Transparent authentication and a lady under debugger


The last week was full of adventure.

I had to find a solution to integrate a Java EE based corporate web portal with Microsoft Active Directory. The integration had to be done in a transparent manner, so that when an AD-authenticated user opens the web portal there is no prompt for login credentials.


Sounds simple? Yeah. At first, I thought so too :)


JCIFS based authentication

The first and easiest solution was to use the JCIFS library. I created a test application, put in everything needed for JCIFS and deployed the code to a local Linux server. It worked perfectly! Then I deployed this solution to the production server located in our client's corporate network to see how it would perform in the real world. And… my adventures began. I got a number of exceptions related to the network connection. What's up? Colleagues from our IT Support informed me that the production server is located behind a firewall. Okay. Can we ask them to open the required ports? The answer was NO. So, the idea of using JCIFS was dropped.


Authentication by NTLM headers

Next, I was advised to look at the NTLM headers to check the authentication data, and then search for the user in LDAP. Okay. I modified the test application and tested it in a local environment. Looks good. I deployed it to the production server and asked IT Support to test it. OOPS!!! It worked in some places and did not work in others. Also, again, it started to throw another kind of exception related to a connection problem. In the end, I was informed that in some subnets of the client's corporate network NTLM was disabled. Okay. I will not use NTLM. Where to go next?


Kerberos authentication

The only possible solution left was to use Kerberos based authentication. I modified the test application to use the SPNEGO library and tested the app in a Windows environment, as its source documentation was written for the Windows platform. Works fine! Then I uploaded the test application to the Linux server. I got a number of exceptions, as is tradition… So then I started to fight with Kerberos.


The week ended with thoughts of analyzing exceptions and looking for a working solution.


A lady under debugger

On Saturday, I went to the insurance office to renew my car's insurance. On my way back home, I accidentally bumped into a young lady on the sidewalk, face to face. As far as I can remember, she was dressed in a very open, almost semi-naked and aggressive style. I am not sure about the way she was dressed, but there was only a visual illusion – the presence of something that had to be considered as clothing. In my homeland, Uzbekistan, the chance of encountering such a provocative outfit in the street is very low.


I was extremely busy with thoughts of KERBEROS and the possible causes of the connection-related exceptions, so I had no chance to pay any more attention, and easily forgot that incident.


That night, close to early morning, I saw that young lady in my sleep... Suddenly, she began to walk straight toward me... and stopped right in front of me, staring into my eyes... and started to open her mouth slowly to say something, and... OOPS!!!

An exception was thrown: "Connection refused. Root cause: IllegalStatementException" and blah-blah-blah!!! The environment threw me into a debugger, and I found myself digging deep into memory dumps and looking for the variables... It was extremely interesting to know what went wrong here and what she really was going to say...

But, unexpectedly, in the very next moment, this beautiful dream was interrupted and I was woken up by my wife's loud voice – Why are you LOOKING SO HAPPY (!) and SMILING IN YOUR SLEEP? (!!)



P.S. This week, on Monday, I got the Kerberos based authentication fully working using the SPNEGO library on Linux (Ubuntu). Who knows, maybe that sleep helped somehow :))