tomee-users mailing list archives

From rnieto
Subject Integrated Windows Authentication and OpenEJB
Date Tue, 19 Jul 2011 11:14:45 GMT
I've been trying (really, really) hard to figure out how to integrate
Windows Authentication with the OpenEJB exposed web services we have. This
is my setup:

- Client is a .NET web service client; it interacts with the server with
typical SOAP messages. The username and password are not typed in; they're
managed automatically by .NET.
- Server has exposed web services (through OpenEJB and CXF).
- On one web service method, it needs to get the user credentials to
check the user on the Active Directory and get certain details about the
current user.
- We've currently added the SPNEGO HTTP servlet filter to manage the single
sign-on (we're also working with WAFFLE; we still haven't decided on which one
to really use).
- When you open a JSP page on the server, it correctly sees the current
logged-in user and displays the current username properly.

What I'm having problems with is if I get the HTTPRequest object on any of
the web service methods, it always displays "guest" as the user principal.
This seems to bypass the whole SSO filter set-up (SPNEGO or Waffle), and
logs in as guest.

I've seen the examples for adding security to OpenEJB and it involves adding
a JAAS setup wherein it requires a username and password. Since
SPNEGO/Waffle is already managing the authentication and it's impossible to
get the password from the Kerberos ticket, this really wouldn't work for my
setup. (Just to be clear, the password of the user would never ever be
provided; Kerberos is doing all the work.)

I need somehow for OpenEJB to use the servlet filter provided by
Waffle/SPNEGO instead of it doing a "guest" login.

I've tried dummying the Web Service with Axis: the SPNEGO filter setup is
the same, the Tomcat server is the same, the client exe application is the same.
For that case it works; it gets the username of the current logged-in user
automatically. When I switch over the web service to the OpenEJB
implementation, it always just returns "guest".

Sent from the OpenEJB User mailing list archive at