I recently did a quick mock up of a web service using C# on IIS. All users are using Windows so, in the web service, I was able to get the current user via NTLM.
Now I have to migrate this to a Java web service running on Tomcat or WebSphere.
What authentication options are open to me? I see that Apache HttpComponents has an NTLM feature but I can only find instructions on how to use it on the client side. Can I use it in my web service to determine the current user? (Remember, all users will be Windows users)
Just to clarify: this is for use in a company intranet and all users will be logged in to Windows. This is why NTLM seems to be the right way to go.
Try WAFFLE windows authentication framework.
(http://waffle.codeplex.com/)
It is one of the third party libraries suggested in the tomcat documentation. (https://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html)
It comes with zero configurations and all you have to do is to modify your web.xml to you waffle as in this tutorial (http://code.dblock.org/2010/05/20/single-sign-on-tomcat-negotiate-authenticator-kerberos-ntlm-w-waffle.html)
Related
Background: I currently have a java web application which is run on localhost on my Mac. Users can login to the web application, and their credentials are validated against an OpenLDAP server which is run on a certain port on my local machine as well (specifically using this docker image). The web application includes code which interacts with the LDAP server to provide the login username and password. Upon successful validation, the users are logged in and can continue to use the features of the app.
Problem: This web application will be deployed to clients who will be using Windows. They are requesting SSO capabilities - I.e. successful login to their windows machines under their domain bypasses the need for logging in to the web application when they run it. The clients cannot have some other Java application running on their machine which will help with SSO - simply logging into their windows machine should bypass the need for logging into the web application, which means Windows needs to be configured a certain way, and the web application needs to be configured a certain way for SSO. For testing purposes, I am using a windows 7 virtual machine which is run on the same machine that I am running and testing the web application on.
I've done research on SPNEGO, Java GSS API (looks like it needs client side code to communicate with server), Kerberos, Windows IIS etc. I know how to enable windows integrated authentication in Windows, but I don't know how to actually use this with my web application to enable SSO. Basically, I am still struggling on how to implement SSO capabilities in my specific case under these circumstances. Here are some specific questions:
Can browsers be configured to send encrypted windows credentials of the machine they are running on to the web application, which can then be decrypted by the web application and authenticated against LDAP? If so, how does this work?
Can the windows login credentials be configured to point to an LDAP server that validates them?
Overall, how can I integrate single sign on for a web application running on a windows machine, where the web application is configured to authenticate credentials through an LDAP server?
Windows SSO is based on Kerberos, not on LDAP. The reason why people usually mix them up is that Microsoft Active Directory acts as both LDAP server and Kerberos server.
If you need transparent authentication (SSO) for your Windows users you have to implement Kerberos authentication.
They way how Kerberos is implemented for web applications is called SPNEGO.
You need to do the following:
Create a service account in Active Directory for your server, say REALM\svc_server
Create an SPN for your server which will bind the domain name of your server to this server account. If your server is running on https://server.acme.com it should be HTTP/server.acme.com
If windows user is logged into domain REALM and goes to https://server.acme.com browser will lookup an SPN based on name HTTP/server.acme.com, request a Kerberos ticket from Active Directory and send it to server in a Authorization header as per SPNEGO specification
Now you just need to validate this ticket using built-in Java Kerberos API or using some third-party library (kerb4j, spring-security-kerberos, e.t.c.)
As you can see LDAP is not involved in this authentication flow (although it can be used for authorization as a next step)
Our product is a hosted Web application which needs to be accessed by a client X using SSO.
The client credentials are maintained on a Azure Cloud platform, and users are authenticated when they login to their Windows PC.
What is the best way for us to integrate our application on the client's Windows environment, so that all users are authenticated without logging in to our application?
The client has pointed out that we could use ADAL but i'm not sure if that works as we do not have our own AD based or LDAP based user management platform. We currently store all the user management data in the DB.
I'm a newbie to this topic so any guidance is really appreciated.
Based on my understanding, the issue is that the authenticated user from a portal access a url link of Java Web Application working with SSO when the Java webapp and the portal are not identical.
Per my experience, I think you can try to use Azure AD Application Proxy to solve the issue. You can refer to the document https://azure.microsoft.com/en-us/documentation/articles/active-directory-application-proxy-sso-using-kcd/#working-with-sso-when-on-premises-and-cloud-identities-are-not-identical to know the application scenario of Application Proxy.
You can try to follow the steps below to implement the needs. And as references, there are some documents explained how to do for each step.
Enable the Azure AD Application Proxy on Azure Portal, and install & register the proxy connector for your application. Please refer to the doc https://azure.microsoft.com/en-us/documentation/articles/active-directory-application-proxy-enable/ for more details.
Publish your application using Application Proxy, please follow the wizard steps of the doc https://azure.microsoft.com/en-us/documentation/articles/active-directory-application-proxy-publish/.
Enable SSO for your application and the portal, please review the section Working with SSO when on-premises and cloud identities are not identical of https://azure.microsoft.com/en-us/documentation/articles/active-directory-application-proxy-sso-using-kcd/#working-with-sso-when-on-premises-and-cloud-identities-are-not-identical.
If some issue encounted in implementing the plan, you can firstly refer to the doc https://azure.microsoft.com/en-us/documentation/articles/active-directory-application-proxy-troubleshoot/ to troubleshoot.
Any concern, please feel free to let me know.
Hello stackoverflow'ers
we are currently faced with the task to support Single Sign On in our Java based web service.
The setup is like this: Linux server running Apache as a proxy -> Jetty -> Java web service.
All of this in a Windows Domain with Windows workstations as clients accessing the web service through their browser (mainly IE, some firefox).
The SSO will go through the Windows AD DC utilizing Kerberos through SPNEGO.
From what I have gathered it would be possible to implement the SSO either step of the way, in Apache, in Jetty or in the Java Code itself.
What I haven't been able to figure out so far is which approach makes the most sense in the given environment.
We obviously need to access the REMOTE_USER one way or another later on to perform further authorization in our application, but this is the only real requirement we have.
So what are the actual pro's and con's of implementing the SSO / SPNEGO on the Apache level vs. the Jetty level vs. in our own software - if there are any ?
Any help would be greatly appreciated!
Enjoy your day,
Tom
https://github.com/michael-o/mod_spnego/ for Apache Web Server and you are done.
We have a Java web application (using struts and hibernate) and want the users to automatically log into the Google apps domain accounts.
We have set up the Google apps for Education domain accounts and created the users in it and we have the same users in our java web application also.
The requirement is that when the users log into our application portal, their is a link to go to Google apps, once they click on this link, it should log them in without asking for password.
We are using Tomcat 7 as our server for the web application. Which SSO tool should we use for doing this? Oracle's SSO is paid, Shiboleth doesn't work with Tomcat 7.
Any help highly appreciated? Is SSO the only option or another way to do this.
Thanks
Any SSO solution that supports the SAML2 protocol should work. Apart from the expensive solutions that Oracle, IBM, CA and others provide, you can find the following solutions that definitely work well with Tomcat7 and are open source :
Apereo (ex Jasig) CAS : Used quite a lot in the education community. Simple to setup but specific configurations (like an advanced authentication module) might require some programming effort. It supports Google Apps authentication, but none other SAML2 service. If you really want to only login to Google Apps, that's a great and simple solution.
Forgerock OpenAM : Formerly Sun OpenSSO, this is used in education and industry. Many more features, supports most of the SAML2 service providers out there including Google Apps, but more complex.
Note that if you already have a portal solution, you should check if that portal does not already support SAML2 federation and could act as the SSO server.
Note also that you will need to link the portal authentication and the SSO server authentication, to make sure that your users do not authenticate twice. This can be done in two ways :
Tell the SSO server to delegate the authentication to your portal solution. This might require some light custom coding depending on your portal.
The opposite : tell the portal to use the SSO as an authentication solution. Most portals support some kind of authentication delegation so it should only be configuration?
Lastly, if your authentication is setup on Tomcat itself (that is if your portal already delegates the authentication to the Tomcat container), then you can do the same for the SSO server.
My project is an Android application that communicates with a server. The server is written in Java, deployed in Tomcat, and running on a Windows Server host.
I need to provide authentication against Windows domain accounts. Basically I need to ask the user of the app to type in their username and password; send this data to the Tomcat server; and have the server authenticate it.
I'm having trouble finding a straight answer as to how to do this. Since my app is not a web site, I don't have the option to do browser redirects or anything like that, and obviously the Android device on which the app runs is not a Windows machine and will most likely not even be on the local network.
I don't really need to execute anything as the Windows user, I just need to know that they are who they say they are. Hopefully there is a simple way to do this?
Thanks.
Assuming you want to use Java EE container-based form authentication, on the server you'll have to:
secure your web application
configure Tomcat to use Windows authentication
On the client, you can:
POST application/x-www-form-urlencoded login data with the special keys in the web form (j_password, etc.)
retain the session cookies in the response for subsequent interactions with the server
I haven't tested the specifics with these exact technologies but approach is sound.