hello

4 Authorization Methods
BASIC: Base64(username:password)
DIGEST: Md5(HA1(HA2(…)))
NTLM: LM Challenge/Response
Kerberos: KB Tickets
Negotiate: NTLM or Kerberos
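
The Authorization headers from slides 3 and 4, inspected on the server side, as an added example that is not from the original deck or from WAFFLE. It shows that Basic credentials are only Base64-encoded and that a Negotiate or NTLM token can be classified by its first bytes; the class name and sample values are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

public class AuthHeaderInspector {
    // Raw NTLM messages begin with this 8-byte signature, then a little-endian message type.
    private static final byte[] NTLMSSP = "NTLMSSP\0".getBytes(StandardCharsets.US_ASCII);

    /** Describes what an Authorization header carries; it does not validate any credential. */
    static String describe(String header) {
        if (header == null || header.trim().isEmpty())
            return "none: expect 401 with WWW-Authenticate challenges";
        String[] parts = header.trim().split("\\s+", 2);
        String scheme = parts[0];
        boolean basic = scheme.equalsIgnoreCase("Basic");
        if (!basic && !scheme.equalsIgnoreCase("NTLM") && !scheme.equalsIgnoreCase("Negotiate"))
            return scheme + ": not handled in this example";
        if (parts.length < 2) return scheme + ": missing credentials";
        byte[] token;
        try { token = Base64.getDecoder().decode(parts[1].trim()); }
        catch (IllegalArgumentException e) { return scheme + ": credentials are not valid Base64"; }
        if (basic) {
            // Base64 is an encoding, not encryption: anyone who sees the header recovers the password.
            String pair = new String(token, StandardCharsets.UTF_8);
            int colon = pair.indexOf(':');
            if (colon < 0) return scheme + ": malformed, no ':' separator";
            return scheme + ": user=" + pair.substring(0, colon) + ", password ("
                    + (pair.length() - colon - 1) + " chars) recoverable from the header";
        }
        if (token.length >= 12 && Arrays.equals(Arrays.copyOf(token, 8), NTLMSSP))
            return scheme + ": raw NTLMSSP message, type " + (token[8] & 0xff);
        if (token.length > 0 && (token[0] & 0xff) == 0x60)
            return scheme + ": GSS-API/SPNEGO initial token (inner mechanism not parsed)";
        return scheme + ": unrecognized token";
    }

    public static void main(String[] args) {
        // Constructed sample values, not captured traffic.
        byte[] ntlmType1 = Arrays.copyOf(NTLMSSP, 16); // signature plus zero padding
        ntlmType1[8] = 1;                               // type 1 = negotiate message
        String basic = Base64.getEncoder().encodeToString("alice:s3cret".getBytes(StandardCharsets.UTF_8));
        String[] samples = { null, "Basic " + basic,
            "Negotiate " + Base64.getEncoder().encodeToString(ntlmType1),
            "Negotiate " + Base64.getEncoder().encodeToString(new byte[] {0x60, 0x02, 0x06, 0x00}) };
        for (String s : samples) System.out.println(describe(s));
    }
}
```

A token that starts with 0x60 still has to be ASN.1-parsed to tell whether SPNEGO is carrying Kerberos or NTLM inside it.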

5 Tomcat, Jetty, etc.
Servlet Filter: catch-all
Tomcat Authenticator: authentication method
Spi Login Module: authentication provider
Realm: authorize users, a database of users and roles
User Database
JAAS Realm: Java Authentication and Authorization Service
…

6 Demo: FORM
How: Login Module + JAAS Realm
Authentication Method = FORM
Username, password from FORM
Windows Logon Groups => Roles

7 Demo: JAAS
How: Login Module + JAAS Realm
Authentication Method = BASIC
Username, password from browser
Windows Logon Groups => Roles

8 Demo: Negotiate
How: Authenticator Valve
Authentication Method = Negotiate
Windows Realm
Single Sign-On

9 Demo: Negotiate + Basic Filter
How: Security Filter
Authentication Method = Negotiate or BASIC
Single Sign-On

10 Demo: Mixed-Mode
How: Authenticator Valve
Authentication Method = FORM or Negotiate
Single Sign-On
URL-based Protocol

11 Open Source
WAFFLE = Windows Authentication Functional Framework Bla Bla Bla
http://waffle.codeplex.com
Questions?

