I have a web application which is hosted on an Apache web server, and I have an external Java application which runs on Tomcat, integrated into this web application.
The Apache server is Kerberized and I get the username of the person accessing it on the intranet. I want to use the same username and pass it on to Tomcat to check against LDAP and authorize the user.
I was looking into the JNDI realm, which supports an LDAP module. But the problem is I do not have access to the user's password. I am able to get the groups the user belongs to, and based on that I want to authenticate the user.
So my question is: will I be able to authenticate a user against the Tomcat server via LDAP with just the username and not the password?
PS: Sorry, there is no code or configuration that I can post at this point. The only resources I found implemented both username and password. I cannot Kerberize the Tomcat server because I have other issues in the network.
"I was looking into JNDI realm which supports LDAP module. But the problem is I do not have access to the user's password. But I'm able to get the groups the user belongs to and based on that I want to authenticate the user."
Once I was asked to write some code to do the very same thing. I found a way to make it work. However, although it seemed to work well enough with Internet Explorer, which would automatically detect the Windows username (because my code was parsing some NTLM information that only Internet Explorer passes in as a header), in Firefox or any other browser the user would be presented with an authentication box and any username they typed in would be accepted! It's very insecure.
(Well, it's not really true that only IE passes the header in. Only IE passes it in automatically; but Firefox also passes it in after someone gets the authentication box and types in any name they want. That's the problem.)
What I would suggest is writing a C#.NET service to do the authentication for real on a web server that is IIS and has Integrated Authentication on. Then, redirect to the C# service when someone hits the Java site and the username session variable is null. Have the C# service save the info in a trusted/secure database, including IP address and browser, and redirect to the Java app, which reads the DB to validate the IP address and browser and that the record was just created.
Edit: I just noticed you said your Apache is Kerberized and already gets the Windows username, which may render the problem above about the unreliability of parsing the NTLM header null and void. In this case, if you can get the AD groups via LDAP, you can authenticate the user in your webapp with your own code, but probably not using the official Tomcat authentication scheme. What is described above is just because my Tomcat is not paired with an Apache server but with an IIS server. So basically, it's the same thing, except you won't need C#.
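The setup the question and the edit describe, as an added example (this is not code from the question or from either answer). It assumes Apache has already authenticated the user with Kerberos and forwards the request to Tomcat over AJP with tomcatAuthentication="false" on the AJP connector, so that request.getRemoteUser() returns the principal Apache verified; Tomcat then binds to the directory with its own service account (the user's password is never needed) and lets the request through only if the account is a member of a required AD group. The LDAP URL, base DN, group DN, service account name and the LDAP_SERVICE_PASSWORD environment variable are placeholders. The point that makes or breaks this design: the asserted identity is only trustworthy if nothing but Apache can reach Tomcat's AJP port (bind it to localhost or a private interface, and set the connector's secret so mod_proxy_ajp has to present it).

```java
import java.io.IOException;
import java.util.Hashtable;

import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Authorizes a user whose identity Apache already verified (propagated over AJP and
 * exposed by request.getRemoteUser()) by checking AD group membership over LDAP.
 * Every directory name below is an assumed placeholder for this example.
 */
public class GroupAuthorizationFilter implements Filter {

    private static final String LDAP_URL = "ldaps://dc.example.com:636";            // assumed
    private static final String SERVICE_DN = "CN=svc-tomcat,OU=Service Accounts,DC=example,DC=com";
    private static final String SERVICE_PASSWORD = System.getenv("LDAP_SERVICE_PASSWORD");
    private static final String USER_BASE = "OU=Users,DC=example,DC=com";
    private static final String REQUIRED_GROUP_DN = "CN=App-Users,OU=Groups,DC=example,DC=com";

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Identity asserted by Apache (Kerberos). Trustworthy only if Tomcat's AJP port
        // is reachable from Apache alone; otherwise anyone can assert any name here.
        String principal = request.getRemoteUser();
        if (principal == null || principal.isEmpty()) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Kerberos yields "user@REALM"; AD's sAMAccountName is the part before '@'.
        int at = principal.indexOf('@');
        String account = at >= 0 ? principal.substring(0, at) : principal;

        try {
            if (!isMemberOfRequiredGroup(account)) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        } catch (NamingException e) {
            // Fail closed: a directory outage must never turn into an allow.
            response.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE);
            return;
        }
        chain.doFilter(req, res);
    }

    /** Binds with the service account and checks the user's memberOf for the required group. */
    static boolean isMemberOfRequiredGroup(String account) throws NamingException {
        if (SERVICE_PASSWORD == null) {
            throw new NamingException("LDAP_SERVICE_PASSWORD is not configured");
        }
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, SERVICE_DN);
        env.put(Context.SECURITY_CREDENTIALS, SERVICE_PASSWORD);

        DirContext ctx = new InitialDirContext(env);   // the service-account bind happens here
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"distinguishedName"});
            // {0} and {1} are escaped by JNDI, so a crafted account name cannot
            // rewrite the filter. Never concatenate the name into the filter string.
            String filter = "(&(objectClass=user)(sAMAccountName={0})(memberOf={1}))";
            NamingEnumeration<SearchResult> results =
                    ctx.search(USER_BASE, filter, new Object[] {account, REQUIRED_GROUP_DN}, sc);
            boolean found = results.hasMore();
            results.close();
            return found;
        } finally {
            ctx.close();
        }
    }

    @Override
    public void destroy() { }
}
```

Map the filter to the protected URLs in web.xml. A plain memberOf match does not see nested groups; on AD you can replace the memberOf clause with the transitive matching rule (memberOf:1.2.840.113556.1.4.1941:={1}) if nested membership should count. If you proxy over HTTP and carry the name in a request header instead of AJP, the same trust condition applies and Apache must additionally unset the client-supplied copy of that header before setting its own, or the filter is trivially bypassed.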
I am trying to validate an entered username and password in an Active Directory hosted on a server inside my network and then retrieve a single value from said user object. The user enters the credentials on a device running Android 11. The device is connected to a subnet within the network. The application is coded in Java. I am using Android Studio as my IDE.
I would like to authenticate user credentials using an Active Directory and retrieve a single value.
Assuming you want to connect directly to domain controllers (and not an AD-authenticated web site, for example), you can use NTLMv2 and LDAP.
This question is discussed here:
How to use LDAP authentication in our app in android?
Specifically, here is detail for authenticating with the SDK mentioned above (though the above link includes others):
https://docs.ldap.com/ldap-sdk/docs/getting-started/connections.html
If the user/password combination is valid, you'll get a success for the bindResponse.
I apologize if my question is confusing. I was wondering if Windows authentication makes it difficult to access an MS SQL Server database online? I currently have an applet that has a JTable filled with information from an MS SQL Server database and it works fine in an IDE. However, when put in a browser, only the borders of the applet show up. Could this be because the authentication should be SQL Server Authentication?
You have 2 authentication issues to consider.
1) Making the website authenticate the users: you can use forms auth or Windows auth. Windows auth means users authenticate using their Windows login and password, for internal website use only; a public-facing internet site should not be using Windows auth.
2) Making the web server authenticate against SQL Server. If using Windows auth in part 1, you could impersonate the user and use an integrated SQL login, but I've not seen a good use case for this. If your web server is dedicated to a single app, it might make sense to use the security context of the web server to make the SQL connection via an integrated login. But in reality I've never used it, because in hosting environments it is pretty common for the database server and the web server to be in separate NT domains (esp. if the web servers are outside the firewall).
There are countless possible explanations for the behavior you describe, but I'm guessing you are concerned about the auth issues.
I'm building a Java app that needs to get some data from a web service. I've been provided with a WSDL file and all the info I need, but I'm getting back the 401 code, not authorised. I've been told by the guy who did the web service that the web service directory in IIS must have anonymous authentication turned off, therefore I need to pass Windows credentials. I've been googling for a solution for quite a while but not found anything that doesn't pass the username and password directly. What I need to do is to use the credentials the user is logged in to Windows with, so that entering the username and password is no longer needed. Has anyone any experience with this? I found something called SPNEGO, but that also uses username and password directly.
Thanks for any help.
You did not write which web service framework you use (I assume you're not creating and sending the SOAP request by hand).
I assume that the web service is secured via HTTP basic authentication.
If I were you, I'd do a quick test with the testing tool soapUI, which supports this feature, against your web service and check if this is the case
(See: http://www.soapui.org/SOAP-and-WSDL/authenticating-soap-requests.html)
If you are successful, you will need to pass the user and password within the HTTP header area.
(See part "client" here: http://en.wikipedia.org/wiki/Basic_access_authentication for an example value)
Yeah, sorry, forgot to mention that I'm using Axis. Nevertheless, I finally managed to authenticate to the service; as it turned out it didn't use basic authentication but NTLM. So now I do something like this:
import org.apache.axis.client.Stub;
// Locator and port type are generated by Axis WSDL2Java from the service's WSDL
BAWebServiceLocator locator = new BAWebServiceLocator(getEngineConfiguration());
BAWebServiceSoap baWebServiceSoap = locator.getBAWebServiceSoap(url);
// Credentials on the Axis Stub are used by the HTTP transport when the server challenges (here with NTLM)
((Stub) baWebServiceSoap).setUsername(props.getProperty("username"));
((Stub) baWebServiceSoap).setPassword(props.getProperty("password"));
So I still have to pass in my username and password. What I'd like to do is to use the credentials that I am logged in to Windows with. Any ideas?
I need to know if a user entered correct login information for Microsoft Active Directory.
I want the user to enter a username and password on an XPage and it should only return whether these values were entered correctly or not.
I know I can use LDAP requests and send in credentials but have not seen any working solutions for this.
I need to use Java as the code should be able to run on non-Windows servers.
There are a number of approaches you can take:
The easiest would be to link the AD to Domino using Directory Assistance and let users log in using their AD credentials in the first place.
If IIS is running on the AD server, you could send an HTTP request using the Apache HttpClient (and basic authentication) and see what comes back.
The best working Java libraries are listed in the Apache Directory project. There you would do an LDAP query (e.g. for the user herself).
Let us know which one works for you
You can use JNDI to access the Active Directory. There are a lot of resources on the web on how to do this; for example, have a look at http://mhimu.wordpress.com/2009/03/18/active-directory-authentication-using-javajndi/
You have tagged the question as XPages; do you want to do the authentication from inside Domino? In that case the Domino server could do the authentication.
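The bind-based check that both the Android question above and this XPages question ask for, as an added example that is not code from either thread. It uses the UnboundID LDAP SDK (the library the Android answer links to) rather than JNDI, because JNDI's LDAP provider is not available on Android while UnboundID runs on Android and on Domino or Linux JVMs alike. The domain controller host, UPN suffix, search base and truststore path are assumed placeholders. Two things the page's threads do not mention and that matter in practice: an empty password must be rejected before binding, because AD treats an empty-password simple bind as an anonymous bind and returns success, and the connection must be LDAPS with the DC's CA pinned so the password is never sent in clear or to an impostor.

```java
import java.security.GeneralSecurityException;

import com.unboundid.ldap.sdk.Filter;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.SearchResult;
import com.unboundid.ldap.sdk.SearchResultEntry;
import com.unboundid.ldap.sdk.SearchScope;
import com.unboundid.util.ssl.SSLUtil;
import com.unboundid.util.ssl.TrustStoreTrustManager;

/**
 * Verifies a username/password against Active Directory by binding as that user over
 * LDAPS, then reads one attribute from the user's own entry. Host, domain, base DN and
 * truststore are assumed placeholders for this example.
 */
public final class AdCredentialCheck {

    private static final String LDAP_HOST = "dc.example.com";       // assumed domain controller
    private static final int LDAPS_PORT = 636;
    private static final String UPN_SUFFIX = "@example.com";        // assumed AD domain
    private static final String USER_BASE = "DC=example,DC=com";
    private static final String TRUSTSTORE = "/etc/app/ad-ca.jks";  // CA that issued the DC certificate

    /** Outcome of a check; value is null when the entry has no such attribute. */
    public static final class Result {
        public final boolean authenticated;
        public final String value;
        Result(boolean authenticated, String value) {
            this.authenticated = authenticated;
            this.value = value;
        }
    }

    public static Result check(String username, String password, String attribute)
            throws LDAPException, GeneralSecurityException {
        // 1. Empty-password guard. AD answers an empty-password simple bind with SUCCESS
        //    (anonymous bind), so without this any known account "logs in" with a blank password.
        if (username == null || password == null || password.isEmpty()) {
            return new Result(false, null);
        }
        // 2. Accept plain account names only, so the bind name cannot be steered at another
        //    principal or domain suffix (this whitelist is an assumption; adjust to your policy).
        if (!username.matches("[A-Za-z0-9._-]{1,64}")) {
            return new Result(false, null);
        }

        // 3. LDAPS pinned to a known CA: the password never crosses the network in clear
        //    and a forged DC cannot harvest it.
        SSLUtil ssl = new SSLUtil(new TrustStoreTrustManager(TRUSTSTORE));
        LDAPConnection conn = new LDAPConnection(ssl.createSSLSocketFactory(), LDAP_HOST, LDAPS_PORT);
        try {
            // 4. Bind as the user, using the userPrincipalName form AD accepts for simple binds.
            try {
                conn.bind(username + UPN_SUFFIX, password);
            } catch (LDAPException e) {
                if (e.getResultCode() == ResultCode.INVALID_CREDENTIALS) {
                    return new Result(false, null);   // wrong password, unknown or disabled account
                }
                throw e;                               // any other directory error: fail closed
            }

            // 5. Read one attribute of the caller's own entry. Filter objects escape the
            //    assertion value, so a crafted username cannot alter the filter.
            Filter filter = Filter.createANDFilter(
                    Filter.createEqualityFilter("objectClass", "user"),
                    Filter.createEqualityFilter("sAMAccountName", username));
            SearchResult result = conn.search(USER_BASE, SearchScope.SUB, filter, attribute);
            if (result.getEntryCount() != 1) {
                return new Result(true, null);
            }
            SearchResultEntry entry = result.getSearchEntries().get(0);
            return new Result(true, entry.getAttributeValue(attribute));
        } finally {
            conn.close();
        }
    }
}
```

On Android, call check() from a background thread, never from the UI thread. On Domino, the same class can be invoked from an XPage's managed bean. Whatever calls it should treat only authenticated == true as a login, and should not distinguish "unknown user" from "wrong password" in what it shows the user, since the directory already collapses both into INVALID_CREDENTIALS.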
I want my company website to be accessible from my Android phone, but that website can only be accessed by registered members.
I have a login page in which I have to enter a registered email and password; then, directly from the login page, I have to redirect to my company web URL.
Please give suggestion
Thanks in advance
Edited, to be more explicit :
How to secure and restrict access to a website ?
Restrict network access
Maybe the simplest solution. A web site is not always available on the internet or to everybody. In fact, if your website sits on some machine in your company office, making it available on the net requires more effort than just letting local computers access it.
What does that mean? You configure your firewall and your network to allow access to your server only for some IP addresses/ports. To continue with this network-only solution, you can create a VPN that includes your mobile phone devices.
Include authentication and authorization management directly in the application
The first solution is a first pass. It allows you to forbid access to most people outside your organisation. But maybe you want more; you want, for example, that only people from marketing have access to the web site. Or maybe, depending on the user (or user group), you want to allow them to do different things.
The best way to do that is to directly manage user rights in your website. You authenticate users, and when a specific functionality is requested you first verify that the user has the credentials.
If you already have an IT department, it is likely that a directory is available with all users, their passwords and their groups. You can base your check on the directory, avoiding the hassle of creating/deleting users in your application directly.
Using a proxy to secure or authenticate access
This solution is like a mix of the other ones. First you make sure, using network restrictions, that your web site is only accessible through the proxy machine (so only one IP, basically). Then you use a web server (like the Apache HTTPD server) as a proxy, or a gateway, to access the website.
Basically, when a user wants to request your website, it doesn't directly ask the application that manages it, but the proxy. Because the application server is isolated in the network, it doesn't have to be secured.
The proxy allows you to fine-tune the behaviour of your web site:
- you can add encryption using SSL to all data that transits from the client to the server, so no sensitive data is sent unprotected
- you can compress all data that transits to optimize the bandwidth usage (really important for mobile devices and their not-so-good internet connections)
- you can use HTTP authentication to check that the user has the right to access the page. This can be just a login/password check, or a client certificate to fully secure the connection, allowing only devices with the certificate to be granted access.
You can tune access per group to certain parts of the site, but this is not as flexible as restrictions done directly by the web site application.
I didn't catch you very well. Do you mean that you want your company website to be accessible just from Android phones for registered members? If so, I think you can check what browser type can be used on Android phones, and in your website check it from the HTTP request, like String browserType = (String) request.getHeader("User-Agent");.