
How do I configure SSO with the MS Windows logged-on user for a Play Framework web application?

I would like to deploy a Play Framework Java web app in an enterprise environment in which the users expect the authentication to be performed behind the scenes using the MS Windows logged-in user. It is important to be able to adapt the Java web app behaviour depending on who the user is.

I understand this can be configured for JEE apps using Waffle or SPNEGO, for example. However, how can I do this for a Play Framework 2.x application? For example, by packaging it as a WAR using play2-war-plugin and deploying it on JBoss Application Server? If that is a good approach, how do I find information on how to set up the configuration?


1 Answer

I have created a plugin for Play 2.

It supports SSO using Kerberos, with a fallback to HTML.

Take a look at it if you are still looking for a solution.

https://github.com/SlyngDK/play-module-ad-sso

  • We found an alternative solution in which a proxy/facade solves the SSO and propagates the original, authenticated username in an HTTP header. Thanks anyway! – nize Apr 29 '14 at 11:48
  • @SlyngDK is it possible to adapt this plugin to Play 1.2? – Eazy Apr 23 '15 at 09:35
  • @Yoldar-Zi I have just committed a new version, with some larger changes, that can make your work implementing it for 1.2 easier. Look at the classes SecuredAction, SpnegoWorker and SSOContext. In SecuredAction you can see how the negotiation is implemented using the two other classes. – SlyngDK Apr 23 '15 at 16:30
  • @SlyngDK thank you for your reply! I will try. Would you mind if I ask for your help in case I have some questions? – Eazy Apr 24 '15 at 05:42
  • @Yoldar-Zi Just ask if you have some questions. – SlyngDK Apr 25 '15 at 11:16
  • @SlyngDK Hi! Could you please help? When the server sends WWW-Authenticate: Negotiate, the client browser always shows a popup login and password window. I followed all recommendations to configure the client side. Maybe the problem is that in klist there is no HTTP SPN? Does the AD admin have to add an HTTP SPN? Thanks! – Eazy Apr 29 '15 at 12:23
  • @Yoldar-Zi You need an SPN matching the server running the SSO service, and the way I made this is with a keytab for this SPN. The login popup opens when Kerberos negotiation fails and falls back to NTLM. A thing to remember is that it can cause problems testing from the DC and with an admin account. Use Wireshark to check the negotiation in the header. If using IE, you have to see the ticket for the SPN in the list from the "klist" command. – SlyngDK Apr 30 '15 at 19:22
  • @SlyngDK Hi! I am stuck on this exception: Caused by: KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC – Eazy May 04 '15 at 10:45
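The comments above describe the symptom of an NTLM fallback (the login popup) and suggest checking the negotiation headers in Wireshark. As an added example that is not part of this thread or of the play-module-ad-sso project, this Python helper classifies the token from a captured `Authorization: Negotiate` header to tell a Kerberos attempt from an NTLM fallback; the sample tokens are constructed, and the mechType scan is a heuristic rather than a full DER parser.

```python
import base64

OID_SPNEGO = bytes.fromhex("06062b0601050502")              # 1.3.6.1.5.5.2 (DER, tag+len+value)
MECH_OIDS = {
    "MS-KRB5": bytes.fromhex("06092a864882f712010202"),     # 1.2.840.48018.1.2.2
    "KRB5":    bytes.fromhex("06092a864886f712010202"),     # 1.2.840.113554.1.2.2
    "NTLMSSP": bytes.fromhex("060a2b06010401823702020a"),   # 1.3.6.1.4.1.311.2.2.10
}
NTLMSSP_SIG = b"NTLMSSP\x00"  # signature that opens every raw NTLM message

def classify_negotiate_token(header_value):
    """Classify the client token of an 'Authorization: Negotiate <base64>' header.
    For a SPNEGO NegTokenInit the result lists the client's mechanism preference order:
    NTLMSSP first means no usable Kerberos ticket for the SPN, i.e. NTLM fallback.
    """
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm") or not b64:
        return {"mechanism": "none", "kerberos": None}
    token = base64.b64decode(b64)
    if token.startswith(NTLMSSP_SIG):
        # Raw NTLMSSP message, no SPNEGO wrapper; byte 8 is the message type (1/2/3).
        return {"mechanism": "NTLM", "ntlm_message_type": token[8], "kerberos": False}
    if token[:1] == b"\x60":
        # Skip the DER length of the outer [APPLICATION 0] tag (short or long form).
        body = 2 + (token[1] - 0x80 if token[1] & 0x80 else 0)
        if token[body:body + 8] == OID_SPNEGO:
            # mechTypes is the first field of NegTokenInit, so the first occurrence of
            # each known OID reflects the preference order (heuristic scan, not a DER parse).
            found = sorted((token.find(o), n) for n, o in MECH_OIDS.items() if o in token)
            mechs = [n for _, n in found]
            preferred = mechs[0] if mechs else None
            return {"mechanism": "SPNEGO", "mechs": mechs, "preferred": preferred,
                    "kerberos": preferred in ("MS-KRB5", "KRB5")}
    return {"mechanism": "unknown", "kerberos": None}  # e.g. a later NegTokenResp (tag 0xa1)

def _tlv(tag, body):
    """Minimal DER TLV (short-form length) for the constructed samples below."""
    return bytes([tag, len(body)]) + body

def build_neg_token_init(mech_names):
    """Constructed SPNEGO NegTokenInit carrying only a mechTypes list, base64-encoded."""
    mech_types = _tlv(0xA0, _tlv(0x30, b"".join(MECH_OIDS[n] for n in mech_names)))
    return base64.b64encode(_tlv(0x60, OID_SPNEGO + _tlv(0xA0, _tlv(0x30, mech_types)))).decode()

# Constructed sample headers, not captured from a real browser.
SAMPLE_HEADERS = {
    "kerberos_ok":   "Negotiate " + build_neg_token_init(["MS-KRB5", "KRB5", "NTLMSSP"]),
    "ntlm_fallback": "Negotiate " + build_neg_token_init(["NTLMSSP"]),
    "raw_ntlm":      "Negotiate " + base64.b64encode(NTLMSSP_SIG + b"\x01" + b"\x00" * 11).decode(),
}
```

Run `classify_negotiate_token` over the header value copied from Wireshark or the browser's developer tools: a result with `"kerberos": False` matches the popup symptom described above, and a missing or wrong HTTP SPN is the usual reason.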