Browser asks for login and password when I connect to the service


I use Spring Security with Waffle in my service. When I connect to the service locally (browser and Tomcat running on the same computer), everything works very well (the browser does not ask for a login and password). When I connect to the service from another computer, the browser always asks for a login and password.

This is my web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="http://java.sun.com/xml/ns/javaee" 
         xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee 
   http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         id="WebApp_ID" version="2.5">
    <!--
        Deployment descriptor for a Struts 2 application secured by Spring Security
        with Waffle (Windows Negotiate/NTLM) authentication.

        Filter order matters: the servlet container runs filters in the order of the
        <filter-mapping> elements below, so for every request the chain is
        springSecurityFilterChain, then SecurityFilter (Waffle), then struts2.
    -->
    <display-name>Struts 2 Spring Security 4</display-name>

    <!--SPRING SECURITY-->
    <!-- Location of the Spring Security context; it is loaded by the ContextLoaderListener declared further down. -->
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            /WEB-INF/spring-security/context.xml
        </param-value>
    </context-param>

    <!-- Delegates to the Spring bean named springSecurityFilterChain, i.e. the <sec:http> chain of the Spring context. -->
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter> 

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <!--SPRING SECURITY--> 

    <!--
        NOTE(review): this registers Waffle's servlet-level NegotiateSecurityFilter on /*
        in addition to the springSecurityFilterChain above, whose Spring context already
        contains waffle.spring.NegotiateSecurityFilter as a custom filter. Two Negotiate
        filters on the same URL pattern is unusual and each may issue its own 401
        challenge; confirm that both are intended rather than one of the two setups.
    -->
    <filter>
        <filter-name>SecurityFilter</filter-name>
        <filter-class>waffle.servlet.NegotiateSecurityFilter</filter-class>
        <init-param>
            <!-- Authentication schemes this filter offers; the 401 response shown in the question advertises Negotiate and NTLM in this order. -->
            <param-name>waffle.servlet.spi.NegotiateSecurityFilterProvider/protocols</param-name>
                <param-value>
                    Negotiate
                    NTLM                    
                </param-value>
        </init-param>
    </filter>

    <filter-mapping>
      <filter-name>SecurityFilter</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>  


    <!-- Struts 2-->
    <!-- Struts dispatcher; runs last in the chain, after both security filters. -->
    <filter>
        <filter-name>struts2</filter-name>
        <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>struts2</filter-name>
        <url-pattern>/*</url-pattern>       
    </filter-mapping>    
    <!-- Struts 2-->

    <!-- Bootstraps the Spring root context from contextConfigLocation above. -->
    <listener>
        <listener-class>
            org.springframework.web.context.ContextLoaderListener
        </listener-class>
    </listener>

    <!-- Publishes HttpSession created/destroyed events to Spring Security (needed for session registry / concurrency control). -->
    <listener>
        <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
    </listener>

    <!-- Struts Tiles Listener -->
    <listener>
        <listener-class>
            org.apache.struts2.tiles.StrutsTilesListener
        </listener-class>
    </listener>
    <!-- Struts Tiles Listener -->

    <!-- Application-specific listener; not part of the security setup as far as this file shows. -->
    <listener>
        <listener-class>
            ru.dpd.vms.pss.scheduler.SchedulerListener
        </listener-class>
    </listener>

    <!-- Tiles definitions file read by the StrutsTilesListener above. -->
    <context-param>
        <param-name>org.apache.tiles.impl.BasicTilesContainer.DEFINITIONS_CONFIG</param-name>
        <param-value>
            /WEB-INF/tiles.xml
        </param-value>
    </context-param>    

    <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>

    <!-- Session idle timeout in minutes; 120 minutes is fairly long for an authenticated session, so confirm this is intended. -->
    <session-config>
        <session-timeout>120</session-timeout>
    </session-config>

</web-app>

This is the Spring context:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xmlns:sec="http://www.springframework.org/schema/security"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">

    <!--
        Spring Security configuration for Waffle-based Windows authentication.
        The HTTP entry point and the custom Negotiate filter share the same
        SecurityFilterProviderCollection (Negotiate + Basic), so every 401 challenge
        advertises Negotiate, NTLM and Basic, which matches the failed-login response
        headers shown in the question.
    -->
    <!-- request-matcher="regex": the intercept-url patterns (elided below) are regular expressions, not Ant-style paths. -->
    <sec:http   auto-config="true"
                use-expressions="true" 
                request-matcher="regex"
                entry-point-ref="negotiateSecurityFilterEntryPoint" >

        <!--
            NOTE(review): CSRF protection is disabled for the whole application. With
            Negotiate/NTLM the browser attaches credentials automatically, so a cross-site
            request that changes state is not stopped by the login step; confirm this is
            acceptable or re-enable it.
        -->
        <sec:csrf disabled="true"/>

        <!-- Waffle performs the Negotiate handshake at the position before Spring's Basic filter; customFilter (ru.yyy.vms.pss.ntlm.CustomFilter) runs after that position. -->
        <sec:custom-filter ref="waffleNegotiateSecurityFilter" before="BASIC_AUTH_FILTER" />
        <sec:custom-filter ref="customFilter" after="BASIC_AUTH_FILTER"/>


Here is some <sec:intercept-url/> 

    </sec:http>


    <!--
        NOTE(review): including the Basic provider means the 401 challenge also carries
        WWW-Authenticate: Basic (see the failed-login headers in the question). A browser
        that does not attempt Negotiate for this host (for example because the site is not
        in its trusted intranet zone) presumably falls through to this Basic prompt, which
        is the login box described; and because the site is served over plain http, any
        password typed there travels base64-encoded rather than encrypted. Drop this
        provider if a Basic fallback is not wanted.
    -->
    <bean id="basicSecurityFilterProvider" class="waffle.servlet.spi.BasicSecurityFilterProvider">
        <constructor-arg ref="waffleWindowsAuthProvider" />
    </bean>

    <!-- Providers tried in list order: Negotiate/NTLM first, then Basic. Used by both the entry point and the Negotiate filter below. -->
    <bean id="waffleSecurityFilterProviderCollection" class="waffle.servlet.spi.SecurityFilterProviderCollection">
    <constructor-arg>
        <list>
            <ref bean="negotiateSecurityFilterProvider" />
            <ref bean="basicSecurityFilterProvider" />               
        </list>
    </constructor-arg>
    </bean>

    <!-- Handles the SPNEGO/NTLM token exchange against the local Windows auth provider. -->
    <bean id="negotiateSecurityFilterProvider" class="waffle.servlet.spi.NegotiateSecurityFilterProvider">
        <constructor-arg ref="waffleWindowsAuthProvider" />
    </bean>

    <!-- Sends the 401 challenge for unauthenticated requests; the challenge headers come from the provider collection. -->
    <bean id="negotiateSecurityFilterEntryPoint" class="waffle.spring.NegotiateSecurityFilterEntryPoint">
        <property name="Provider" ref="waffleSecurityFilterProviderCollection" />
    </bean>


    <!-- The alias "authenticationProvider" names the AuthenticationManager itself, not a provider; the provider is the bean referenced inside. -->
    <sec:authentication-manager alias="authenticationProvider">
        <sec:authentication-provider ref="waffleSpringAuthenticationProvider" />
    </sec:authentication-manager>


    <!-- Native Windows authentication (the machine or domain the Tomcat host belongs to). -->
    <bean id="waffleWindowsAuthProvider" class="waffle.windows.auth.impl.WindowsAuthProviderImpl" />


    <bean id="waffleSpringAuthenticationProvider" class="waffle.spring.WindowsAuthenticationProvider">
        <!-- Windows Guest accounts are refused. -->
        <property name="allowGuestLogin" value="false" />
        <!-- Principal rendered in Waffle's fqn form (DOMAIN\user). -->
        <property name="principalFormat" value="fqn" />
        <!-- Roles exposed both by group name and by SID. -->
        <property name="roleFormat" value="both" />
        <property name="authProvider" ref="waffleWindowsAuthProvider" />

    </bean>

    <!--
        Same settings as waffleSpringAuthenticationProvider, for the filter wired into <sec:http> above.
        Property names here start with an upper-case letter ("Provider", "AllowGuestLogin", ...) while the
        bean above uses lowerCamel; it evidently works (the local case authenticates), but one convention
        throughout would be tidier.
    -->
    <bean id="waffleNegotiateSecurityFilter" class="waffle.spring.NegotiateSecurityFilter">
        <property name="Provider" ref="waffleSecurityFilterProviderCollection" />
        <property name="AllowGuestLogin" value="false" />

        <property name="PrincipalFormat" value="fqn" />
        <property name="RoleFormat" value="both" />

    </bean>

    <!-- Application-specific filter; its behaviour is not shown on this page. -->
    <bean id="customFilter" class="ru.yyy.vms.pss.ntlm.CustomFilter"></bean>
</beans>

I would be really glad of any advice. Thank you.

1) What happens when you cancel the login box (screenshot)? enter image description here 2) What happens if you enter some (probably fake) credentials (screenshot)? The site shows up in this case; I wouldn't want to publish it. 3) What shows up in the debugger's Network tab (screenshot + copied plain text)? Successful login:

Request URL: http://yyy/wyyy/welcome.do
Request Method: GET
Status Code: 200 OK
Remote Address: 10.239.254.213:8088
Referrer Policy: no-referrer-when-downgrade
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Type: text/html;charset=UTF-8
Date: Wed, 07 Nov 2018 07:07:08 GMT
Expires: 0
Pragma: no-cache
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=E9CCCF0A98F62D56A43EBC383D759DE8; Path=/wyyy/; HttpOnly
Transfer-Encoding: chunked
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: ru-RU,ru;q=0.9,en-US;q=0.8,en;q=0.7
Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAvAjAAAADw==
Connection: keep-alive
Cookie: JSESSIONID=AA48EC52FF03298E8217D5A4DF9D3D73
Host: yyy
Upgrade-Insecure-Requests: 1

failed login

Request URL: http://yyy/wyyy/welcome.do
Request Method: GET
Status Code: 401 Unauthorized
Remote Address: 10.239.254.213:8088
Referrer Policy: no-referrer-when-downgrade
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Connection: close
Content-Language: en
Content-Length: 994
Content-Type: text/html;charset=utf-8
Date: Wed, 07 Nov 2018 07:15:14 GMT
Expires: 0
Pragma: no-cache
Server: Apache-Coyote/1.1
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="BasicSecurityFilterProvider"
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: ru-RU,ru;q=0.9,en-US;q=0.8,en;q=0.7
Connection: keep-alive
Cookie: JSESSIONID=657AC285B9FF43405FADD51026088F4D
Host: yyy
Upgrade-Insecure-Requests: 1



Hi. You need to activate Windows integrated authentication in the browser, or add your site to the local intranet zone, on each client computer:

https://specopssoft.com/blog/configuring-chrome-and-firefox-for-windows-integrated-authentication/

https://itkb.csulb.edu/display/help/Adding+Sites+to+Local+Intranet+in+Browser+Settings

Alternatively, you can follow the steps below:

1) Install the Apache web server and configure it to use NTLM authentication via mod_ntlm.

2) Configure mod_jk between Apache and your servlet container (JBoss or Tomcat): http://tomcat.apache.org/connectors-doc/generic_howto/proxy.html After successful authentication Apache passes the REMOTE_USER header to the servlet container; as its name suggests, the header contains the user name of the authenticated user. Make sure you configure tomcatAuthentication="false" so that Tomcat accepts the REMOTE_USER sent by Apache. Note that Tomcat will then trust whatever user name arrives on that connector, so the AJP connector must be reachable only from Apache and not directly from clients.

3) Implement and configure in Spring Security your own PreAuthenticatedProcessingFilter: http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#d0e6167

It should be very similar to the Request-Header Authentication filter: http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#d0e6295

In addition, you should strip the domain name from the user name. The user name is sent in the REMOTE_USER header after NTLM authentication.