Supporting Custom Authentication Scheme

ScoPi

So I've read through as many of the authentication-related posts as I can on these forums, but I'm still at a bit of a loss as to how to proceed; I'm hoping one of you can give me a hint so I can move on.

My scenario is this: My organization uses an Echo 3 server-side application I've built. The application server uses Apache which proxies requests for certain URLs to an Apache Tomcat instance on the same server which actually serves the Echo 3 application. Currently, authentication is totally handled by Apache in that one of the built-in HTTP authentication mechanisms (don't recall which--Negotiate?) is used which ties into our Kerberos system. Once authenticated via this mechanism, I retrieve the authenticated user's username through another mechanism (which isn't relevant to this discussion) and pass it on to the Echo 3 application.

Unfortunately, the powers that be are unhappy with this situation because despite the single sign-on value that Kerberos gives you (and thus the single username/password), a user is prompted for their credentials again if they request a page from a different server in the organization, even if that other server also uses the same mechanism and Kerberos backend for authentication. (BTW, if anyone has any thoughts on how or if it's possible to prevent this from happening, please let me know. I don't currently believe there's any solution to this issue.)

As a result of this, another developer here has come up with an authentication scheme which involves a separate authentication server. The idea is that unauthenticated users will be sent to the authentication server to receive a cookie after successful authentication there; the authentication server will then redirect them to their original location. In pseudocode, this is what my Echo 3 application is going to have to do to verify that the user has been authenticated by the authentication server, most likely in an overridden WebContainerServlet.process() method, I believe:

if a username identifying the current user isn't already associated with the current session
{
    if the authentication cookie exists
    {
        send the value of one of the client's cookies to a PHP page on the authentication server
        
        if the PHP page responds that the cookie value is associated with an authenticated user
        {
            get the current username from another cookie value that should be present and save it with the current session
        }
    }
    else
    {
        redirect the client to the authentication server
    }
}

As I mentioned, I believe this will likely have to be done in an overridden WebContainerServlet.process() method. However, is it really a good idea (or even possible) for me to make a call to a PHP page in that method? What other basic approach am I missing? It seems to me that as long as I prevent an ApplicationInstance from being created or--even better--a session from being created, I should be good to go.

I know this is a long post, but hopefully someone has an idea I can use to look into this further.

rakesh

I have done what you described in pseudo code in a previous single sign on environment. You may be able to use container authentication if you can configure your container to perform the appropriate redirect, so you keep your application code clean. I was deploying on WebSphere and did not want to have to mess with that beast.

ScoPi

Thanks for the response! I've done some searching on "servlet container authentication" and have some leads there, but just to clarify if you can--I assume this involves doing something to the application's web.xml or something similar to enable authentication in some way?

Anyone else have any ideas?

rakesh

Yes, container authentication requires only a simple configuration to protect your WebContainerServlet instance.


However, is it really a good idea (or even possible) for me to make a call to a PHP page in that method?

It should be possible.
From the "process" method you can redirect the browser to the auth server.
Something along the lines of:

// Assumes this runs inside WebContainerServlet.process(request, response), with
// javax.servlet.http.Cookie, javax.servlet.http.HttpServletResponse and
// java.net.URLEncoder imported, and isValidAuthCookie(String) implemented to ask
// the authentication server whether the value is still valid.
boolean haveAuthCookie = false;
Cookie[] cookies = request.getCookies();   // null when the client sent no cookies at all
if (cookies != null) {
  for (Cookie cookie : cookies) {
    if (cookie.getName().equals("authCookie") && isValidAuthCookie(cookie.getValue())) {
      haveAuthCookie = true;
    }
  }
}
// The auth server may hand the token back as a request parameter on the redirect;
// if it validates, store it as the cookie so later requests carry it.
String setCookie = request.getParameter("setCookie");
if (!haveAuthCookie && setCookie != null && isValidAuthCookie(setCookie)) {
  response.addCookie(new Cookie("authCookie", setCookie));
  haveAuthCookie = true;
}
if (!haveAuthCookie) {
  // HttpServletResponse has no setHttpStatus(); use setStatus() (or sendRedirect()).
  // The return URL is a query parameter value, so it must be URL-encoded.
  String returnTo = URLEncoder.encode(request.getRequestURL().toString(), "UTF-8");
  response.setHeader("Location", authServerURL + "?returnTo=" + returnTo);
  response.setStatus(HttpServletResponse.SC_FOUND);
  response.flushBuffer();
  return;
}
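The following is an added, complete example of the flow sketched in ScoPi's pseudocode and in rakesh's process() snippet above; it is not code from either poster or from the Echo 3 project. It assumes Echo 3's WebContainerServlet.process(HttpServletRequest, HttpServletResponse) can be overridden and delegated to with super.process(), that the authentication server exposes a hypothetical login page and a hypothetical validate.php endpoint which answers "OK <username>" for a valid token (a constructed protocol), and that MyApplication is the application's own ApplicationInstance subclass. Two defensive choices differ from the pseudocode: the username is taken from the auth server's validation response rather than from a second client-supplied cookie, and no session or ApplicationInstance is created until validation succeeds.

```java
package example; // hypothetical package, not part of the Echo 3 project

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import nextapp.echo.app.ApplicationInstance;
import nextapp.echo.webcontainer.WebContainerServlet;

public class AuthGateServlet extends WebContainerServlet {

    // Hypothetical endpoints and names; replace with the real authentication server's.
    private static final String AUTH_SERVER_URL = "https://auth.example.org/login.php";
    private static final String VALIDATE_URL = "https://auth.example.org/validate.php";
    private static final String AUTH_COOKIE = "authCookie";
    private static final String SESSION_USER = "authenticatedUser";

    @Override
    public ApplicationInstance newApplicationInstance() {
        return new MyApplication(); // hypothetical ApplicationInstance subclass
    }

    @Override
    protected void process(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        // Fast path: a session that already carries a username was validated earlier,
        // so the auth server is not contacted again on every request.
        HttpSession existing = request.getSession(false);
        if (existing != null && existing.getAttribute(SESSION_USER) != null) {
            super.process(request, response);
            return;
        }

        String token = findCookie(request, AUTH_COOKIE);
        String username = (token == null) ? null : validateWithAuthServer(token);
        if (username == null) {
            // Not authenticated: redirect to the auth server without creating a
            // session or an ApplicationInstance. The return URL is URL-encoded.
            String returnTo = URLEncoder.encode(request.getRequestURL().toString(), "UTF-8");
            response.sendRedirect(AUTH_SERVER_URL + "?returnTo=" + returnTo);
            return;
        }

        // Only now create the session and bind the username the auth server vouched for.
        request.getSession(true).setAttribute(SESSION_USER, username);
        super.process(request, response);
    }

    /** Returns the named cookie's value, or null (getCookies() is null when none were sent). */
    static String findCookie(HttpServletRequest request, String name) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (name.equals(c.getName())) return c.getValue();
        }
        return null;
    }

    /**
     * Asks the auth server whether the token is valid. Constructed protocol assumed here:
     * the PHP page answers a single line "OK <username>" for a valid token, anything else
     * otherwise. Returns the username, or null if the token is rejected or the server is
     * unreachable (fail closed: an unreachable auth server means "not authenticated").
     */
    static String validateWithAuthServer(String token) {
        HttpURLConnection conn = null;
        try {
            URL url = new URL(VALIDATE_URL + "?token=" + URLEncoder.encode(token, "UTF-8"));
            conn = (HttpURLConnection) url.openConnection();
            conn.setConnectTimeout(3000);
            conn.setReadTimeout(3000);
            if (conn.getResponseCode() != HttpURLConnection.HTTP_OK) return null;
            BufferedReader in = new BufferedReader(new InputStreamReader(conn.getInputStream(), "UTF-8"));
            String line = in.readLine();
            in.close();
            if (line != null && line.startsWith("OK ") && line.length() > 3) {
                return line.substring(3).trim();
            }
            return null;
        } catch (IOException e) {
            return null;
        } finally {
            if (conn != null) conn.disconnect();
        }
    }
}
```

Two points worth checking on the auth server side of this design: the login page should only honour returnTo values that point back at known application hosts, since the parameter is otherwise an open redirect, and it should set the cookie with the Secure and HttpOnly flags so the token is not exposed over plain HTTP or to page scripts. Caching the validation result in the session, as above, keeps the per-request cost to a session lookup once the first validated request has gone through.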

ScoPi

Thanks for the reply! I have confirmed your answer by implementing something similar.