I need to store windows username and credentials to later run some process that requires these credentials.
When I am collecting these as inputs from user, I want to validate whether credentials are correct or not. Is there a native api in Java that can help me validate windows system credentials?
I was going through LoginContext class but looks like it can only be used for SSO purpose.
One other suggestion I received was to try and start a process which requires these credentials and see if it works or fails. But this does not look the proper approach.
Please let me know if anyone has done this before or have any idea how to get it done.
Thanks,
Piyush
By credentials, you mean the user's actual password? Then you can use LDAP to try to connect to a Windows Active Directory. See related question: Windows password Authentication with LDAP
A more elaborate way to do this is to use native windows calls, perhaps via the JNA platform: http://jna.java.net/javadoc/platform/com/sun/jna/platform/win32/package-summary.html
There's a project called 'waffle' that wrapped this in a more usefull library, see e.g. the logonUser function in https://github.com/dblock/waffle/blob/master/Source/JNA/waffle-jna/src/waffle/windows/auth/impl/WindowsAuthProviderImpl.java. This talks straight to the win32 advapi32.dll.
This will also allow you to do windows authentication for local users, without a domain.
EDIT: Full working code from OP
import com.sun.jna.platform.win32.Advapi32;
import com.sun.jna.platform.win32.Kernel32;
import com.sun.jna.platform.win32.WinBase;
import com.sun.jna.platform.win32.WinNT.HANDLEByReference;
HANDLEByReference phUser = new HANDLEByReference()
if(! Advapi32.INSTANCE.LogonUser("administrator", InetAddress.getLocalHost().getHostName(),
"password", WinBase.LOGON32_LOGON_NETWORK, WinBase.LOGON32_PROVIDER_DEFAULT, phUser))
{
throw new LastErrorException(Kernel32.INSTANCE.GetLastError());
}
Related
I am trying to connect opc kepware server through a Java program, I want to know what jar files can be used to connect to KepwareserverEx.V5 and what is the code without the use of password and username.
I have referenced http://www.opcconnect.com/uakit.php, and https://github.com/digitalpetri/ua-server-sdk, but it doesn't have anything that doesn't connect without a username and a pawssword. I have a program in vb that connects to kepware using Interop.OPCAutomation.dll file and uses the code:
ConnectedOPCServer = New OPCAutomation.OPCServer
ConnectedOPCServer.Connect("Kepware.KEPServerEX.V5", "")
ConnectedGroup = ConnectedOPCServer.OPCGroups.Add("MPM Group")
ConnectedGroup.UpdateRate = 1000
ConnectedGroup.IsSubscribed = True
ConnectedGroup.IsActive = True
I want to write Java code in a similar way. Searched through the internet to see various examples, but none have the above connection without a username and password not being specified.
First of all, I assume that you have created an "anonymous" and "SecurityPolicy.None" endpoint on KepServerEX.
You refer to digitalpetri's old and server SDK. The new project is called "Milo". I can recommend you take a look at the Milo project's client SDK examples using this link. There is an application of anonymous identity and none security policy.
In terms of jar, you can either build your client-sdk (see example here) or directly download the client-sdk jar from Maven Central.
NB Milo is considered to be in incubation. That is to say, it is not mature yet. Be careful using it in production systems.
Yes that's right. The security policy is none on the KepwareServerEX. I made some permission changes on the server where Kepware exists, so that my localhost computer would be able to talk to the Kepware server host. Provided credentials for my localhost, and able to connect.
I have a server where I work with a database and files using a java app.
When I start my app I give a report regarding file access to the server using:
public static boolean folderExists(String folderPath) {
File folderToCheck = new File(folderPath);
return folderToCheck.exists();
}
Every time I start my app (after a fresh restart of my computer)
I get a false response, even though the server is on.
The reason is because I must give an authentication as another user.
What I do is access the server through Windows
where I am being asked for username/password,
and after that I get a true response regarding file access to the server.
Is there a way to give the authentication username/password through Java,
and not through Windows?
Thank you
On Windows 'native' Java IO (e.g. java.io.File) always inherits the security context of the user running the JVM process. For example, you could run the Java app as a Windows service with the correct credentials.
The JCIFS project implements CIFS (the Windows SMB file server protocol) and allows you to directly specify the username/password.
See the API for examples.
I am pretty sure, that there is no way to grant fileaccess by java, without a Windows-Call.
You can call cacls file.log /e /t /p Everyone:f but this will be language-dependent.
I had a similar problem: How to change the file ACL in windows, if I only know the SID?
With Java7 there may be a way to do this.
I can execute a command using my kerberos ticket on the kerberos server by running
ssh hostname ls
it uses the kerberos ticket I got earlier by running kinit on the client.
I want to do the same thing through a java client. I have a client that can SSH to that machine using the privatekey or the username and password.
I want the java client to use the kerberos ticket.
How can I do that?
Well from what i understand your problem statement is:
Use kinit to generate a kerberos ticket
Use Java Client to send the ticket generated for authentication
I am also assuming you are writing the code for the java client:
Well in that case you to use a jaas.conf
Sample Jaas conf:-
com.sun.security.jgss.krb5.initiate {
com.sun.security.auth.module.Krb5LoginModule required
isInitiator=true
useTicketCache=true
doNotPrompt=true;
};
Set jaas conf via system property:-
-Djava.security.auth.login.config=jaasconffilepath
This will allow you to pick up whatever is defined in default credential cache(in your case that is populated with kinit)
Once you do this:-
LoginContext lc = new LoginContext();
lc.login()
After this use Subject.doAs to elevate privileges and get your job done:-
Subject.doAs(lc.getSubject(), new YourAction())
Here YourAction is a class you define (which must implement PrivilegedExceptionAction) and in its run method do whatever you want to.
P.S In case you are not "coding" your java client you need to check for jaas documentation of the module in question and see if it is supported or not. Then all you need to do is use your jaas.conf file and you are good to go.
P.S You can avoid kinit all together by putting useTicketCache=false and doNotPrompt=false. Then you can specify password and username in your client and it will get you ticket.
P.S Please ensure you define the system property for krb5.conf for any of this to work: -D java.security.krb5.conf=krb5conffilepath
I want to know what parameters can be automatized out of the 6 used during an NTLM authentication, which are:
"Username" - The one used to login on the Operating System's profile currently in use. -Already automatized, using System.getProperty("user.name")
"Password" - Same as the above. -Probably can't be automated, but i'm never sure till i try and ask...
"ProxyAddress" - Address of the proxy, to which the authentication is "handshaked to" in order to pass. -I already pseudo-automatized, but its fixed code, thus bad.
"ProxyPort" - The listening port on the proxy previously explained. -I already pseudo-automatized, but its fixed code, thus bad.
"Workstation" - My PC's ID in the local network or something...I'm currently using my machine's property ID, and its working, but i have no idea if its the correct value, or if there is a need for a value in the first place. -No idea how to automatize, but i know it's possible. NEED HELP
"Domain" - No idea which domain it refers to, thus no idea what value it should have...leaving it blank seems to be working... -No idea how to automatize, but i know it's possible. NEED HELP
EXTRA INFO: I'm using the HtmlClient library for the process, including authentication.
DefaultCredentialsProvider credentialProvider = (DefaultCredentialsProvider) webClient.getCredentialsProvider();
credentialProvider.addNTLMCredentials(username, password, proxyAddress, proxyPort, workstation, domain);
webClient.setUseInsecureSSL(true);
I'm sort of assuming that you're talking about Apache HTTPClient and HTLMUnit, but I'm basing that assumption off the method signatures in the code you provided, so I apologize if I'm mistaken.
For NTLM, this is the remote username, not necessarily the currently logged in user on the local host. I suspect that these are the same user in your scenario, but I did want to point that out. In that case, yes, using the user.name system property will provide the name of the currently logged in user:
System.getProperty("user.name");
on Windows, you can also use the USERNAME environment variable:
System.getEnv("USERNAME");
or you could use the com.sun.security.auth.module.NTSystem class:
new NTSystem.getName();
You cannot get the user's password. However, you may still be able to perform single signon where the user does not need to provide a password (more on that below.)
The Java mechanism for specifying HTTP proxies is using the http.proxyHost system property:
String proxyHost = System.getProperty("http.proxyHost");
Note that you should also check the http.nonProxyHosts system property.
Some JREs (Mac OS comes to mind immediately) will set these system properties based on the system proxy settings. If this is not set by your JRE, you will probably want to try to determine the proxy from another source. On Unix systems, you may wish to use the HTTP_PROXY environment variable. On Windows systems, you're likely best off using the ProxySelector class, as explained in this stackoverflow post.
Similar to the http.proxyHost system property, the Java mechanism is with the http.proxyPort system property:
int proxyPort = Integer.parseInt(System.getProperty("http.proxyPort"));
To reliably get your hostname on Unix, you should really call gethostname(2) via JNI or exec /usr/bin/hostname, unfortunately. On Windows, you may use the COMPUTERNAME environment variable:
System.getEnv("COMPUTERNAME");
You can get the domain name that the local machine is joined to, however (short of prompting the user), there's no way to automatically get the domain name of the machine you're authenticating to. Of course this is moot if your local workstation and the authentication target are on the same domain. Thus, on Windows, you can either use the USERDOMAIN environment variable:
System.getEnv("USERDOMAIN");
or you can use the NTSystem class:
new NTSystem().getDomain();
Whew.
As for implementing "single signon" (such that the user need not provide a password):
You may be able to perform single signon (without needing a password) by using the Java Kerberos functionality, however I was unsuccessful in this because Java requires explicit Kerberos configuration (and does not use the host's configuration) and it does not implement some ciphers required by Active Directory. (Or that's my understanding.)
You could also perform single signon with NTLM or SPNEGO (Kerberos) by using JNI to call InitializeSecurityContext and pass the resulting tokens in the WWW-Authenticate header.
I have a server where I work with a database and files using a java app.
When I start my app I give a report regarding file access to the server using:
public static boolean folderExists(String folderPath) {
File folderToCheck = new File(folderPath);
return folderToCheck.exists();
}
Every time I start my app (after a fresh restart of my computer)
I get a false response, even though the server is on.
The reason is because I must give an authentication as another user.
What I do is access the server through Windows
where I am being asked for username/password,
and after that I get a true response regarding file access to the server.
Is there a way to give the authentication username/password through Java,
and not through Windows?
Thank you
On Windows 'native' Java IO (e.g. java.io.File) always inherits the security context of the user running the JVM process. For example, you could run the Java app as a Windows service with the correct credentials.
The JCIFS project implements CIFS (the Windows SMB file server protocol) and allows you to directly specify the username/password.
See the API for examples.
I am pretty sure, that there is no way to grant fileaccess by java, without a Windows-Call.
You can call cacls file.log /e /t /p Everyone:f but this will be language-dependent.
I had a similar problem: How to change the file ACL in windows, if I only know the SID?
With Java7 there may be a way to do this.