1
Real Single Sign-on for web applications Holger Zobel (holger.zobel@accenture.com) JavaZone 2005
2
Agenda
1. Background
   - Description of client environment
   - What's Single sign-on?
   - Java Authentication and Authorization Service (JAAS)
   - The NTLM authentication protocol
2. Implementation
   - Using jCIFS for Single Sign-on
   - Making WebSphere trust our NTLM implementation
3. Other application servers
4. Questions
3
The client
- Large government agency
- Lots of mainframe applications, but getting more and more web based applications
- 8000 employees in 450 remote offices
- Low computer skills
- Windows NT workstations
- Project to build a web based child support management system running on WebSphere
4
What is Single Sign-on?

Concept: Ticket-based
Description: The user is authenticated by a central server, which issues access tickets for all services that belong to the security domain in question.

Concept: Password synchronization
Description: The user uses the same password against every server, application and network resource. Synchronization to the participating systems is done by a synchronization server. Passwords are stored locally on the client.

Concept: Proxy-based / Agent-based
Description: The user may have a different password for each server, application and network resource. Passwords are stored centrally (or locally via an agent). When the user authenticates to the SSO client, the password database is made available.

Concept: Password server
Description: A password server is a variant of the proxy-based approach; the difference is that the password is sent back to the user and from there on to the target system (unlike a proxy, which sends it directly to the system on the user's behalf).

Vendors (all four concepts): IBM, Microsoft, CA, Sun, BMC, Novell
5
JAAS
Java Authentication and Authorization Service
JAAS is a set of APIs that enable services to authenticate users and enforce access controls on them.
Example JAAS login:

LoginContext lc = new LoginContext("myConfiguration");
lc.login();

Works well for Java client applications and for username/password web authentication (it has no built-in way to pick up a Windows desktop logon, which is what we need here).
6
JAAS authentication
[Class diagram: LoginContext, Configuration and LoginModule. LoginContext is created with (String name, CallbackHandler callback), looks up the named entry via getConfiguration(), and calls initialize(Subject, ...) on each LoginModule.]
7
NTLM
- NTLM: "Windows NT LAN Manager"
- The authentication protocol used by Windows NT for file server authentication
- Also supported by several other protocols, including Microsoft's NTLM extension of HTTP
- Client support: Internet Explorer, Mozilla/Firefox, Sun Java on Windows
- Not secure enough for non-SSL use on the Internet (it is a challenge/response scheme built on the password hash, and the exchange can be relayed or attacked offline), but should be acceptable on intranets
- Windows 2000 uses Kerberos by default (optionally NTLM), which is more secure
8
How NTLM over HTTP works

Request                                    Response
GET /index.html HTTP/1.1                   HTTP/1.1 401 Unauthorized
                                           WWW-Authenticate: NTLM
                                           Connection: close

GET /index.html HTTP/1.1                   HTTP/1.1 401 Unauthorized
Authorization: NTLM TlRMTVNTU....          WWW-Authenticate: NTLM TlRMTVNTU....

GET /index.html HTTP/1.1                   HTTP/1.1 200 OK
Authorization: NTLM TlRMTVNTUA...

NTLM uses three messages to authenticate:
- Type 1: Negotiation (client -> server)
- Type 2: Challenge (server -> client)
- Type 3: Authentication (client -> server)

Note that the challenge and the authentication message belong to one TCP connection: the server must keep the connection open between the second and third request, and the authenticated state is tied to that connection.
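The three-message exchange above, written out as an added example that is not part of the original slides or of jCIFS. The server side is a small state machine that turns an incoming Authorization header into the next response; the message builders and parsers follow the MS-NLMP layout (signature, message type, then (length, max length, offset) field descriptors). The server name "WEBSRV", the flag subset and the 24-byte NT response are assumptions for the demo; the server does not verify the response, which in a real deployment is what the domain controller (via jCIFS) does.

```python
import base64
import os
import struct
from typing import Dict, Optional, Tuple

NTLMSSP = b"NTLMSSP\x00"  # 8-byte signature that starts every NTLM message ("TlRMTVNTUAA" in base64)

# Subset of NegotiateFlags from MS-NLMP 2.2.2.5; enough for the demo.
NEGOTIATE_UNICODE = 0x00000001
NEGOTIATE_OEM = 0x00000002
REQUEST_TARGET = 0x00000004
NEGOTIATE_NTLM = 0x00000200
TARGET_TYPE_SERVER = 0x00020000


def encode_token(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def decode_token(token: str) -> bytes:
    return base64.b64decode(token)


def _field(data: bytes, offset: int) -> Tuple[int, int]:
    """Decode an 8-byte (Len, MaxLen, BufferOffset) field descriptor; return (len, offset)."""
    length, _max_len, buf_off = struct.unpack_from("<HHI", data, offset)
    return length, buf_off


def message_type(raw: bytes) -> int:
    """Return the NTLM message type (1, 2 or 3), or 0 if the signature is missing."""
    if len(raw) < 12 or raw[:8] != NTLMSSP:
        return 0
    return struct.unpack_from("<I", raw, 8)[0]


def build_type1(flags: int = NEGOTIATE_UNICODE | NEGOTIATE_OEM | REQUEST_TARGET | NEGOTIATE_NTLM) -> bytes:
    """Type 1 NEGOTIATE_MESSAGE with empty domain and workstation fields (32 fixed bytes)."""
    return NTLMSSP + struct.pack("<II", 1, flags) + struct.pack("<HHI", 0, 0, 32) * 2


def build_type2(target: str, challenge: bytes) -> bytes:
    """Type 2 CHALLENGE_MESSAGE: 8-byte server challenge plus a UTF-16LE target name at offset 48."""
    if len(challenge) != 8:
        raise ValueError("server challenge must be 8 bytes")
    name = target.encode("utf-16-le")
    flags = NEGOTIATE_UNICODE | REQUEST_TARGET | NEGOTIATE_NTLM | TARGET_TYPE_SERVER
    msg = NTLMSSP + struct.pack("<I", 2) + struct.pack("<HHI", len(name), len(name), 48)
    msg += struct.pack("<I", flags) + challenge + b"\x00" * 8  # flags, challenge, reserved
    msg += struct.pack("<HHI", 0, 0, 48 + len(name))  # empty TargetInfo
    return msg + name


def parse_type2(raw: bytes) -> Tuple[str, bytes]:
    """Return (target name, server challenge) from a Type 2 message."""
    if message_type(raw) != 2:
        raise ValueError("not a CHALLENGE_MESSAGE")
    tlen, toff = _field(raw, 12)
    return raw[toff:toff + tlen].decode("utf-16-le"), raw[24:32]


def build_type3(domain: str, user: str, workstation: str, nt_response: bytes) -> bytes:
    """Type 3 AUTHENTICATE_MESSAGE. The NT response is whatever the caller computed (constructed in the demo)."""
    flags = NEGOTIATE_UNICODE | NEGOTIATE_NTLM
    # Buffer order matches the descriptor order: LM resp, NT resp, domain, user, workstation, session key
    bufs = [b"", nt_response] + [s.encode("utf-16-le") for s in (domain, user, workstation)] + [b""]
    fields, off = b"", 64  # fixed part is 64 bytes: signature, type, six descriptors, flags
    for b in bufs:
        fields += struct.pack("<HHI", len(b), len(b), off)
        off += len(b)
    return NTLMSSP + struct.pack("<I", 3) + fields + struct.pack("<I", flags) + b"".join(bufs)


def parse_type3(raw: bytes) -> Dict[str, object]:
    """Extract domain, user, workstation and the NT response from a Type 3 message (no verification)."""
    if message_type(raw) != 3 or len(raw) < 64:
        raise ValueError("not an AUTHENTICATE_MESSAGE")
    flags = struct.unpack_from("<I", raw, 60)[0]
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    out: Dict[str, object] = {}
    for name, off in (("domain", 28), ("user", 36), ("workstation", 44)):
        ln, bo = _field(raw, off)
        out[name] = raw[bo:bo + ln].decode(enc)
    ln, bo = _field(raw, 20)
    out["nt_response"] = raw[bo:bo + ln]
    return out


def handle_request(authorization: Optional[str], pending_challenge: Optional[bytes]):
    """One server-side step of the exchange on the slide.

    Returns (status, WWW-Authenticate value or None, challenge to remember, identity or None).
    The caller keeps the returned challenge per TCP connection and passes it back on the next request.
    """
    scheme, _, token = (authorization or "").partition(" ")
    raw = decode_token(token) if scheme == "NTLM" and token else b""
    mtype = message_type(raw)
    if mtype == 1:  # Type 1 in -> Type 2 out, still 401
        challenge = os.urandom(8)
        t2 = encode_token(build_type2("WEBSRV", challenge))  # "WEBSRV": assumed server name
        return 401, "NTLM " + t2, challenge, None
    if mtype == 3 and pending_challenge is not None:  # Type 3 in -> 200
        ident = parse_type3(raw)
        # A real server hands ident["nt_response"] and pending_challenge to the domain
        # controller (that is what jCIFS does); this demo accepts any response.
        return 200, None, None, ident
    return 401, "NTLM", None, None  # no or unknown header: (re)start the handshake
```

A Type 3 that arrives without a pending challenge on the same connection is refused with a fresh 401; that is the property the IE POST bug later in the deck trips over, since IE re-sends a Type 1 on a new connection and expects the server to go through the challenge again.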
9
jCIFS
- CIFS: Common Internet File System (Microsoft's file sharing protocol)
- Open source (LGPL) Java implementation of CIFS, hosted by the Samba project
- Also implements NTLM over HTTP (the NtlmServlet / NtlmHttpFilter classes), validating the client's response against a domain controller
- See: jcifs.samba.org
10
Solution overview
[Diagram: browser -> WebSphere (jCIFS NTLM servlet plus trust interceptor) -> Active Directory domain controller]
11
Implementing SSO with jCIFS

import java.io.IOException;
import javax.servlet.ServletConfig;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import jcifs.http.NtlmServlet;

public class SSOLogin extends NtlmServlet {

    public void init(ServletConfig c) throws ServletException {
        // The domain name and domain controller address are blanked out in the slides
        jcifs.Config.setProperty("jcifs.smb.client.domain", "");
        jcifs.Config.setProperty("jcifs.http.domainController", "");
        super.init(c); // NtlmServlet picks up its configuration here
    }

    public void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // NtlmServlet has completed the NTLM handshake in service() before doGet runs
        // Get username from session
        String username = (String) req.getSession().getAttribute("ntlmuser");
        if (username == null) {
            // First request after authentication: remember the NTLM user on the session
            // (where the attribute is set is not shown in the slides; this is one way to do it)
            username = req.getRemoteUser();
            req.getSession().setAttribute("ntlmuser", username);
        }
    }
}
12
Integration with WebSphere
- We want to use WebSphere's access control for access to web pages
- So we need to convince WebSphere that we have logged on a user!
- We can use a WebSphere "Trust Association Interceptor". It is normally used to let another web server (a reverse proxy) authenticate our users; here it reads the user name that our NTLM servlet stored on the session.
13
Our TrustInterceptor class

package no.clientname.framework.sso;

import javax.servlet.http.HttpServletRequest;
import com.ibm.websphere.security.*;

public class CustomTrustInterceptor extends WebSphereBaseTrustAssociationInterceptor
        implements TrustAssociationInterceptor {

    /** Return true if this is the target interceptor, else return false. */
    public boolean isTargetInterceptor(HttpServletRequest req)
            throws WebTrustAssociationException {
        // Only handle requests where our NTLM servlet has already stored a user name
        String ntlmuser = (String) req.getSession().getAttribute("ntlmuser");
        return ntlmuser != null;
    }

    /** Get the user name from the request; if the user is entitled to the requested resource, return the user. */
    public String getAuthenticatedUsername(HttpServletRequest req)
            throws WebTrustAssociationUserException {
        String ntlmuser = (String) req.getSession().getAttribute("ntlmuser");
        if (ntlmuser != null) {
            return ntlmuser;
        }
        throw new WebTrustAssociationUserException();
    }
}

Note that WebSphere trusts whatever this class returns: the security of the whole scheme rests on "ntlmuser" only ever being set on the session by the NTLM servlet after a successful handshake.
14
WebSphere configuration
Steps to enable our SSO implementation in WAS:
1. Add wssec.jar and CustomTrustInterceptor.class to the ws.ext.dirs class path
2. Turn on Global Security
3. Select "LTPA (Lightweight Third Party Authentication)" as Active Authentication Mechanism
4. Under Authentication Mechanisms, select LTPA, Trust Association, Interceptors and add the CustomTrustInterceptor class
15
Some bugs..
Everything seemed to work fine at first, but HTTP POST did not work in IE.

Cause: the client is authenticated using NTLM, but IE thinks the server does not support NTLM and stops trying to re-authenticate on HTTP POST.

Solution: reply with an error code on the last NTLM response and keep the username on the session. The session attribute, not the HTTP status, is what the trust interceptor looks at, so the 401 only keeps IE re-authenticating. Add this code to the authentication servlet:

response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
16
Using Other Application Servers
Some untested ideas for using jCIFS on other application servers:
- TrustInterceptor-like capabilities (for example "AuthFilter" in BEA WebLogic)
- Custom security realm
- Security filter
- JAAS LoginModule
17
Questions?
There are no frequently asked questions or tips regarding JAAS on Sun's pages...