Posted to users@wicket.apache.org by Ravi_116 <ra...@gmail.com> on 2008/06/16 18:50:41 UTC

Wicket NTLM/Single-sign-on integration Question

What is the best way to integrate NTLM with the Wicket authentication module?

Currently, we are migrating from a standard login page implementation to
JCIFS NTLM (Windows domain credentials).
JCIFS provides a convenient servlet filter to do the NTLM handshake. It
sticks the username in the HttpServlet.getRemoteUser(). The current
Wicket implementation is to extend AuthenticatedWebSession and
provide a MyAppWebSession authenticate method and a login page.



@Override
  protected Class<? extends WebPage> getSignInPageClass()
  {
      return LoginPage.class;
  }

  @Override
  protected Class<? extends AuthenticatedWebSession> getWebSessionClass()
  {
      return MyAppWebSession.class;
  }

public class MyAppWebSession extends AuthenticatedWebSession
{
  public boolean authenticate(String userName, String password)
  {
    // This is not the NTLM authentication, I need to get the username provided by NTLM here
    return myAuthenticator.authenticate(userName);
  }
}

How does Wicket determine whether to show a login page in the Wicket application?
Seems like it's not using getHttpServletRequest().getRemoteUser()

There seem to be a couple of ways to tackle this issue:
1. Use Wicket's IAuthorizationStrategy and plug NtlmAuthenticator (from
JCIFS) into this and add the additional authentication to it.
2. Use the Swarm authentication framework.
3. Propagate the username from getHttpServletRequest().getRemoteUser() to
the MyAppWebSession class and not show the login page if the JCIFS filter
authenticates the user using NTLM.

Any pointers/ideas are appreciated,

Ravi

-- 
View this message in context: http://www.nabble.com/Wicket-NTLM-Single-sign-on-integration-Question-tp17868669p17868669.html
Sent from the Wicket - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org


Re: Wicket NTLM/Single-sign-on integration Question

Posted by Nino Saturnino Martinez Vazquez Wael <ni...@jayway.dk>.
I have this:

    @Override
    public boolean authenticate(String username, String password) {

        Person person = new Person();
        person.setAlias(username);
        person.setPassword(password);

        return dBDao.authorizePerson(person);
    }
    public boolean isAuthorized() {
        return authorized;
    }

    public void setAuthorized(boolean authorized) {

        this.authorized = authorized;
        if (authorized) {
            getPerson().setLoggedIn(true);
        }
        // Call below too!
        signIn(getPerson().getAlias(), getPerson().getPassword());
    }
    @Override
    protected Class<? extends WebPage> getSignInPageClass() {

        return LoginPage.class;
    }

Which means that I use a custom page for logging in, and sort of can
log in how I want to...

Ravi_116 wrote:
> Nino - Thanks for the reply
> The AuthenticatedWebSession has the isSignedIn() method defined "final". So
> cannot extend and override it.
>
> 	/**
> 	 * @return True if the user is signed in to this session
> 	 */
> 	public final boolean isSignedIn()
> 	{
> 		return signedIn;
> 	}
>
>
> Ravi

-- 
-Wicket for love

Nino Martinez Wael
Java Specialist @ Jayway DK
http://www.jayway.dk
+45 2936 7684




Re: Wicket NTLM/Single-sign-on integration Question

Posted by Maurice Marrink <ma...@gmail.com>.
Using Swarm, I usually leave the default isAuthenticated methods intact
and let the request be redirected to the login page, where I check if a
known third party has done the authentication for me. If so, I
automatically log the user in for Wicket and redirect back to where I
came from.

You can override the isAuthenticated methods on the session or
security checks, but Swarm still requires a subject with permissions,
unless you only require an authenticated user and all users have the
same permissions. So you have to translate the httpsession flag at
some point to something Swarm understands. As you would for any
framework.

Maurice

On Mon, Jun 16, 2008 at 9:29 PM, Ravi_116 <ra...@gmail.com> wrote:
>
> Nino - Thanks for the reply
> The AuthenticatedWebSession has the isSignedIn() method defined "final". So
> cannot extend and override it.
>
>        /**
>         * @return True if the user is signed in to this session
>         */
>        public final boolean isSignedIn()
>        {
>                return signedIn;
>        }
>
>
> Ravi


Re: Wicket NTLM/Single-sign-on integration Question

Posted by Ravi_116 <ra...@gmail.com>.
Nino - Thanks for the reply
The AuthenticatedWebSession has the isSignedIn() method defined "final". So
cannot extend and override it.

	/**
	 * @return True if the user is signed in to this session
	 */
	public final boolean isSignedIn()
	{
		return signedIn;
	}


Ravi



-- 
View this message in context: http://www.nabble.com/Wicket-NTLM-Single-sign-on-integration-Question-tp17868669p17871702.html
Sent from the Wicket - User mailing list archive at Nabble.com.




Re: Wicket NTLM/Single-sign-on integration Question

Posted by Nino Saturnino Martinez Vazquez Wael <ni...@jayway.dk>.

Ravi_116 wrote:
> What is the best way to integrate NTLM with the Wicket authentication module?
>
> Currently, we are migrating from a standard login page implementation to
> JCIFS NTLM (Windows domain credentials).
> JCIFS provides a convenient servlet filter to do the NTLM handshake. It
> sticks the username in the HttpServlet.getRemoteUser(). The current
> Wicket implementation is to extend AuthenticatedWebSession and
> provide a MyAppWebSession authenticate method and a login page.
>
>
>
> @Override
>   protected Class<? extends WebPage> getSignInPageClass()
>   {
>       return LoginPage.class;
>   }
>
>   @Override
>   protected Class<? extends AuthenticatedWebSession> getWebSessionClass()
>   {
>       return MyAppWebSession.class;
>   }
>
> public class MyAppWebSession extends AuthenticatedWebSession
> {
>   public boolean authenticate(String userName, String password)
>   {
>     // This is not the NTLM authentication, I need to get the username provided by NTLM here
>     return myAuthenticator.authenticate(userName);
>   }
> }
>
> How does Wicket determine whether to show a login page in the Wicket application?
> Seems like it's not using getHttpServletRequest().getRemoteUser()
>
>   
It's just using the information you provide above... So it should be a 
clean plug, you should just forward username and password in your above 
code... that's what I do using my own authenticator.

I think it sets a simple property if you're signed in or not based on the
above authenticate..
>  
> There seem to be a couple of ways to tackle this issue:
> 1. Use Wicket's IAuthorizationStrategy and plug NtlmAuthenticator (from
> JCIFS) into this and add the additional authentication to it.
> 2. Use the Swarm authentication framework.
> 3. Propagate the username from getHttpServletRequest().getRemoteUser() to
> the MyAppWebSession class and not show the login page if the JCIFS filter
> authenticates the user using NTLM.
>
> Any pointers/ideas are appreciated,
>
> Ravi
>
>   

-- 
-Wicket for love

Nino Martinez Wael
Java Specialist @ Jayway DK
http://www.jayway.dk
+45 2936 7684
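
Added example, not part of the thread and not code from Wicket or JCIFS: a sketch of option 3 from the original question combined with the login-page check Maurice describes. It assumes the Wicket 1.3/1.4 package names and that the NTLM servlet filter is mapped ahead of the Wicket filter for every application URL; `containerUser()`, `signInFromContainer()` and `getUserName()` are hypothetical names.

```java
import javax.servlet.http.HttpServletRequest;
import org.apache.wicket.Request;
import org.apache.wicket.RequestCycle;
import org.apache.wicket.authentication.AuthenticatedWebSession;
import org.apache.wicket.authorization.strategies.role.Roles;
import org.apache.wicket.protocol.http.WebRequest;

public class MyAppWebSession extends AuthenticatedWebSession {
    private String ntlmUser; // name the servlet filter vouched for

    public MyAppWebSession(Request request) {
        super(request);
    }

    /** Remote user of the current request as set by the filter, or null. */
    static String containerUser() {
        WebRequest req = (WebRequest) RequestCycle.get().getRequest();
        HttpServletRequest http = req.getHttpServletRequest();
        String user = http.getRemoteUser();
        return (user == null || user.trim().length() == 0) ? null : user;
    }

    /**
     * Hypothetical hook: LoginPage's constructor calls this and, on true,
     * calls continueToOriginalDestination() instead of rendering the form.
     */
    public boolean signInFromContainer() {
        String user = containerUser();
        // No password: the NTLM handshake already proved the identity.
        return user != null && signIn(user, null);
    }

    @Override
    public boolean authenticate(String userName, String password) {
        // The userName argument may originate from a form field, so it is
        // accepted only when it matches the name the filter authenticated.
        String user = containerUser();
        if (user == null || !user.equalsIgnoreCase(userName)) {
            return false;
        }
        ntlmUser = user;
        return true;
    }

    public String getUserName() {
        return ntlmUser;
    }

    @Override
    public Roles getRoles() {
        // Assumption: every NTLM-authenticated user gets the same single role.
        return isSignedIn() ? new Roles(Roles.USER) : null;
    }
}
```

If the filter does not cover a URL, `getRemoteUser()` returns null there and the session stays signed out, so the login page is shown rather than an unauthenticated user being let in.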

