tomee-users mailing list archives

From Aldrin L M Leal <>
Subject Re: Integrated Windows Authentication and OpenEJB
Date Tue, 19 Jul 2011 20:05:18 GMT

-- Aldrin Leal

-----Original Message-----
From: Jonathan Gallimore <>
Sent: Tue, 19 Jul 2011 17:03
Subject: Re: Integrated Windows Authentication and OpenEJB

I wonder if this can be handled by implementing a Login Module for Tomcat.
I've not come across SPNEGO or Waffle - I'll have a search for them and see
if I can help you get something going. If you have any links for SPNEGO or
Waffle that might be useful.


On Tue, Jul 19, 2011 at 12:14 PM, rnieto <> wrote:

> I've been trying (really really) hard to figure out how to integrate
> Windows Authentication with the OpenEJB exposed web services we have. This
> is my setup:
> - Client is a .net web service client, it interacts with the server with
> typical SOAP messages. The username and password is not typed in, it's
> managed automatically by .NET.
> - Server has exposed web services (through OpenEJB and CXF).
> - On one web service method, it requires to get the user credentials to
> check on the active directory the user and get certain details about the
> current user.
> - We've currently added SPNEGO http servlet filter to manage the single
> sign on (we're also working with WAFFLE, we still haven't decided on which
> one to really use).
> - When you open a jsp page on the server it correctly sees the current
> logged-in user and displays the current username properly.
> What I'm having problems with is if I get the HTTPRequest object on any of
> the web service methods, it always displays "guest" as the user principal.
> This seems to bypass the whole SSO filter set-up (SPNEGO or Waffle), and
> logs in as guest.
> I've seen the examples for adding security to OpenEJB and it involves
> adding a JAAS setup wherein it requires a username and password. Since
> SPNEGO/Waffle is already managing the authentication and it's impossible to
> get the password from the Kerberos ticket, this really wouldn't work for my
> setup. (Just to be clear, the password of the user would never-ever be
> provided, Kerberos is doing all the work)
> I need somehow for OpenEJB to use the servlet filter provided by
> Waffle/SPNEGO instead of it doing a "guest" login.
> ---------
> I've tried dummying the Web Service with Axis, the SPNEGO filter setup is
> the same, Tomcat server is the same, the client exe application is the same.
> For that case it works, it gets the username of the current logged-in user
> automatically. When I switch over the web service to the OpenEJB
> implementation, it always just returns "guest".