Transparent authentication and a lady under debugger


The last week was full of adventure.

I had to find a solution to integrate a Java EE based corporate web portal with Microsoft Active Directory. The integration had to be done in a transparent manner, so that when an AD-authenticated user opens the web portal there is no prompt for login credentials.


Sounds simple? Yeah. At first I thought so too :)


JCIFS Authentication

The first and easiest solution was to use the JCIFS library. I created a test application, added everything needed for JCIFS and deployed the code to a local Linux server. Works perfectly! Then I deployed this solution to the production server located in our client's corporate network to see how it would work in the real world. And… my adventures began. I got a number of exceptions related to network connections. What's up? Colleagues from our IT Support informed me that the production server is behind a firewall. Okay. Can we ask them to open the required ports? The answer was a strong NO. And the idea of using JCIFS was dropped.


Authentication by NTLM headers

Next, I was advised to look at the NTLM headers and check the authentication information, and then search for the user in LDAP. Okay. I modified the test application and tested it in the local environment. Looks good. I deployed it to the production server and asked IT Support to test. OOPS!!! It worked in some places and did not work in others. And again, it started to throw another kind of exception related to connection problems. In the end, I was informed that in some subnets of the client's corporate network NTLM was disabled. OK. Will not use NTLM. Where to go next?


Kerberos based authentication

The only solution left to check was Kerberos based authentication. I modified the test application to use the SPNEGO library and tested it in a Windows environment, as its source documentation was written for the Windows platform. Works fine! Then I uploaded the test application to the Linux server. And, as is tradition, I got a number of exceptions… I started to fight against Kerberos then.


With thoughts of analyzing exceptions and finding possible solutions, the week was over.


A lady under debugger

On Saturday, I walked to the insurance office to renew the insurance on my car. On my way back home, I accidentally bumped into a young lady on the sidewalk, face to face. As far as I can remember, she was dressed in an aggressively open manner, almost semi-naked. I'm not sure what she really was dressed in, but there was only a visual illusion of a dress – the presence of something that should be taken as normal clothing. In my homeland, Uzbekistan, the chance of encountering such an open temper in the street is very, very low.


As I was extremely busy with deep thoughts of KERBEROS and possible causes of the connection exceptions, I had no chance to pay any more attention and easily forgot that incident.


That night, close to early morning, I saw that young lady in my sleep... Suddenly, she began walking straight toward me and stopped right in front of me, face to face... Then, she slowly began opening her mouth to say something to me, and... OOPS!!!

An exception was thrown: - "Connection refused. Root case: IllegalStatementException" and blah-blah-blah!!! The environment threw me into the debugger, and I found myself digging deep in the memory dumps and looking through the variables... It was extremely interesting to know what went wrong here and what she really wanted to say...

But, unexpectedly, in the next moment, this beautiful dream was interrupted and I was woken up by my wife's loud voice – WHY are you LOOKING SO HAPPY (!) and SMILING IN YOUR SLEEP? (!!!)



P.S. This week, on Monday, I got the Kerberos based authentication fully working using the SPNEGO library on Linux (Ubuntu). Who knows, maybe that sleep helped, somehow :))