Recently we started to upgrade our clients from Java 6u31 to 8u121.
Here we see an impact on our internal web application written in Java.
The clients connect to a web server which has the JNLP and JARs locally.
However, now with the new Java 8u121 we get a pop-up from Java: "Authentication required".
We can click on cancel and the Java app will load but this is not acceptable for our users.
Is this a Java problem or a Proxy problem?
We started to do a trace with Wireshark to see what happens when the Java pop-up "Authentication required" occurs. Here we could see that our proxy server blocks a GlobalSign site used to validate a certificate. Here we made an exception for that site. Now we have no issue anymore and the pop-up is not occurring anymore.
You can prevent that authentication window by setting the `deployment.security.authenticator` property to `false` in deployment.properties.
Normally Plug-in and Web Start install an Authenticator to handle communication with Authenticating web pages or Authenticating proxies. This is the default behavior (true). This option can be used to turn the normal behavior off if, for example, an application communicates directly with an authenticating web page and needs to install its own Authenticator.
Location of the deployment.properties
in Windows - \LocalLow\Sun\Java\Deployment\deployment.properties
in Linux - ${user.home}/.java/deployment/deployment.properties
in OS X - ~/Library/Application Support/Oracle/Java/Deployment/deployment.properties
Related
We have recently needed to change our SSL certificate on our server. Our consuming application has suddenly stopped working. I had presumed this was to do with Java's cacerts, and modified the program to import the new certificate to each client, but the problem was not resolved.
When the application attempts to load the remote view (shown below) on the server, it simply loads a white page. I have tried loading the page through http:// and it seems to function, however the rest of the application (including the API) requires https, and subsequent calls to the API fail (images loaded through https are showing as broken within the app).
The website is functional, and when I access the URLs being provided to the app through my desktop browser, they load without issue. The app is also functional when I run it in Debug mode; these issues only occur when I use the "Run" build mode.
I have tried creating a blank MAF application, hoping it was some caching issue, however this new app also cannot load the remote URI. I have done a clean build and have tested other remote URIs (they work). I feel as if there is an issue with Java somehow not accepting the new certificate. The first time I tried to load the website within Eclipse's browser, an error displayed along the lines of "certificate revocation information". I didn't pay much attention to this error and it provided the option to install the new certificate, after which the page loaded within Eclipse's browser.
In JDeveloper there is an option of disabling the Application Transport Security, as shown in the image.
Could you try disabling it in your Eclipse too? Kindly refer to this doc https://wiki.eclipse.org/Jetty/Howto/Configure_SSL, this might be of a little help :)
The issue seems to be due to the changed SSL certificate on your server.
Short answer:
There was no chain installed. I installed the provided ca-bundle file and updated the httpd.conf file to reflect the chain location, and the app now works.
Long answer:
When our server dev installed the new certificate, he neglected to install the ca-bundle (certificate chain) provided by the CA. The site was working in a browser, I can only assume, because it has a more complete list of trusted CAs built in. My best guess is that MAF requires the chain to be installed and was failing some security test, or the Chrome WebView it uses did not have this CA on the trusted list.
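The missing-chain failure described in this answer can be reproduced offline. This is an added example, not code from the original posts: it builds a throwaway root, intermediate and server certificate with `openssl` and shows that a client trusting only the root can verify the server certificate only when the intermediate (the CA's ca-bundle) is supplied. All subject names, file names and the function names `build_chain` and `chain_ok` are constructed for illustration; it assumes `openssl` is installed.

```shell
#!/bin/sh
# Constructed test PKI: root CA -> intermediate CA -> server certificate.
# All subject names and file names are made up for this example.
build_chain() {
  d=$1
  cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/ca.cnf" \
    -extensions v3_ca -subj "/CN=Example Root CA" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  for n in intermediate server; do
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
      -subj "/CN=example-$n" -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  done
  openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.pem" \
    -CAkey "$d/root.key" -set_serial 1 -days 2 -extfile "$d/ca.cnf" \
    -extensions v3_ca -out "$d/intermediate.pem" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/intermediate.pem" \
    -CAkey "$d/intermediate.key" -set_serial 2 -days 2 \
    -out "$d/server.pem" 2>/dev/null
}

# chain_ok ROOT SERVER_CERT [BUNDLE]: succeeds when SERVER_CERT chains to ROOT
# using only what the server would send (its certificate plus the ca-bundle).
chain_ok() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1 | grep -q ': OK$'
  else
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
  fi
}

demo() {
  d=$(mktemp -d) && build_chain "$d" || return 1
  for bundle in "" "$d/intermediate.pem"; do
    if chain_ok "$d/root.pem" "$d/server.pem" "$bundle"; then r=OK; else r=FAIL; fi
    echo "bundle='${bundle##*/}': $r"
  done
  rm -rf "$d"
}
demo
```

Against a live server, the same question is answered by counting the certificates printed by `openssl s_client -connect host:443 -showcerts`: a server that sends only its own certificate is missing the chain.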
I have been asked to implement seamless SSO authentication against Active Directory for a WebLogic web-based application.
After loads of testing and experimentation I have managed to get all the chain working as required.
Users logging in from a Windows managed PC and using IE can seamlessly log in to the web application.
After that, an Apache server was configured and installed between the web browser and WebLogic in order to perform HTTPS-->HTTP termination. Once this was done the browser stopped performing seamless login, though basic authentication did work.
Investigating further, I noticed that the Authorization header was not forwarded across to WebLogic, which justifies why the authentication does not take place.
Note that the Apache server I am using is 2.2.
Does anybody know if Apache explicitly removes the Authorization header? I have also tried increasing the request maximum size to 30KB in case that was the problem.
Thank you
We need to install the following package.

```sh
apt-get install libapache2-mod-auth-kerb
```

First we have to copy the HTTP.keytab (which is generated on Active Directory) to /etc/krb5.keytab, as below.

```sh
cp /root/HTTP.keytab /etc/krb5.keytab
```

Next we will have to give proper permissions.

```sh
chown www-data:www-data /etc/krb5.keytab
chmod 400 /etc/krb5.keytab
```

Next we go to the Apache virtual hosts path:

```sh
vi /etc/apache2/sites-available/default
```

Add a Directory block like the one below:
```apache
<Directory />
    AuthName "Kerberos Login"
    AuthType Kerberos
    Krb5Keytab /etc/krb5.keytab
    KrbServiceName HTTP
    # This is the domain name of your server
    KrbAuthRealm YOURDOMAIN.LOCAL
    KrbMethodNegotiate on
    KrbSaveCredentials on
    KrbVerifyKDC on
    Require valid-user
</Directory>
```
Restart the Apache web server:

```sh
/etc/init.d/apache2 restart
```

Next, go to a browser on an Active Directory client machine and open the web server using the FQDN of the Apache server. It will not ask you for a password to open that website.
NOTE:
For Internet Explorer we need to set automatic logon with user name and password on the Security tab:
user authentication -> logon -> automatic logon with user name and password
If you find any difficulties, please update me.
I'm implementing an SSO login feature for an application. The problem is that the Tomcat server needs to be installed on Linux or Windows, so I can't use Waffle.
I also don't want to use Kerberos because I can't force the client to generate keytab files, and also the application sometimes runs on localhost or an intranet, where the SPN name is different. The next problem is that I can't modify the Active Directory structure (add a new computer user etc.).
Finally, I think that I should use NTLM to negotiate access to the application. Is that right?
Is there any library like Waffle which can let Tomcat handle Negotiate? Or is there another way to do that?
Where should we get started setting up single sign on for a single Windows (Active Directory) domain with a Java web application?
What I DON'T mean by single sign on is that the user signs into one Java website explicitly, and then stays signed in for other WebSphere sites.
We're looking for something that will effectively "detect" the Windows user that is currently logged in on the client browser's PC (Windows XP, soon to be Windows 7), and supply that user's login name to the Java WebSphere application.
The software is Java/WebSphere, with a Flex front end which we can put in a JSP if needed. (Currently it's just an HTML page, which is preferable. GraniteDS is used for remoting.)
The server is NOT a Windows server, so Waffle is not an option. Research so far seems to indicate that we need to use something called SPNEGO, but I've yet to find information about what the Java developer's role is when setting it up.
I'd be interested in both server-side (WebSphere) config & requirements as well as Java application configuration & code required (this seems to be difficult to locate even via Google).
The Java application developer only needs to configure the web application to rely on authentication from the container (WebSphere Application Server).
The rest is all up to the configuration of the container to provide the right credentials, etc. The WAS administrator would do something like this for SPNEGO/Kerberos: http://www.redbooks.ibm.com/abstracts/sg247771.html. Further, browser configuration would need to add the site hosted by WebSphere to the domains allowed within the Intranet zone and the security mechanism.
A much better 'hack' might be (not tested) to put WebSphere behind IIS as in http://www.iis.net/learn/extensions/url-rewrite-module/reverse-proxy-with-url-rewrite-v2-and-application-request-routing.
In all cases, you will still need to figure out how to get Flex to get the browser to do Windows NTLM authentication, or for it to do so itself. Best of luck.
How can I retrieve the credentials for the currently logged-in Windows user that is accessing my web application in Java?
From a standalone application, I can access the user ID of a logged-in Windows user using

```java
// Prints the name of the Windows user that owns the current JVM process.
com.sun.security.auth.module.NTSystem ntSystem = new com.sun.security.auth.module.NTSystem();
System.out.println(ntSystem.getName());
```

However, this will not work for a web app, since it will always print out the ID of the user that is running Tomcat, not the ID of the user who is accessing the web application.
I have seen this done before: if I access a website via IE, it automatically logs me in, but if I use another browser, a log-in box pops up. Any idea how to achieve this? Thank you.
My web app is written in JSF with Tomcat 7.
You need to use a library that can receive the Kerberos token that IE will send (assuming that it is configured with Integrated Windows Authentication).
There are multiple approaches/libraries to doing this, which are well documented on Apache's site for Tomcat. Here you go: http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html
You have some different options to achieve this. Tomcat has some suggestions on their homepage. I've used both IIS fronting and the spring-security kerberos extension and they work just fine.
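Several threads on this page (the Authorization header lost behind Apache, and the choice between Kerberos and NTLM) depend on what the browser actually put in the `Authorization` request header. This is an added example, not code from any of the posts: a shell function that classifies a header value by decoding the start of its token, telling an NTLMSSP message from a GSS-API token carrying the SPNEGO or Kerberos OID. The function name `auth_kind` is hypothetical and the sample header values are constructed token prefixes, not captured credentials.

```shell
#!/bin/sh
# auth_kind VALUE: classify the value of an HTTP Authorization request header.
auth_kind() {
  scheme=$(printf '%s' "${1%% *}" | tr '[:upper:]' '[:lower:]')
  case $1 in *' '*) token=${1#* } ;; *) token= ;; esac
  case $scheme in
    '') echo "absent"; return ;;        # header never reached this hop
    basic) echo "basic"; return ;;
    ntlm|negotiate) ;;                  # inspect the token below
    *) echo "other"; return ;;
  esac
  # First 16 bytes of the decoded token as lowercase hex, no separators.
  hex=$(printf '%s' "$token" | base64 -d 2>/dev/null \
        | od -An -tx1 -N16 | tr -d ' \n')
  case $hex in
    # "NTLMSSP\0" signature followed by the little-endian message type.
    4e544c4d5353500001*) echo "$scheme/ntlm-type1" ;;
    4e544c4d5353500003*) echo "$scheme/ntlm-type3" ;;
    # GSS-API token (tag 0x60) carrying the SPNEGO OID 1.3.6.1.5.5.2.
    60*06062b0601050502*) echo "$scheme/spnego" ;;
    # GSS-API token carrying the Kerberos 5 OID 1.2.840.113554.1.2.2.
    60*06092a864886f712010202*) echo "$scheme/kerberos" ;;
    *) echo "$scheme/unrecognised" ;;
  esac
}

# Constructed sample header values (token prefixes only).
for h in "Negotiate YIIBAAYGKwYBBQUC" "Negotiate TlRMTVNTUAABAAAA" \
         "NTLM TlRMTVNTUAADAAAA" "Basic dXNlcjpwYXNz" ""; do
  printf '%-30s -> %s\n' "${h:-<no header>}" "$(auth_kind "$h")"
done
```

A `negotiate/ntlm-type1` result means the browser offered Negotiate but fell back to NTLM instead of sending a Kerberos ticket, and `absent` at the backend while the front end sees a value means an intermediate hop is not passing the header on.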