Tomcat NTLM Username lookup in Win7 AD environment - samba or waffle? - java

I'm writing a Java Tomcat intranet app that uses NTLM to look up a user's name. This is in a Win7 Active Directory environment.
Is it better to use Waffle or Spnego for this? (Or something better?)

Waffle has a huge following now, and will do the job well. But I am biased :)

Turns out the answer was simple LDAP lookups using the Java libraries javax.naming.directory.*.
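As an added illustration of that answer (not code from the original post), this is the kind of JNDI lookup it describes: bind to the domain controller, search the account name that NTLM reported for the request, and return the user's displayName. The LDAP URL, service-account DN and base DN are placeholders, and the filter is escaped so a username taken from the request cannot change the query.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/** Resolves an AD account name (as reported by NTLM, e.g. "EXAMPLE\\jdoe") to its displayName. */
public final class AdUserLookup {
    /** Escapes the characters RFC 4515 reserves in a filter, so request-supplied input cannot inject LDAP. */
    static String escapeFilter(String v) {
        return v.replace("\\", "\\5c").replace("*", "\\2a").replace("(", "\\28")
                .replace(")", "\\29").replace("\0", "\\00");
    }
    /** Opens a simple bind to the DC. URL and DN are placeholders; use ldaps:// outside a lab. */
    static DirContext connect(String url, String bindDn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);                       // e.g. "ldaps://dc1.example.local:636"
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);              // read-only service account, not the user
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }
    /** Strips the DOMAIN\ prefix, searches sAMAccountName under baseDn and returns displayName,
     *  or null when no account matches. Only the one attribute is requested from the server. */
    static String displayName(DirContext ctx, String baseDn, String remoteUser) throws NamingException {
        String account = remoteUser.substring(remoteUser.indexOf('\\') + 1);
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"displayName"});
        String filter = "(&(objectClass=user)(sAMAccountName=" + escapeFilter(account) + "))";
        NamingEnumeration<SearchResult> results = ctx.search(baseDn, filter, sc);
        try {
            if (!results.hasMore()) return null;
            Attributes attrs = results.next().getAttributes();
            return attrs.get("displayName") == null ? null : (String) attrs.get("displayName").get();
        } finally {
            results.close();   // release the server-side search even when an exception propagates
        }
    }
}
```

Call `displayName(ctx, "DC=example,DC=local", request.getRemoteUser())` from the servlet once the NTLM authenticator has populated the principal; close the DirContext (or pool it) afterwards.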

Related

How to Block Bad User Agents (Malwares) in Wildfly?

I am using Wildfly 10.1.0.Final on the Ubuntu 16.04.02 LTS Server, I put the SSL from letsencrypt.org running with the H2 (HTTP 2) protocol and Spring Security 4.2.2.RELEASE in Production.
The server is working fine with a very good performance and is not slow but I'm getting many bug reports in the wildfly log of java.net.URISyntaxException (Error 500), from user agents like "Mozilla / 5.0 Jorgee".
I would like to know how I can block these types of bad user agents (malware, bots, etc) and/or prevent this from happening.
Thanks in advance for all the help.
I had the same problem multiple times recently and the requests' origins were random (Brazil, Germany, Argentina, US, Ireland...). I'm not sure if there is a way to blacklist these requests within WildFly configuration; however, you may want to consider creating a custom Java EE Filter.
The solution to my problem was to get a WAF in front of the CDN but if you don't have one you may want to add Nginx in front of your Web App and blacklist the user agent "Jorgee" as well as paths such as:
/2phpmyadmin/
/admin/phpMyAdmin/
...
You can find more info in this blog post by Kurtis Rader.
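The custom Java EE Filter suggested in that answer, written here as an added example (not code from the answer or from WildFly): it rejects the "Jorgee" User-Agent and the probe paths quoted above with a 403 before the request reaches the application, and logs the source address so the traffic shows up in your own logs rather than as an Error 500. A filter only sees requests the container has already dispatched, so requests rejected earlier by Undertow or a WAF never reach it.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Drops scanner traffic at the servlet layer: matching requests get 403 and one log line. */
@WebFilter("/*")
public class ScannerBlockFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(ScannerBlockFilter.class.getName());
    // Values taken from the question and answer above; extend them from your own access logs.
    private static final List<String> BAD_AGENT_SUBSTRINGS = Arrays.asList("jorgee");
    private static final List<String> BAD_PATH_PREFIXES = Arrays.asList("/2phpmyadmin/", "/admin/phpmyadmin/");

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    /** Case-insensitive match against both blocklists; null headers are treated as empty. */
    static boolean isScanner(String userAgent, String requestUri) {
        String ua = userAgent == null ? "" : userAgent.toLowerCase(Locale.ROOT);
        String path = requestUri == null ? "" : requestUri.toLowerCase(Locale.ROOT);
        for (String a : BAD_AGENT_SUBSTRINGS) if (ua.contains(a)) return true;
        for (String p : BAD_PATH_PREFIXES) if (path.startsWith(p)) return true;
        return false;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        if (isScanner(r.getHeader("User-Agent"), r.getRequestURI())) {
            LOG.warning("blocked scanner " + r.getRemoteAddr() + " " + r.getRequestURI());
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;   // never hand the request to Spring Security or the application
        }
        chain.doFilter(req, res);
    }
}
```

Register it first in web.xml (or rely on the annotation and ordering of your other filters) so it runs ahead of the Spring Security chain; `isScanner` is package-visible so the blocklists can be unit-tested without a container.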

How to authenticate a windows user in java web service?

I recently did a quick mock up of a web service using C# on IIS. All users are using Windows so, in the web service, I was able to get the current user via NTLM.
Now I have to migrate this to a Java web service running on Tomcat or WebSphere.
What authentication options are open to me? I see that Apache HttpComponents has an NTLM feature but I can only find instructions on how to use it on the client side. Can I use it in my web service to determine the current user? (Remember, all users will be Windows users)
Just to clarify: this is for use in a company intranet and all users will be logged in to Windows. This is why NTLM seems to be the right way to go.
Try WAFFLE windows authentication framework.
(http://waffle.codeplex.com/)
It is one of the third party libraries suggested in the tomcat documentation. (https://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html)
It comes with zero configuration and all you have to do is to modify your web.xml to use Waffle as in this tutorial (http://code.dblock.org/2010/05/20/single-sign-on-tomcat-negotiate-authenticator-kerberos-ntlm-w-waffle.html)

Implementing SSO in Apache, Jetty or Java Web Service

Hello stackoverflow'ers
we are currently faced with the task of supporting Single Sign On in our Java based web service.
The setup is like this: Linux server running Apache as a proxy -> Jetty -> Java web service.
All of this in a Windows Domain with Windows workstations as clients accessing the web service through their browser (mainly IE, some firefox).
The SSO will go through the Windows AD DC utilizing Kerberos through SPNEGO.
From what I have gathered it would be possible to implement the SSO either step of the way, in Apache, in Jetty or in the Java Code itself.
What I haven't been able to figure out so far is which approach makes the most sense in the given environment.
We obviously need to access the REMOTE_USER one way or another later on to perform further authorization in our application, but this is the only real requirement we have.
So what are the actual pros and cons of implementing the SSO / SPNEGO on the Apache level vs. the Jetty level vs. in our own software, if there are any?
Any help would be greatly appreciated!
Enjoy your day,
Tom
https://github.com/michael-o/mod_spnego/ for Apache Web Server and you are done.

NTLM fails when consuming SharePoint web service from Java?

I have a Java client that consumes SharePoint 2010 standard web services (sitedata.asmx, permissions.asmx, etc) written with JAX-WS implementation from the JDK 6.
So far, authentication is done with NTLM using a custom Authenticator implementation and Authenticator.setDefault(...) approach.
When running on my test environment which has only one SharePoint server, it works fine. I can see all the NTLM negotiation using WireShark.
But, if running on a customer which has multiple servers, hardware load balancing and multiple SharePoint alternate access mappings I get Error 401 Unauthorized from the web service calls. I haven't had a chance to use WireShark to debug on that environment.
I run my client from a Windows machine (on the customer setup), so according to Java documentation it should be fine for NTLM. Also, I used the default URL from SharePoint to access the web services (not the load balanced URLs).
The machine running the client application, is not a SharePoint server. It has Windows Integrated Authentication with NTLM configured.
Also, due to SharePoint administration policies, I'm unable to access SharePoint Central Administration or do any change to the configuration (nor IIS).
I want to ask if anyone knows what the issue may be? And hopefully if anyone knows how to fix it?
Thanks in advance.
EDIT:
It's important to mention that the same permission levels were granted on both environments.
Well, finally I had a chance to use WireShark on the customer environment.
First I noticed they have NTLM v2 configured, but that's OK since Java 1.6 supports it.
Then I saw that since Windows Integrated Authentication is enabled, the current logged user credentials are sent instead of the ones configured on the code. Since logged user has no permissions on SharePoint, I received 401 Unauthorized.
According to Java documentation this is the normal behavior
In fact, if you are running on a Windows machine as a domain user, or, you are running on a Linux or Solaris machine that has already issued the kinit command and got the credential cache. The class MyAuthenticator will be completely ignored .....
which shows the username and password are not consulted. This is the so-called Single Sign-On.
I hope someone can answer this question since I think that's exactly what I need.
Finally, I observed that with HTTP first Windows credentials will be tried, and on failure the credentials provided by the code will be used instead. Thus, everything works fine.
When using HTTPS, only Windows credentials will be used, so I always got 401 Unauthorized.
Not sure what causes the difference between HTTP and HTTPS.
You have to disable the transparent authentication in Java. You can do this either by dropping in a custom rt.jar or using reflection to modify the Java classes.
tryTransparentNTLMServer and tryTransparentNTLMProxy are the fields in the HttpURLConnection which you need to set accessible and then to false when using the reflection method. Obviously just change this class if you're making your own rt.jar

integrated windows authentication equivalent for java and linux

For windows there is integrated windows authentication.
We can configure active directory and join the client to the domain.
Then all the services on the client that communicate with the IIS on the server can use the integrated authentication transparently.
Is there something similar for java, linux and some application server?
Regards
I recommend you to use LDAP and PAM.
There is a similar question, where you can find info.
Hope that helps,
You may want to look at the steps for Moodle, to get NTLM working in Apache, on Linux, as that may be what you are looking for, since you already have active directory.
http://docs.moodle.org/en/NTLM_authentication#APACHE_Configuration
This will be between Apache and the browser, so, if you want it to work with Tomcat, then you may need to use JK (http://tomcat.apache.org/connectors-doc/) to have connections come in to Apache and then be forwarded to Tomcat, after authentication takes place.