I have searched a lot about this topic but can't find a solution.
Short description of the requirements:
- SSO on a WebApp under Wildfly 8.2
- Authenticate the Windows User to the Active Directory
- Fallback to Login Form, when SSO fails
- Running in a Domain Configuration of Wildfly
Environment:
- Microsoft AD Windows Server 2012 R2 (1. Machine)
- Microsoft Server 2012 R2 with Wildfly 8.2 (2. Machine)
- The 2. Machine has joined the Domain
What I tried so far is binding the AD and the Wildfly Server via ktpass, kinit, ... and it works!
Tried following:
github.com/dstraub/spnego-wildfly
Is NOT working, in fact, because there is no fallback (form based) and there is a problem with the Java version 1.8.0_45
sourceforge.net/p/spnego/discussion/1003769/thread/700b6941/#cb84.
Tried next:
github.com/kwart/spnego-demo
Also not working, it seems the Wildfly 8.2 has a different behavior.
WAFFLE Library:
Cannot bring that to work under Wildfly, good support for Tomcat but not more.
Has someone had experience with this configuration and has a solution for that?
Here is the explanation:
I've created a webapp with following libraries included:
- guava-18.0.jar
- jna-4.1.0.jar
- jna-platform-4.1.0.jar
- slf4j-api-1.7.12.jar
- waffle-jna-1.7.4.jar
I've declared the Webfilter in the web.xml:
<filter>
    <filter-name>SecurityFilter</filter-name>
    <filter-class>waffle.servlet.NegotiateSecurityFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>SecurityFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
- After that you can read the user from the HttpServletRequest
import java.util.Enumeration;
import javax.servlet.http.HttpServletRequest;

// servletRequest is the current request, e.g. injected or passed in by the caller
private HttpServletRequest servletRequest;

public String getUserName() {
    // Dump all request headers (useful to see the Authorization: Negotiate header)
    Enumeration<String> headerNames = servletRequest.getHeaderNames();
    while (headerNames.hasMoreElements()) {
        String headerName = headerNames.nextElement();
        String headerValue = servletRequest.getHeader(headerName);
        System.out.println("Header Name:" + headerName + " " + headerValue);
    }
    // The WAFFLE filter has already authenticated the user and set the principal
    return servletRequest.getUserPrincipal().getName();
}
- Configuring your Browser for Single-SignOn:
https://github.com/dblock/waffle/blob/master/Docs/ConfiguringBrowsers.md
I will explain the technologies. Arkin talks about NTLM...; SPNEGO (dstraub) is a SPNEGO-oriented Kerberos implementation; if you read the sources, it is written that it does not support NTLM.
But if you use JSF and have a PhaseListener, you will be redirected directly to the login form before reaching the filter. With JBoss AS you could use a valve to authenticate in jbossweb... but not with Wildfly.
As you cannot put 2 auth-method entries in web.xml, you have to do it with a new authentication mechanism: based on SPNEGO if you want Kerberos (like a chain in a filter), based on WAFFLE if you want NTLM.
Be careful: on the WAFFLE website it is written that the valve works for Wildfly, but it is a mistake. Wildfly now uses the Undertow web server, with no more Tomcat valves in it; furthermore Wildfly 9 (and I think 8 too) deleted all authentication mechanisms, only FORM, BASIC, EXTERNAL and CERT-DIGEST exist; Wildfly 10 adds Kerberos authentication.
Now NTLM, even version 2, has been deprecated and not secure for several years; it is more secure to use Kerberos validation (only a few configuration steps on Active Directory)...
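Both answers above leave one practical question open: once the WAFFLE filter is in place, how do you know whether the browser actually authenticated with Kerberos or silently fell back to NTLM? The following filter is an added example written for this thread; it is not part of WAFFLE, spnego-wildfly or spnego-demo. The class name, the init-param `rejectNtlm` and the request attribute `sso.mechanism` are my own choices, and it assumes the `javax.servlet` API of Java EE 7 (as on Wildfly 8.2) and `java.util.Base64` from Java 8. It decodes the `Authorization: Negotiate` token and classifies it by the mechanism OID (or the raw `NTLMSSP` signature) the client put first, so NTLM use shows up in the server log and can optionally be refused before the WAFFLE filter sees it.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical example filter (not part of WAFFLE or the spnego projects).
 * Map it BEFORE waffle.servlet.NegotiateSecurityFilter so it sees the raw
 * Authorization header and can record which mechanism the client chose.
 */
public class NegotiateMechanismFilter implements Filter {

    public enum Mechanism { NONE, KERBEROS, NTLM, UNKNOWN }

    private static final Logger LOG = Logger.getLogger(NegotiateMechanismFilter.class.getName());

    // DER-encoded OID bodies as they appear in a SPNEGO NegTokenInit mechTypes list
    // or at the start of a raw GSS-API Kerberos token.
    private static final byte[] OID_KRB5 =                                   // 1.2.840.113554.1.2.2
        {0x2A, (byte) 0x86, 0x48, (byte) 0x86, (byte) 0xF7, 0x12, 0x01, 0x02, 0x02};
    private static final byte[] OID_MS_KRB5 =                                // 1.2.840.48018.1.2.2
        {0x2A, (byte) 0x86, 0x48, (byte) 0x82, (byte) 0xF7, 0x12, 0x01, 0x02, 0x02};
    private static final byte[] OID_NTLMSSP =                                // 1.3.6.1.4.1.311.2.2.10
        {0x2B, 0x06, 0x01, 0x04, 0x01, (byte) 0x82, 0x37, 0x02, 0x02, 0x0A};
    // Raw NTLM message sent directly under the Negotiate scheme ("TlRMTVNTUAAB..." in base64)
    private static final byte[] NTLMSSP_SIGNATURE = "NTLMSSP\0".getBytes(StandardCharsets.US_ASCII);

    private boolean rejectNtlm; // init-param "rejectNtlm" (assumed name), default false

    @Override
    public void init(FilterConfig config) {
        rejectNtlm = Boolean.parseBoolean(config.getInitParameter("rejectNtlm"));
    }

    /** Classifies an Authorization header value; null or non-Negotiate values yield NONE. */
    public static Mechanism classify(String authorizationHeader) {
        if (authorizationHeader == null
                || !authorizationHeader.regionMatches(true, 0, "Negotiate ", 0, 10)) {
            return Mechanism.NONE;
        }
        byte[] token;
        try {
            token = Base64.getDecoder().decode(authorizationHeader.substring(10).trim());
        } catch (IllegalArgumentException e) {
            return Mechanism.UNKNOWN;
        }
        if (startsWith(token, NTLMSSP_SIGNATURE)) {
            return Mechanism.NTLM;
        }
        // 0x60 is the [APPLICATION 0] constructed tag that frames both SPNEGO and raw Kerberos tokens.
        if (token.length == 0 || token[0] != 0x60) {
            return Mechanism.UNKNOWN;
        }
        // The mechTypes list sits at the start of the token, before any ticket ciphertext, and the
        // first OID listed is the mechanism the optimistic token was built with.
        int krb = firstIndex(token, OID_KRB5);
        int msKrb = firstIndex(token, OID_MS_KRB5);
        int ntlm = firstIndex(token, OID_NTLMSSP);
        int kerberos = (krb >= 0 && (msKrb < 0 || krb < msKrb)) ? krb : msKrb;
        if (kerberos < 0 && ntlm < 0) return Mechanism.UNKNOWN;
        if (ntlm >= 0 && (kerberos < 0 || ntlm < kerberos)) return Mechanism.NTLM;
        return Mechanism.KERBEROS;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        Mechanism mech = classify(request.getHeader("Authorization"));
        request.setAttribute("sso.mechanism", mech); // assumed attribute name; read it after the WAFFLE filter
        if (mech == Mechanism.NTLM) {
            LOG.warning("NTLM token from " + request.getRemoteAddr() + " for " + request.getRequestURI());
            if (rejectNtlm) {
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }

    private static boolean startsWith(byte[] data, byte[] prefix) {
        if (data.length < prefix.length) return false;
        for (int i = 0; i < prefix.length; i++) {
            if (data[i] != prefix[i]) return false;
        }
        return true;
    }

    private static int firstIndex(byte[] haystack, byte[] needle) {
        outer:
        for (int i = 0; i + needle.length <= haystack.length; i++) {
            for (int j = 0; j < needle.length; j++) {
                if (haystack[i + j] != needle[j]) continue outer;
            }
            return i;
        }
        return -1;
    }
}
```

Declare it in web.xml with its own filter-mapping placed above the SecurityFilter mapping; the servlet container runs filters in the order of their filter-mapping elements. With `rejectNtlm` left at false the filter only logs and tags the request, which is enough to see, during rollout, how many clients are still negotiating NTLM instead of Kerberos before you decide to refuse it.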