Authenticate without entering userid and password - java

I apologize in advance for the way the question is asked, I mean the way it is framed.
In our organization we have an internal portal like www.xyz.com and we use the SAP web interface.
Basically I'm writing Java code using JCO to fetch data from an SAP table, but I need to authenticate to get into the application. In this web interface we don't enter the username and password.
When I open the webpage it directly takes the USERID and PASSWORD from the xyz.com portal and logs in.
Is there a way that in my Java code I can retrieve that data (I don't want to view it, just authenticate directly using that portal) and get the data? Currently my code to retrieve data is like below.
JCO.createClient("SAP client", "username","password","language",
"server name","system number");
Here I want to get the username and password directly.
Is there a way to get this?
Thanks

It sounds like your portal is using an SSO solution?
In general it is possible by using JAAS.
Configure a JAAS LoginModule, get the username and - maybe - the password, and provide that information to the JCO client.

Related

Posting tweets using username and password authentication from Java app

To my knowledge, Twitter has stopped using username and password authentication in order to post tweets from a Java app. However, it allows OAuth only (using consumer keys, access tokens etc.).
Is there still any approach or workaround to use username and password based authentication to tweet from a Java app?
No, there isn't anymore. If you want to be able to use the API you must follow these steps:
Go to Twitter Apps and log in with your regular Twitter account, assuming you have one; if not, you need to create one.
Once signed in, click on the Create New App button.
Fill out the application (name, description, and whatever else it requires).
Create your key and access tokens. Share those with users that you trust, as they'll be used to access the Twitter API to read/write information.
Give the application you created a "Read and Write" permission based on what you asked in the question.
Then, depending on the software/language you use, there are plenty of existing packages that can help you access and obtain the information from the API.

Calling protected IIS web service from java client with windows credentials

I'm building a Java app that needs to get some data from a web service. I've been provided with a WSDL file and all the info I need, but I'm getting back the 401 code, not authorised. I've been told by the guy who did the web service that the web service directory in IIS must have anonymous authentication turned off, therefore I need to pass Windows credentials. I've been googling for a solution for quite a while but have not found anything that doesn't pass the username and password directly. What I need to do is to use the credentials the user is logged in to Windows with, so that entering the username and password is no longer needed. Does anyone have experience with this? I found something called SPNEGO, but that also uses username and password directly.
Thanks for any help.
You did not write which web service framework you use (I assume you're not creating and sending the SOAP request by hand).
I assume that the web service is secured via HTTP basic authentication.
If I were you, I'd do a quick test against your web service with the testing tool soapUI, which supports this feature, and check if this is the case.
(See: http://www.soapui.org/SOAP-and-WSDL/authenticating-soap-requests.html)
If you are successful, you will need to pass the user and password within the HTTP header area.
(See part "client" here: http://en.wikipedia.org/wiki/Basic_access_authentication for an example value)
Yeah, sorry, forgot to mention that I'm using Axis. Nevertheless, I finally managed to authenticate to the service; as it turned out, it didn't use basic authentication but NTLM. So now I do something like this:
BAWebServiceLocator locator = new BAWebServiceLocator(getEngineConfiguration());
BAWebServiceSoap baWebServiceSoap = locator.getBAWebServiceSoap(url);
((Stub)baWebServiceSoap).setUsername(props.getProperty("username"));
((Stub)baWebServiceSoap).setPassword(props.getProperty("password"));
So I still have to pass in my username and password. What I'd like to do is to use the credentials that I am logged in to Windows with. Any ideas?

Keeping secret information secret

So, I'm writing a password verification thingy, loading username and passwords from a database, but I can't figure out how to keep the database username and password out of the code.
String user = "username";//database username, not username to verify
String password = "password";//my password, not users password to check
String url = "jdbc:mysql://databaseurl:3306/table";
//i want this hidden somehow
I could load it from a file, but then people could just read the file.
Obviously I don't want people gaining access to the database and reading secret information. How should I go about doing this?
EDIT: What I'm asking is, how can I secure MY database credentials? Other people should not have access to the database.
You could, for instance, decompile the jar and read the above lines, and access my database using my credentials (using a program such as jd-gui).
Use password encryption.
If your application runs inside a J2EE container, use standard tools.
Look at the sample for the JBoss container.
If you're going to give the user direct access to the database, why not just make the username/password you're passing to the database the user's actual username/database?
Typically in secure systems the database is not directly exposed to the user. The user passes a query to some system which then performs authentication and then, if it passes, passes the query to the database.
In other words, if you're relying on the obscuring of the database login credentials as the obstruction to accessing the database, you're relying on the client to authenticate itself with respect to actually querying the database, which is a bad, bad idea. As soon as your database's login credentials are compromised, your whole security scheme has now failed.
You can keep database details in a property file/database. It is a kind of one layer of abstraction. And in that property file/database, you give some different keys so that at the time of accessing the database, you take the keys/columns from the property file/database and construct the URL information.
Secure your authentication and authorization services using a PKI exchange with a properly signed certificate (so it can be revoked if something does go wrong, and it certainly may).
One example is ws-security (a SOAP extension), but if you need to use REST you're stuck with transport-level security (securing your connection with HTTPS).
You might want to read up at http://security.stackexchange.com for more insightful commentary, rather than "store it in a property file."
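For the server-side arrangement described in the answers above, where only a middle tier talks to the database, the credentials can live in a file outside the jar that the service refuses to use if any account other than its owner can access it. This is an added example, not code from the original posts; it assumes a POSIX host, and the `DB_CONFIG` variable and the `db.url`, `db.user`, `db.password` keys are hypothetical names.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Collections;
import java.util.EnumSet;
import java.util.Properties;
import java.util.Set;

public class DbCredentials {
    // Any of these bits means an account other than the file owner can touch the file.
    private static final Set<PosixFilePermission> NOT_OWNER = EnumSet.of(
            PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE,
            PosixFilePermission.GROUP_EXECUTE, PosixFilePermission.OTHERS_READ,
            PosixFilePermission.OTHERS_WRITE, PosixFilePermission.OTHERS_EXECUTE);

    /** Loads the credential file, failing closed if it is too widely accessible. */
    public static Properties load(Path file) throws IOException {
        // Throws UnsupportedOperationException on non-POSIX file systems (assumption: POSIX host).
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(file);
        if (!Collections.disjoint(perms, NOT_OWNER)) {
            throw new IOException(file + " is accessible by group/others; expected mode 600");
        }
        Properties props = new Properties();
        try (InputStream in = Files.newInputStream(file)) {
            props.load(in);
        }
        // Hypothetical key names; a missing key is an error, never a silent default.
        for (String key : new String[] {"db.url", "db.user", "db.password"}) {
            String value = props.getProperty(key);
            if (value == null || value.isEmpty()) {
                throw new IOException("missing required key " + key + " in " + file);
            }
        }
        return props;
    }

    public static void main(String[] args) throws IOException {
        // DB_CONFIG is a hypothetical environment variable naming the file's location.
        String location = System.getenv("DB_CONFIG");
        if (location == null) {
            System.err.println("DB_CONFIG is not set");
            return;
        }
        Properties props = load(Path.of(location));
        // Never log the password; the URL and user are enough to confirm the load worked.
        System.out.println("loaded " + props.getProperty("db.url")
                + " as " + props.getProperty("db.user"));
    }
}
```

This protects the credentials only on a machine you control; a jar shipped to end users can still be decompiled or its config read, which is the point the answers make about not exposing the database directly.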

Tomcat Authentication using LDAP with just username and without password

I have a web application which is hosted on an Apache web server, and I have an external Java application which runs on Tomcat integrated in this web application.
The Apache is kerberized and I get the username of the person accessing it in the intranet. I want to use the same username and pass it on to Tomcat to check against LDAP and authorize the user.
I was looking into JNDI realm which supports LDAP module. But the problem is I do not have access to the user's password. But I'm able to get the groups the user belongs to and based on that I want to authenticate the user.
So my question is: will I be able to authenticate a user against the Tomcat server via LDAP with just the username and not the password?
PS: Sorry, there is no code or configuration that I can post at this point. The only resources I found implemented both username and password. I cannot kerberize the Tomcat server because I have other issues in the network.
"I was looking into JNDI realm which supports LDAP module. But the problem is I do not have access to the user's password. But I'm able to get the groups the user belongs to and based on that I want to authenticate the user."
Once I was asked to write some code to do the very same thing. I found a way to make it work. However, although it seemed to work well enough with Internet Explorer which would automatically detect the Windows username (because my code was parsing some NTLM information that only Internet Explorer passes in as a header), in Firefox or any other browser the user would be presented with an authentication box and any username they typed in would be accepted! It's very insecure.
(Well, it's not really true that only IE passes the header in. Only IE passes it in automatically; but Firefox also passes it in after someone gets the authentication box and types in any name they want. That's the problem.)
What I would suggest is writing a C#.NET service to do the authentication for real on a webserver that is IIS and has Integrated Authentication on. Then, redirect to the C# service when someone hits the Java site and the username session variable is null. Have the C# service save the info in a trusted/secure database including IP address and browser and redirect to the Java app, which reads the db to validate IP address and browser and that the record was just created.
Edit: I just noticed you said your Apache is kerberized and already gets the Windows username, which may render the problem above about the unreliability of parsing the NTLM header null and void. In this case, if you can get the AD groups via LDAP you can authenticate the user in your webapp with your own code, but probably not using the official Tomcat authentication scheme. What is described above is just because my Tomcat is not paired with an Apache server but with an IIS server. So basically, it's the same thing, except you won't need C#.

How to authenticate with Active Directory using java in XPages

I need to know if a user entered correct login information for Microsoft Active Directory.
I want the user to enter username and password on an XPage and it should only return whether these values were entered correctly or not.
I know I can use LDAP requests and send in credentials but have not seen any working solutions for this.
I need to use Java as the code should be able to run on non-Windows servers.
There are a number of approaches you can take:
The easiest would be to link the AD to Domino using DirectoryAssistance and let users log in using their AD credentials in the first place.
If IIS is running on the AD server you could send an HTTP request using the Apache HTTPClient (and basic authentication) and see what's coming back.
The best working Java libraries are listed in the Apache Directory project. There you would do an LDAP query (e.g. the user herself).
Let us know which one works for you.
You can use JNDI to access the Active Directory. There are a lot of resources on the web on how to do this, for example have a look at http://mhimu.wordpress.com/2009/03/18/active-directory-authentication-using-javajndi/
You have tagged the question as XPage; do you want to do the authentication from inside Domino? In that case the Domino server could do the authentication.
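The JNDI approach mentioned in the answers above comes down to attempting an LDAP simple bind as the user. The sketch below is an added example, not code from the original posts; the host `dc.example.com` and the `@example.com` UPN suffix are assumed placeholder values. It rejects empty passwords before binding, because an LDAP simple bind with an empty password is an unauthenticated bind that a directory may accept.

```java
import java.util.Arrays;
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public class AdBindCheck {
    // Assumed placeholder values; use LDAPS so the password is not sent in clear text.
    private static final String LDAP_URL = "ldaps://dc.example.com:636";
    private static final String UPN_SUFFIX = "@example.com";

    /** Returns true only if the directory accepts a simple bind as this user. */
    public static boolean verify(String username, char[] password) throws NamingException {
        // An empty password turns the bind into an unauthenticated bind that can
        // "succeed" for any username, so fail before contacting the server.
        if (username == null || username.isBlank() || password == null || password.length == 0) {
            return false;
        }
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, username + UPN_SUFFIX);
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put("com.sun.jndi.ldap.connect.timeout", "5000"); // milliseconds
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env); // performs the bind
            return true;
        } catch (AuthenticationException e) {
            return false; // wrong password, unknown user, locked or disabled account
        } finally {
            // Other NamingExceptions (server unreachable, TLS failure) propagate to the
            // caller so an outage is never reported as a wrong password.
            if (ctx != null) {
                ctx.close();
            }
            Arrays.fill(password, '\0');
        }
    }

    public static void main(String[] args) throws NamingException {
        if (args.length != 1 || System.console() == null) {
            System.err.println("usage: java AdBindCheck <username>  (run from a terminal)");
            return;
        }
        char[] pw = System.console().readPassword("Password for %s: ", args[0]);
        System.out.println(verify(args[0], pw) ? "valid" : "invalid");
    }
}
```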
