We have an Active Directory integration library that implements the Windows NTLM Security Service Provider including the server-side using the NETLOGON service. Naturally one of the areas we want to expose this to is the web stack. So far we have a Servlet Filter that does SSO authentication and Windows group based authorization.
However, I can see that I'm somewhat out of touch with the current state of using Java for web applications and I'm concerned that I'm not exposing this functionality in an optimal way for developers.
If our Filter overrides HttpServletRequestWrapper methods like getRemoteUser and isUserInRole, is that sufficient for developers to utilize our library?
Is there anything else that we can do to make integrating authentication and authorization easier for Java web developers?
What are some popular "frameworks"? Do they utilize Filters or do they require writing a framework specific module or plugin?
We also have a JAAS LoginModule. Are LMs applicable to the web stack? Can application servers automatically utilize LMs?
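As an added illustration of the wrapper approach asked about above (this is not the poster's library code): a Filter that takes an identity already established by the NTLM handshake and exposes it through the standard servlet calls, failing closed when no identity is present. The request attribute names `ntlm.user` and `ntlm.groups` are assumptions made for this example.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Collections;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

// Example filter (not the library's own): assumes an upstream authenticating
// filter has completed the NTLM/Negotiate exchange and stored the account name
// and its fully expanded group list as request attributes (names hypothetical).
public class AdIdentityFilter implements Filter {
    static final String USER_ATTR = "ntlm.user";     // assumed attribute name
    static final String GROUPS_ATTR = "ntlm.groups"; // assumed: Set<String> of group names/SIDs

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String user = (String) http.getAttribute(USER_ATTR);
        if (user == null) {
            // Fail closed: an unauthenticated request never reaches the application.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        @SuppressWarnings("unchecked")
        Set<String> groups = (Set<String>) http.getAttribute(GROUPS_ATTR);
        if (groups == null) groups = Collections.emptySet();
        chain.doFilter(new AdRequest(http, user, groups), res);
    }

    // Downstream code sees a normal HttpServletRequest; no library-specific API needed.
    static final class AdRequest extends HttpServletRequestWrapper {
        private final String user;
        private final Set<String> groups;

        AdRequest(HttpServletRequest r, String user, Set<String> groups) {
            super(r); this.user = user; this.groups = groups;
        }
        @Override public String getAuthType() { return "NTLM"; }
        @Override public String getRemoteUser() { return user; }
        @Override public Principal getUserPrincipal() {
            return new Principal() { public String getName() { return user; } };
        }
        @Override public boolean isUserInRole(String role) {
            // Windows group names compare case-insensitively; SIDs still match exactly.
            for (String g : groups) if (g.equalsIgnoreCase(role)) return true;
            return false;
        }
    }
}
```

Because the wrapper only overrides the standard accessors, container features and frameworks that rely on `getRemoteUser`/`isUserInRole` work without knowing which library authenticated the user.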
Java Active Directory Integration
There is no standard for integrating web app security with a servlet container, so each container does its own thing; e.g., Tomcat uses realms. You may want to make sure that your library works well with one of the existing realms, or provide your own.
Filters are a common approach; SecurityFilter is one library that does it this way.
Ulf Dittmer wrote:
You may also want to check out the various Java SSO solutions, like OpenSSO, JOSSO and CAS
Just being a little pedantic here, but the term Single Sign-On (SSO) is highly overloaded, so I want to clarify how our SSO solution (http://www.ioplex.com/jespa.html) is completely different from the SSO solutions you cite above.
Many browsers support the WWW-Authenticate: NTLM and WWW-Authenticate: Negotiate authentication mechanisms that transparently authenticate clients using their workstation credentials in an IntrAnet environment. For example, our product specifically targets clients on a Microsoft Active Directory network where workstations are "joined" to a domain and domains have "trusts".
The important part about this type of SSO is that users only enter their password a single time when they log into their workstation a la Ctrl-Alt-Del. Then when they visit a site running our Filter they go right in and it automatically knows who they are (and has their fully expanded list of group SIDs, which makes group based access checks extremely fast). And if they do need to enter a password (because they're not joined to the domain or because they want to change their identity), the password is never even transmitted over the network. A nonce that is encrypted by the browser with the password is transmitted instead. This type of authentication is much more secure. Actually, one of the key things about our solution is that it supports NTLMv2 and other features that are required by the security policies of financial institutions and governments.
The solutions you cite use HTTP redirection to direct the client to a central server for authentication and then redirect the client back to the target site. So those solutions are only necessary in an IntErnet environment where the client is not already associated with a central authority. And even on the IntErnet, the WWW-Authenticate: NTLM method is superior for the authentication step.