JAAS with the Tagish SSPI-based login module is the way to go. The Tagish login module is based on the Windows SSPI API, which provides an authentication service for distributed environments using the best available protocol; i.e. it uses Kerberos when that is available and transparently falls back on NTLM when Kerberos is not available. In addition, SSPI returns the group membership information, which is necessary for servlet apps that use security roles and security constraints.
Read How to Authenticate a Servlet App with Windows Passwords
The first step in setting this up is to configure the Tagish login module according to the instructions that come with it. In a nutshell, the steps are as follows:
- Put NTSystem.dll somewhere on your path
- Put tagishauth.jar on your classpath
- Copy the tagish.login file to $JAVA_HOME/jre/lib/security
- Add this line to your java.security file (in $JAVA_HOME/jre/lib/security): login.config.url.1=file:${java.home}/lib/security/tagish.login
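Once the module is registered this way, a servlet (or any Java program) drives it through the standard JAAS API and reads the user and group Principals the module attaches to the Subject. The following is an added example, not code from the article or from the Tagish distribution: it assumes the login configuration entry is named NTLogin (the entry name in the shipped tagish.login is an assumption here; use whatever your file declares), that the module collects the user name and password through the standard NameCallback/PasswordCallback, and that group membership comes back as additional Principals whose names the application maps onto its own roles.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class WindowsLogin {

    // Name of the entry in tagish.login. ASSUMED here; check your copy of the file.
    private static final String CONFIG_ENTRY = "NTLogin";

    /** Hands the user name and password to whichever login module asks for them. */
    static final class FormCallbackHandler implements CallbackHandler {
        private final String user;
        private final char[] password;

        FormCallbackHandler(String user, char[] password) {
            this.user = user;
            this.password = password;
        }

        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb, "unexpected callback");
                }
            }
        }
    }

    /**
     * Authenticates against the Windows domain through the configured login module
     * and returns the names of every Principal the module attached to the Subject
     * (the user plus the groups it belongs to). Throws LoginException on bad credentials.
     */
    public static Set<String> login(String user, char[] password) throws LoginException {
        LoginContext lc = new LoginContext(CONFIG_ENTRY, new FormCallbackHandler(user, password));
        try {
            lc.login();                       // runs the module's login() and commit() phases
            Subject subject = lc.getSubject();
            Set<String> names = new HashSet<String>();
            for (Principal p : subject.getPrincipals()) {
                names.add(p.getName());
            }
            return names;
        } finally {
            Arrays.fill(password, '\0');      // don't keep the password around in memory
        }
    }

    /** Maps Windows group membership onto an application role. The group name is a placeholder. */
    public static boolean isAdmin(Set<String> principalNames) {
        return principalNames.contains("WebAppAdmins");
    }

    public static void main(String[] args) throws Exception {
        Set<String> names = login(args[0], args[1].toCharArray());
        System.out.println("Authenticated; principals: " + names);
        System.out.println("admin role: " + isAdmin(names));
    }
}
```

Run it with the JVM flag -Djava.security.auth.login.config pointing at tagish.login if you would rather not edit java.security; either way, the role check happens in the application after the module has committed the Subject, which is also where a servlet container's security-constraint mapping would look.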
How to Authenticate a Servlet App with Windows Passwords (12 messages)
- Posted by: Nate Borg
- Posted on: August 16 2004 17:01 EDT
Chris Maeda looks at an approach for authenticating a servlet app using Windows passwords; he does this using JAAS with the Tagish SSPI-based login module. He walks us through the steps for configuring the Tagish login module and Tomcat.
Threaded Messages (12)
- Why bother? by Martin Crawford on August 17 2004 15:35 EDT
- Why bother? by javier castanon on August 17 2004 19:20 EDT
- Why bother? by P Matignon on August 17 2004 19:21 EDT
- Thank You! by Gary Steinmetz on August 17 2004 17:07 EDT
- Simple Method by Stephen Duncan on August 17 2004 19:17 EDT
- Simple Method by Nuno Ferreira on September 05 2005 10:08 EDT
- Wedgetail JCSI by Sean Sullivan on August 17 2004 21:26 EDT
- don't fall back by Mike Stanley on August 18 2004 08:57 EDT
- please server side by Mike Stanley on August 18 2004 08:58 EDT
- Alternative for non-Windows AS: LDAP bind > PDC by Mike Finn on August 19 2004 23:55 EDT
- A simple and portable solution by Thierry Danard on August 26 2004 22:47 EDT
- How to Authenticate a Servlet App with Windows Passwords by jerome petit on February 22 2005 16:57 EST
Why bother?
- Posted by: Martin Crawford
- Posted on: August 17 2004 15:35 EDT
- in response to Nate Borg
http://jcifs.samba.org/src/docs/ntlmhttpauth.html
DLLs and native libraries suck! There is a pure Java implementation of the NTLM authentication protocol here, implemented as a Filter to boot!
Why bother?
- Posted by: javier castanon
- Posted on: August 17 2004 19:20 EDT
- in response to Martin Crawford
DLLs and native libraries suck!
In many cases the main disadvantage of solutions using native libraries is that they aren't portable, i.e. when you have an app server running on a Linux box. Anyway, perhaps this little DLL doesn't cause any problems with other apps in your Windows server, but the same can be said about pure Java solutions, which have a vast amount of dependencies and obscure JARs to add to your classpath.
Authentication against a Windows mechanism should have a clear and easy to find example in http://java.sun.com. The example of course exists, but it is buried in the JNDI tutorial (follow it step by step and voilà). But if you need to authenticate against a Windows NT mechanism (NTLM), your good luck is over, which is unfortunate for those that still have to support NT domains. Therefore I agree any information in this regard is welcome.
Why bother?
- Posted by: P Matignon
- Posted on: August 17 2004 19:21 EDT
- in response to Martin Crawford
There is a pure Java implementation of the NTLM authentication protocol here implemented as a Filter to boot!
Samba's jCIFS supports only NTLM (i.e. NT4), and not Kerberos (Win2K), unless I am mistaken.
Thank You!
- Posted by: Gary Steinmetz
- Posted on: August 17 2004 17:07 EDT
- in response to Nate Borg
This is one of those things (like form uploads) that many need but (surprisingly) isn't standardized. Any help is appreciated.
Simple Method
- Posted by: Stephen Duncan
- Posted on: August 17 2004 19:17 EDT
- in response to Nate Borg
I'll definitely have to try out this method (as well as the Samba NTLM link mentioned in the article).
But here's what I do for now: use the IIS-Tomcat connector, use Integrated Authentication on the directory for the context of the webapp, and route all requests through a default.asp file that forces the authentication to happen, and then use getRemoteUser to get the user data. Everything else is done just through talking LDAP to Active Directory to get user information. I'm not trying to use Group membership information, however.
Simple Method
- Posted by: Nuno Ferreira
- Posted on: September 05 2005 10:08 EDT
- in response to Stephen Duncan
I also use the IIS-Tomcat connector in my projects. Could you explain to me in more detail how you do Integrated Authentication with the IIS-Tomcat connector? You can email me: nrsimoes at hotpop dot com. Thanks.
Wedgetail JCSI
- Posted by: Sean Sullivan
- Posted on: August 17 2004 21:26 EDT
- in response to Nate Borg
Is anybody using Wedgetail's product?
http://www.wedgetail.com/jcsi/kerberos/index.html
http://www.wedgetail.com/jcsi/sso/index.html
don't fall back
- Posted by: Mike Stanley
- Posted on: August 18 2004 08:57 EDT
- in response to Nate Borg
IMHO, you should *know* definitively what domain you will be authenticating against. Authentication domains should not fall back transparently. It's cool to provide multiple authentication backends, but this should not be transparent to the application. Different identity/credentials may (should) yield different levels of authorization, and that is something that should be left up to the application.

I apologize if this is addressed in the configuration. I haven't looked at it. This is merely in response to the vocabulary used in the post.
please server side
- Posted by: Mike Stanley
- Posted on: August 18 2004 08:58 EDT
- in response to Mike Stanley
add a preview button :-)
Alternative for non-Windows AS: LDAP bind > PDC
- Posted by: Mike Finn
- Posted on: August 19 2004 23:55 EDT
- in response to Nate Borg
Not exactly single-sign-on with automatic passing of workstation credentials, but we used this approach below to authenticate web and Swing client users (client on any platform; app server on Linux). Users still have to enter login and password for the app, but at least it's the one they use for workstation login.
We wrote a custom JAAS login module that authenticates against a PDC/SDC using a regular old LDAP bind w/ password (to port 389 on the DC). Bind with user@domain. Then, once bound, if need be, you can even query user groups/props/attrs LDAP-style.
The not-insignificant downside is that the password goes cleartext over the LAN/WAN, likely a problem in some shops. Otherwise, it works like a champ. And I'm not sure if LDAP is open out-of-the-box by default on a DC or not.
Mike
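The bind-as-user@domain approach described in the post above, written out with JNDI as an added example (not Mike Finn's own module, which is not shown). Host name, base DN and UPN suffix are placeholders. The example binds over ldaps:// so the password is not sent in the clear, which addresses the downside he mentions; it also refuses an empty password, because an LDAP server treats a bind with a name and no password as an anonymous bind rather than a failed one, and it escapes the user name before putting it into a search filter.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class DomainLdapAuth {

    // Placeholders: point these at your own domain controller and naming context.
    // ldaps:// on 636 keeps the bind password off the wire, unlike ldap:// on 389.
    private static final String LDAP_URL = "ldaps://dc1.example.corp:636";
    private static final String SEARCH_BASE = "DC=example,DC=corp";
    private static final String UPN_SUFFIX = "@example.corp";

    /**
     * Binds to the domain controller as user@domain with the supplied password.
     * Returns the DNs of the user's groups (memberOf) on success, or null if the
     * DC rejected the credentials. Other LDAP failures propagate as NamingException
     * so a DC outage is never reported to the caller as a wrong password.
     */
    public static List<String> authenticate(String samAccountName, char[] password) throws NamingException {
        if (samAccountName == null || samAccountName.length() == 0 || password == null || password.length == 0) {
            return null;   // an empty password would otherwise succeed as an anonymous bind
        }
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, samAccountName + UPN_SUFFIX);
        env.put(Context.SECURITY_CREDENTIALS, new String(password));

        DirContext ctx;
        try {
            ctx = new InitialDirContext(env);   // the bind itself is the authentication step
        } catch (AuthenticationException e) {
            return null;                        // wrong user name or password
        }
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] { "memberOf" });
            String filter = "(&(objectClass=user)(sAMAccountName=" + escapeFilter(samAccountName) + "))";
            NamingEnumeration<SearchResult> results = ctx.search(SEARCH_BASE, filter, sc);
            List<String> groups = new ArrayList<String>();
            if (results.hasMore()) {
                Attribute memberOf = results.next().getAttributes().get("memberOf");
                if (memberOf != null) {
                    for (int i = 0; i < memberOf.size(); i++) {
                        groups.add((String) memberOf.get(i));
                    }
                }
            }
            return groups;
        } finally {
            ctx.close();
        }
    }

    /** Escapes the characters RFC 4515 reserves so a user name cannot rewrite the search filter. */
    static String escapeFilter(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

A JAAS LoginModule built on this would call authenticate() from its login() method and, in commit(), add one Principal for the user and one per returned group DN, so the servlet container's role mapping works the same way as with the SSPI module in the article.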
A simple and portable solution
- Posted by: Thierry Danard
- Posted on: August 26 2004 22:47 EDT
- in response to Nate Borg
Authentication filters are easy to set up, but the problem is implementing a sign-out.
Implementing a Windows-based authentication in Java is very simple with JCIFS:
import jcifs.UniAddress;
import jcifs.smb.NtlmPasswordAuthentication;
import jcifs.smb.SmbException;
import jcifs.smb.SmbSession;
import java.net.InetAddress;
...
InetAddress ip = InetAddress.getByName("192.168.0.1"); // IP address of your Windows domain controller
UniAddress myDomain = new UniAddress(ip);
NtlmPasswordAuthentication auth = new NtlmPasswordAuthentication("MYDOMAIN", "mylogin", "mypasword");
SmbSession.logon(myDomain, auth); // throws SmbException if the domain controller rejects the credentials
If an exception is thrown, the controller didn't like the login and the password.
An HTML form will suffice to grab the "login" and "password". However, it is recommended to use HTTPS instead of HTTP between the web browser and the HTTP server.
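The form-based flow sketched in the post above, as an added example (not Thierry Danard's code): a servlet that validates the posted credentials against the domain controller with the same jCIFS SmbSession.logon call, stores the result in the HTTP session, and implements the sign-out he mentions by simply invalidating that session. Domain name, DC host name and the form field names are placeholders, and the form is assumed to be served over HTTPS. A failed logon (SmbAuthException) is separated from a DC that cannot be reached, so an outage is not reported to the user as a bad password.

```java
import java.io.IOException;
import java.net.UnknownHostException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import jcifs.UniAddress;
import jcifs.smb.NtlmPasswordAuthentication;
import jcifs.smb.SmbAuthException;
import jcifs.smb.SmbException;
import jcifs.smb.SmbSession;

public class DomainLoginServlet extends HttpServlet {

    private static final String DOMAIN = "MYDOMAIN";            // placeholder
    private static final String DC_HOST = "dc1.mydomain.local"; // placeholder

    /** POST from the HTTPS login form with fields "login" and "password". */
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String login = req.getParameter("login");
        String password = req.getParameter("password");
        if (login == null || password == null || password.length() == 0) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        if (checkPassword(login, password)) {
            // Drop any session that existed before login so a session id handed out
            // before authentication is never promoted to an authenticated one.
            HttpSession old = req.getSession(false);
            if (old != null) {
                old.invalidate();
            }
            HttpSession session = req.getSession(true);
            session.setAttribute("user", DOMAIN + "\\" + login);
            resp.sendRedirect(req.getContextPath() + "/");
        } else {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        }
    }

    /** GET ?action=logout is the sign-out: with a form login, discarding the session is all it takes. */
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        if ("logout".equals(req.getParameter("action"))) {
            HttpSession session = req.getSession(false);
            if (session != null) {
                session.invalidate();
            }
        }
        resp.sendRedirect(req.getContextPath() + "/login.html");
    }

    /** Asks the domain controller to validate the credentials through an SMB session logon. */
    static boolean checkPassword(String login, String password) throws ServletException {
        try {
            UniAddress dc = UniAddress.getByName(DC_HOST);
            NtlmPasswordAuthentication auth = new NtlmPasswordAuthentication(DOMAIN, login, password);
            SmbSession.logon(dc, auth);   // SmbAuthException when the DC rejects the credentials
            return true;
        } catch (SmbAuthException e) {
            return false;
        } catch (SmbException e) {
            throw new ServletException("domain controller unreachable", e);
        } catch (UnknownHostException e) {
            throw new ServletException("cannot resolve domain controller", e);
        }
    }
}
```

Pages that require a login then only need to check for the "user" session attribute (typically in a Filter) and redirect to the form when it is absent; because the credentials are never stored, logging out leaves nothing behind except the invalidated session id.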
How to Authenticate a Servlet App with Windows Passwords
- Posted by: jerome petit
- Posted on: February 22 2005 16:57 EST
- in response to Nate Borg
To authenticate users via NTLM using JAAS on any platform, try this:
http://www.jaaslounge.org/
JaasLounge is an open-source implementation of platform-independent JAAS login modules.
The first release offers JAAS NTLM authentication via JCIFS.