11 Replies Latest reply on Jul 3, 2008 5:51 PM by Vinicius Seixas

    Problem with Single Sign on in Seam application

    Robert H Newbie

      I have implemented single sign on as described in:
      Windows SSO with JBoss Seam


      But I use WINS to find the domaincontrollers as:


           <filter>
              <filter-name>NtlmHttpFilter</filter-name>
              <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
              <init-param>
                   <param-name>jcifs.netbios.wins</param-name>
                   <param-value>ip1,ip2</param-value>
              </init-param>
              <init-param>
                  <param-name>jcifs.smb.client.domain</param-name>
                  <param-value>domain</param-value>
              </init-param>
              <init-param>
                  <param-name>jcifs.smb.lmCompatibility</param-name>
                  <param-value>3</param-value>
              </init-param>
              <init-param>
                  <param-name>jcifs.util.loglevel</param-name>
                  <param-value>2</param-value>
              </init-param>
          </filter>
          <filter-mapping>
              <filter-name>NtlmHttpFilter</filter-name>
              <url-pattern>/*</url-pattern>
          </filter-mapping>
      



      I can log in and everything, but every now and then a login box pops up and this is written to the log:


      NtlmHttpFilter: <DOMAIN>\<USER>: 0xC000006D: jcifs.smb.SmbAuthException: Logon failure: unknown user name or bad password.



      I thought that authentication through NTLM should only occur when the NotLoggedIn exception is thrown (as implemented in the article linked above).


      And why does the authentication fail all of a sudden and start working again if I reload the page?


      I would be really grateful for some help.


        • 1. Re: Problem with Single Sign on in Seam application
          Guillaume Jeudy Master

          I think the problem you are having is independent of Seam. Clearly it comes from the NtlmHttpFilter. I suggest you check out jcifs doc and see how you can troubleshoot this problem.


          The NtlmFilter stores the NtlmPasswordAuthentication in the session, could it be that this object or the session expires unexpectedly ?


          I am also using NtlmFilter for authentication and I never had the problem you described.


          Here's my config if that can be any help:


          <filter>
              <filter-name>NtlmHttpFilter</filter-name>
              <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
              <init-param>
                  <param-name>jcifs.http.domainController</param-name>
                  <param-value>domaincontrollerhostname</param-value>
              </init-param>
              <init-param>
                  <param-name>jcifs.smb.client.username</param-name>
                  <param-value>user</param-value>
              </init-param>
              <init-param>
                  <param-name>jcifs.smb.client.password</param-name>
                  <param-value>pass</param-value>
              </init-param>
              <init-param>
                  <param-name>jcifs.smb.client.domain</param-name>
                  <param-value>domainname</param-value>
              </init-param>
              <init-param>
                  <param-name>jcifs.util.loglevel</param-name>
                  <param-value>2</param-value>
              </init-param>
          </filter>


          • 2. Re: Problem with Single Sign on in Seam application
            Robert H Newbie

            Thank you for your answer.


            I will take a look at that.


            Previously we specified the domainController just as in your example and it worked fine. However, we had some problems with the domain controller and we wanted to add a secondary controller in case the first one went down.


            As far as I know you can't specify several domain controllers, so that's why I changed to WINS.

            • 3. Re: Problem with Single Sign on in Seam application
              Robert H Newbie

              It seems like the problem only occurs when I use a suggestionbox. Could the problem have something to do with ajax requests?

              • 4. Re: Problem with Single Sign on in Seam application
                Guillaume Jeudy Master

                That is pretty strange. Well, an AJAX request is just another HTTP request as far as I'm concerned, so it should not cause problems.


                If you are really out of clues I suggest you get jcifs source code and run in debug mode, you may be able to catch why it fails at some point.


                I don't know the JCIFS NTLM auth protocol in detail, but I would hope it negotiates auth only once when you get a new session. If so, you should not later get auth errors while your session is active because the auth object is stashed in the session.

                • 5. Re: Problem with Single Sign on in Seam application
                  Robert H Newbie

                  Yes, that is what I would expect as well, but the network login keeps popping up while the Seam identity is alive and kicking, so I can just press OK and keep on working. But it's quite annoying and after a while my account gets locked.


                  I would have hoped not to have to mess with the source code but I guess there are no other options.

                  • 6. Re: Problem with Single Sign on in Seam application
                    Siarhei Dudzin Apprentice

                    You can also try to extend the filter and authenticate only when the user is not authenticated...
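                    One way to do what Siarhei suggests, as an added example that is not code from any poster in this thread and not part of jcifs or Seam: subclass jcifs.http.NtlmHttpFilter and skip the NTLM negotiation entirely once the session has been marked as authenticated. The marker attribute name "example.ntlm.authenticated" and the markAuthenticated helper are assumptions of this example; the application calls the helper after its own login has succeeded.

```java
import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import jcifs.http.NtlmHttpFilter;

/**
 * Example subclass of jcifs' NtlmHttpFilter (not part of jcifs) that only
 * runs the NTLM challenge/response when the HTTP session does not already
 * carry an authenticated user. Later requests in the same session, including
 * AJAX POSTs that a browser may decorate with a fresh Authorization header,
 * pass straight through, so a transient domain-controller failure can no
 * longer pop up a login box or count against the account lockout threshold.
 */
public class OnceOnlyNtlmHttpFilter extends NtlmHttpFilter {

    /** Session attribute name chosen for this example (not a jcifs or Seam name). */
    public static final String AUTHENTICATED_ATTR = "example.ntlm.authenticated";

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpSession session = req.getSession(false);

        if (session != null && Boolean.TRUE.equals(session.getAttribute(AUTHENTICATED_ATTR))) {
            // Already authenticated in this session: do not talk to the
            // domain controller again, just continue the filter chain.
            chain.doFilter(request, response);
            return;
        }

        // No authenticated session yet: let jcifs negotiate NTLM as usual.
        super.doFilter(request, response, chain);
    }

    /** Called by the application (e.g. from its Seam authenticator) once login succeeded. */
    public static void markAuthenticated(HttpServletRequest req) {
        req.getSession(true).setAttribute(AUTHENTICATED_ATTR, Boolean.TRUE);
    }

    /** Called on logout so the next request is challenged again. */
    public static void clearAuthenticated(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.removeAttribute(AUTHENTICATED_ATTR);
        }
    }
}
```

                    Register the subclass in web.xml in place of jcifs.http.NtlmHttpFilter, keeping the same init-params. Note that on the pass-through path the request is not wrapped by jcifs, so getRemoteUser() is only populated on the request that actually negotiated NTLM; the application has to keep the principal in its own session state (which Seam's Identity already does).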

                    • 7. Re: Problem with Single Sign on in Seam application
                      Robert H Newbie

                      I think I managed to work around the problem.


                      Since I only want to use NTLM to let the users skip filling in their credentials, I simply created a new login page in a new folder (login/login.xhtml) and changed the NtlmHttpFilter url-mapping to

                      /login/*

                      and then some pages.xml programming and then let Seam Security do the rest.


                      Maybe not the prettiest solution but it seems to work.

                      • 8. Re: Problem with Single Sign on in Seam application
                        Vinicius Seixas Newbie

                        I want to do as you did, only filter the login page. Can you post your pages.xml programming? I want to have a login page that is automatically skipped when the user is validated by the filter, but I don't know exactly how...


                        Thanx!

                        • 9. Re: Problem with Single Sign on in Seam application
                          Robert H Newbie

                          I put the login page in a separate folder,

                          /login/login.xhtml 

                          and apply the filter on
                          /login/*



                          I add this to pages.xml


                          <page view-id="/login/login.xhtml">
                              <action execute="#{identity.login}"/>
                              <navigation>
                                  <rule if="#{identity.loggedIn}">
                                      <redirect view-id="/itemlist.xhtml" />
                                  </rule>
                                  <rule if="#{not identity.loggedIn}">
                                      <redirect view-id="/login.xhtml" />
                                  </rule>
                              </navigation>
                          </page>

                          <exception class="org.jboss.seam.security.NotLoggedInException">
                              <end-conversation/>
                              <redirect view-id="/login/login.xhtml" />
                          </exception>



                          Hope this helps you.
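                          For the pages.xml above to skip the login form silently, the #{identity.login} action needs a Seam authenticator that turns the principal established by the NtlmHttpFilter on /login/* into a Seam identity. The following is an added example, not code from any poster in this thread and not Seam's or jcifs' own; it uses Seam 2.0-style Identity.setUsername/addRole, assumes jcifs exposes the authenticated name via getRemoteUser() as DOMAIN\user, and the component name "ntlmAuthenticator", the placeholder EXPECTED_DOMAIN and the role name "user" are assumptions.

```java
import javax.faces.context.FacesContext;
import javax.servlet.http.HttpServletRequest;

import org.jboss.seam.ScopeType;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.Scope;
import org.jboss.seam.security.Identity;

/**
 * Example Seam 2.0 authenticator, wired in components.xml as
 *   <security:identity authenticate-method="#{ntlmAuthenticator.authenticate}"/>
 * With the NtlmHttpFilter mapped to /login/* only, the request that renders
 * /login/login.xhtml is the one request jcifs has authenticated, and the
 * <action execute="#{identity.login}"/> on that page calls this method
 * before anything is displayed.
 */
@Name("ntlmAuthenticator")
@Scope(ScopeType.EVENT)
public class NtlmAuthenticator {

    /** Placeholder: the Windows domain whose users may log in via NTLM. */
    private static final String EXPECTED_DOMAIN = "EXAMPLE_DOMAIN";

    public boolean authenticate() {
        HttpServletRequest request = (HttpServletRequest)
                FacesContext.getCurrentInstance().getExternalContext().getRequest();

        // Assumption: jcifs wraps the request so that getRemoteUser() returns
        // the NTLM-authenticated principal as DOMAIN\user.
        String remoteUser = request.getRemoteUser();
        if (remoteUser == null || remoteUser.length() == 0) {
            // The filter did not authenticate this request: report failure so
            // Seam falls back to the ordinary login form (/login.xhtml).
            return false;
        }

        String[] parts = splitDomainUser(remoteUser);
        String domain = parts[0];
        String user = parts[1];

        // Only trust principals from the domain this application expects;
        // the domain controller may also accept users from trusted domains.
        if (domain != null && !domain.equalsIgnoreCase(EXPECTED_DOMAIN)) {
            return false;
        }

        Identity identity = Identity.instance();
        identity.setUsername(user);
        identity.addRole("user");   // example role; map real roles from your user store
        return true;
    }

    /** Splits "DOMAIN\user" into {domain, user}; domain is null when absent. */
    static String[] splitDomainUser(String remoteUser) {
        int sep = remoteUser.indexOf('\\');
        if (sep < 0) {
            return new String[] { null, remoteUser };
        }
        return new String[] { remoteUser.substring(0, sep), remoteUser.substring(sep + 1) };
    }
}
```

                          If authenticate() returns false, the #{not identity.loggedIn} navigation rule in the pages.xml above sends the user to the unfiltered /login.xhtml, where credentials can be entered by hand.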

                          • 10. Re: Problem with Single Sign on in Seam application
                            Ben Catherall Newbie

                            Remember that once IE has authenticated with NTLM it likes to retry the authentication (even if you don't ask it to) whenever you do a POST... hopefully it'll only do that within /login

                            • 11. Re: Problem with Single Sign on in Seam application
                              Vinicius Seixas Newbie

                              That was exactly what I needed! I didn't know how to execute the login action before displaying the login page, the action tag was the missing information to me.


                              Thanx again! It is working very nice now!