Transparent authentication and a lady under debugger


The last week was full of adventure.

I had to find a solution to integrate a Java EE based corporate web portal with Microsoft Active Directory. The integration had to be done in a transparent manner, so that when an AD-authenticated user opens the web portal there is no prompt for login credentials.


Sounds simple? Yeah. At first I thought so too :)


JCIFS Authentication

The first and easiest solution was to use the JCIFS library. I created a test application, added everything needed for JCIFS and deployed the code to a local Linux server. Works perfectly! Then I deployed this solution to the production server, which is located in our client's corporate network, to see how it would perform in the real world. And… my adventures began. I got a number of exceptions related to network connections. What's up? Colleagues from our IT Support informed me that the production server was located behind a firewall. Okay. Can we ask them to open the required ports? The answer was a strong NO. So the idea of using JCIFS was dropped.


Authentication by NTLM headers

Next, I was advised to look at the NTLM headers to check the authentication data, and then search for the user in LDAP. Okay. I modified the test application and tested it in the local environment. Looks good. I deployed it to the production server and asked IT Support to test it. OOPS!!! It worked in some places and did not work in others. Also, again, it started to throw another kind of exception related to connection problems. In the end, I was informed that in some subnets of the client's corporate network NTLM was disabled. OK. I will not use NTLM. Where to go next?


Kerberos based authentication

The only possible solution left was to use Kerberos based authentication. I modified the test application to use the SPNEGO library and tested the app in a Windows environment, as its source documentation was written for the Windows platform. Works fine! Then I uploaded the test application to the Linux server. I got a number of exceptions, as is tradition… So I started to fight against Kerberos.


The week ended with thoughts of analyzing exceptions and finding some working solution.


A lady under debugger

On Saturday, I walked to the insurance office to renew my car insurance. On my way back home, I accidentally bumped into a young lady on the sidewalk, face to face. As far as I can remember, she was dressed aggressively, in an open manner, almost in a semi-naked style. I am not sure what she was really dressed in, but there was only a visual illusion of a dress – the presence of something that had to be considered normal clothing. In my homeland, Uzbekistan, the chance of encountering such an open temper in the street is very, very low.


As I was extremely busy with deep thoughts about KERBEROS and the possible causes of the connection related exceptions, I had no chance to pay any more attention and easily forgot that incident.


That night, close to early morning, I saw that young lady in my sleep... Suddenly, she began to walk straight towards me... She stopped right in front of me, staring into my eyes, and started to open her mouth slowly to say something, and... OOPS!!!

An exception was thrown: - "Connection refused. Root case: IllegalStatementException" and blah-blah-blah!!! The environment threw me into the debugger, and I found myself digging deep in memory dumps and looking for the variables... It was extremely interesting to know what went wrong here and what she really wanted to say to me...

But, unexpectedly, in the next moment, this beautiful dream was interrupted and I was woken up by my wife's loud voice – WHY are you LOOKING SO HAPPY (!) and SMILING IN YOUR SLEEP? (!!!)



P.S. This week, on Monday, I got the Kerberos based authentication fully working using the SPNEGO library on Linux (Ubuntu). Who knows, maybe that dream helped somehow :))