Background
On the project I work on we have GUI applications running on several different servers. Due to their user interface similarities I am investigating combining their OMIs into a single unified interface. Currently these applications are all remotely viewable via VNC. I plan to take advantage of this by having the master display run several VNC viewers under the covers and wrap an interface around these VNC sessions to make them appear like native applications.
Problem
I am looking for pointers for architecting a single sign-on solution. I want to eliminate each application's individual login and instead have users login to the unified display only. When they do that they would then be automatically logged in to each of the individual apps.
Constraints
The applications are all Swing-based Java apps running on Linux.
Authentication is performed by a Windows 2003 Server machine with Active Directory.
I'd strongly prefer an off-the-shelf solution to a custom-built one.
Ideas
My investigation has pointed me towards Kerberos and GSSAPI. Kerberos's ticket-based mechanism seems well-suited to the task.
One tricky bit is that these applications are always running. I need the unified display to somehow "tell" them when the user has logged in. It's not like normal Kerberized programs where they will perform a Kerberos login at startup.
If I use Kerberos I'm not sure how to transfer tickets to the various application servers. Is there a standard way to transfer them? Do I just use "scp" or something? Or do I develop my own socket-based network protocol and have the Java programs connect to each other and transfer tickets that way?
I don't want to get too bogged down in the details, though. I'd appreciate even general ideas like "have you considered Technology X?" or "try XYZ instead of VNC, it does this for you."
Updates
I'll edit in answers and clarifications here...
Have you considered that some authentication must take place anyway and that VNC only exports the view to a running program, so a VNC session cannot transport tickets?
Yes, indeed. Java + VNC is what we have right now. I could change out VNC for something else if there's a better way to remotely view the apps. Without rewriting them, that is. The ideal solution would be to separate them into distinct client and server pieces and put all the GUI code into the client, but that's 5-star difficulty and I need 1- or 2-star.
Have you considered the case when two users log in the same time? Will they see the same app? Or will this be forbidden?
Yeah, I've considered that. They will either see the same app or it will be forbidden. Either solution is okay as far as this particular system goes, so this isn't a big deal.
Have you considered just using an X Server on your local host and export the clients applications windows?
Yeah, this would be great. Can this be done with already-running apps? I have to connect to these apps after they've already started. I can't start them on demand when somebody fires up the central viewer.
RealVNC Enterprise Edition supports AD authentication (~$50 per exported desktop). Perhaps you can simply let people authenticate into the apps that way. FreeNX supports PAM authentication, so you could perhaps hack something together with winbind, especially if your Linux distribution makes AD setup easy.
One last thing is running your apps in VirtualBox, which can run in a headless mode via RDP. You can authenticate against PAM and thus winbind. This also has the advantage of being Windows-friendly on the client side via Remote Desktop, which is pre-installed or readily available for Windows.
Okay, I will try and start this list. Have you considered...
JAAS? Should include the GSS API, but was very cumbersome the last time I tried it.
that some authentication must take place anyway and that VNC only exports the view to a running program, so a VNC session cannot transport tickets?
a browser-based solution with an embedded Java VNC client? At least IE is able to carry out Kerberos authentication; I don't know about the other browsers, or HOW IE does that.
the case when two users log in the same time? Will they see the same app? Or will this be forbidden?
just using an X Server on your local host and export the clients applications windows?
EDIT: More considerations:
When using the X Server variant, use xmove to move the programs to the X Server.
You can use SSH authentication with private/secret keys and let the user enter one passphrase to connect to all your servers. SSH agent is the keyword.
With the existing SSH connections, start xmove on all the machines, collect all GUIs and send them to the client. You could even write a little MainWindow, with buttons for each app, and when clicked, export only one of the apps, so it seems like they have been started from the main GUI.
Related
For a JavaFX application which connects to a rest web service to function, are there any obvious strategies for building a single version of your application which knows which server environment (QA/Prod) to connect to? How is this type of thing "typically" done? Are separate QA and Production builds recommended?
Obviously, you'd want to make it easy for users to hit production without hassles, but also prevent your testers from accidentally interacting with production instead of QA.
This would be for a web-start JavaFX application, so while ideally the binaries would be identical, the main difference is the server the application came from (which web-start page they logged into initially to initiate their server side session).
If you are using JNLP files, you might want to add some start parameter on the fly, which controls the targeted system. You could implement some download page where you adjust the parameters inside the JNLP file, but this does not prohibit users from using the wrong downloaded JNLP file.
Why not make it possible to select the server inside some settings, locked behind some "I want to be part of BETA testing" flag?
This question is not really JavaFX-related, more a general thing I guess ;)
I am a Java developer, and I have never worked with server applications.
Now I plan to write a distributed server with a workflow like this:
1. Client (desktop application) logs in to the core (auth) server.
2. Core server chooses one of the work servers and redirects the client to this server.
3. Work server is a specific application that can be hosted on another machine.
4. Work server can redirect the client back to the core server, and we can repeat step 2.
So, if I were to implement this myself, there would be a daemon application on every real host server that communicates with the core server and runs further daemons, one per work server. It's possible to write this by hand, but I'm worried about the security and performance of such a solution.
But I'm pretty sure there must be something much better for such a workflow. Or a better workflow for achieving similar results.
I ask you to give me the right direction for my investigation. I looked at Java EE and the Spring Framework, but they are too big, and I'm not sure they contain exactly what I need.
Many thanks for any useful information!
Currently we are developing a Java app that runs on Tomcat and uses PostgreSQL.
And we have an introductory website (Joomla 2.5 based) that explains the app and also has a register module, which runs on Apache/PHP on a different server.
Our goal is that the clients go directly to our Joomla website, register there and then can go directly to the web app.
Very much like www.tiendanube.com or Shopify.
The Java app has a login as well as the Joomla website. We need to unify those processes, and we cannot find a way to achieve this.
The problem is also that Joomla cannot run on the same server as the web app.
Is there any way to interconnect both the web page and the app (which run on different servers) to make them look as one?
So we thought that when the user registers in Joomla it also has to be saved in the same PostgreSQL database of the Java app. Since the Java app is running on a different server we cannot access the PostgreSQL database of the Java app.
That can be a solution; still, we are pretty sure there has to be an easy solution, or a more powerful and better solution for this.
Also, the two services being on different servers, it seems that we are not able to maintain the same domain for both.
We will really appreciate some help
Thanks very much
Facundo
You have at least two ways to do it.
Use LDAP, Gmail authentication or equivalent. Easy, Joomla already has it.
Do it the manual way with "Single Sign-On across multiple domains". You will have to understand how session cookies work and avoid some problems.
Please read my recent answer on implementing SSO across subdomains in joomla
We are planning to develop a remote desktop sharing feature in our web application (written in Java) where one user will be able to connect to another user's desktop with full access.
I don't want to use applications like TeamViewer. It has to be some kind of web browser plug-in or feature.
I found the following couple of solutions: Adobe Connect and the java.awt.Robot class.
Can anyone please let me know best option available?
It will be great if there is any open source project which can satisfy these requirements.
Try RealVNC out of the box, it has a built in Java web-client that allows full control. Most of the standard flavors of Linux run it, this, of course, totally depends on your user base and what you're trying to do but for an internal tool it is perfect.
http://www.realvnc.com/products/free/4.1/man/vncserver.html
The above link is the documentation for VNC server. It can be configured to one-session per port, it is just a matter of making sure the ports are correct. It sounds like you're reinventing the wheel on this one. There's a horde of good free products out there to handle this. For an infinite user-base this probably wouldn't be the best solution. For an internal tool it works wonders.
So far, I've been searching far and wide on the internet for the best practice when it comes to writing a Java server with a GUI (for stopping and starting it). I know that I have to run the server in a separate thread from the GUI, but I was also thinking that it may be a little less complicated if I made each piece, the server and the GUI, its own Java program or process. If I go with the latter, how do I interact with the server from the GUI if they aren't the same application? Would I just kill the process from Java? I really need some help (or maybe a tutorial).
P.S. I'm going to write the client for other PC's and android phones in the house so I could create a simple messaging system in the network for easy copy and paste between devices so I was considering building the GUI and server in with the client so I could distribute that and it would be two way but I'm not sure if thats the right approach or not.
Thanks!
You, sir, are looking for an Application Server, like JBoss. Interact with it using web pages as the GUI. Use HTTP as your messaging protocol (POST and GET). Use Eclipse for Java EE
and read some tutorial / guide. It might be something to learn now, but you'll benefit from it later.
For your requested functionality, create a web application with a servlet for receiving HTTP requests first.
I don't think there is a 'right' way to do this. If as you say, you want to have more than one client (an app running on PCs and an app running on android phones), then you are better off going for a client-server architecture, where your server and your client are two (or more in the case of the different GUIs you want to create) different programs.
The way they can communicate is also open for you to choose. You can go low level and connect through sockets, or you could use HTTP and create web clients.
If you give us a bit more context about what you want to create (server and client are way too generic words) then we could give more tailored questions.