
SSPI-backed JAAS LoginModule

Open cebaa opened this issue 6 years ago • 4 comments

The JAAS LoginModule that is currently provided does not use SSPI, only username and password. My impression is that the end goal of the majority of the users using Waffle is a complete SSO, without the need to supply username and password. It would be good to have such a module implemented into Waffle.

cebaa avatar Sep 08 '19 13:09 cebaa

Waffle jna module itself can be passwordless based on configuration. Does that not solve your need?


hazendaz avatar Sep 08 '19 17:09 hazendaz

@hazendaz I might have missed the docs on this - do you have any pointers I can look at?

In case you are talking about WindowsAuthProviderImpl, is there a way to plug that into WindowsLoginModule somehow?

cebaa avatar Sep 08 '19 22:09 cebaa

I wrote the JAAS module as a demo, mostly because I could and because that's how we originally tried to do Windows auth. We used to have code that checked whether a username/password was valid, then tried to enumerate user groups in Active Directory.

https://code.dblock.org/2010/05/24/windowsactive-directory-authentication-tomcat-jaas-w-waffle.html

This is actually a simple demonstration (as opposed to the Single Sign-On Negotiate/NTLM/Kerberos valve) of Waffle and is how we originally used it.

dblock avatar Sep 09 '19 04:09 dblock

Also I am pretty sure I tried to make a JAAS module that did SSO and failed. I don't remember why, but I suspect this is because it doesn't allow for any 2-step exchange, or a session or something like that, which is required for any successful SSO on Windows.

dblock avatar Sep 09 '19 04:09 dblock