Transparent authentication, exceptions and a beauty under debugger


Last week was full of adventure.

I was tasked with integrating a Java EE based corporate web portal with a Microsoft Windows Active Directory domain. The integration had to be done in a transparent manner. This means that when a domain-authenticated user opens a browser and starts to use the web portal, the browser should not prompt for login credentials, as the user has already been authenticated by Winlogon and authorized in the domain.


Sounds simple? Yeah. At first I also thought so )


JCIFS Authentication

The first and easy solution was using the JCIFS library. So, I created a test web application, put in everything needed for JCIFS and deployed it to a local Linux server. Works perfectly! Then I deployed this solution to the client's production server to see how it would behave in the real world. And… the adventures began. I got a number of exceptions related to connection problems. What's up? Colleagues from our IT Support team informed me that the client's production server is behind a firewall. Okay. Can we ask them to open the ports we need? The answer was a strong NO. And the idea of using JCIFS was dropped.


Authentication by NTLM headers

Next, I was advised to look for NTLM headers and check for authentication information, and then look up the user in LDAP. Okay. I modified the test application and tested it in the local environment. Looks good. I deployed it again to the production server and asked people to test. OOPS!!! It worked in some places and did not work in others. And again, it started to throw another kind of exception related to connection problems. After all that, I was informed that in some subnets of the client's corporate network NTLM was disabled. OK. Will not use NTLM. Where to go next?


Kerberos based authentication

The only solution left was to use Kerberos based authentication. I modified the test application to use the SPNEGO library and tested it in a Windows environment, as its source documentation was written for the Windows platform. Worked fine! Then I moved the test application to the Linux server. And, as per tradition, it continued to throw exceptions… I started to fight against Kerberos then.


The week ended with thoughts of analyzing the exceptions and thinking about possible solutions.


A beauty under debugger

On Saturday, I went to the insurance office to renew my car insurance. On my way back home, on the sidewalk, I accidentally bumped straight into a young lady, face-to-face. As far as I can remember, she was dressed aggressively in an open style, seemingly almost semi-naked. I'm not sure if she was dressed in something or not; it was only a visual illusion with her dress – the presence of something which had to be interpreted as a dress. And, in my homeland, in Uzbekistan, seeing such open behavior in the street is very unusual.


As I was extremely busy with deep thoughts of KERBEROS and possible causes for the connection exceptions, I had no chance to pay any more attention and easily forgot this incident.


That night, the time was already early morning, I saw that semi-naked beauty in my sleep... Surprisingly, she began to approach me... Then stopped, facing me straight on... Then, just started to open her mouth to ask something and... OOPS!!!

Quite unexpectedly, it threw an exception: "Connection refused. Root cause: IllegalStatementException" and blah-blah-blah!!! The environment threw me into the debugger, and, in the next moment, I found myself looking deep into variables and dumping memory... It was extremely interesting to know what went wrong here and what this beauty really wanted to say...

Then, just in the next moment, I was woken up by my wife's loud voice – WHY are you LOOKING SO HAPPY (!) and SMILING IN YOUR SLEEP? (!!!)



P.S. This week, on Monday, I totally made the Kerberos based authentication work using the SPNEGO library on Linux (Ubuntu). Who knows, maybe that dream somehow helped ))