Jul 8th, 2010, 12:45 PM
Negotiate/NTLMv2/Kerberos support in Waffle spring-security extension
Forgive me for shameless advertising, people often ask how to do NTLM/Negotiate/Kerberos with spring-security in this forum.
We've added a spring-security extension to Waffle, a free (EPL v1) Windows-only framework that uses JNA and does SSO amongst other things. Unlike JCIFs and other friends, it will do NTLMv2 and Kerberos (Negotiate) single-sign-on. Since it uses JNA/Win32 API it's a zero-configuration, drop-in solution - no AD/Kerberos configuration, no native DLLs.
We've had great success with Tomcat, Jetty and Websphere users with traditional servlet filters. We now support spring-security. If you're fronting your servers with IIS for authentication or want easy single-sign-on on Windows and are using spring-security, this is for you.
Your feedback is much appreciated, especially if someone who knows spring-security well could look at the code and make some recommendations/comments around proper ways of extending spring-security. Did I also mention we love spring?
Sep 15th, 2010, 10:49 PM
Thanks, it's exciting to have this available. Since it uses JNA I guess this solution works for windows servers only. Assuming domain trust is configured, will it work cross domain? (i.e. the server is in windows subdomain A and the user is a member of subdomain B)
Sep 16th, 2010, 06:10 AM
Yes, it works only on Windows and, since it utilizes the Win32 API, will work for domain trusts.
Feel free to ask questions on the Waffle site. I am happy to report that we've had more source code contributions in the spring area than in any other.
Sep 16th, 2010, 10:26 AM
dblock, very nice... we're definitely considering using this. On one of our apps we currently have IIS out in front doing our authentication. Behind it we have JBoss serving up webapps with spring security 3 in it. That works all fine and nice... However, on the front end, in the future we'll be using the very nice IIS extension ARR for dynamic routing/load balancing. The side effect is that ARR doesn't pass along the auth credentials to JBoss like standalone IIS does. So we'll need tomcat/jboss to do negotiate/ntlm/kerb.
Not to get too far ahead, but then we'd like to use the logged in user via impersonation to securely access resources from the webapp into other web services, but still authenticate with the logged in user's creds.
Sep 16th, 2010, 10:40 AM
Impersonation in the filter is this feature request. Actually the methods are already implemented in IWindowsAuthProvider (Impersonate/RevertToSelf), but I have no idea how to put it in a spring filter/authentication manager and how it relates to Java threads (re: win32 threads). Would love someone to contribute!
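The post above asks how impersonation could be placed in a Spring filter. The following servlet filter is an added illustration, not code from Waffle or from anyone in this thread. It assumes that Waffle's NegotiateSecurityFilter has already run and left a `waffle.spring.WindowsAuthenticationToken` in the SecurityContext, and that the token exposes the authenticated user's `IWindowsIdentity` through a getter (named `getWindowsIdentity()` here as an assumption; check the accessor in the Waffle version you use). The security point it demonstrates is that the Win32 impersonation token is attached to the calling OS thread, so the revert must be unconditional (in `finally`), and any work handed to a different thread (thread pools, async servlets) does not carry the impersonated identity.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import waffle.spring.WindowsAuthenticationToken;
import waffle.windows.auth.IWindowsIdentity;
import waffle.windows.auth.IWindowsImpersonationContext;

/**
 * Hypothetical filter: impersonates the Waffle-authenticated user for the
 * duration of one request and always reverts to the server's own identity.
 * Place it in the chain after waffleNegotiateSecurityFilter.
 */
public class ImpersonationFilter implements Filter {

    public void init(FilterConfig config) {
        // nothing to configure
    }

    public void destroy() {
        // nothing to release
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {

        Authentication auth = SecurityContextHolder.getContext().getAuthentication();

        // Not a Waffle token (anonymous, or another provider): run as the server.
        if (!(auth instanceof WindowsAuthenticationToken)) {
            chain.doFilter(request, response);
            return;
        }

        // ASSUMPTION: accessor name; the token must still hold a live, undisposed identity.
        IWindowsIdentity identity = ((WindowsAuthenticationToken) auth).getWindowsIdentity();

        // Impersonation applies to the current OS thread only. Servlet containers
        // service a request on one thread, so wrapping chain.doFilter is enough,
        // but code that dispatches to a worker thread runs as the server account.
        IWindowsImpersonationContext context = identity.impersonate();
        try {
            chain.doFilter(request, response);
        } finally {
            // Unconditional revert: a thread returned to the container pool while
            // still impersonating would serve the next user's request with this
            // user's token.
            context.revertToSelf();
        }
    }
}
```

Because the revert is tied to the request thread, the ordering with Waffle's own filter matters: if the Negotiate filter disposes the identity once it has built the principal, the identity handle will not be usable here, so the two filters need to agree on who owns the token's lifetime.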