Windows authentication in a Java/Tomcat server with an Android app - java

My project is an Android application that communicates with a server. The server is written in Java, deployed in Tomcat, and running on a Windows Server host.
I need to provide authentication against Windows domain accounts. Basically I need to ask the user of the app to type in their username and password; send this data to the Tomcat server; and have the server authenticate it.
I'm having trouble finding a straight answer as to how to do this. Since my app is not a web site, I don't have the option to do browser redirects or anything like that, and obviously the Android device on which the app runs is not a Windows machine and will most likely not even be on the local network.
I don't really need to execute anything as the Windows user, I just need to know that they are who they say they are. Hopefully there is a simple way to do this?
Thanks.

Assuming you want to use Java EE container-based form authentication, on the server you'll have to:
secure your web application
configure Tomcat to use Windows authentication
On the client, you can:
POST application/x-www-form-urlencoded login data with the special keys in the web form (j_password, etc.)
retain the session cookies in the response for subsequent interactions with the server
I haven't tested the specifics with these exact technologies but the approach is sound.
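The client side of that approach, as an added example in plain Java (not code from the answer above; the Android app would use the same HttpURLConnection and CookieManager classes): it assumes the application is deployed at https://server.example.com/app with FORM authentication in web.xml, and /api/whoami is a placeholder protected resource.

```java
// Added example, not the original answer's code. Placeholder base URL and paths.
import java.io.IOException;
import java.io.OutputStream;
import java.net.CookieHandler;
import java.net.CookieManager;
import java.net.CookiePolicy;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
public class FormLoginClient {
    private static final String BASE = "https://server.example.com/app"; // assumed

    /** Container FORM login; returns true on success. The session cookie stays in the CookieManager. */
    public static boolean login(String user, String password) throws IOException {
        // One CookieManager per process: it stores JSESSIONID from the responses
        // and replays it on every later request, which is the "retain cookies" step.
        if (CookieHandler.getDefault() == null) {
            CookieHandler.setDefault(new CookieManager(null, CookiePolicy.ACCEPT_ORIGINAL_SERVER));
        }
        // 1. Request a protected resource first. Tomcat creates the session and saves
        //    this request; a POST to j_security_check without it is rejected.
        HttpURLConnection first = (HttpURLConnection) new URL(BASE + "/api/whoami").openConnection();
        first.getResponseCode();
        first.disconnect();

        // 2. POST the container's special field names to its login action.
        String body = "j_username=" + URLEncoder.encode(user, "UTF-8")
                    + "&j_password=" + URLEncoder.encode(password, "UTF-8");
        HttpURLConnection login = (HttpURLConnection) new URL(BASE + "/j_security_check").openConnection();
        login.setRequestMethod("POST");
        login.setDoOutput(true);
        login.setInstanceFollowRedirects(false); // inspect the redirect ourselves
        login.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        try (OutputStream out = login.getOutputStream()) {
            out.write(body.getBytes(StandardCharsets.UTF_8));
        }
        int code = login.getResponseCode();
        String location = login.getHeaderField("Location");
        login.disconnect();

        // Success is a 302 back to the saved request. On failure Tomcat renders the
        // <form-error-page> instead, so a bare "got a 302" check is not enough.
        return code == 302 && location != null && location.endsWith("/api/whoami");
    }

    public static void main(String[] args) throws IOException {
        System.out.println(login(args[0], args[1]) ? "login ok" : "login failed");
    }
}
```

Because the password travels in the request body, the BASE URL must be HTTPS with a certificate the device trusts; over plain HTTP both the password and the session cookie are exposed on the path.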

Related

Windows integrated authentication for java web application SSO

Background: I currently have a java web application which is run on localhost on my Mac. Users can login to the web application, and their credentials are validated against an OpenLDAP server which is run on a certain port on my local machine as well (specifically using this docker image). The web application includes code which interacts with the LDAP server to provide the login username and password. Upon successful validation, the users are logged in and can continue to use the features of the app.
Problem: This web application will be deployed to clients who will be using Windows. They are requesting SSO capabilities, i.e. successful login to their Windows machines under their domain bypasses the need for logging in to the web application when they run it. The clients cannot have some other Java application running on their machine which will help with SSO; simply logging into their Windows machine should bypass the need for logging into the web application, which means Windows needs to be configured a certain way, and the web application needs to be configured a certain way for SSO. For testing purposes, I am using a Windows 7 virtual machine which is run on the same machine that I am running and testing the web application on.
I've done research on SPNEGO, Java GSS API (looks like it needs client side code to communicate with the server), Kerberos, Windows IIS, etc. I know how to enable Windows Integrated Authentication in Windows, but I don't know how to actually use this with my web application to enable SSO. Basically, I am still struggling on how to implement SSO capabilities in my specific case under these circumstances. Here are some specific questions:
Can browsers be configured to send encrypted Windows credentials of the machine they are running on to the web application, which can then be decrypted by the web application and authenticated against LDAP? If so, how does this work?
Can the Windows login credentials be configured to point to an LDAP server that validates them?
Overall, how can I integrate single sign on for a web application running on a windows machine, where the web application is configured to authenticate credentials through an LDAP server?
Windows SSO is based on Kerberos, not on LDAP. The reason why people usually mix them up is that Microsoft Active Directory acts as both LDAP server and Kerberos server.
If you need transparent authentication (SSO) for your Windows users you have to implement Kerberos authentication.
The way Kerberos is implemented for web applications is called SPNEGO.
You need to do the following:
Create a service account in Active Directory for your server, say REALM\svc_server.
Create an SPN for your server which will bind the domain name of your server to this service account. If your server is running on https://server.acme.com it should be HTTP/server.acme.com.
If a Windows user is logged into domain REALM and goes to https://server.acme.com, the browser will look up an SPN based on the name HTTP/server.acme.com, request a Kerberos ticket from Active Directory and send it to the server in an Authorization header as per the SPNEGO specification.
Now you just need to validate this ticket using the built-in Java Kerberos API or some third-party library (kerb4j, spring-security-kerberos, etc.).
As you can see, LDAP is not involved in this authentication flow (although it can be used for authorization as a next step).
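The validation step, as an added example using the JDK's own GSS-API (not code from the answer above): it assumes a JAAS entry named ServerAcceptor (Krb5LoginModule with useKeyTab=true, storeKey=true, isInitiator=false and principal HTTP/server.acme.com@REALM) supplied via -Djava.security.auth.login.config, and a krb5.conf that points at the domain's KDC.

```java
// Added example, not from the answer above; "ServerAcceptor" is an assumed JAAS entry name.
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.*;

public class SpnegoAcceptor {
    private static final Oid SPNEGO_MECH = oid("1.3.6.1.5.5.2");

    /** Returns the client principal (e.g. "user@REALM") or null if the token is not acceptable. */
    public static String authenticate(String authorizationHeader) throws Exception {
        if (authorizationHeader == null || !authorizationHeader.startsWith("Negotiate ")) {
            return null; // caller answers 401 with "WWW-Authenticate: Negotiate" to start the exchange
        }
        byte[] token = Base64.getDecoder().decode(authorizationHeader.substring(10).trim());

        // Log in as the service account from its keytab; the Subject then holds the
        // long-term key that decrypts the service ticket carried inside the token.
        LoginContext lc = new LoginContext("ServerAcceptor");
        lc.login();
        return Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<String>) () -> {
            GSSManager manager = GSSManager.getInstance();
            GSSCredential serverCred = manager.createCredential(null,
                    GSSCredential.INDEFINITE_LIFETIME, SPNEGO_MECH, GSSCredential.ACCEPT_ONLY);
            GSSContext ctx = manager.createContext(serverCred);
            try {
                // With a Kerberos ticket inside SPNEGO the context completes in one call;
                // the returned bytes would go back in WWW-Authenticate for mutual auth.
                ctx.acceptSecContext(token, 0, token.length);
                if (!ctx.isEstablished()) {
                    return null; // NTLM fallback or a multi-leg exchange: not a validated ticket
                }
                return ctx.getSrcName().toString();
            } catch (GSSException e) {
                return null; // expired, forged or wrong-SPN ticket: treat as unauthenticated
            } finally {
                ctx.dispose();
                serverCred.dispose();
            }
        });
    }

    private static Oid oid(String dotted) {
        try { return new Oid(dotted); } catch (GSSException e) { throw new IllegalStateException(e); }
    }
}
```

A null result should lead to a 401 response, never to a fallback that trusts a username sent in the clear; the principal string is what you then look up in LDAP for group membership.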

Design of application that allows the communication between browser and hardware

In this scenario, I have a web application that runs in the browser, and now I want to access the scanner of the local desktop.
As far as I can see, the only option is installing some type of local agent on each computer, through Java or an agent app (.exe).
Example: scanner.js
My question is just about the logic, not code.
OK, I have a website. Now how can the website connect and communicate with the agent? How can I define the communication port?
What is the concept design of this type of process between an agent that has access to hardware and the local browser?
OK, I have a website. Now how can the website connect and communicate with the agent? How can I define the communication port?
Commonly, agents provide a REST or SOAP API, and the website script sends JSON/XML requests. But don't forget about security and authentication.
List of libs and frameworks: Rest framework, SOAP, WebServers, Security and Authentication.
One of the options is indeed a local agent that runs on the PC of the user. That local agent could be a web server with a port open to connect to from browser. Calls to the service should be protected so that others can't abuse the service. The communication could take place via websockets.
Resources that might be interesting to check are:
Tutorial CORS
NanoHTTPd
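A sketch of such a protected local agent, added here as an example and not taken from either answer: it uses the JDK's built-in com.sun.net.httpserver, listens on loopback only, accepts calls only from an allowlisted page origin (https://app.example.com and port 8765 are placeholders), and requires a per-install token in an X-Agent-Token header (an assumed header name).

```java
// Added example, not from the answers above. Origin, port and header name are placeholders.
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Set;

public class LocalScannerAgent {
    static final Set<String> ALLOWED_ORIGINS = Set.of("https://app.example.com");
    // Real deployments read this from a file only the user's account can read and
    // show it to the user once so they can paste it into the web app.
    static final byte[] AGENT_TOKEN = "replace-with-random-secret".getBytes(StandardCharsets.UTF_8);

    public static void main(String[] args) throws IOException {
        // Loopback only: nothing else on the LAN can reach the port.
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 8765), 0);
        server.createContext("/scan", LocalScannerAgent::handleScan);
        server.start();
    }

    static void handleScan(HttpExchange ex) throws IOException {
        String origin = ex.getRequestHeaders().getFirst("Origin");
        // The browser sets Origin and page scripts cannot forge it; refusing unknown
        // origins stops arbitrary websites from driving the scanner.
        if (origin == null || !ALLOWED_ORIGINS.contains(origin)) {
            reply(ex, 403, "origin not allowed"); return;
        }
        // CORS: echo only the allowlisted origin and permit the custom token header.
        ex.getResponseHeaders().set("Access-Control-Allow-Origin", origin);
        ex.getResponseHeaders().set("Access-Control-Allow-Headers", "X-Agent-Token");
        if ("OPTIONS".equals(ex.getRequestMethod())) { reply(ex, 204, ""); return; }
        String presented = ex.getRequestHeaders().getFirst("X-Agent-Token");
        if (presented == null || !MessageDigest.isEqual(
                presented.getBytes(StandardCharsets.UTF_8), AGENT_TOKEN)) {
            reply(ex, 401, "bad token"); return; // constant-time compare above
        }
        reply(ex, 200, "{\"status\":\"scan started\"}"); // real code would drive the scanner here
    }

    static void reply(HttpExchange ex, int status, String body) throws IOException {
        byte[] bytes = body.getBytes(StandardCharsets.UTF_8);
        ex.sendResponseHeaders(status, bytes.length == 0 ? -1 : bytes.length);
        try (OutputStream out = ex.getResponseBody()) { out.write(bytes); }
    }
}
```

Binding to loopback alone is not enough, since any page open in the same browser can reach 127.0.0.1; the Origin check and the token are what make the port unusable to other sites.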

How to authenticate a windows user in java web service?

I recently did a quick mock up of a web service using C# on IIS. All users are using Windows so, in the web service, I was able to get the current user via NTLM.
Now I have to migrate this to a Java web service running on Tomcat or WebSphere.
What authentication options are open to me? I see that Apache HttpComponents has an NTLM feature but I can only find instructions on how to use it on the client side. Can I use it in my web service to determine the current user? (Remember, all users will be Windows users)
Just to clarify: this is for use in a company intranet and all users will be logged in to Windows. This is why NTLM seems to be the right way to go.
Try the WAFFLE Windows authentication framework.
(http://waffle.codeplex.com/)
It is one of the third party libraries suggested in the Tomcat documentation. (https://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html)
It comes with zero configuration and all you have to do is modify your web.xml to use WAFFLE as in this tutorial (http://code.dblock.org/2010/05/20/single-sign-on-tomcat-negotiate-authenticator-kerberos-ntlm-w-waffle.html)

Windows authentication from a Java Spring application

I'm deploying a Java application built with Spring on a Windows network. The network uses Active Directory so the users log in to their desktops with their Active Directory user names.
Now, I'm trying to add a feature so that when the user opens the browser to access this application (which is deployed on the same network) the application automagically picks up their username and authenticates them.
During my research I came across this blog post: http://blog.springsource.org/2009/09/28/spring-security-kerberos/ However, I think this approach might not be required in my scenario since I'm deploying the application to the same windows network.
Question
What could be some ways to simply access the user token so that my web app can authenticate the users?
We use NtlmHttpFilter.
You configure it as a filter in your web.xml, tell it where your domain controllers live, and it pretty much just works. Internet Explorer will provide credentials without you taking any action, Firefox (and I suppose Chrome) will prompt you for a login.

NTLM fails when consuming SharePoint web service from Java?

I have a Java client that consumes SharePoint 2010 standard web services (sitedata.asmx, permissions.asmx, etc) written with JAX-WS implementation from the JDK 6.
So far, authentication is done with NTLM using a custom Authenticator implementation and Authenticator.setDefault(...) approach.
When running on my test environment which has only one SharePoint server, it works fine. I can see all the NTLM negotiation using Wireshark.
But, if running at a customer which has multiple servers, hardware load balancing and multiple SharePoint alternate access mappings, I get Error 401 Unauthorized from the web service calls. I haven't had a chance to use Wireshark to debug on that environment.
I run my client from a Windows machine (on the customer setup), so according to the Java documentation it should be fine for NTLM. Also, I used the default URL from SharePoint to access the web services (not the load balanced URLs).
The machine running the client application is not a SharePoint server. It has Windows Integrated Authentication with NTLM configured.
Also, due to SharePoint administration policies, I'm unable to access SharePoint Central Administration or make any change to the configuration (nor IIS).
I want to ask if anyone knows what the issue may be? And hopefully if anyone knows how to fix it?
Thanks in advance.
EDIT:
It's important to mention that the same permission levels were granted on both environments.
Well, finally I had a chance to use Wireshark on the customer environment.
First I noticed they have NTLM v2 configured, but that's OK since Java 1.6 supports it.
Then I saw that since Windows Integrated Authentication is enabled, the currently logged-in user's credentials are sent instead of the ones configured in the code. Since the logged-in user has no permissions on SharePoint, I received 401 Unauthorized.
According to the Java documentation this is the normal behavior:
In fact, if you are running on a Windows machine as a domain user, or, you are running on a Linux or Solaris machine that has already issued the kinit command and got the credential cache. The class MyAuthenticator will be completely ignored .....
which shows the username and password are not consulted. This is the so-called Single Sign-On.
I hope someone can answer this question since I think that's exactly what I need.
Finally, I observed that with HTTP, first the Windows credentials will be tried, and on failure the credentials provided by the code will be used instead. Thus, everything works fine.
When using HTTPS, only the Windows credentials will be used, so I always got 401 Unauthorized.
Not sure what causes the difference between HTTP and HTTPS.
You have to disable the transparent authentication in Java. You can do this either by dropping in a custom rt.jar or by using reflection to modify the Java classes.
tryTransparentNTLMServer and tryTransparentNTLMProxy are the fields in HttpURLConnection which you need to set accessible and then to false when using the reflection method. Obviously just change this class if you're making your own rt.jar.
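The reflection route the answer describes, as an added example that is not the answer's own code: it assumes an Oracle/OpenJDK runtime whose internal class sun.net.www.protocol.http.HttpURLConnection still carries the two static fields (on JDK 9 and later the process also needs --add-opens java.base/sun.net.www.protocol.http=ALL-UNNAMED), and DOMAIN\svc_sharepoint plus the SP_PASSWORD environment variable are placeholders.

```java
// Added example, not the answer's code; see the lead-in for the runtime assumptions.
import java.lang.reflect.Field;
import java.net.Authenticator;
import java.net.PasswordAuthentication;

public class ExplicitNtlmCredentials {
    /** Switches both transparent-NTLM flags off. Run before any connection that needs NTLM is opened. */
    public static void disableTransparentNtlm() {
        try {
            Class<?> c = Class.forName("sun.net.www.protocol.http.HttpURLConnection");
            for (String name : new String[] {"tryTransparentNTLMServer", "tryTransparentNTLMProxy"}) {
                Field f = c.getDeclaredField(name);
                f.setAccessible(true);
                f.setBoolean(null, false); // static field, so no instance is needed
            }
        } catch (ReflectiveOperationException | RuntimeException e) {
            // Field missing or module not opened: transparent auth would stay on and the
            // HTTPS 401 from the question would persist silently, so fail loudly instead.
            throw new IllegalStateException("could not disable transparent NTLM", e);
        }
    }

    public static void main(String[] args) {
        disableTransparentNtlm();
        // With transparent auth off, the JDK consults this Authenticator for every NTLM challenge.
        Authenticator.setDefault(new Authenticator() {
            @Override protected PasswordAuthentication getPasswordAuthentication() {
                // "DOMAIN\\user" form lets the JDK's NTLM implementation pick the domain.
                return new PasswordAuthentication("DOMAIN\\svc_sharepoint", readSecret());
            }
        });
        // ... JAX-WS calls to sitedata.asmx / permissions.asmx follow here
    }

    private static char[] readSecret() {
        // Placeholder: read from a credential store or the environment, never hard-code.
        return System.getenv("SP_PASSWORD").toCharArray();
    }
}
```

Because this pokes at JDK internals, pin the JDK version in the deployment and keep the loud failure in place so a runtime upgrade that removes the fields is caught at startup rather than as a mysterious 401.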
