11 Replies Latest reply on Jul 3, 2008 5:51 PM by vipseixas

Problem with Single Sign on in Seam application

robban Jun 17, 2008 2:05 PM

I have implemented single sign on as described in:
Windows SSO with JBoss Seam

But I use WINS to find the domaincontrollers as:

     <filter>
        <filter-name>NtlmHttpFilter</filter-name>
        <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
        <init-param>
             <param-name>jcifs.netbios.wins</param-name>
             <param-value>ip1,ip2</param-value>
        </init-param>
        <init-param>
            <param-name>jcifs.smb.client.domain</param-name>
            <param-value>domain</param-value>
        </init-param>
        <init-param>
            <param-name>jcifs.smb.lmCompatibility</param-name>
            <param-value>3</param-value>
        </init-param>
        <init-param>
            <param-name>jcifs.util.loglevel</param-name>
            <param-value>2</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>NtlmHttpFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

I can log in and everything but every now and then a log in box pops up and I this is written to the log:

NtlmHttpFilter: <DOMAIN>\<USER>: 0xC000006D: jcifs.smb.SmbAuthException: Logon failure: unknown user name or bad password.

I thought that authentication through NTLM should only occur when the NotLoggedIn exception is thrown (as implemented in the article linked above).

And why does the authentication fail all of a sudden and start working again if i reload the page?

I would be really greatful for some help.

1. Re: Problem with Single Sign on in Seam application

gjeudy Jun 17, 2008 3:55 PM (in response to robban)

I think the problem you are having is independent of Seam. Clearly it comes from the NtlmHttpFilter. I suggest you check out jcifs doc and see how you can troubleshoot this problem.

The NtlmFilter stores the NtlmPasswordAuthentication in the session, could it be that this object or the session expires unexpectedly ?

I am also using NtlmFilter for authentication and I never had the problem you described.

Here's my config if that can be any help:

<filter>

                <filter-name>NtlmHttpFilter</filter-name>

                <filter-class>jcifs.http.NtlmHttpFilter</filter-class>

                <init-param>

                        <param-name>jcifs.http.domainController</param-name>

                        <param-value>domaincontrollerhostname</param-value>

                </init-param>

                <init-param>

                        <param-name>jcifs.smb.client.username</param-name>

                        <param-value>user</param-value>

                </init-param>

                <init-param>

                        <param-name>jcifs.smb.client.password</param-name>

                        <param-value>pass</param-value>  

                </init-param>

                <init-param>

                        <param-name>jcifs.smb.client.domain</param-name>

                        <param-value>domainname</param-value>

                </init-param>

                <init-param>

                        <param-name>jcifs.util.loglevel</param-name>

                        <param-value>2</param-value>

                </init-param>             

        </filter>

2. Re: Problem with Single Sign on in Seam application

robban Jun 17, 2008 4:04 PM (in response to robban)

Thank you for your answer.

I will take a look at that.

Previously we specified the domainController just as in your example and it worked fine. However we had som problems with the domain controller and we wanted to add a secondary controller in case the first one went down.

As far as I know you can't specify sveral domain controllers so thats why I changed too WINS.
Actions
3. Re: Problem with Single Sign on in Seam application

robban Jun 18, 2008 3:16 PM (in response to robban)

It seems like the problem only occurs when I use a suggestionbox. Could the problem have something to do with ajax requests?
Actions
4. Re: Problem with Single Sign on in Seam application

gjeudy Jun 18, 2008 3:26 PM (in response to robban)

That is pretty strange. Well an AJAX request is just another HTTP request as far as i'm concerned so should not cause problems.

If you are really out of clues I suggest you get jcifs source code and run in debug mode, you may be able to catch why it fails at some point.

I don't know JCIFS ntlm auth protocol in details but I would hope it negotiates auth only once when you get a new session. If so you should not later get auth errors while your session is active because the auth object is stashed in the session.
Actions
5. Re: Problem with Single Sign on in Seam application

robban Jun 18, 2008 3:58 PM (in response to robban)

Yes that is what I would expect aswell but the network login keeps popping up while the seam identity is alive and kicking so I can just press ok and keep on working. But it's quite annoying and after a while my account gets locked.

I would have hoped not to have to mess with the source code but I guess there are no other options.
Actions
6. Re: Problem with Single Sign on in Seam application

svadu Jun 18, 2008 10:08 PM (in response to robban)

You can also try to extend the filter and authenticate only when the user is not authenticated...
Actions
7. Re: Problem with Single Sign on in Seam application

robban Jun 19, 2008 9:43 AM (in response to robban)
I think managed to work around the problem.

Since I only want too use ntlm to let the users skip filling in there credentials I simply created a new login page in a new folder (login/login.xhtml) and changed the NtlmHttpFilter url-mapping to
/login/*

and then some pages.xml programming and then let Seam Security do the rest.

Maybe not the prettiest solution but it seems to work.
Actions
8. Re: Problem with Single Sign on in Seam application

vipseixas Jul 2, 2008 11:55 PM (in response to robban)

I want to do as you did, only filter the login page. Can you post your pages.xml programming? I want to have a login page that is automatically skipped when the user is validated by the filter, but I don't know exactly how...

Thanx!
Actions

9. Re: Problem with Single Sign on in Seam application

robban Jul 3, 2008 10:41 AM (in response to robban)

I put the login page in a separate folder,

/login/login.xhtml

and apply the filter on

/login/*

I add this to pages.xml

 <page view-id="/login/login.xhtml">
                <action execute="#{identity.login}"/>
                <navigation>
                        <rule if="#{identity.loggedIn}">
                                <redirect view-id="/itemlist.xhtml" />    
                        </rule>
                        <rule if="#{not identity.loggedIn}">
                                <redirect view-id="/login.xhtml" />       
                        </rule>
                </navigation>
        </page> 

<exception class="org.jboss.seam.security.NotLoggedInException">
        <end-conversation/>
                <redirect view-id="/login/login.xhtml" />         
    </exception>

Hope this helps you.

10. Re: Problem with Single Sign on in Seam application

bravocharlie.seam.signup.benny.me.uk Jul 3, 2008 10:52 AM (in response to robban)

Remember that once IE has authenticated with NTLM it likes to retry the authentication (even if you don't ask it to) whenever you do a POST... hopefully it'll only do that within /login
Actions
11. Re: Problem with Single Sign on in Seam application

vipseixas Jul 3, 2008 5:51 PM (in response to robban)

That was exactly what I needed! I didn't know how to execute the login action before displaying the login page, the action tag was the missing information to me.

Thanx again! It is working very nice now!
Actions

Go to original post