Our organisation currently uses Tomcat and Spring/Java for its internal web apps. Tomcat via Waffle allows the NTLM (SSPI) authenticated user details to be accessible in the Spring/Java app, so users do not have to log in.
The plan is that all new apps will be developed in next.js/express.js but we are currently struggling to figure out how to pass the authenticated user details from the reverse proxy web server to the next.js/express.js apps.
I am aware of iisnode but this is not viable since it no longer appears to be actively maintained, plus we would like to run the next.js/express.js instances separately from the frontend web server if possible.
So the question is: how can we do this, and with which technologies?
We have tried with IIS but can't seem to figure out a way to pass the user details down the pipe.
2 Answers
I figured it out, hurray hurray...
What I did was create an IIS C# module that injects the LOGON_USER into a header after authentication. This module runs for each request and could also be used for all sorts of other things via the HttpApplication event handlers.
In node.js you get to the header values via the request/req object:
console.log(req.headers["x-proxy-user"]);
Have a look at SSO using IIS and AD Authentication for the actual C# module, and Asp.Net – Creating a new custom HTTP Module for the http request flow.
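The backend side of this approach, as an added example that is not part of the answer above: an Express-style middleware that accepts the injected header only when the connection actually comes from the IIS proxy, and strips it otherwise, so a client that can reach the Node process directly (the question mentions running it separately from the frontend) cannot spoof an identity. The header name `x-proxy-user`, the proxy addresses and the `CORP` domain are assumptions; LOGON_USER is taken to be in `DOMAIN\user` form.

```javascript
// Constructed configuration: where the IIS reverse proxy connects from, and
// which AD domain(s) it is expected to authenticate. Adjust for your setup.
const TRUSTED_PROXIES = new Set(["127.0.0.1", "::1", "::ffff:127.0.0.1"]);
const ALLOWED_DOMAINS = new Set(["CORP"]);

// Parse the value the IIS module copied from LOGON_USER ("DOMAIN\sAMAccountName").
// Anything that does not match that exact shape (including a duplicated header,
// which Node joins as "a, b") is rejected rather than partially accepted.
function parseLogonUser(value) {
  if (typeof value !== "string") return null;
  const m = /^([A-Za-z0-9._-]{1,64})\\([A-Za-z0-9._$-]{1,64})$/.exec(value);
  if (!m) return null;
  const domain = m[1].toUpperCase();
  if (!ALLOWED_DOMAINS.has(domain)) return null;
  return { domain, user: m[2].toLowerCase() };
}

// Express-compatible middleware: app.use(proxyUserMiddleware) before any route.
// The identity is only trusted when the TCP peer is the proxy itself; the raw
// header is always removed so downstream code can only see req.user.
function proxyUserMiddleware(req, res, next) {
  const peer = req.socket && req.socket.remoteAddress;
  const raw = req.headers["x-proxy-user"];
  delete req.headers["x-proxy-user"];
  req.user = null;
  if (TRUSTED_PROXIES.has(peer) && raw !== undefined) {
    req.user = parseLogonUser(raw);
  }
  if (!req.user) {
    // No authenticated identity from the proxy: refuse rather than fall through.
    res.statusCode = 401;
    res.end("authentication required");
    return;
  }
  next();
}
```

If the proxy sits behind another load balancer, compare against that hop's address instead; the point is that the peer check is done on the socket, not on a forwardable header.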
You can forward requests to your application server by installing the URL rewrite module and creating rewrite rules. The HTTP Authorization request header can be used to provide credentials to authenticate the user agent with the server, allowing access to protected resources.
Configure IIS to forward NTLM authentication headers to the backend servers by adding the following code to the web.config file:
In your Express.js and Next.js applications, access the user's NTLM authentication details by reading the Authorization header from the incoming request. But decoding NTLM tokens is not trivial; you may need to write your own decoding function to extract the user's details from the token.