Can windows authentication be used for database being accessed online? - java

I apologize if my question is confusing. I was wondering if Windows authentication makes it difficult to access a MS SQL Server database online? I currently have an applet that has a JTable filled with information from a MS SQL Server database and it works fine in an IDE. However, when put in a browser, only the borders of the applet show up. Could this be because the authentication should be SQL Server Authentication?

You have 2 authentication issues to consider.
1) Making the website authenticate the users, you can use forms auth, or windows auth -- windows auth means users authenticate using their windows login and password for internal website use only, public facing internet site should not be using windows auth.
2) Making the web server authenticate against SQL Server. If using Windows auth in part 1, you could impersonate the user and use integrated SQL login, but I've not seen a good use case for this. If your web server is dedicated to a single app, it might make sense to use the security context of the web server to make the SQL connection via an integrated login. But in reality I've never used it because in hosting environments it is pretty common for the database server and the web server to be in separate NT domains (esp. if the web servers are outside the firewall).
There are countless possible explanations for the behavior you describe, but I'm guessing you are concerned about the auth. issues.

Related

What can be used for SSO in java web application

I'm developing a Java web application using Tomcat 9. In the Login page, I want a tool that can authenticate the user's credentials and sign him in automatically. Is there any simple example that can help, as I'm kind of new to Java development? In addition, I want the user's username and password to be fetched from the operating system.
Thank you
Use Kerberos via SPNEGO: http://tomcatspnegoad.sourceforge.net/
Works perfectly for me and my users.

Tomcat Authentication using LDAP with just username and without password

I have a web application which is hosted on Apache web server. And I have an external Java application which runs on Tomcat integrated in this web application.
The apache is kerberized and I get the username of the person accessing it in the intranet. I want to use the same username and pass it on tomcat to check against ldap and authorize the user.
I was looking into JNDI realm which supports LDAP module. But the problem is I do not have access to the user's password. But I'm able to get the groups the user belongs to and based on that I want to authenticate the user.
So my question is: will I be able to authenticate a user against Tomcat server via LDAP with just the username and not the password?
PS: Sorry, there is no code or configuration that I can post at this point. The only resources I found implemented both username and password. I cannot kerberize the Tomcat server because I have other issues in the network.
"I was looking into JNDI realm which supports LDAP module. But the problem is I do not have access to the user's password. But I'm able to get the groups the user belongs to and based on that I want to authenticate the user."
Once I was asked to write some code to do the very same thing. I found a way to make it work. However, although it seemed to work well enough with Internet Explorer, which would automatically detect the Windows username (because my code was parsing some NTLM information that only Internet Explorer passes in as a header), in Firefox or any other browser the user would be presented with an authentication box and any username they typed in would be accepted! It's very insecure.
(Well, it's not really true that only IE passes the header in. Only IE passes it in automatically; but Firefox also passes it in after someone gets the authentication box and types in any name they want. That's the problem.)
What I would suggest is writing a C#.NET service to do the authentication for real on a webserver that is IIS and has Integrated Authentication on. Then, redirect to the C# service when someone hits the Java site and the username session variable is null. Have the C# service save the info in a trusted/secure database including ip address and browser and redirect to the Java app which reads the db to validate IP address and browser and that the record was just created.
Edit: I just noticed you said your Apache is kerberized and already gets the Windows username, which may render the problem above about the unreliability of parsing the NTLM header null and void. In this case, if you can get the AD groups via LDAP you can authenticate the user in your webapp with your own code, but probably not using the official Tomcat authentication scheme. What is described above is just because my Tomcat is not paired with an Apache server but with an IIS server. So basically, it's the same thing, except you won't need C#.

Windows Authentication for Java Based web applications, How to?

I have a couple of Java-based web applications developed. Both the applications have separate Authentication logic based on some ActiveX directory implementation.
Now, I need to change this to Windows authentication so that whenever the user hits the URLs of my web applications, instead of redirecting him to login page I need to check his Windows credentials.
I do not want to store his windows credentials in URL.
Is there any good way to do this?
Depending on the level of integration you want your web application to have, Spring Security should have you covered in just about all aspects of what you are after.
If redirecting to a login page and authenticating the entered credentials against an Active Directory server via LDAP is acceptable, then the LDAP extension is the way to go.
If you want more of a Single Sign On (SSO) flow and your users are already authenticated against the authoritative Active Directory server in question (e.g. they are logged in to the domain), then the Kerberos plugin for Spring Security may be more appealing, since your users will simply have to go to the web application and won't have to go through any other authentication steps. The systems will take care of it behind the scenes.
You can also combine / layer these approaches if you wish and try Kerberos-based authentication first and, if that falls through, fall back to a login form and LDAP-based authentication.
If you need to go beyond that, Spring Security is flexible enough to allow you to use OpenID or in-app authentication as well if needed.
I'd recommend using Active Directory to expose its Windows authentication layer over LDAP, which can then be hit by something like Spring Security.
This would effectively force anyone using your application to use their windows login.

how can a registered member only can access my company website from android phone

I want my company website to be accessible from my Android phone, but that website can only be accessed by registered members.
I have a login page in which I have to enter the registered email and password; then, directly from the login page, I have to redirect to my company web URL?
Please give suggestions.
Thanks in advance.
Edited, to be more explicit :
How to secure and restrict access to a website ?
Restrict network access
Maybe the simplest solution. A web site is not always available on the internet or for everybody. In fact, if your website sits on some machine in your company office, making it available on the net requires more effort than just letting local computers access it.
What does that mean? You configure your firewall and your network to allow access to your server only from some IP addresses/ports. To continue on this network-only solution, you can create a VPN that includes your mobile phone devices.
Include authentication and authorization management directly in the application
The first solution is a first pass. It allows you to forbid access to most people outside your organisation. But maybe you want more: you want, for example, that only people from marketing have access to the web site. Or maybe you want, depending on the user (or user group), to allow them to do different things.
The best way to do that is to directly manage user rights in your website. You authenticate users, and when a specific functionality is requested you first verify that the user has the credential.
If you already have an IT department, it is likely that a directory is available with all users, their passwords and their groups. You can base your check on the directory, avoiding the hassle of creating/deleting users in your application directly.
Using a proxy to secure or authenticate access
This solution is like a mix of the other ones. First you make sure, using network restriction, that your web site is only accessible through the proxy machine (so only one IP, basically). Then you use a web server (like Apache HTTPD server) as a proxy, or a gateway, to access the website.
Basically, when a user wants to request your website, it doesn't directly ask the application that manages it, but the proxy. Because the application server is isolated in the network, it doesn't have to be secured.
The proxy allows you to fine-tune the behaviour of your web site:
- you can add encryption using SSL to all data that transits from the client to the server, so no sensitive data is sent unprotected.
- you can compress all data that transits to optimize the bandwidth usage (really important for mobile devices and their not so good internet connection).
- you can use HTTP authentication to check the user has the right to access the page. This can be just a login/password check, or a client certificate to fully secure the connection, allowing only devices with the certificate to be granted access.
You can tune access per group to certain parts of the site, but this is not as flexible as restrictions done directly by the web site application.
Didn't catch you very well. Do you mean that you want your company website to be accessible only from Android phones of registered members? If so, I think you can check what browser types can be used on Android phones, and in your website check it from the HTTP request, like "String browserType=(String)request.getHeader("User-Agent");".

Sharing Servlet session with PHP

I want to use a Java EE application server (GlassFish 3) as SSO service for both Java applications and PHP applications. If a user gets authenticated by GlassFish he should also be logged into the PHP applications.
Is there a best practice to share the Servlet session (more precisely: the authentication status) with PHP?
Have a look at PHP / Java Integration. You can either integrate PHP into a servlet environment or have PHP call Java. Now I'm not 100% sure this will specifically solve your problem and the integration is deemed experimental.
What you're probably better off doing is using something else to share session data. Something like memcache. Both Java and PHP can freely talk to memcache. That will be a far more robust solution.
I have no experience with connecting PHP and a Java app server, but on integration in general:
A common way to do a single sign on is reading a session ID (e.g. a cookie set by the Java Server) in the PHP script, passing it to the app server internally (e.g. through the command line, by making a HTTP call or a shared cache instance) and getting back the authentication status.
If this is not possible, e.g. because the services are running on different domains, you would pass your app server's session ID to the PHP application the first time it gets called. The PHP app will then create a session of its own, and store the session ID from the app server in it. The internal verification of the app server's session would work as outlined above.
If you need to exchange more than just a "logged in / not logged in" flag, you could also look into replacing PHP's standard session handling using session_set_save_handler(). Your custom session function would, instead of storing the session data to a file, get its data from your app server, which can pre-fill session data with things like authentication status, user name, and so on. This would allow for some amount of easy inter-application communication as well.
Of course, first check whether the built-in Java/PHP integration functions mentioned by cletus don't already do the trick.
I don't know about best practice... but usually if it works and is not ridiculously expensive and does not compromise security, it can be an acceptable practice.
When the user visits a PHP page without having a PHP session, that PHP page redirects to a specific JSP page. The JSP page will see if the user has an active session. If not, the JSP page will allow the user to log in. The JSP page will redirect to a specific PHP page, passing it things like authentication tokens and so on, as well as the URL of the original page. The PHP page creates the PHP session and redirects to the original page requested. These pages could be in different domains and running on different servers. This can also be replicated and implemented across different servers running Java or PHP or anything else.
acc.intt/page.php -> sso.intt/cosession.jsp -> acc.intt/cosession.php -> acc.intt/page.php
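The hand-off step in this flow (cosession.jsp passing "authentication tokens" to cosession.php), like the session-ID passing described two answers up, is the part that needs care: whatever the redirect URL carries is what the receiving side trusts. As an added example that is not code from either answer, here is a Java class the JSP side could use to mint, and the receiving side to verify, a short-lived HMAC-signed token; the class name, the shared secret, the 60-second lifetime and the demo user are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
/** Short-lived, HMAC-signed hand-off token for the cosession.jsp -> cosession.php redirect. */
public final class SsoHandoffToken {
    private static final String ALG = "HmacSHA256";
    private static final long MAX_AGE_MS = 60_000; // good for one redirect hop only (assumed)
    private final byte[] key; // secret shared with the PHP side (assumed, exchanged out of band)
    public SsoHandoffToken(byte[] sharedKey) { this.key = sharedKey.clone(); }
    /** token = base64url(user|issuedAt|nonce) + "." + base64url(HMAC-SHA256(payload)) */
    public String mint(String user, long issuedAtMs, String nonce) {
        String payload = user + "|" + issuedAtMs + "|" + nonce;
        return enc(payload.getBytes(StandardCharsets.UTF_8)) + "." + enc(hmac(payload));
    }
    /** Returns the user name if the token is authentic and fresh, otherwise null. */
    public String verify(String token, long nowMs) {
        String[] halves = token.split("\\.", -1);
        if (halves.length != 2) return null;
        byte[] payloadBytes, sig;
        try { payloadBytes = dec(halves[0]); sig = dec(halves[1]); } catch (IllegalArgumentException e) { return null; }
        String payload = new String(payloadBytes, StandardCharsets.UTF_8);
        // constant-time compare so timing does not reveal how much of the MAC matched
        if (!MessageDigest.isEqual(hmac(payload), sig)) return null;
        String[] parts = payload.split("\\|", -1);
        if (parts.length != 3) return null;
        long issuedAt;
        try { issuedAt = Long.parseLong(parts[1]); } catch (NumberFormatException e) { return null; }
        if (issuedAt > nowMs || nowMs - issuedAt > MAX_AGE_MS) return null; // expired or clock skew
        // Receiver should also store parts[2] (nonce) and reject repeats; a replayable token is a reusable password.
        return parts[0];
    }
    private byte[] hmac(String data) {
        try {
            Mac mac = Mac.getInstance(ALG);
            mac.init(new SecretKeySpec(key, ALG));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (java.security.GeneralSecurityException e) { throw new IllegalStateException(e); }
    }
    private static String enc(byte[] b) { return Base64.getUrlEncoder().withoutPadding().encodeToString(b); }
    private static byte[] dec(String s) { return Base64.getUrlDecoder().decode(s); }
    public static void main(String[] args) { // constructed demo key and user, not real values
        SsoHandoffToken t = new SsoHandoffToken("demo-shared-secret".getBytes(StandardCharsets.UTF_8));
        long now = System.currentTimeMillis();
        String tok = t.mint("alice", now, "n1");
        // valid -> alice; tampered signature -> null; presented two minutes later -> null
        System.out.println(t.verify(tok, now + 5_000) + " / " + t.verify(tok + "x", now) + " / " + t.verify(tok, now + 120_000));
    }
}
```

The PHP side needs the same secret and the same payload layout to recompute the HMAC; the original page URL can ride along as a separate query parameter, since only the user, timestamp and nonce are covered by the signature here.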
