I would like to use the existing user accounts on my redhat server for users to login with.
The redhat server uses active directory to authenticate with, but I cannot get access to authenticate with AD directly.
My web app will be using spring security.
Is it possible to use the redhat server's user accounts to authenticate against with spring security?
(note: su does not support passwords given on the command line with my server ("-S")).
I was digging around but could not find a sample code, but you could use PAM.
I found this project in GitHub https://github.com/kohsuke/libpam4j, which is a Java implementation of PAM (I don't know if it is active or if it will provide what you need).
Also, if sudo doesn't support passwords, you could try with expect
spawn "/bin/su" "bob"
expect "Password:"
send "userspassword\r"
expect "^\\$"
send "ls"
expect -re "^\\$"
send "exit\r"
expect eof
Related
I have a web application which is hosted on apache web server. And i have external java application which runs on tomcat integrated in this web application.
The apache is kerberized and I get the username of the person accessing it in the intranet. I want to use the same username and pass it on tomcat to check against ldap and authorize the user.
I was looking into JNDI realm which supports LDAP module. But the problem is I do not have access to the user's password. But I'm able to get the groups the user belongs to and based on that I want to authenticate the user.
So my question is will i be able to authenticate a user against Tomcat server via LDAP with just the username and not the password?
PS: Sorry there is no code or configuration that I can post at this point. The only resources i found implemented both username and password. I cannot kerberize the tomcat server because I have other issues in the network.
"I was looking into JNDI realm which supports LDAP module. But the problem is I do not have
access to the user's password. But I'm able to get the groups the user belongs to and based
on that I want to authenticate the user."
Once I was asked to write some code to do the very same thing. I found a way to make it work. However, although it seemed to work well enough with Internet Explorer which would automatically detect the Windows username (because my code was parsing some NTLM information that only Internet Explorer passes in as a header), in Firefox or any other browser the user would be presented with an authentication box and any username they typed in would be accepted! Its very insecure.
(Well, its not really true that only IE passes the header in. Only IE passes it in automatically; but Firefox also passes it in after someone gets the authentication box and types in any name they want. That's the problem.)
What I would suggest is writing a C#.NET service to do the authentication for real on a webserver that is IIS and has Integrated Authentication on. Then, redirect to the C# service when someone hits the Java site and the username session variable is null. Have the C# service save the info in a trusted/secure database including ip address and browser and redirect to the Java app which reads the db to validate IP address and browser and that the record was just created.
Edit: I just noticed you said your Apache is kerberized and already gets the Windows username, which may render the problem above about the unreliability of parsing the NTLM header null and void. In this case, if you can get the AD groups via LDAP you can authenticate the user in your webapp with your own code, but probably not using the official Tomcat authentication scheme. What is described above is just because my Tomcat is not paired with an Apache server but with a IIS server. So basically, its the same thing, except you won't need C#.
I need to know if a user entered correct login information to Microsoft Active directory
I want the user to enter username and password on an xpage and it should only return if these values was entered correctly or not.
I know I can use ldap requests and send in credentials but have not seen any working solutions for this.
I need to use java as the code should be able to run on non windows servers
There are a number of approaches you can take:
The easiest would be to link the AD to Domino using DirectoryAssistance and let users login using their AD credentials in the first place.
If IIS is running on the AD server you could send an HTTP request using the Apache HTTPClient (and basic authentication) and see what's coming back
The best working Java libraries are listed in the Apache Directory project. There you would do an LDAP query (e.g. the user herself)
Let us know which one works for you
You can use JNDI to access the Active Directory. There are a lot of ressources on the web on how to do this, for example have a look at http://mhimu.wordpress.com/2009/03/18/active-directory-authentication-using-javajndi/
You have tagged the question as XPage, do you want to do the authentication from inside domino? In that case the domino server could do the authentication.
I've worked through the examples for performing OOB OAuth2 connections and it works fine from my laptop.
The challenge I'm having is that it fires up a browser, asking me to verify if I want to grant access for my app to the documents in question. From then on it stores my credential set in a local file and continues to work just fine.
The use case I have is that I have a number of departments in my company that want to leverage Google Docs spreadsheets for reporting. I then want to be able to run a program on a server (from a cron job) that can scrape this data and build an aggregated report for all departments.
I had intended on creating a "reporting user" that is granted read access to all of the documents in question, then run the report process using that identity.
I tried running it on my laptop, then copying the stored credentials to my server for it to use. But it seems those credentials are tied to the machine and so it forces a new verification flow via browser.
Any suggestions on how to work with the auth flow for Google Drive to allow me to do what I need?
TIA
Rather than needing to grant some user read-only access to all docs, I'd suggest using a service account which has been granted read-only access to all of your Google Apps domain user's docs:
https://developers.google.com/drive/delegation
use:
https://www.googleapis.com/auth/drive.readonly
as the OAuth scope that you grant the service account access to in the Control Panel. That way if the server is compromised you've limited access to read-only.
Create GoogleCredential with p12 file from API console (API Access > Create Another Client ID > Service Account etc):
GoogleCredential.Builder#setServiceAccountPrivateKeyFromP12File(File)
more info on Service Accounts
The other answers are better than this, but you can always get a set of credentials and save them in a file for reuse. Getting the credentials could be done with a web browser, but only once, and then your server could use them forever (as long as you request offline access and get a refresh token).
Can somebody work on jaas login modules. I was going through docs & my understanding is there is ntlogin module, unix login module comes with sun-jdk.
I want to is these login module can
1. Authenticate with OS users
2. Provide groups of that user.
basically I want to authenticate with os. Input is username, password & group name. I want to know if username, password combination is right & user belong to that group.
I want to authenticate with windows & popular linux distros such as RHEL, Suse, CentOS.
I dont want to do LDAP authentication only os authentication.
For windows, there is waffle library available. But I am not able to authenticate when using 64bit machine. On 32bit it runs fine.
For linux, there is jpam, but it doesn't give group. It will just check username, password combinateion.
As far as I remember JAAS is about Java code and vm related authorization: is current running code authorized to do something?
I think it's easier to use some os native wrapping scripts to authenticate user and then just extract user info in your Java code.
I was looking for the same thing. So far I've found that the Unix "login module" actually doesn't do any authentication; it creates Principals for the process' owner's user and group, and adds them to the Subject. This makes it fairly useless for, say, authenticating webapp sessions.
You are going to need native code to authenticate OS credentials, but it should be possible to hook that into JAAS. It makes sense to make that native code into a small and simple external helper program (like one of the many 'checkpasswd' programs that come with similar frameworks to solve the same problem) because it will need elevated privileges to gain access to the stored keys.
I've been mucking around with GlassFish v3 prelude this evening. A couple of things I'm not sure about is how the security works.
It installed like a dream, so the first thing I did was remove the anonymous account and setup an "admin" account with "mysecretpassword" and specified the asadmin group for this user in the admin realm.
At that point the stop-domain command stopped working from the console (and/or start menu shortcut). Fair enough, but the stop-domain command accepts a --user argument but then wants a --passwordfile path supplied which I didn't know where it was.
After some googling I chanced upon asaadmin login -p 4848 which created a password file in my documents and then stop-domain started working!
So the questions:
1) Is it possible to get stop-domain to prompt for a user/password?
2) This whole business of having a file with a (hashed) password doesn't sound great to me - why did they do it this way, and is it transferable, can it be disabled and if it can, how then do I stop the domain?
3) How do security realms work - as in what are they, and how do they differ?
4) What's the best resource (book, website, whatever) on GF v3?
Glassfish relies upon a "master-password" file which is used to control access to the core admin commands (notably asadmin).
This master password is used to encrypt assorted bits within the GF system and configuration. By default, it's store in the file $domain-dir/master-password.
If that file exists, then asadmin will not prompt for a password to make changes. If it does not exist, then it will prompt you. If you ever change the password, the system will automatically recreate this file.
Note, this isn't a role based thing, it's simply a password to the entire system.
So, that's the core password.
Next is the actual admin password.
When you create a domain, it asks you for an admin name and password. This information is stored in ~/.asadminpass file.
So, in the simple case of a local install, you can use asadmin without passwords or user information.
If you delete that file, then you will be prompted for a user and password.
The admin passwords are managed in the "admin-realm" within the app server.
Realms are a Java EE construct used to represent authentication and authorization stores.
Realms provide user name, password, and role information.
By default GF uses file realms for its security information. Out of the box you have a "admin-realm" which is for users of the admin console. There is also an empty "file" realm for use by applications. Out of the box, Glassfish also supports and LDAP realm and a JDBC realm where credentials are stored in an LDAP and RDBMS respectively.
The Glassfish website and forums are currently the best resources available for this. It's a bit of a muddy time as v3 is still being worked on (v3 Prelude is just that, a prelude to the final release later this year), but there is still a lot of overlap with v2.
GlassFish v3 Prelude Domain Start Failed
first think stop any one server which is running in system --
Exam:- suppose you using glass fish server and netbeansIDE both are working on your system so when you want compile your application so that time you can stop your glassfish server then compile and run your application within netbeans IDE it's working