Can IIS perform SSO for Java webapp?

on 22.10.2007 18:55:00 by Daniel Borlean

Hi,

I've got a Java web application that is running on Tomcat and supports
Single Sign-On (SSO) by detecting a specific HTTP header with the
authenticated user id (e.g., SSO_USER: bsmith). On IIS, I've installed the
ISAPI_Redirect.dll filter to connect IIS to Tomcat so the user can execute
the Java web app through IIS.

I configured IIS V6.0 on Windows Server 2003 to enable "Integrated Windows
authentication" and disable "Anonymous access", and I've configured my IE web
browser with the "Automatic logon with current username and password" setting
in the User Authentication Security Settings section.

The integrated Windows authentication is working well from IE to IIS, but my
Java webapp is not detecting the authenticated user and I don't know how to
configure IIS to pass the user's login id as an HTTP header to the Java
webapp. Can this behavior be configured in IIS natively, or even with a
third-party utility?

One HTTP header I noticed while monitoring the HTTP exchanges between the
browser and Tomcat server was the following:
authorization = Negotiate

I'm assuming that the text (which appears to be base64
encoded, e.g., TIRMTVNTUAADAAA.....) would contain the authentication
information of the current user, but may also be encrypted or be in a
specific format that my Java webapp does not understand.

Thanks,
Daniel

PS I've also got a Firefox web browser to be able to authenticate to the
IIS server by configuring its "network.negotiate-auth.trusted-uris"
preference.

Re: Can IIS perform SSO for Java webapp?

on 22.10.2007 23:08:45 by patfilot

Integrated Windows Auth is NTLM, which does not support multi-hop authentication,
meaning that authenticating with the front-end will not proxy authentication
downstream. Basic Authentication will make the IIS server the
authenticated user (Basic Auth requires a log-in local permission), which can
be handled by a form-based login or a pop-up and passed downstream. This is
why OWA has a login screen.


Pat


"Daniel Borlean" wrote in message
news:0C4BD7AE-4657-4F75-B6EF-2DABB32641B8@microsoft.com...
> Hi,
>
> I've got a Java web application that is running on Tomcat and supports
> Single Sign-On (SSO) by detecting a specific HTTP header with the
> authenticated user id (e.g., SSO_USER: bsmith). On IIS, I've installed
> the
> ISAPI_Redirect.dll filter to connect IIS to Tomcat so the user can execute
> the Java web app through IIS.
>
> I configured IIS V6.0 on Windows Server 2003 to enable "Integrated Windows
> authentication" and disable "Anonymous access", and I've configured my IE
> web
> browser with the "Automatic logon with current username and password"
> setting
> in the User Authentication Security Settings section.
>
> The integrated Windows authentication is working well from IE to IIS, but
> my
> Java webapp is not detecting the authenticated user and I don't know how
> to
> configure IIS to pass the user's login id as an HTTP header to the Java
> webapp. Can this behavior be configured in IIS natively, or even with a
> third-party utility?
>
> One HTTP header I noticed while monitoring the HTTP exchanges between the
> browser and Tomcat server was the following:
> authorization = Negotiate
>
> I'm assuming that the text (which appears to be base64
> encoded, e.g., TIRMTVNTUAADAAA.....) would contain the authentication
> information of the current user, but may also be encrypted or be in a
> specific format that my Java webapp does not understand.
>
> Thanks,
> Daniel
>
> PS I've also got a Firefox web browser to be able to authenticate to the
> IIS server by configuring its "network.negotiate-auth.trusted-uris"
> preference.

Re: Can IIS perform SSO for Java webapp?

on 23.10.2007 01:12:49 by DanielBorlean

Thanks for the info. Actually, after much trial and error, I discovered the
solution:

Use the ISAPI_Rewrite filter with the following httpd.conf configuration:
RewriteEngine on
RewriteCond %{REMOTE_USER} TEST\\(.*)
RewriteHeader SSO_USER: .* %1

This ISAPI filter parses out the userid from the REMOTE_USER server variable
(after the "TEST\" domain portion) and adds the custom SSO_USER HTTP header
to the request to the Java webapp that now knows who the authenticated user
is. This, I'm assuming, only works with Integrated Windows Authentication.

Re: Can IIS perform SSO for Java webapp?

on 23.10.2007 05:31:11 by David Wang

On Oct 22, 4:12 pm, Daniel Borlean
wrote:
> Thanks for the info. Actually, after much trial and error, I discovered the
> solution:
>
> Use the ISAPI_Rewrite filter with the following httpd.conf configuration:
> RewriteEngine on
> RewriteCond %{REMOTE_USER} TEST\\(.*)
> RewriteHeader SSO_USER: .* %1
>
> This ISAPI filter parses out the userid from the REMOTE_USER server variable
> (after the "TEST\" domain portion) and adds the custom SSO_USER HTTP header
> to the request to the Java webapp that now knows who the authenticated user
> is. This, I'm assuming, only works with Integrated Windows Authentication.


Your solution works with any standard Authentication protocol
supported by IIS which populates those server variables.

For your situation, Windows Authentication will populate REMOTE_USER
with the Windows username, which you then remap with the ISAPI Filter
to SSO_USER: request header and have that resulting request be proxied
by isapi_redirect.dll to Java.

For Windows Authentication, you will find LOGON_USER more
representative of the actual user that IIS logged on to execute the
request (which is what gets proxied by isapi_redirect.dll).
REMOTE_USER and AUTH_USER are parsed from the HTTP request header and
do not account for ISAPI Filter CustomAuth modifications.

FYI: your scheme works... but is actually very insecure; that is
the nature of patch-work SSO solutions that cross multiple
authentication protocols. Secure SSO solutions would never allow an
ISAPI Filter to do the man-in-the-middle attack that forms the basis
of your solution.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
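The following is an added model (not code from the thread, ISAPI_Rewrite or isapi_redirect.dll) of the rewrite rules Daniel posted, illustrating why David calls the scheme insecure: the webapp trusts whatever SSO_USER header arrives, and under Apache-style semantics the RewriteHeader only fires when the RewriteCond matches, so a request whose REMOTE_USER does not match is forwarded with its headers untouched. It assumes that isapi_redirect.dll forwards other request headers unchanged; the hardened variant, which always controls the identity header and anchors the domain pattern, is an assumption about what a tighter rule should do, not ISAPI_Rewrite syntax.

```python
import re

# Model of the posted rules:
#   RewriteCond %{REMOTE_USER} TEST\\(.*)
#   RewriteHeader SSO_USER: .* %1
# The condition is an unanchored regex search, as in Apache RewriteCond.
POSTED_COND = re.compile(r"TEST\\(.*)")

# Assumed tighter pattern for the hardened variant: anchored, and the user
# part may not contain another backslash.
STRICT_COND = re.compile(r"^TEST\\([^\\]+)$")


def rewrite_as_posted(remote_user, client_headers):
    """Headers forwarded to Tomcat under the posted rules.

    Assumption: RewriteHeader runs only when the preceding RewriteCond
    matched; otherwise the client's headers pass through unchanged.
    """
    forwarded = dict(client_headers)
    m = POSTED_COND.search(remote_user or "")
    if m:
        forwarded["SSO_USER"] = m.group(1)  # the %1 backreference
    return forwarded


def rewrite_hardened(remote_user, client_headers):
    """Same mapping, but the front end always owns the identity header.

    Any client-supplied SSO_USER (in any letter case) is dropped first, and
    the header is set only for a user that matches the strict pattern, so
    the webapp never sees an identity the front end did not assert.
    """
    forwarded = {k: v for k, v in client_headers.items()
                 if k.upper() != "SSO_USER"}
    m = STRICT_COND.match(remote_user or "")
    if m:
        forwarded["SSO_USER"] = m.group(1)
    return forwarded


if __name__ == "__main__":
    # Constructed sample: an authenticated domain user and a request that
    # already carries an SSO_USER header from the client side.
    print(rewrite_as_posted("TEST\\bsmith", {"Host": "intranet"}))
    print(rewrite_as_posted("OTHER\\jdoe", {"SSO_USER": "admin"}))
    print(rewrite_hardened("OTHER\\jdoe", {"SSO_USER": "admin"}))
```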