David,
How do I accomplish the following from your post below:
....which you then remap with the ISAPI Filter
to SSO_USER: request header and have that resulting request be proxied
by isapi_redirect.dll to Java
Your help would be greatly appreciated. I've been struggling with this as it would appear many have. Thank you for any help/direction.
Regards.
David Wang wrote:
Re: Can IIS perform SSO for Java webapp?
22-Oct-07
On Oct 22, 4:12 pm, Daniel Borlean
wrote:
Your solution works with any standard Authentication protocol
supported by IIS which populates those server variables.
For your situation, Windows Authentication will populate REMOTE_USER
with the Windows username, which you then remap with the ISAPI Filter
to SSO_USER: request header and have that resulting request be proxied
by isapi_redirect.dll to Java.
For Windows Authentication, you will find LOGON_USER more
representative of the actual user that IIS logged on to execute the
request (which is what gets proxied by isapi_redirect.dll).
REMOTE_USER and AUTH_USER are parsed from the HTTP request header and
do not account for ISAPI Filter CustomAuth modifications.
FYI: your scheme works... but is actually very insecure, but that is
the nature of patch-work SSO solutions that cross multiple
authentication protocols. Secure SSO solutions would never allow an
ISAPI Filter to do the man-in-the-middle attack that forms the basis
of your solution.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
Previous Posts In This Thread:
On Monday, October 22, 2007 12:55 PM
Daniel Borlea wrote:
Can IIS perform SSO for Java webapp?
Hi,
I've got a Java web application that is running on Tomcat and supports
Single Sign-On (SSO) by detecting a specific HTTP header with the
authenticated user id (e.g., SSO_USER: bsmith). On IIS, I've installed the
ISAPI_Redirect.dll filter to connect IIS to Tomcat so the user can execute
the Java web app through IIS.
I configured IIS V6.0 on Windows Server 2003 to enable "Integrated Windows
authentication" and disable "Anonymous access", and I've configured my IE web
browser with the "Automatic logon with current username and password" setting
in the User Authentication Security Settings section.
The integrated Windows authentication is working well from IE to IIS, but my
Java webapp is not detecting the authenticated user and I don't know how to
configure IIS to pass the user's login id as an HTTP header to the Java
webapp. Can this behavior be configured in IIS natively, or even with a
third-party utility?
One HTTP header I noticed while monitoring the HTTP exchanges between the
browser and Tomcat server was the following:
authorization = Negotiate <long string>
I'm assuming that the <long string> text (which appears to be base64
encoded, e.g., TIRMTVNTUAADAAA.....) would contain the authentication
information of the current user, but may also be encrypted or be in a
specific format that my Java webapp does not understand.
Thanks,
Daniel
PS I've also got a Firefox web browser to be able to authenticate to the
IIS server by configuring its "network.negotiate-auth.trusted-uris"
preference.
On Monday, October 22, 2007 5:08 PM
Pat [MSFT] wrote:
Integrated Windows Auth is NTLM does not support multi-hop authentication -
meaning that authenticating with the front-end will not proxy authentication
down stream. Basic Authentication will make the IIS server the
authenticated user (Basic Auth requires a log-in local permission) which can
be handled by a form-based login or a pop-up and passed downstream. This is
why OWA has a login screen.
Pat
"Daniel Borlean" wrote in message
On Monday, October 22, 2007 7:12 PM
DanielBorlea wrote:
Thanks for the info. Actually, after much trial and error, I discovered the
solution:
Use the ISAPI_Rewrite filter with the following httpd.conf configuration:
RewriteEngine on
RewriteCond %{REMOTE_USER} TEST\\(.*)
RewriteHeader SSO_USER: .* %1
This ISAPI filter parses out the userid from the REMOTE_USER server variable
(after the "TEST\" domain portion) and adds the custom SSO_USER HTTP header
to the request to the Java webapp that now knows who the authenticated user
is. This, I'm assuming, only works with Integrated Windows Authentication.
On Monday, October 22, 2007 11:31 PM
David Wang wrote:
Re: Can IIS perform SSO for Java webapp?
On Oct 22, 4:12 pm, Daniel Borlean
wrote:
Your solution works with any standard Authentication protocol
supported by IIS which populates those server variables.
For your situation, Windows Authentication will populate REMOTE_USER
with the Windows username, which you then remap with the ISAPI Filter
to SSO_USER: request header and have that resulting request be proxied
by isapi_redirect.dll to Java.
For Windows Authentication, you will find LOGON_USER more
representative of the actual user that IIS logged on to execute the
request (which is what gets proxied by isapi_redirect.dll).
REMOTE_USER and AUTH_USER are parsed from the HTTP request header and
do not account for ISAPI Filter CustomAuth modifications.
FYI: your scheme works... but is actually very insecure, but that is
the nature of patch-work SSO solutions that cross multiple
authentication protocols. Secure SSO solutions would never allow an
ISAPI Filter to do the man-in-the-middle attack that forms the basis
of your solution.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
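The mapping discussed in this thread, modelled in Python as an added example (not code from the posters, ISAPI_Rewrite or isapi_redirect.dll). It goes beyond the posted rule in two assumed hardening steps: any SSO_USER header received from the client is discarded before the server-side value is set, and requests whose account is not in the expected domain are refused. The function name, the allowed username characters and the sample requests are assumptions.

```python
import re

# Assumed values for this sketch: the "TEST" domain comes from the thread's
# RewriteCond; the header name is the one the Java webapp looks for.
TRUSTED_DOMAIN = "TEST"
SSO_HEADER = "SSO_USER"
# Assumption: usernames are limited to these characters; adjust to local policy.
USER_RE = re.compile(r"%s\\([A-Za-z0-9._-]{1,64})" % re.escape(TRUSTED_DOMAIN),
                     re.IGNORECASE)


def build_backend_headers(client_headers, server_vars):
    """Return the headers to proxy to the Java webapp, or None to refuse.

    client_headers: headers as received from the browser (untrusted).
    server_vars: variables the web server set after authentication.
    """
    # 1. Never forward an identity header the client supplied itself.
    #    Header names are case-insensitive; '-' and '_' spellings are both dropped.
    forwarded = {
        name: value
        for name, value in client_headers.items()
        if name.replace("-", "_").upper() != SSO_HEADER
    }
    # 2. Prefer LOGON_USER, as suggested in the thread; fall back to REMOTE_USER.
    account = server_vars.get("LOGON_USER") or server_vars.get("REMOTE_USER") or ""
    # fullmatch rejects trailing data such as CR/LF after the username.
    match = USER_RE.fullmatch(account)
    if match is None:
        # Anonymous request or an account outside the expected domain.
        return None
    # 3. Set the header from the server-side identity only.
    forwarded[SSO_HEADER] = match.group(1)
    return forwarded


# Constructed sample requests (not captured traffic).
SAMPLES = [
    ({"Host": "intranet", "sso_user": "admin"}, {"LOGON_USER": "TEST\\bsmith"}),
    ({"Host": "intranet", "SSO-User": "admin"}, {"LOGON_USER": ""}),
    ({"Host": "intranet"}, {"REMOTE_USER": "OTHER\\bsmith"}),
]

if __name__ == "__main__":
    for headers, variables in SAMPLES:
        print(variables, "->", build_backend_headers(headers, variables))
```

The Java side can then treat SSO_USER as meaningful only on connections that arrive from the IIS connector.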
On Saturday, June 06, 2009 11:31 PM
Ashish Gupta wrote:
IT WORKS !!!