Chris Maeda looks at an approach for authenticating a servlet app using Windows passwords; he does this using JAAS with the Tagish SSPI-based login module. He walks us through the steps for configuring the Tagish login module and Tomcat.

JAAS with the Tagish SSPI-based login module is the way to go. The Tagish login module is based on the Windows SSPI API, which provides an authentication service for distributed environments using the best available protocol; i.e. it uses Kerberos when that is available and transparently falls back on NTLM when Kerbos is not available. In addition, SSPI returns the group membership information, which is necessary for servlet apps that use security roles and security constraints.

The first step in setting this up is to configure the Tagish login module according to the instructions that come with it. In a nutshell, the steps are as follows:

- Put NTSystem.dll somewhere on your path
- Put tagishauth.jar on your classpath
- Copy the tagish.login file to $JAVA_HOME/jre/lib/security
- Add this line:
login.config.url.1=file:${java.home}/lib/security/tagish.login to your java.security file (in $JAVA_HOME/jre/lib/security)

Read How to Authenticate a Servlet App with Windows Passwords

http://jcifs.samba.org/src/docs/ntlmhttpauth.html

DLLs and native libraries suck! There is a pure Java implementation of the NTLM authentication protocol here implemented as a Filter to boot!

DLLs and native libraries suck!

In many cases the main disadvantage of solutions using native libraries is they aren't portable, i.e when you have an app server running on a Linux box. Anyway perhaps this little DLL doesn't cause any problems with other apps in your windows server, but the same can be said about pure Java solutions, that have a vast amount of dependencies and obscure JARs to add to your classpath.

Authentication against a Windows mechanism should have a clear and easy to find example in http://java.sun.com. The example of course exist, but it is buried in the JNDI tutorial (follow it step by step and voilá) But if you need to authenticate against a Windows NT mechanism (NTLM), your good luck is over, which is unfortunate for those that still have to support NT domains. Therefore I agree any information in this regard is welcome.

There is a pure Java implementation of the NTLM authentication protocol here implemented as a Filter to boot!

Samba's jCIFS supports only NTLM (i.e. NT4), and not Kerberos (win2K) unless I am mistaken.

This is one of those things (like form uploads), that many need but (suprisingly) isn't standardized. Any help is appreciated.

I'll definitely have to try out this method (as well as the Samba NTLM link mentioned in the article).

But here's what I do for now: use the IIS-Tomcat connector, use Integrated Authentication on the directory for the context of the webapp, and route all requests through a default.asp file that forces the authentication to happen, and then use getRemoteUser to get the user data. Everything else is done just through talking LDAP to Active Directory to get user information. I'm not trying to use Group membership information, however.

I also use IIS-Tomcat connector in my projects. Could you explain me in more detail how do you do Integrated Authentication with IIS-Tomcat connector? You can email me: nrsimoes at hotpop dot com. Thanks.

Is anybody using Wedgetail's product?

http://www.wedgetail.com/jcsi/kerberos/index.html

http://www.wedgetail.com/jcsi/sso/index.html

IMHO, You should *know* definitevly what domain you will be authenticating against. Authentication domains should not fall back transparently. Its cool to provide multiple authentication backends, but this should not be transparent to the applciation. Different idenity/credentials may(should) yeild different levels of authorization and that is something that should be left up to the application.

<br><br>
I apologize if this is addressed in the configuration. I haven't looked at it. This is merely in response to the vocabulary used in the post.

add a preview button :-)

Not exactly single-sign-on with automatic passing of workstation credentials, but we used this approach below to authenticate web and Swing client users (client on any platform; app server on Linux). Users still have to enter login and password for the app, but at least it's the one they use for workstation login.

We wrote a custom JAAS login module that authenticates against a PDC/SDC using a regular old LDAP bind w/ password (to port 389 on the DC). Bind with user@domain. Then, once bound, if need be, you can even query user groups/props/attrs LDAP-style.

The not-insignificant downside is that the password goes cleartext over the LAN/WAN - likely a problem in some shops. Otherwise, it works like a champ. And, not sure if LDAP is open out-of-the-box default on a DC or not.

Mike

Authentication filters are easy to setup, but the problem is implenting a sign-out.

Implementing a Windows-based authentication in Java is very simple with JCIFS:


import jcifs.UniAddress;
import jcifs.smb.NtlmPasswordAuthentication;
import jcifs.smb.SmbSession;
import java.net.InetAddress;

...

InetAddress ip = InetAddress.getByName("192.168.0.1."); // ip address of your windows controller
UniAddress myDomain = new UniAddress(ip);
NtlmPasswordAuthentication auth = new NtlmPasswordAuthentication("MYDOMAIN", "mylogin", "mypasword");
SmbSession.logon(myDomain, auth);

If an exception is thrown, the controller didn’t like the login and the password.

An HTML form will suffice to grab the "login" and "password". However, it is recommended to use HTTPS instead of HTTP between the web browser and the HTTP server.

To authenticate users via NTLM using JAAS on any platform,
try this :
http://www.jaaslounge.org/

JaasLounge is an open-source implementation of platform-independent JAAS login modules.

The first release offers JAAS NTLM authentication via JCIFS.