I'm working on a server written in Java, and a client (a desktop application written in .Net) that runs on Windows machines on the same network. I would like to have some basic authentication so that the server can determine the username of the user running the client, without needing the user to re-enter their Windows password in the client.
Is this possible, and what's the simplest way to accomplish it?
I had a look at some of the available APIs, it looks as though the org.ietf.jgss package in Java, and NegotiateStream class in .Net, should probably be able to talk to one another to achieve this - but I keep hitting frustrating error messages I don't understand. I thought I'd check if this is the right approach, if so I'll post a separate question with more detail about the errors in question :)
The approach is the right one. Notice a number of things, though:
this will have nothing to do with "Basic Authentication" (in http)
.NET will try to use the SPNEGO GSS mechanism. See the Sun documentation for proper support of this mechanism.
your service will need to incarnate a service principal. So you need to create an Active Directory account not only for the user, but also for the service, and you need to put the service's password into the Java keytab.
If you're using Active Directory, I think the Spring LDAP module can offer you a nice way to access credentials.
Not being familiar with the GSS mechanism, I would suggest a shared key mechanism like the one used in passwordless ssh.
This open source library http://spnego.sourceforge.net has exactly what you are looking for. It implements an HTTP Servlet Filter on the server so that your web-app can call request.getRemoteUser() to find out the username.
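The accept side of the handshake the first answer describes (a service principal, a keytab, and the SPNEGO mechanism through org.ietf.jgss), written out as an added example rather than code from any of the posts above. It assumes a JAAS login entry named SpnegoServer (Krb5LoginModule with useKeyTab=true, storeKey=true, isInitiator=false and the service's principal) supplied via -Djava.security.auth.login.config, a krb5.conf pointing at the domain, and a constructed 4-byte length-prefixed token framing on the socket; a real .NET NegotiateStream client uses its own record framing, which the server side must match.

```java
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.net.ServerSocket;
import java.net.Socket;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

public class SpnegoAcceptor {
    // SPNEGO mechanism OID (RFC 4178); plain Kerberos v5 would be 1.2.840.113554.1.2.2
    private static final Oid SPNEGO = oid("1.3.6.1.5.5.2");

    private static Oid oid(String s) {
        try { return new Oid(s); } catch (GSSException e) { throw new IllegalStateException(e); }
    }

    /**
     * Runs the accept side of the GSS handshake over a connected socket and returns the
     * authenticated principal name (e.g. "alice@EXAMPLE.COM"), or throws.
     * Framing is an assumption of this example: 4-byte big-endian length, then the token.
     */
    static String acceptFromSocket(Socket socket) throws GSSException, IOException {
        GSSManager manager = GSSManager.getInstance();
        // ACCEPT_ONLY: use the service's own credential from the JAAS subject (the keytab)
        GSSCredential serverCred = manager.createCredential(
            null, GSSCredential.INDEFINITE_LIFETIME, SPNEGO, GSSCredential.ACCEPT_ONLY);
        GSSContext ctx = manager.createContext(serverCred);
        DataInputStream in = new DataInputStream(socket.getInputStream());
        DataOutputStream out = new DataOutputStream(socket.getOutputStream());
        try {
            while (!ctx.isEstablished()) {
                int len = in.readInt();
                if (len < 0 || len > 64 * 1024) throw new IOException("bad token length: " + len);
                byte[] token = new byte[len];
                in.readFully(token);
                byte[] reply = ctx.acceptSecContext(token, 0, token.length);
                if (reply != null) { out.writeInt(reply.length); out.write(reply); out.flush(); }
            }
            // Refuse anonymous contexts: the whole point is to learn the AD account name
            if (ctx.getAnonymityState()) throw new GSSException(GSSException.UNAUTHORIZED);
            return ctx.getSrcName().toString();
        } finally {
            ctx.dispose();
        }
    }

    public static void main(String[] args) throws Exception {
        // "SpnegoServer" is an assumed JAAS entry name; see the lead-in for its settings
        LoginContext lc = new LoginContext("SpnegoServer");
        lc.login();
        int port = 9000; // constructed listening port
        try (ServerSocket server = new ServerSocket(port)) {
            while (true) {
                try (Socket s = server.accept()) {
                    // The acceptor must run as the logged-in service subject so the
                    // credential lookup finds the keytab-derived Kerberos key
                    String user = Subject.doAs(lc.getSubject(),
                        (PrivilegedExceptionAction<String>) () -> acceptFromSocket(s));
                    System.out.println("authenticated " + user + " from " + s.getRemoteSocketAddress());
                } catch (Exception e) {
                    System.err.println("authentication failed: " + e.getMessage());
                }
            }
        }
    }
}
```

The name returned by getSrcName() is what the server should use as the client's identity; the client never sends a password, and the service's long-term key never leaves the keytab.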
I'm looking to create a web page that sends an email from the client machine to an uncontrolled server (not from the server, this is mandatory due to an IP check). This email needs to have specific MIME tags, so "mailto:" is not an option.
I want to do this the cleanest way possible. (The user will trust the web page so is ready to click on any security warning, but repeated warnings would be annoying). Assume that we will only have access to self-signing, even if a trusted certificate might be available in the future.
Java applets seem to be strongly deprecated and no longer supported in some browsers, so I looked at Java Web Start. It seems to be a bit better, but still has whitelisting requirements, and Chrome support seems dubious.
Is there any way I overlooked? If I choose to use Java Web Start with all-permissions, what kind of problems am I looking at depending on the browser?
Your best bet is to send the email from the server hosting the web page. You would create a form for the fields or whatever, post the form to the web server, let the web server construct the email and send the mail through a sendmail-type system or through your local mail server to the server in question.
Look at JavaMail - http://www.oracle.com/technetwork/java/javamail/index.html
If you are using Spring Boot or Spring you could use their mail implementation - http://docs.spring.io/spring-boot/docs/current/reference/html/boot-features-email.html
I'm new to Java and I'm trying to understand the way we identify users who use web services.
The program will be downloaded from my website. It needs to make a connection to my server side web service program.
I think there are 2 options for identifying the user:
Register on website and download web service. A single user id key is then generated when downloading the program. I don't know if this is possible + verification of registration can only be done by email: not 100% sure of user identity.
Download web service and log in into it.
This seems a better way, but I'm not sure this is the way to do it...
Most services use HTTP authentication because the surrounding HTTP protocol already brings all the necessary features. Actually, your web service framework comes with all the plumbing necessary to easily set this up.
Another solution is to have a method which is called login() that takes a user name and a password. All other methods return errors until login() has been called successfully once.
Note that you must use HTTPS as protocol, otherwise passwords will be transmitted either as plain text or with a trivial encryption that is easy to break. Or to put it another way: Without HTTPS anyone willing to invest a couple of minutes of time will be able to use your service.
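The server-side plumbing the answer refers to, shown as an added example (not code from the question or the answer): a servlet filter that only accepts HTTP Basic credentials on an HTTPS connection, decodes the Authorization header, and compares password hashes in constant time. The user store and its password are constructed for the example, and javax.servlet is assumed.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class BasicAuthFilter implements Filter {
    // Constructed demo store: username -> SHA-256(password). A real deployment would
    // use a salted, slow password hash (bcrypt, PBKDF2) backed by a user database.
    private static final Map<String, byte[]> USERS = Map.of(
        "alice", sha256("correct horse battery staple"));

    static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Parses "Basic base64(user:pass)"; returns {user, pass} or null if malformed. */
    static String[] parseBasic(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(header.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return null;
        }
        String pair = new String(raw, StandardCharsets.UTF_8);
        int colon = pair.indexOf(':');  // split on the first ':' only; passwords may contain ':'
        if (colon < 0) return null;
        return new String[] { pair.substring(0, colon), pair.substring(colon + 1) };
    }

    /** Constant-time check: unknown user and wrong password take the same time. */
    static boolean verify(String user, String pass) {
        byte[] expected = USERS.getOrDefault(user, sha256(""));  // dummy hash for unknown users
        boolean match = MessageDigest.isEqual(expected, sha256(pass));
        return match && USERS.containsKey(user);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Never accept credentials over plain HTTP: Basic is only reversible base64
        if (!request.isSecure()) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }
        String[] creds = parseBasic(request.getHeader("Authorization"));
        if (creds == null || !verify(creds[0], creds[1])) {
            response.setHeader("WWW-Authenticate", "Basic realm=\"webservice\"");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Downstream code can now trust creds[0] as the caller's identity
        request.setAttribute("authenticatedUser", creds[0]);
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```

Map it in web.xml (or with @WebFilter) in front of the web service URL pattern. The same filter structure works for the login() variant from the answer: verify once, then store the identity in the session instead of checking a header on every call.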
I'm building a Java app that needs to get some data from a web service. I've been provided with a WSDL file and all the info I need, but I'm getting back the 401 code, not authorised. I've been told by the guy who did the web service that the web service directory in IIS must have anonymous authentication turned off, therefore I need to pass Windows credentials. I've been googling for a solution for quite a while but not found anything that doesn't pass the username and password directly. What I need to do is to use the credentials of the user logged in to Windows, so that entering the username and password is no longer needed. Has anyone any experience with this? I found something called SPNEGO, but that also uses username and password directly.
Thanks for any help.
You did not write which web service framework you use (I assume you're not creating and sending the SOAP request by hand).
I assume that the web service is secured via HTTP Basic authentication.
If I were you, I'd do a quick test with the testing tool soapUI, which supports this feature, against your web service and check if this is the case
(See: http://www.soapui.org/SOAP-and-WSDL/authenticating-soap-requests.html)
If you're successful, you will need to pass the user and password within the HTTP header area.
(See part "client" here: http://en.wikipedia.org/wiki/Basic_access_authentication for an example value)
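The client side of what the answer describes, as an added example that is not from the question or the answer: building the Authorization header value the linked Wikipedia page shows and posting a SOAP envelope with java.net.HttpURLConnection, refusing to send the credentials unless the endpoint is https. The endpoint URL, SOAPAction and envelope are constructed placeholders, and the credentials are read from environment variables (assumed names WS_USER and WS_PASSWORD) rather than a properties file.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class BasicAuthSoapClient {
    /** "Basic " + base64("user:pass"); for Aladdin / "open sesame" this is
     *  "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==", the value from the Wikipedia article. */
    static String basicHeader(String user, String password) {
        if (user.indexOf(':') >= 0) throw new IllegalArgumentException("username must not contain ':'");
        String pair = user + ":" + password;
        return "Basic " + Base64.getEncoder().encodeToString(pair.getBytes(StandardCharsets.UTF_8));
    }

    /** Posts a SOAP envelope with Basic credentials and returns the HTTP status code. */
    static int postSoap(URL endpoint, String soapAction, String envelope,
                        String user, String password) throws IOException {
        // Basic is reversible encoding, not encryption: only ever send it inside TLS
        if (!"https".equalsIgnoreCase(endpoint.getProtocol())) {
            throw new IllegalArgumentException("refusing to send Basic credentials over " + endpoint.getProtocol());
        }
        HttpURLConnection conn = (HttpURLConnection) endpoint.openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setInstanceFollowRedirects(false);  // a redirect must not carry the header elsewhere
        conn.setRequestProperty("Content-Type", "text/xml; charset=utf-8");
        conn.setRequestProperty("SOAPAction", soapAction);
        conn.setRequestProperty("Authorization", basicHeader(user, password));
        try (OutputStream out = conn.getOutputStream()) {
            out.write(envelope.getBytes(StandardCharsets.UTF_8));
        }
        int status = conn.getResponseCode();
        if (status == HttpURLConnection.HTTP_UNAUTHORIZED) {
            // The challenge tells you which scheme the server really wants (Basic, NTLM, Negotiate)
            System.err.println("server challenge: " + conn.getHeaderField("WWW-Authenticate"));
        }
        return status;
    }

    public static void main(String[] args) throws IOException {
        String user = System.getenv("WS_USER");          // assumed variable names
        String password = System.getenv("WS_PASSWORD");  // keeps the secret out of source and config files
        // Constructed placeholder endpoint, action and envelope; replace with values from your WSDL
        String envelope = "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">"
            + "<soap:Body/></soap:Envelope>";
        int status = postSoap(new URL("https://ws.example.invalid/Service.asmx"),
            "\"urn:example:Ping\"", envelope, user, password);
        System.out.println("HTTP " + status);
    }
}
```

The WWW-Authenticate header on a 401 is the quickest way to confirm the assumption in the answer: a value of Basic means this client will work, while NTLM or Negotiate means the server wants Windows authentication instead.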
Yeah, sorry, forgot to mention that I'm using axis. Nevertheless, finally managed to authenticate to the service, as it turned out it didn't use the basic authentication but NTLM. So now I do something like this:
// Axis-generated locator and stub; getEngineConfiguration(), url and props are set up elsewhere in the app
BAWebServiceLocator locator = new BAWebServiceLocator(getEngineConfiguration());
BAWebServiceSoap baWebServiceSoap = locator.getBAWebServiceSoap(url);
// org.apache.axis.client.Stub: the credentials set here are used by the Axis HTTP transport (NTLM in this case)
((Stub) baWebServiceSoap).setUsername(props.getProperty("username"));
((Stub) baWebServiceSoap).setPassword(props.getProperty("password"));
So I still have to pass in my username and password. What I'd like to do is to use the credentials that I am logged in to windows. Any ideas?
I need to handle login functionality for a particular site, say www.abc.com. I have already registered on this particular site, so can I hardcode the username and password in my application so that I can connect to the server directly?
For a plain answer I would say yes! Going into details, there are many things to consider while making a Java program for login: many sites need HTTPS sessions and cookie handling, and some also require JavaScript-enabled browsers to handle login procedures. If you are making some kind of robot app to log in to that website and do some pre-assigned jobs, I would recommend you to consider using an embedded browser.
For using a browser in Java see http://djproject.sourceforge.net/ns/
The short answer to your question is yes, but you might not want to do that. Also, why not use HTTPS so that your users can log in directly?
Yes you can write Java code to do that. Check http://hc.apache.org/httpcomponents-client-ga/index.html. Check http://hc.apache.org/httpcomponents-client-ga/examples.html for examples. You can see there are examples for authentication as well.
This question is more towards design and architecture and I want to know what SO readers think of my scenario.
I have a requirement where my application should provide another application's interface when the user logs in to my application.
For example, let's say my application is www.gmail.com and the other application is www.stackoverflow.com, so what I am trying to accomplish is that when the user logs in to his Gmail account he should see his home page of Stack Overflow and a particular question.
From a technology point of view, we have to use Java and so I am not sure what design and architecture considerations would go into implementing the requirement.
One approach I am thinking of is that when the user logs in to Gmail, I will populate the request object with all the login credential parameters for the Stack Overflow website and also a question_id which would be passed in as a parameter, and then on the Stack Overflow side I would parse the request object and authenticate the user credentials and, depending upon the request parameter, I would render the question_id which I received from the request.
I want to know what would be the best approach and the issues encountered in designing such a system.
Edit
After seeing all the answers, I would like to add a little update to my question. What I am looking for is to get a feel for the issues and challenges that I would have to face while trying to accomplish my task; also I am using Java and am not sure how I can accomplish my goal using Java, as we do not have something like OLE, which we have in the Microsoft technology stack, to achieve the task.
Hope I am making some sense here.
I can think of three ways you could solve this.
Implement single sign-on. You log in to all enterprise applications, and once logged in all of them use the same authentication credentials (I think this is the best option; you don't need a full-fledged SSO, at least for these two applications you could use the same credential validation mechanism).
You could also do what you are proposing: creating the authentication credential for the user (i.e. a cookie) and then doing a redirect. Keep in mind that both applications will need to be in the same sub-domain in order to work.
As mentioned before, you could also expose through your application the data/services you want to consume from the other application.
In my company we have what we call "Graphical Services", which are managed by a central server which also does credential validation; if the credentials are right it displays a user interface for the user (generally in a pop-up or an iframe).
Hope it helps.
You definitely can't do that at the client side or in JavaScript, as it will lead to cross-site scripting issues. Or you can use iframes (which is deprecated).
The other way of doing it would be to have your own interface/UI for the application and use only the service layer from your back end (Java/J2EE in your case), which means you may end up duplicating all the front end again (on the positive side, you will get your own branding of the site).
Regarding credentialing, almost all sites now use "OAuth" or similar, and it should not be that difficult for authorizing.
If both applications are web-based in-house applications, you could write a master login component, independent of either application, that will perform the user authentication, load any useful data it can at login time, and send the user's browser to the correct URL, making sure to pass any relevant information to the target app (as part of the forwarding request or behind the scenes in some distributed shared memory). Just a thought.
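The redirect-with-a-credential variant that several answers sketch (create a credential for the user in the first app, hand it to the second app as part of the forwarding request), as an added example that belongs to none of the posts above. Instead of passing the user's raw login parameters in the request, as the question proposes, the first app issues a short-lived HMAC-signed token naming the user and the question_id, and the second app verifies it before rendering anything. The shared secret and timestamps are constructed for the example; a production deployment would use an established SSO protocol rather than a home-grown token.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class HandoffToken {
    private static final String ALG = "HmacSHA256";
    private static final long MAX_AGE_SECONDS = 60;  // redeemed right after the redirect, so keep it short

    /** Issuer side (the first app): signs user, question id and expiry with the shared secret. */
    static String issue(byte[] secret, String user, String questionId, long nowEpochSeconds) {
        if (user.contains("\n") || questionId.contains("\n")) {
            throw new IllegalArgumentException("fields must not contain the separator");
        }
        String body = user + "\n" + questionId + "\n" + (nowEpochSeconds + MAX_AGE_SECONDS);
        String payload = Base64.getUrlEncoder().withoutPadding()
            .encodeToString(body.getBytes(StandardCharsets.UTF_8));
        return payload + "." + sign(secret, payload);
    }

    /** Consumer side (the second app): returns {user, questionId}, or null if the token is forged or expired. */
    static String[] verify(byte[] secret, String token, long nowEpochSeconds) {
        int dot = token.lastIndexOf('.');
        if (dot < 0) return null;
        String payload = token.substring(0, dot);
        String mac = token.substring(dot + 1);
        // Constant-time comparison of the MAC before touching the payload
        byte[] expected = sign(secret, payload).getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected, mac.getBytes(StandardCharsets.UTF_8))) return null;
        String[] parts;
        try {
            parts = new String(Base64.getUrlDecoder().decode(payload), StandardCharsets.UTF_8).split("\n", -1);
        } catch (IllegalArgumentException e) {
            return null;
        }
        if (parts.length != 3) return null;
        long exp;
        try { exp = Long.parseLong(parts[2]); } catch (NumberFormatException e) { return null; }
        if (nowEpochSeconds > exp) return null;  // replaying an old redirect must fail
        return new String[] { parts[0], parts[1] };
    }

    static String sign(byte[] secret, String data) {
        try {
            Mac mac = Mac.getInstance(ALG);
            mac.init(new SecretKeySpec(secret, ALG));
            byte[] out = mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        // Constructed secret shared out-of-band by both apps; never the user's password
        byte[] secret = "constructed-32-byte-shared-secret!!".getBytes(StandardCharsets.UTF_8);
        long now = 1_700_000_000L;  // constructed clock value
        String token = issue(secret, "alice", "12345", now);
        System.out.println("redirect to https://so.example.invalid/handoff?token=" + token);

        String[] ok = verify(secret, token, now + 10);
        System.out.println("valid:   " + (ok != null ? ok[0] + " -> question " + ok[1] : "rejected"));
        System.out.println("expired: " + (verify(secret, token, now + MAX_AGE_SECONDS + 1) == null ? "rejected" : "ACCEPTED"));
        String forged = token.substring(0, token.length() - 2) + "AA";  // flip the tail of the MAC
        System.out.println("forged:  " + (verify(secret, forged, now + 10) == null ? "rejected" : "ACCEPTED"));
    }
}
```

The second app still has to map the verified user name to its own account and session; the token only proves that the first app vouched for that user within the last minute, which is the "behind the scenes" handoff the last answer mentions, without sharing any password between the two systems.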