Wiki source code of Single sign-on NTLM

Last modified by Aurelie Bertrand on 2026/01/12 16:46

version	line-number	content
1.1	1	{{ddtoc/}}
	2
	3	----
	4
33.1	5	This document describes how to connect the Waffle valve in DigDash Enterprise to activate Windows Integrated Security (NTLM...).
1.1	6
33.1	7	This add-on is located in the <DDE install>/add-ons/singlesignon/Waffle folder.
1.1	8
33.1	9	The current version of Waffle is 1.8.1.
1.1	10
33.1	11	This document describes each folder and file to be modified to activate this valve.
1.1	12
33.1	13	= Tomcat configuration =
5.1	14
1.1	15	(((
33.1	16	== lib folder ==
26.1	17
33.1	18	The path to this folder is as follows:
26.1	19
33.1	20	* under Linux: /usr/share/tomcat9/lib/
	21	* under Windows: C:\Program Files\Apache Software Foundation\Tomcat 9.0\lib
1.1	22	)))
	23
33.1	24	__Uninstalling the previous version of Waffle :__
1.1	25
33.1	26	If you are updating DigDash, it is possible that an older version of Waffle has been deployed on your Tomcat. You must first remove this version from the lib folder (path indicated above) before installing the new version.
1.1	27
33.1	28	Please refer to the Waffle Deployment Guide for your previous version of DigDash Enterprise for a list of Waffle library files to remove.
1.1	29
33.1	30	Add the Waffle JAR libraries from the <DDE install>/add-ons/singlesignon/Waffle/Tomcat9 folder to the lib folder (path shown above) :
3.1	31
30.1	32	* caffeine-2.8.4.ja
3.1	33	* guava-19.0.jar
	34	* jna-5.6.0.jar
	35	* jna-platform-5.6.0.jar
	36	* slf4j-api-1.7.21.jar
	37	* slf4j-log4j12-1.7.21.jar
	38	* log4j-1.2.15.jar
	39	* waffle-jna-2.3.0.jar
	40	* waffle-tomcat9-2.3.0.jar
	41	* waffle_digdash_extension_tomcat9.jar
	42	* log4j.properties
	43
33.1	44	== Context.xml file ==
1.1	45
33.1	46	This file is located in the following directory :
26.1	47
33.1	48	* under Linux: /etc/tomcat9/
	49	* under Windows : C:\Program Files\Apache Software Foundation\Tomcat 9.0\conf
26.1	50
33.1	51	Uncomment or add the following XML for the security valve:
2.1	52
16.1	53	{{code language="XML" cssClass="notranslate"}}
10.2	54	<Valve className="waffle.apache.SharedNegotiateAuthenticator"
	55	principalFormat="fqn"
	56	roleFormat="both"
	57	sharedPasswd="SecretPwdToChange"
	58	allowAddr="localhost,127.0.0.*">
	59	</Valve>
2.1	60	{{/code}}
1.1	61
7.2	62	(% class="box" %)
	63	(((
33.1	64	To uncomment, remove the <!~-~- and ~-~-> sequences surrounding the xml code.
7.2	65	)))
2.1	66
33.1	67	You need to change the shared password(sharedPasswd). This password must be identical to the one specified when configuring the Dashboard and Studio.
7.2	68
33.1	69	You can also add the addresses of authorised remote hosts(allowAddr) to allow other applications (digdash_dashboard) to connect to the DigDash Enterprise server. In the allowAddr attribute, you should add at least the IP address of your server.
1.1	70
33.1	71	It is also possible to add regular expressions for the paths whose resources are authorised to pass the valve//(excludedPaths)//, thus switching to LDAP authentication mode. For example:"/.*"
32.1	72
1.1	73	(% id="Hapache-tomcat2Fconf2Fweb.xml" %)
33.1	74	== web.xml file ==
1.1	75
33.1	76	This file is located in the following directory
26.1	77
33.1	78	* under Linux: /etc/tomcat9/
	79	* under Windows : C:\Program Files\Apache Software Foundation\Tomcat 9.0\conf
26.1	80
33.1	81	Uncomment or add the following XML for the security constraint:
1.1	82
20.1	83	{{code cssClass="notranslate" language="XML"}}
1.1	84	<security-role>
20.1	85	<role-name>Tout le monde</role-name><!-- Voir ci-dessous pour plus d'informations -->
1.1	86	</security-role>
	87	<security-constraint>
	88	<display-name>Waffle Security Constraint</display-name>
	89	<web-resource-collection>
	90	<web-resource-name>Protected Area</web-resource-name>
23.1	91	<url-pattern>digdash_dashboard*</url-pattern> <!-- Mettre ici l'url de la webapp sur laquelle
22.1	92	va s'appliquer la waffle ou utiliser /* pour tout limiter -->
1.1	93	</web-resource-collection>
	94	<auth-constraint>
	95	<role-name>Tout le monde</role-name>
	96	</auth-constraint>
	97	</security-constraint>
	98	<security-constraint>
	99	<display-name>vjdbc Security Constraint</display-name>
	100	<web-resource-collection>
	101	<web-resource-name>UnProtected Area</web-resource-name>
	102	<url-pattern>/vjdbc/*</url-pattern>
	103	</web-resource-collection>
	104	</security-constraint>
	105
	106	{{/code}}
	107
33.1	108	To find the role to use for the waffle (role-name):
20.1	109
33.1	110	* Open the waffle logs located in the file C:/Temp/dd-waffle.log.
	111	* Find the SharedNegotiateAuthenticator.java:441 line and then where the roles are located.
	112	* Select the role to use from those available (user client choice).
20.1	113
1.1	114	(% class="box warningmessage" %)
	115	(((
33.1	116	The "security role" name (role-name) MUST correspond to the real role you have in your AD (localised). Example: BUILTINUsers
1.1	117	)))
	118
33.1	119	If you are not sure of the role name you can enable debugging information for Waffle using the log4j.properties file supplied with the jar.
1.1	120
33.1	121	Simply place it in the :
1.1	122
33.1	123	* under Linux: /usr/share/tomcat9/lib/
	124	* under Windows: C:\Program Files\Apache Software Foundation\Tomcat 9.0\lib
29.1	125
33.1	126	= Configuring DigDash applications =
4.2	127
5.1	128	(% class="wikigeneratedid" id="Hdigdash.properties" %)
33.1	129	All DigDash Enterprise applications are configured via a single file: digdash.properties
4.2	130
33.1	131	The use of this file is described here: [[Externalization of parameters in a //properties// file>>doc:Digdash.deployment.configuration.advanced_system_guide.WebHome\|\|anchor="externalisation"]]
4.2	132
33.1	133	In all that follows, the default application names will be used. If you have renamed certain war files you will need to modify the digdash.properties file accordingly.
4.2	134
33.1	135	== Server (ddenterpriseapi.war) ==
4.2	136
33.1	137	Look for the definition of the authMethod parameter and change its value to NTUser or NTUserOrLDAP:
6.6	138
16.1	139	{{code language="properties" cssClass="notranslate"}}
6.6	140	ddenterpriseapi.authMethod=NTUser
	141	{{/code}}
	142
	143	//Note ~://
	144
33.1	145	The " NTUserOrLDAP" mode allows authentication on the DigDash server via Integrated Windows Security, with an option to authenticate via DigDash LDAP in case of failure.
6.6	146
33.1	147	For example, an NT domain user will automatically be able to pass the Waffle valve with his Windows authenticator, but if he does not exist in the DigDash LDAP, he will be offered a login screen to authenticate himself with a DigDash login.
6.6	148
33.1	149	In this mode, an additional " loginForm " parameter in certain URLs ensures that the DigDash login screen is always displayed. In this way, the Windows authenticator is only used to pass the Waffle valve. A typical use case is to allow a Windows user to log in as "admin" on DigDash configuration pages.
6.6	150
33.1	151	== Dashboard (digdash_dashboard.war) ==
4.2	152
33.1	153	Find the definition of the digdash_dashboard.sharedPasswd parameter.
	154	Uncomment the line by deleting the # character at the beginning of the line.
4.2	155
33.1	156	Change the password value (all applications using this parameter must use the same value).
6.2	157
16.1	158	{{code language="properties" cssClass="notranslate"}}
4.2	159	digdash_dashboard.sharedPasswd=SecretPwdToChange
1.1	160	{{/code}}
	161
	162	(% class="box warningmessage" %)
	163	(((
33.1	164	The password specified must be identical to the one you put in the <DDE install>/apache-tomcat/conf/context.xml file.
1.1	165	)))
	166
	167
	168	(% class="wikigeneratedid" id="HParamE8tresrecommandE9spourleloginautomatiquedutableaudebord" %)
33.1	169	__Recommended settings for automatic dashboard login__:
1.1	170
33.1	171	It is recommended that you configure the following settings when deploying in Integrated Windows Security (Waffle) mode.
1.1	172
33.1	173	Specify (and force) the DigDash Enterprise domain:
1.1	174
16.1	175	{{code language="properties" cssClass="notranslate"}}
6.3	176	digdash_dashboard.DOMAIN=ddenterpriseapi
	177	digdash_dashboard.FORCEDOMAIN=true
	178
1.1	179	{{/code}}
	180
33.1	181	Specify (and force) the server URL of the DigDash Enterprise domain.
	182	Use the //localhost// address if the ddenterpriseapi web application is installed on the same Tomcat as the digdash_dashboard web application.
	183	Adapt the port if necessary:
1.1	184
16.1	185	{{code language="properties" cssClass="notranslate"}}
6.3	186	digdash_dashboard.SERVERURL=http://localhost:8080
	187	digdash_dashboard.FORCESERVERURL=true
1.1	188	{{/code}}
	189
33.1	190	Specify a logout URL so that the user can log out of DigDash Enterprise and, for example, return to an Intranet page:
1.1	191
16.1	192	{{code language="properties" cssClass="notranslate"}}
6.4	193	digdash_dashboard.urlLogout=/adminconsole
1.1	194	{{/code}}
	195
	196
	197	(% class="box warningmessage" %)
	198	(((
33.1	199	By default, logging out of the dashboard returns to the dashboard login page. This page does not exist in the SSO context.
	200	It is important to specify a return URL in the event of disconnection.
1.1	201	)))
	202
33.1	203	See the documentation [[Advanced system settings>>doc:Digdash.deployment.configuration.advanced_system_guide.WebHome]] for more details on these settings.
1.1	204
19.1	205	== Studio (studio.war) ==
6.3	206
	207
7.3	208
33.1	209	(% id="cke_bm_389S" style="display:none" %)Look for (%%)the definition of the authMethod parameter .
	210	Uncomment the line by deleting the # character at the beginning of the line.
	211
16.1	212	{{code language="properties" cssClass="notranslate"}}
7.3	213	studio.authMethod=NTUserOrLDAP
	214	{{/code}}
	215
33.1	216	Look for the definition of the studio.sharedPasswd parameter.
	217	Uncomment the line by deleting the # character at the beginning of the line.
	218	Change the password value (all applications using this same parameter must use the same value).
6.3	219
16.1	220	{{code language="properties" cssClass="notranslate"}}
6.7	221	studio.sharedPasswd=SecretPwdToChange
1.1	222	{{/code}}
	223
	224	(% class="box warningmessage" %)
	225	(((
33.1	226	The password specified must be identical to the one you put in the <DDE install>/apache-tomcat/conf/context.xml file.
1.1	227	)))
	228
	229
33.1	230	__Recommended settings for automatic Studio login__:
1.1	231
33.1	232	It is recommended that you configure the following settings when deploying in Integrated Windows Security (Waffle) mode.
1.1	233
33.1	234	Specify (and force) the DigDash Enterprise domain:
1.1	235
16.1	236	{{code language="properties" cssClass="notranslate"}}
6.5	237	studio.FORCEDOMAIN=true
	238	studio.DOMAIN=ddenterpriseapi
1.1	239	{{/code}}
	240
33.1	241	Specify (and force) the server URL of the DigDash Enterprise domain.
	242	Use the //localhost// address if the ddenterpriseapi web application is installed on the same Tomcat as the studio application.
	243	Adapt the port if necessary:
1.1	244
16.1	245	{{code language="properties" cssClass="notranslate"}}
6.5	246	studio.FORCESERVERURL=true
	247	studio.SERVERURL=http://localhost:8080
1.1	248	{{/code}}
	249
33.1	250	Specify a logout URL so that the user can log out of DigDash Enterprise and, for example, return to an Intranet page:
1.1	251
16.1	252	{{code language="properties" cssClass="notranslate"}}
6.5	253	studio.urlLogout=/adminconsole
1.1	254	{{/code}}
	255
33.1	256	By default, logging out of the Studio returns to the Studio login page. This page does not exist in the SSO context.
	257	It is important to specify a return URL in the event of disconnection.

Wiki source code of Single sign-on NTLM

Sommaire