Real Single Sign-on for Web Applications
Holger Zobel ([email protected])
JavaZone 2005
TRANSCRIPT
Agenda
1. Background
   – Description of client environment
   – What's Single sign-on?
   – Java Authentication and Authorization Service (JAAS)
   – The NTLM authentication protocol
2. Implementation
   – Using jCIFS for Single Sign-on
   – Making WebSphere trust our NTLM implementation
3. Other application servers
4. Questions
The client
• Large government agency
• Lots of mainframe applications, but is getting more and more web based applications
• 8000 employees with 450 remote offices
• Low computer skills
• Windows NT workstations
• Project to make a web based child support management system running on WebSphere
What is Single Sign-on?
(Table columns: Concept, Description, Vendor)

Concept: Ticket-based
Description: The user is authenticated by a central server, which issues access tickets to all services that are part of the security domain in question.
Vendor: IBM Microsoft CA Sun BMC Novell

Concept: Password synchronisation
Description: The user uses the same password against every server, application and network resource. Synchronisation is done by means of a synchronisation server to the participating systems. The password is stored locally on the client.
Vendor: IBM Microsoft CA Sun BMC Novell

Concept: Proxy-based / Agent-based
Description: The user may have different passwords for each server, application and network resource. Passwords are stored centrally (or locally via an agent). On authentication to the SSO client, the database is made available.
Vendor: IBM Microsoft CA Sun BMC Novell

Concept: Password server
Description: A password server is a derivative of the proxy-based approach; the difference is that the password is sent back to the user, and from there on to the system in question (as opposed to a proxy, which sends it directly to the system on the system's behalf).
Vendor: IBM Microsoft CA Sun BMC Novell
JAAS
• Java Authentication and Authorization Service
• JAAS is a set of APIs that enable services to authenticate and enforce access controls upon users.
• Example JAAS login:
    lc = new LoginContext("myConfiguration");
    lc.login();
• Works well for Java Client Applications and username/password web authentication
JAAS authentication
(Sequence diagram, not reproduced: participants LoginContext, Configuration and LoginModule; calls shown are new(String name, CallbackHandler callback), getConfiguration() and LoginModule.initialize(Subject ...).)
NTLM
• NTLM - "Windows NT LAN Manager"
• The authentication protocol used by Windows NT for file server authentication
• Also supported by several other protocols including MS-extended HTTP
• Client support: Internet Explorer, Mozilla/Firefox, Sun Java on Windows
• Not secure enough for non-SSL on the internet, but should be acceptable on intranets
• Windows 2000 uses Kerberos by default (optionally NTLM), which is more secure
How NTLM over HTTP works

HTTP Request:
    GET /index.html HTTP/1.1
HTTP Response:
    HTTP/1.1 401 Unauthorized
    WWW-Authenticate: NTLM
    Connection: close

HTTP Request:
    GET /index.html HTTP/1.1
    Authorization: NTLM TlRMTVNTU....
HTTP Response:
    HTTP/1.1 401 Unauthorized
    WWW-Authenticate: NTLM TlRMTVNTU....

HTTP Request:
    GET /index.html HTTP/1.1
    Authorization: NTLM TlRMTVNTUA...
HTTP Response:
    HTTP/1.1 200 OK

NTLM uses three messages to authenticate:
• Type 1: Negotiation
• Type 2: Challenge
• Type 3: Authentication
jCIFS
• CIFS – Common Internet File System (Microsoft file sharing protocol)
• Reimplementation of Samba using Java
• Open Source (LGPL)
• Also implements NTLM over HTTP
• See: jcifs.samba.org
Solution overview
(Diagram, not reproduced: WebSphere, Active Directory)
Implementing SSO with jCIFS

    import java.io.IOException;
    import javax.servlet.Servlet;
    import javax.servlet.ServletConfig;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import jcifs.http.NtlmServlet;

    public class SSOLogin extends NtlmServlet implements Servlet {

        public void init(ServletConfig c) throws ServletException {
            // Domain and domain controller that jCIFS asks to verify the Type 3 message.
            // Set them before super.init(), which reads them from jcifs.Config.
            jcifs.Config.setProperty("jcifs.smb.client.domain", "<Domain name>");
            jcifs.Config.setProperty("jcifs.http.domainController", "<ip adr>");
            super.init(c);
        }

        public void doGet(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            // NtlmServlet completes the NTLM handshake before doGet runs;
            // get username from session
            String username = (String) req.getSession().getAttribute("ntlmuser");
        }
    }
Integration with WebSphere
• Want to use WebSphere’s access control for access to web pages
• Need to convince WebSphere that we have logged on a user!
• Can use WebSphere "TrustInterceptor". Normally used to let another web server authenticate our users.
Our TrustInterceptor class

    package no.clientname.framework.sso;

    import javax.servlet.http.HttpServletRequest;
    import com.ibm.websphere.security.*;

    public class CustomTrustInterceptor extends WebSphereBaseTrustAssociationInterceptor
            implements TrustAssociationInterceptor {

        /** Return true if this is the target interceptor, else return false. */
        public boolean isTargetInterceptor(HttpServletRequest req)
                throws WebTrustAssociationException {
            String ntlmuser = (String) req.getSession().getAttribute("ntlmuser");
            return ntlmuser != null;
        }

        /** Required by the interface: trust is already established whenever
            the jCIFS servlet has put a user name on the session. */
        public void validateEstablishedTrust(HttpServletRequest req)
                throws WebTrustAssociationFailedException {
            if (req.getSession().getAttribute("ntlmuser") == null) {
                throw new WebTrustAssociationFailedException();
            }
        }

        /** Get the user name from the request and, if the user is entitled to
            the requested resource, return the user. */
        public String getAuthenticatedUsername(HttpServletRequest req)
                throws WebTrustAssociationUserException {
            String ntlmuser = (String) req.getSession().getAttribute("ntlmuser");
            if (ntlmuser != null) {
                return ntlmuser;
            }
            throw new WebTrustAssociationUserException();
        }
    }
WebSphere configuration
Steps to enable our SSO implementation in WAS:
1. Add wssec.jar and CustomTrustInjector.class to ws.ext.dirs class path
2. Turn on Global Security
3. Select "LTPA (Lightweight Third Party Authentication)" as Active Authentication Mechanism
4. Under Authentication Mechanisms select LTPA, Trust Association, Interceptors and add the CustomTrustInjector class.
Some bugs...
Everything seemed to work fine at first, but...
• HTTP POST did not work in IE

Solution
• Reply with an error code on the last NTLM response and keep username on session
• The client is authenticated using NTLM, but IE thinks the server does not support NTLM, and stops trying to re-authenticate on HTTP POST

Add this code to the authentication servlet:
    response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
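The three-message exchange from the "How NTLM over HTTP works" slide and the IE POST workaround above, as an added example that is not part of the original talk or of jCIFS. It parses the Authorization header to tell Type 1, 2 and 3 messages apart (the "TlRMTVNTU" prefix in the slides is just the base64 form of the NTLMSSP signature) and drives a minimal server-side state machine. The message bodies are constructed and simplified (only the 12-byte header matters here), and demo_verify_type3 is a stand-in for the real check, which jCIFS performs by forwarding the Type 3 message and the challenge to the domain controller.

```python
import base64
import binascii
import os
import struct

# Every NTLM message starts with this 8-byte signature; "TlRMTVNTU" in the
# slides' Authorization headers is simply its base64 encoding.
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE, CHALLENGE, AUTHENTICATE = 1, 2, 3  # Type 1, Type 2, Type 3


def build_message(msg_type, body=b""):
    """Constructed minimal NTLM message: signature, little-endian type, payload.
    Real messages carry flags and security buffers after the type; the 12-byte
    header is enough to tell the three message types apart."""
    return NTLMSSP_SIGNATURE + struct.pack("<I", msg_type) + body


def authorization_header(message):
    """Encode a raw NTLM message the way a browser puts it on the wire."""
    return "NTLM " + base64.b64encode(message).decode("ascii")


def ntlm_message_type(authorization):
    """Return 1, 2 or 3 for the NTLM message in an Authorization header, or None
    if the header is missing, uses another scheme, or is not a valid NTLM token."""
    if not authorization:
        return None
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except binascii.Error:  # bad padding or non-base64 characters
        return None
    if len(raw) < 12 or raw[:8] != NTLMSSP_SIGNATURE:
        return None
    return struct.unpack("<I", raw[8:12])[0]


def demo_verify_type3(raw_type3, challenge):
    """Constructed stand-in for the real verification (jCIFS hands the Type 3
    message and the challenge to the domain controller over SMB). Here the
    payload is just the user name, so any non-empty Type 3 'authenticates'."""
    return raw_type3[12:].decode("ascii") or None


class NtlmSsoHandler:
    """Server side of the three-step exchange on the slides. With
    ie_post_workaround=True the final response is 401 with no WWW-Authenticate
    while the user name is kept on the session: the fix described above for
    Internet Explorer re-negotiating NTLM on every HTTP POST."""

    def __init__(self, verify_type3, ie_post_workaround=True):
        self.verify_type3 = verify_type3
        self.ie_post_workaround = ie_post_workaround

    def handle(self, session, authorization):
        """Process one request; returns (HTTP status, WWW-Authenticate value or None)."""
        if "ntlmuser" in session:
            return 200, None  # already authenticated: served from the session
        mtype = ntlm_message_type(authorization)
        if mtype == NEGOTIATE:
            challenge = os.urandom(8)  # fresh nonce per handshake, bound to this session
            session["ntlm_challenge"] = challenge
            return 401, authorization_header(build_message(CHALLENGE, challenge))
        if mtype == AUTHENTICATE and "ntlm_challenge" in session:
            raw = base64.b64decode(authorization.split(None, 1)[1])
            username = self.verify_type3(raw, session.pop("ntlm_challenge"))
            if username:
                session["ntlmuser"] = username
                return (401, None) if self.ie_post_workaround else (200, None)
        # No credentials, another scheme, or a failed Type 3: (re)start the handshake
        session.pop("ntlm_challenge", None)
        return 401, "NTLM"


def run_exchange(ie_post_workaround=True, user="alice"):
    """Drive the four requests a browser would send; returns (responses, session user)."""
    handler = NtlmSsoHandler(demo_verify_type3, ie_post_workaround)
    session = {}
    type1 = authorization_header(build_message(NEGOTIATE))
    # A real client derives the Type 3 response from the Type 2 challenge;
    # the constructed verifier above only needs the user name.
    type3 = authorization_header(build_message(AUTHENTICATE, user.encode("ascii")))
    responses = [
        handler.handle(session, None),   # GET, no Authorization header
        handler.handle(session, type1),  # GET with Type 1 -> challenge
        handler.handle(session, type3),  # GET with Type 3 -> authenticated
        handler.handle(session, None),   # POST, served from the session
    ]
    return responses, session.get("ntlmuser")
```

Running run_exchange() yields the status sequence 401, 401, 401, 200 (the third response is the deliberate SC_UNAUTHORIZED from the slide) while the session holds the user; with ie_post_workaround=False the third response is the 200 OK shown on the protocol slide.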
Using Other Application Servers
Some untested ideas for using jCIFS on other application servers:
- TrustInterceptor-like capabilities (for example "AuthFilter" in BEA WebLogic)
- Custom Security
- Security filter
- JAAS Module
Questions?
• No frequently asked questions or tips regarding JAAS on Sun’s pages...