I'm deploying a Java application built with Spring on a Windows network. The network uses Active Directory, so the users log in to their desktops with their Active Directory user names.
Now, I'm trying to add a feature so that when the user opens the browser to access this application (which is deployed on the same network), the application automagically picks up their username and authenticates them.
During my research I came across this blog post: http://blog.springsource.org/2009/09/28/spring-security-kerberos/ However, I think this approach might not be required in my scenario, since I'm deploying the application to the same Windows network.
Question
What could be some ways to simply access the user token so that my web app can authenticate the users?
We use NtlmHttpFilter.
You configure it as a filter in your web.xml, tell it where your domain controllers live, and it pretty much just works. Internet Explorer will provide credentials without you taking any action, Firefox (and I suppose Chrome) will prompt you for a login.
Background: I currently have a Java web application which is run on localhost on my Mac. Users can log in to the web application, and their credentials are validated against an OpenLDAP server which is run on a certain port on my local machine as well (specifically using this docker image). The web application includes code which interacts with the LDAP server to provide the login username and password. Upon successful validation, the users are logged in and can continue to use the features of the app.
Problem: This web application will be deployed to clients who will be using Windows. They are requesting SSO capabilities, i.e. successful login to their Windows machines under their domain bypasses the need for logging in to the web application when they run it. The clients cannot have some other Java application running on their machine which will help with SSO; simply logging into their Windows machine should bypass the need for logging into the web application, which means Windows needs to be configured a certain way, and the web application needs to be configured a certain way for SSO. For testing purposes, I am using a Windows 7 virtual machine which is run on the same machine that I am running and testing the web application on.
I've done research on SPNEGO, Java GSS API (looks like it needs client-side code to communicate with the server), Kerberos, Windows IIS etc. I know how to enable Windows Integrated Authentication in Windows, but I don't know how to actually use this with my web application to enable SSO. Basically, I am still struggling with how to implement SSO capabilities in my specific case under these circumstances. Here are some specific questions:
Can browsers be configured to send encrypted Windows credentials of the machine they are running on to the web application, which can then be decrypted by the web application and authenticated against LDAP? If so, how does this work?
Can the Windows login credentials be configured to point to an LDAP server that validates them?
Overall, how can I integrate single sign-on for a web application running on a Windows machine, where the web application is configured to authenticate credentials through an LDAP server?
Windows SSO is based on Kerberos, not on LDAP. The reason why people usually mix them up is that Microsoft Active Directory acts as both LDAP server and Kerberos server.
If you need transparent authentication (SSO) for your Windows users you have to implement Kerberos authentication.
The way Kerberos is implemented for web applications is called SPNEGO.
You need to do the following:
Create a service account in Active Directory for your server, say REALM\svc_server
Create an SPN for your server which will bind the domain name of your server to this service account. If your server is running on https://server.acme.com, it should be HTTP/server.acme.com
If a Windows user is logged into domain REALM and goes to https://server.acme.com, the browser will look up an SPN based on the name HTTP/server.acme.com, request a Kerberos ticket from Active Directory and send it to the server in an Authorization header as per the SPNEGO specification
Now you just need to validate this ticket using the built-in Java Kerberos API or using some third-party library (kerb4j, spring-security-kerberos, etc.)
As you can see, LDAP is not involved in this authentication flow (although it can be used for authorization as a next step).
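The Authorization header in the third step carries a GSS-API/SPNEGO token. What follows is an added example (not code from this answer, nor from kerb4j or spring-security-kerberos) that decodes such a header just far enough to tell which mechanism the browser actually chose: a Kerberos ticket, NTLM wrapped in SPNEGO, or a bare NTLM message of the kind the NtlmHttpFilter in the first answer consumes. It does not validate the ticket; that remains the job of the Kerberos library. The practical use is diagnostic: if the server keeps seeing NTLM fallback from domain-joined browsers, the SPN from the second step is usually missing or registered on the wrong account. All sample tokens are constructed inside the block with a tiny DER encoder.

```python
import base64

# Well-known mechanism OIDs that appear in SPNEGO tokens.
SPNEGO_OID = "1.3.6.1.5.5.2"
KERBEROS_OIDS = {"1.2.840.113554.1.2.2",   # Kerberos V5
                 "1.2.840.48018.1.2.2"}    # Microsoft's legacy Kerberos OID
NTLM_OID = "1.3.6.1.4.1.311.2.2.10"        # NTLMSSP carried inside SPNEGO


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Turn DER OID content bytes into dotted notation."""
    arcs, cur = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))


def classify_negotiate_token(header_value):
    """Classify an 'Authorization: Negotiate <base64>' header value.

    Returns {"kind": ..., "mechs": [offered mechanism OIDs, preferred first]} where
    kind is one of: not-negotiate, raw-ntlm, spnego-kerberos, spnego-ntlm-fallback,
    spnego-other, unknown.
    """
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return {"kind": "not-negotiate", "mechs": []}
    raw = base64.b64decode(b64)
    if raw.startswith(b"NTLMSSP\x00"):
        # Bare NTLM message under the Negotiate scheme: no Kerberos ticket at all.
        return {"kind": "raw-ntlm", "mechs": [NTLM_OID]}
    # GSS-API InitialContextToken: [APPLICATION 0] { thisMech OID, innerContextToken }
    tag, body, _ = _read_tlv(raw, 0)
    if tag != 0x60:
        return {"kind": "unknown", "mechs": []}
    tag, oid, pos = _read_tlv(body, 0)
    if tag != 0x06 or _decode_oid(oid) != SPNEGO_OID:
        return {"kind": "unknown", "mechs": []}
    tag, neg_init, _ = _read_tlv(body, pos)          # [0] NegTokenInit
    if tag != 0xA0:
        return {"kind": "spnego-other", "mechs": []}
    _, seq, _ = _read_tlv(neg_init, 0)              # NegTokenInit ::= SEQUENCE
    tag, mech_types, _ = _read_tlv(seq, 0)          # [0] mechTypes is the first element
    mechs = []
    if tag == 0xA0:
        _, inner, _ = _read_tlv(mech_types, 0)      # SEQUENCE OF MechType
        p = 0
        while p < len(inner):
            t, v, p = _read_tlv(inner, p)
            if t == 0x06:
                mechs.append(_decode_oid(v))
    if mechs and mechs[0] in KERBEROS_OIDS:
        kind = "spnego-kerberos"
    elif mechs and mechs[0] == NTLM_OID:
        kind = "spnego-ntlm-fallback"   # browser got no ticket: check the SPN registration
    else:
        kind = "spnego-other"
    return {"kind": kind, "mechs": mechs}


# --- CONSTRUCTED sample tokens (small DER encoder so the samples are self-consistent) ---

def _der(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))


def build_sample_negotiate_header(mech_oids, mech_token=b"\x00" * 16):
    """Constructed NegTokenInit offering mech_oids with a dummy mechToken (not a real ticket)."""
    mech_types = _der(0xA0, _der(0x30, b"".join(_encode_oid(o) for o in mech_oids)))
    token = _der(0xA2, _der(0x04, mech_token))
    neg_init = _der(0xA0, _der(0x30, mech_types + token))
    gss = _der(0x60, _encode_oid(SPNEGO_OID) + neg_init)
    return "Negotiate " + base64.b64encode(gss).decode()


# Constructed NTLM Type 1 message: signature, message type, flags, empty domain/workstation fields.
SAMPLE_RAW_NTLM_HEADER = "Negotiate " + base64.b64encode(
    b"NTLMSSP\x00" + b"\x01\x00\x00\x00" + b"\x07\x82\x08\xa2" + b"\x00" * 16).decode()


if __name__ == "__main__":
    samples = [
        ("kerberos", build_sample_negotiate_header(
            ["1.2.840.113554.1.2.2", "1.2.840.48018.1.2.2", NTLM_OID])),
        ("ntlm-fallback", build_sample_negotiate_header([NTLM_OID])),
        ("raw-ntlm", SAMPLE_RAW_NTLM_HEADER),
    ]
    for label, header in samples:
        print(label, classify_negotiate_token(header))
```

Logging the returned `kind` per request alongside the client address gives a cheap health signal for the Kerberos setup: a domain-joined browser that negotiates Kerberos once and then shows `spnego-ntlm-fallback` after a server rename or a duplicate SPN is the typical symptom, and it is visible without ever decrypting the ticket.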
I have a question about integrating authentication into my web application.
First let me give the relevant technology background of my web application -
Application/Web Server - Tomcat 8.5
Underlying OS - CentOS 7.x 64-bit
Programming technology - Java Servlets 3.1
JDK version - 1.8
UI technology - Browser based; Developed using Angular2/Javascript/HTML/CSS
Web application users - Targeted at enterprise users
As of now, there isn't an authentication system built into the web application. However, as I build this web application, I need to include an authentication module.
My main points to consider as I decide on authentication system/technology are -
I preferably do not want my application to deal with the storage and protection (on disk) of the user credentials
I preferably do not want my application to deal with enforcing password complexity, history, expiration policies etc.
My application will have to provide for -
A login page to allow the user to login
A change password page
A create user page
Based on the above, I am currently thinking of deploying a Windows Server 2016 instance as the Active Directory(AD) server that will hold the credentials for the application users. Note that at this point, this Windows server is not planned to be shared with any other application to support a single sign-on experience across applications.
I am planning to configure my Tomcat server with a JNDI realm to authenticate users (against the AD) and then use some kind of Java AD library that will allow me to create a user and change a user's password in AD via my application's create user and change password pages.
My application will support its own custom roles and authorization constraints, so I am not looking to use AD's group membership for authorization within the web application.
My questions are -
With the above setup, are there any reference authentication systems/libraries/modules that might be better suited (than AD) to integrate within my web application?
If I go with the above Windows AD server approach, then are there any Java (inbuilt or community developed) AD libraries that allow for creating a user in AD, changing a user's password in AD etc.? I have used the JNDI realm before, so I am sure that it can be used to authenticate the incoming user against AD.
I am not an expert in Spring Security and my web application does not currently use Spring Security but I am open to using it if Spring Security includes a solution to my problem described above.
I am also not worried about supporting single sign-on as such, and it's totally fine in my scenario if the application users have a separate login for my application.
Since my web application is targeted at enterprise users, I don't want to leverage Facebook authentication. As much as possible I want to ensure that the credentials are maintained in a server within the deployment infrastructure rather than the credentials being hosted and maintained by a 3rd-party service.
Thank you for your help and suggestions
I have the following problem. The customer has a Java EE web application running in EAServer 5.5.0 with a custom login. The login is very simple: when the application validates the credentials entered by the user through a web page, it stores the user name and profile in a session variable. That way the application knows if the session is still alive. Now, the customer has another Java EE web application running in JBoss Server 7.1 and wants the user, when logging in to the web application running on EAServer, to be logged in to the application running in JBoss Server at the same time without any further steps.
My first idea was to send the credentials via an AJAX call from EAServer to the JBoss web application and store the credentials in the session, the same way as EAServer does. That seems to work fine on Internet Explorer, but in Chrome or Firefox the AJAX call is done and the session variables are created in JBoss, but when the user tries to see any view on the JBoss application the session variables are just gone.
Can somebody please tell me what is the best way or practice to do this? Or what kind of problem am I facing with Chrome and Firefox that they don't keep the session variables after the AJAX call?
One way you can do it is the single sign-on that Leonardo Luiz suggested in the comment.
But I have another suggestion. Just install Redis and use it as a session store. This is very standard nowadays and it's broadly used in Ruby on Rails, Node.js and Java as well.
Some libraries that might get you going:
Spring Session
Tomcat Redis Session Manager (I know you are using different servlet server, but still you can take a look to get the idea)
Or you might opt to use memcached. In that case you might use:
memcached-session-manager
The feature you need is called Single sign-on. I believe it's better to integrate an existing solution on your environment than create a custom one.
I already used two solutions for that:
http://picketlink.org/federation/ (Deprecated)
https://www.apereo.org/projects/cas
It will not be an easy task and requires some knowledge of security concerns.
If you really want to create a custom solution, there is some information here: http://merbist.com/2012/04/04/building-and-implementing-a-single-sign-on-solution/
My project is an Android application that communicates with a server. The server is written in Java, deployed in Tomcat, and running on a Windows Server host.
I need to provide authentication against Windows domain accounts. Basically I need to ask the user of the app to type in their username and password; send this data to the Tomcat server; and have the server authenticate it.
I'm having trouble finding a straight answer as to how to do this. Since my app is not a web site, I don't have the option to do browser redirects or anything like that, and obviously the Android device on which the app runs is not a Windows machine and will most likely not even be on the local network.
I don't really need to execute anything as the Windows user, I just need to know that they are who they say they are. Hopefully there is a simple way to do this?
Thanks.
Assuming you want to use Java EE container-based form authentication, on the server you'll have to:
secure your web application
configure Tomcat to use Windows authentication
On the client, you can:
POST application/x-www-form-urlencoded login data with the special keys in the web form (j_password, etc.)
retain the session cookies in the response for subsequent interactions with the server
I haven't tested the specifics with these exact technologies, but the approach is sound.
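The two client-side bullets above, as an added example that is not part of this answer: a Python client that POSTs `j_username`/`j_password` to `j_security_check` (the standard Java EE form-login action), keeps the `JSESSIONID` cookie in a cookie jar, and presents it on a later request to a protected resource. The container on the other end is a constructed loopback stub, not Tomcat and not Windows authentication; it only checks a hard-coded constructed credential and issues the cookie so that the flow runs offline. The shape of the client code is the same whatever the container does behind `j_security_check`.

```python
import hmac
import http.cookiejar
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# CONSTRUCTED stand-in for a servlet container using FORM authentication. It is not
# Tomcat and does not talk to Windows; it exists only so the client flow runs offline.
VALID_USERS = {"alice": "s3cret"}     # constructed test credentials
_SESSIONS = set()                     # session ids the stub has issued


class _StubContainer(BaseHTTPRequestHandler):
    def _has_valid_session(self):
        for part in self.headers.get("Cookie", "").split(";"):
            name, _, value = part.strip().partition("=")
            if name == "JSESSIONID" and value in _SESSIONS:
                return True
        return False

    def do_POST(self):
        # The Java EE login action: j_security_check with j_username / j_password fields.
        if self.path != "/j_security_check":
            self.send_error(404)
            return
        length = int(self.headers.get("Content-Length", "0"))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        user = form.get("j_username", [""])[0]
        password = form.get("j_password", [""])[0]
        if not hmac.compare_digest(VALID_USERS.get(user, ""), password):
            self.send_response(401)
            self.end_headers()
            return
        sid = f"sid-{len(_SESSIONS) + 1:04d}"     # constructed, predictable: stub only
        _SESSIONS.add(sid)
        # A real container redirects to the originally requested page; 200 keeps the stub simple.
        self.send_response(200)
        self.send_header("Set-Cookie", f"JSESSIONID={sid}; Path=/; HttpOnly")
        self.end_headers()

    def do_GET(self):
        # Protected resource: only a request carrying a known session cookie succeeds.
        self.send_response(200 if self._has_valid_session() else 401)
        self.end_headers()

    def log_message(self, *args):  # silence per-request logging
        pass


def login_and_fetch(base_url, username, password):
    """Client side of the answer: POST the form-login fields once, keep the session
    cookie, and reuse it for a protected request. Returns the observed statuses."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    body = urllib.parse.urlencode({"j_username": username, "j_password": password}).encode()
    login = urllib.request.Request(
        base_url + "/j_security_check", data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    result = {"login_status": None, "has_session_cookie": False, "api_status": None}
    try:
        with opener.open(login) as resp:
            result["login_status"] = resp.status
    except urllib.error.HTTPError as e:
        result["login_status"] = e.code
        return result                        # no session was issued; stop here
    result["has_session_cookie"] = any(c.name == "JSESSIONID" for c in jar)
    try:
        with opener.open(base_url + "/api/whoami") as resp:   # jar adds the cookie
            result["api_status"] = resp.status
    except urllib.error.HTTPError as e:
        result["api_status"] = e.code
    return result


def start_stub_container():
    """Start the constructed stub on a free loopback port; returns (server, base_url)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), _StubContainer)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def demo():
    """Run one good and one bad login against the stub; returns both result dicts."""
    server, base_url = start_stub_container()
    try:
        good = login_and_fetch(base_url, "alice", "s3cret")
        bad = login_and_fetch(base_url, "alice", "wrong-password")
    finally:
        server.shutdown()
        server.server_close()
    return good, bad


if __name__ == "__main__":
    print(demo())
```

Because the Windows password travels in the POST body, the real deployment has to use TLS on the Tomcat side, and the client should treat a 401 on the protected call as the session having expired and log in again rather than caching the password for longer than the login itself.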
I want to invoke a Desktop Application. Before invoking that Desktop App the user should log in to the Web Application, and the same credentials are to be used in the Desktop App. The Web Application is ASP.NET and the Desktop App is a Swing-based Java Application. Is it possible to authenticate in that case?
If you're saying you want to automatically log the user into your system from the desktop application if they're already logged in to the web application, this is going to be tricky.
If you're just asking for a way to ensure the user that logged into the desktop app used the same details as the web app, I'd consider just using IP address as authentication.
I'm not sure if I have understood your question correctly, but it seems like you want to share the same authentication source between a desktop app and a web app. This should be possible depending on what that authentication source is. For example if the web app does a look up on LDAP or on a database table, then there's nothing stopping you from doing that from the desktop application, assuming that you can get a database connection, or access the directory server.
If the authentication source of the web app is not available to the desktop app then you might want to consider writing an authentication web service and deploying this alongside your web application. This web service should be able to access the same authentication source as the web application and can be called by your desktop application.