
How to Authenticate a Servlet App with Windows Passwords

Posted by: Nitin Bharti on August 16, 2004
Chris Maeda looks at an approach for authenticating a servlet app using Windows passwords; he does this using JAAS with the Tagish SSPI-based login module. He walks us through the steps for configuring the Tagish login module and Tomcat.
JAAS with the Tagish SSPI-based login module is the way to go. The Tagish login module is based on the Windows SSPI API, which provides an authentication service for distributed environments using the best available protocol; i.e. it uses Kerberos when that is available and transparently falls back on NTLM when Kerberos is not available. In addition, SSPI returns the group membership information, which is necessary for servlet apps that use security roles and security constraints.

The first step in setting this up is to configure the Tagish login module according to the instructions that come with it. In a nutshell, the steps are as follows:

- Put NTSystem.dll somewhere on your path
- Put tagishauth.jar on your classpath
- Copy the tagish.login file to $JAVA_HOME/jre/lib/security
- Add this line to your java.security file (in $JAVA_HOME/jre/lib/security):
  login.config.url.1=file:${java.home}/lib/security/tagish.login
Read How to Authenticate a Servlet App with Windows Passwords
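An added example, not from the article, the post, or the Tagish distribution, of how a servlet application drives a JAAS login module such as Tagish's once the configuration above is in place: a CallbackHandler hands over the form credentials, LoginContext runs the module, and the principals the module puts in the Subject (for an SSPI module, the user and group names) become the role checks the servlet needs. The entry name TagishLogin and the module class in the commented configuration are assumptions (the real class name comes from the Tagish README); everything else uses only the standard javax.security.auth API.

```java
// Assumed JAAS entry in tagish.login (placeholder class name, not a real one):
//
//   TagishLogin {
//       com.example.PLACEHOLDER_TagishLoginModule required;
//   };
//
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Set;
import java.util.TreeSet;

public final class JaasWindowsLogin {

    /** Supplies the name and password that the login module asks for. */
    static final class FormCallbackHandler implements CallbackHandler {
        private final String user;
        private final char[] password;

        FormCallbackHandler(String user, char[] password) {
            this.user = user;
            this.password = password;
        }

        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb, "unexpected callback");
                }
            }
        }
    }

    /**
     * Runs the JAAS login for the assumed entry "TagishLogin" and returns the
     * names of every principal the module placed in the Subject, or throws
     * LoginException when the domain rejected the credentials.
     */
    public static Set<String> login(String user, char[] password) throws LoginException {
        if (user == null || user.isEmpty() || password == null || password.length == 0) {
            // Refuse before contacting the module: an empty field is not a login
            // attempt, and back ends differ in how they treat empty credentials.
            throw new LoginException("empty user name or password");
        }
        LoginContext lc = new LoginContext("TagishLogin", new FormCallbackHandler(user, password));
        try {
            lc.login();
            Subject subject = lc.getSubject();
            Set<String> names = new TreeSet<String>();
            for (Principal p : subject.getPrincipals()) {
                names.add(p.getName());
            }
            return names;
        } finally {
            Arrays.fill(password, '\0'); // do not keep the clear-text password in memory
        }
    }

    /** Role check in the servlet's terms: is the required group among the principals? */
    public static boolean hasRole(Set<String> principalNames, String requiredGroup) {
        return principalNames.contains(requiredGroup);
    }
}
```

LoginContext finds the "TagishLogin" entry through the login.config.url.1 line added to java.security in the steps above (or, equivalently, through -Djava.security.auth.login.config on the command line). Which principal class carries the group names is module-specific, so a real deployment would filter getPrincipals() by that class rather than treating every principal as a role.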

Message #134498

Why bother?

Posted by: Martin Crawford on August 17, 2004 in response to Message #134314
http://jcifs.samba.org/src/docs/ntlmhttpauth.html

DLLs and native libraries suck! There is a pure Java implementation of the NTLM authentication protocol here implemented as a Filter to boot!

Message #134514

Thank You!

Posted by: Gary Steinmetz on August 17, 2004 in response to Message #134314
This is one of those things (like form uploads) that many need but (surprisingly) isn't standardized. Any help is appreciated.

Message #134524

Simple Method

Posted by: Stephen Duncan on August 17, 2004 in response to Message #134314
I'll definitely have to try out this method (as well as the Samba NTLM link mentioned in the article).

But here's what I do for now: use the IIS-Tomcat connector, use Integrated Authentication on the directory for the context of the webapp, and route all requests through a default.asp file that forces the authentication to happen, and then use getRemoteUser to get the user data. Everything else is done just through talking LDAP to Active Directory to get user information. I'm not trying to use Group membership information, however.

Message #134525

Why bother?

Posted by: javier castanon on August 17, 2004 in response to Message #134498
DLLs and native libraries suck!
In many cases the main disadvantage of solutions using native libraries is that they aren't portable, i.e. when you have an app server running on a Linux box. Anyway, perhaps this little DLL doesn't cause any problems with other apps in your Windows server, but the same can be said about pure Java solutions, which have a vast amount of dependencies and obscure JARs to add to your classpath.

Authentication against a Windows mechanism should have a clear and easy-to-find example on http://java.sun.com. The example of course exists, but it is buried in the JNDI tutorial (follow it step by step and voilà). But if you need to authenticate against a Windows NT mechanism (NTLM), your good luck is over, which is unfortunate for those that still have to support NT domains. Therefore I agree any information in this regard is welcome.

Message #134527

Why bother?

Posted by: Patrice Matignon on August 17, 2004 in response to Message #134498
There is a pure Java implementation of the NTLM authentication protocol here implemented as a Filter to boot!
Samba's jCIFS supports only NTLM (i.e. NT4), and not Kerberos (win2K) unless I am mistaken.

Message #134537

Wedgetail JCSI

Posted by: Sean Sullivan on August 17, 2004 in response to Message #134314
Is anybody using Wedgetail's product?

http://www.wedgetail.com/jcsi/kerberos/index.html

http://www.wedgetail.com/jcsi/sso/index.html

Message #134589

don't fall back

Posted by: Mike Stanley on August 18, 2004 in response to Message #134314
IMHO, you should *know* definitively what domain you will be authenticating against. Authentication domains should not fall back transparently. It's cool to provide multiple authentication backends, but this should not be transparent to the application. Different identity/credentials may (should) yield different levels of authorization and that is something that should be left up to the application.

I apologize if this is addressed in the configuration. I haven't looked at it. This is merely in response to the vocabulary used in the post.

Message #134590

please server side

Posted by: Mike Stanley on August 18, 2004 in response to Message #134589
add a preview button :-)

Message #134961

Alternative for non-Windows AS: LDAP bind > PDC

Posted by: Mike Finn on August 19, 2004 in response to Message #134314
Not exactly single-sign-on with automatic passing of workstation credentials, but we used this approach below to authenticate web and Swing client users (client on any platform; app server on Linux). Users still have to enter login and password for the app, but at least it's the one they use for workstation login.

We wrote a custom JAAS login module that authenticates against a PDC/SDC using a regular old LDAP bind w/ password (to port 389 on the DC). Bind with user@domain. Then, once bound, if need be, you can even query user groups/props/attrs LDAP-style.

The not-insignificant downside is that the password goes cleartext over the LAN/WAN - likely a problem in some shops. Otherwise, it works like a champ. And, not sure if LDAP is open out-of-the-box default on a DC or not.

Mike
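An added example, not Mike's module, of the approach he describes: a simple LDAP bind as user@domain against a domain controller, followed by a memberOf lookup for the groups. It departs from the post in two places that address the cleartext downside and a classic bind pitfall: it accepts only an ldaps:// URL, so the password travels inside TLS, and it refuses empty passwords, because an LDAP simple bind that carries a name but no password is treated by the server as an anonymous bind (RFC 4513's unauthenticated bind) rather than as a failure. The class name, controller host name and search base are assumptions; the JNDI calls are the standard javax.naming API.

```java
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.PartialResultException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;

public final class LdapDomainAuthenticator {

    private final String providerUrl;  // assumed: "ldaps://dc1.example.local:636"
    private final String searchBase;   // assumed: "DC=example,DC=local"

    public LdapDomainAuthenticator(String providerUrl, String searchBase) {
        if (!providerUrl.startsWith("ldaps://")) {
            // A simple bind sends the password as-is; only allow it inside TLS.
            throw new IllegalArgumentException("require an ldaps:// URL for simple bind");
        }
        this.providerUrl = providerUrl;
        this.searchBase = searchBase;
    }

    /**
     * Binds as user@domain with the supplied password and returns the DNs of the
     * groups the account is a direct member of. Throws NamingException when the
     * controller rejects the bind.
     */
    public List<String> authenticate(String userPrincipalName, char[] password) throws NamingException {
        // Guard against the unauthenticated bind: a name with an empty password
        // binds anonymously on AD and most other servers, which must never count
        // as a successful login.
        if (userPrincipalName == null || !userPrincipalName.contains("@")
                || password == null || password.length == 0) {
            throw new NamingException("refusing bind with empty credentials or non-UPN name");
        }
        Hashtable<String, Object> env = new Hashtable<String, Object>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, providerUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userPrincipalName);
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put(Context.REFERRAL, "ignore"); // never let a referral move the bind elsewhere

        DirContext ctx = new InitialDirContext(env); // this performs the bind
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] { "memberOf" });
            // The UPN goes in as a filter argument ({0}) so JNDI escapes any
            // filter metacharacters instead of splicing them into the filter.
            NamingEnumeration<SearchResult> results = ctx.search(searchBase,
                    "(&(objectClass=user)(userPrincipalName={0}))",
                    new Object[] { userPrincipalName }, sc);
            List<String> groups = new ArrayList<String>();
            try {
                while (results.hasMore()) {
                    Attribute memberOf = results.next().getAttributes().get("memberOf");
                    if (memberOf == null) {
                        continue;
                    }
                    NamingEnumeration<?> values = memberOf.getAll();
                    while (values.hasMore()) {
                        groups.add(values.next().toString());
                    }
                }
            } catch (PartialResultException e) {
                // AD answers a domain-root search with referrals to other
                // partitions; with REFERRAL=ignore JNDI reports them here,
                // after the real entries have already been read.
            }
            return groups;
        } finally {
            ctx.close();
        }
    }
}
```

To Mike's last point: port 389 is open on a domain controller by default, but LDAPS on 636 only answers once the controller holds a server certificate it can use, and the Java trust store must contain the issuing CA or the TLS handshake fails. The memberOf attribute lists direct memberships only; nested group membership needs a further lookup.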

Message #135870

A simple and portable solution

Posted by: Thierry Danard on August 26, 2004 in response to Message #134314
Authentication filters are easy to set up, but the problem is implementing a sign-out.

Implementing a Windows-based authentication in Java is very simple with JCIFS:


import jcifs.UniAddress;
import jcifs.smb.NtlmPasswordAuthentication;
import jcifs.smb.SmbException;
import jcifs.smb.SmbSession;
import java.net.InetAddress;
import java.net.UnknownHostException;

...

try {
    InetAddress ip = InetAddress.getByName("192.168.0.1"); // ip address of your windows domain controller
    UniAddress myDomain = new UniAddress(ip);
    NtlmPasswordAuthentication auth = new NtlmPasswordAuthentication("MYDOMAIN", "mylogin", "mypassword");
    SmbSession.logon(myDomain, auth); // returns normally only if the controller accepted the credentials
} catch (UnknownHostException e) {
    // the controller address could not be resolved
} catch (SmbException e) {
    // the controller rejected the login and password
}

If an exception is thrown, the controller didn’t like the login and the password.

An HTML form will suffice to grab the "login" and "password". However, it is recommended to use HTTPS instead of HTTP between the web browser and the HTTP server.
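An added example, not from Thierry's post, of the HTML-form side he describes wired to the JCIFS logon above: the servlet refuses to take a password over plain HTTP, rejects empty fields before contacting the controller, and replaces the HTTP session after a successful login so a session id handed out before authentication does not become an authenticated one. The domain and controller names are constructed values and the servlet class name is an assumption; the jcifs calls are the ones used in the post.

```java
import jcifs.UniAddress;
import jcifs.smb.NtlmPasswordAuthentication;
import jcifs.smb.SmbException;
import jcifs.smb.SmbSession;
import java.io.IOException;
import java.net.UnknownHostException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class FormLoginServlet extends HttpServlet {
    private static final String DOMAIN = "MYDOMAIN";            // constructed
    private static final String DC_NAME = "dc1.mydomain.local"; // constructed

    /** True only when the domain controller accepted the login and password. */
    static boolean checkCredentials(String user, String password) {
        // Empty fields are not a login attempt; reject them here instead of
        // relying on how the SMB layer treats empty credentials.
        if (user == null || user.isEmpty() || password == null || password.isEmpty()) {
            return false;
        }
        try {
            UniAddress dc = UniAddress.getByName(DC_NAME);
            SmbSession.logon(dc, new NtlmPasswordAuthentication(DOMAIN, user, password));
            return true;
        } catch (UnknownHostException e) {
            return false; // no controller reachable: fail closed
        } catch (SmbException e) {
            return false; // controller rejected the credentials
        }
    }

    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!req.isSecure()) {
            // Never accept a password over plain HTTP.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "login requires HTTPS");
            return;
        }
        String user = req.getParameter("login");
        String password = req.getParameter("password");
        if (!checkCredentials(user, password)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Drop any pre-login session and start a fresh one for the
        // authenticated user (session fixation defence).
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = req.getSession(true);
        session.setAttribute("user", DOMAIN + "\\" + user);
        resp.sendRedirect(req.getContextPath() + "/");
    }
}
```

req.isSecure() reflects the connection the servlet container itself sees; when TLS terminates at a front-end proxy the container must be configured to trust the proxy's forwarded-protocol header, or this check will reject every login. Sign-out, the part Thierry flags as the hard one, is then just session.invalidate() on a POST to a logout URL.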

Message #158033

How to Authenticate a Servlet App with Windows Passwords

Posted by: jerome petit on February 22, 2005 in response to Message #134314
To authenticate users via NTLM using JAAS on any platform,
try this :
http://www.jaaslounge.org/

JaasLounge is an open-source implementation of platform-independent JAAS login modules.

The first release offers JAAS NTLM authentication via JCIFS.

Message #183566

Simple Method

Posted by: Nuno Ferreira on September 05, 2005 in response to Message #134524
I also use the IIS-Tomcat connector in my projects. Could you explain to me in more detail how you do Integrated Authentication with the IIS-Tomcat connector? You can email me: nrsimoes@hotpop.com. Thanks.


All Content Copyright ©2007 TheServerSide