Presentation about Waffle SSO.

1. Daniel Doubrovkine (dblock[at]dblock[dot]org)
Single Sign-On
w/ Tomcat & WAFFLE
6/8/2010
Tomcat ->
Waffle ->

2. 2 www.appsecinc.com
FORM Authentication
GET /index.jsp
304 Redirect
Location: login.jsp
...
POST /login.jsp
j_username=…;j_passsword=…
200 OK
Hello <%# username %>

3. 3 www.appsecinc.com
HTTP Authentication
GET /index.jsp
401 Access Denied
WWW-Authenticate: Basic
WWW-Authenticate: NTLM
...
GET /index.jsp
Authorization: Basic JFRFdPUktHUk9VUA==
200 OK
Hello <%# username %>

4. 4 www.appsecinc.com
Authorization Methods
● BASIC: Base64(username:password)
● DIGEST: Md5(HA1(HA2(…)))
● NTLM: LM Challenge/Response
● Kerberos: KB Tickets
● Negotiate: NTLM or Kerberos

5. 5 www.appsecinc.com
Tomcat, Jetty, etc.
● Servlet Filter
catch-all
● Tomcat Authenticator
authentication method
● Spi Login Module
authentication provider
● Realm
authorize users, a database of users and roles
● User Database
● JAAS Realm: Java Authentication and Authorization Service
● …

6. 6 www.appsecinc.com
Demo: FORM
● How: Login Module + JAAS Realm
● Authentication Method = FORM
● Username, password from FORM
● Windows Logon
● Groups => Roles

7. 7 www.appsecinc.com
Demo: JAAS
● How: Login Module + JAAS Realm
● Authentication Method = BASIC
● Username, password from browser
● Windows Logon
● Groups => Roles

8. 8 www.appsecinc.com
Demo: Negotiate
● How: Authenticator Valve
● Authentication Method = Negotiate
● Windows Realm
● Single Sign-On

9. 9 www.appsecinc.com
Demo: Negotiate + Basic Filter
● How: Security Filter
● Authentication Method = Negotiate or BASIC
● Single Sign-On

10. 10 www.appsecinc.com
Demo: Mixed-Mode
● How: Authenticator Valve
● Authentication Method = FORM or Negotiate
● Single Sign-On
● URL-based Protocol

11. 11 www.appsecinc.com
Open Source
● WAFFLE = Windows Authentication Functional Framework Bla Bla Bla
● http://waffle.codeplex.com
Questions?