I have an application developed in MS Access, and I'm currently switching it to a web application with Apache Tomcat.
The Access application has our SQL Server database fully linked, so it has entire control of the data.
The application is running a hidden process by passing the ActiveDirectory authentication to the SQL Server, so the users never type their passwords.
But from Tomcat, I tried to connect on the SQL Server using JDBC driver and Windows authentication (jdbc:sqlserver://SERVERADDRESS;integratedSecurity=true;) in just one jsp file to test the database connection.
The problem here is instead of passing the user login which launched the app through his web browser, it passes the Server identifier (Which is DOMAIN\SERVERNAME).
Can I get the username with this way, or do I need to completely change my connection system?
Impossible without credential delegation/S4U services for Kerberos. Especially, if you don't use Java's Kerberos implementation, but the one from Windows SSPI.
Start your users to authenticate via SPNEGO first, then come back.
Related
I want to automatically authenticate, 'active directory users', which are logged in to their windows, in my applications.
in short, i want SSO for my applications using windows credentials.
**Client is React and back-end is Java 8 and Spring 4.1.2 and Spring Security is 3.2.5.
I already authenticate and search 'active directory users' in my applications, using spring LDAP 3.2.5.
but users should submit their username and password when they use browser.
I have read about 'Integrated Windows Authentication' (IWA), 'Kerberos', 'NTLM'.
should I use NTLM instead of LDAP ???
or, should I use Kerberos ???
or, should I use ADFS ???
should I config anything in active directory for that ???
**I cant config anything in active directory
should I get windows credentials programmatically in react and send it to server and from server I should send that credentials to active directory to verify it ???
I don't know but, should I say any thing in my 'HTTP response' to 'HTTP OPTION Request' to force browser to set windows credentials in next request ??
and, thanks for your time.
There are a couple ways to do this:
Windows Authentication
This is best for the user as it is a seamless login. If the website is trusted, then the browser will automatically send the credentials of the currently-logged-on user to the site.
In this case, the web server (Tomcat in this case) handles the authentication and passes the credentials to the application. If you were using IIS and Windows, the setup would be super easy. But with Tomcat on Linux, it's a little harder. You need to setup kerberos, which requires setting up SPN (Service Principal Name) values on the domain so that your server is trusted on your domain to authenticate. The full instructions for setting this up in Tomcat 8 are here: Windows Authentication How-To
Once that is setup, your website needs to be trusted by the browsers. If your site is recognized as an intranet site, then this should already be true. If not, then your site's domain needs to be added to the Trusted Sites in the Internet Options on the client computers. This can also be done via Group Policy. That will work for IE and Chrome. Firefox uses its own network.negotiate-auth.delegation-uris setting.
Forms Authentication
Another way is to use a login page to ask the user for their username and password, then authenticate them via LDAP in your Java application code. I will assume you know how to setup a login page, so you just need to know how to verify the credentials. You can use the answer here for that code. That answer has the code in a console app, but you can pull out the code that takes the username and password and verifies it.
This is arguably easier to setup, but at the cost to the user.
I am trying to authenticate Azure SQL Database using access token, Problem is, the access token(and refresh token) is generated on the different machine and SQL server authentication java code is on another machine. My application on 2nd machine picks the refresh token from the properties file. I am able to get the access token using refresh token but not able to authenticate the Azure SQL DB using that. However, everything works fine if I do the whole process on the same machine.
Are access token generated IP bound or machine bound?
Error: Database connection failed: Error message: Login failed for user ''. ClientConnectionId:321ad51b-77d5-4681-a162-d6c8afd477aa
The issue has been resolved, it was due to wrong (pretty old) version of MSSQL JDBC jar.
Each user has a default database. When you connect to computer that's running Microsoft SQL Server, and you do not specify a login database, the default database is used. However, if the default database is unavailable at the time of the connection, you may not be able to connect
How should I write my connection string in jdbc when I want to connect to a SQL server where windows authentication is needed and I am connecting to a named instance?
So I have my connection string like
jdbc:sqlserver://sqlserver4\Test;datebaseName=TestDB;user=g\John;password=hello123
I have also tried with sqlserver4;namedInstance=Testinstead of sqlserver4\Test
I have tried under
Control Panel -> Administrative Tools -> ODBC Data Source
Shift Right-Click -> Run as different user
login as user=g\John password=hello123 with this test I can connect successfuly, but in my jdbc connection string I get Login failed for user g\John.
Do I have to setup my connection string in a specific way when using Windows User Authentication and named instance in the DB?
According to: https://msdn.microsoft.com/en-us/library/bsz5788z.aspx
If your application runs on a Windows-based intranet, you might be able to use Windows integrated authentication for database access. Integrated security uses the current Windows identity established on the operating system thread to access the SQL Server database. You can then map the Windows identity to a SQL Server database and permissions.
To connect to SQL Server using Windows integrated authentication, you must identify the Windows identity under which your ASP.NET application is running. You must also be sure that the identity has been granted access to the SQL Server database. This topic includes a code example that displays the current Windows identity of the ASP.NET application.
So try maybe adding this:
integratedSecurity=true;
At the end of your connection string and removing username and password
In Production system, all the database servers/hosts will have application specific user ids like report_app_user, dev_app_user,dev_env_user,test_env_user,uat_env_user and the JDBC api will connect it promptly.
Please talk to ITsupport team/db admin to get a application specific user id.
Otherwise, you will not be able to use db user which is tied with windows authentication.
I have tried all that, but it seems that I have to implement some spring security and setup an LDAP server to be able to connect through an AD user, with MuleESB. But thanks anyway :).
I am working on an application which will use pubcookie authentication. My application runs on JBoss server and is front ended by Apache webserver which has the pubcookie setup. I have been able to setup the pubcookie module and the user authentication happens fine whenever a user tries to access a resource from my application. However, I am unable to pass the logged in user's id from apache webserver to my application running on JBoss server. I need this information in my application in order for my application to lookup its datastore and determine the users permissions. How does this information flow happen?
Pubcookie puts the logged-in user into the REMOTE_USER environment variable.
I am building a small Java (servlet) authentication web application that will be running on Tomcat. The application will authenticate a user and then redirect the user to another web application (on a different server). The problem is that after the user authenticates I need to somehow tell Apache that this session is authenticated and that Apache should redirect (using RewriteRules) the http request to the target web application (and not the one for authentication).
According to my research I have 3 options:
1. After authentication success I redirect to a URL that tells Apache that this session is authenticated (using RewriteRules). I can store this information in Cookie (issue: security) or Apache Environment Variables (issue: clearing inactive Environment variables ...).
2. Use a apache mod for storing sessions in to a database. On auth success I update the database with Java app, apache redirects all requests to target URL (issue: DB access load (up to 500 active concurent users)).
3. HTTP tunneling. But this means that every request for target application is going through my authentication application (issue: redundant, slow, ...)
Is there another way to do this?
What would be the best way to do this?
Thanks a bunch.
A few ways of doing this,
If you can afford an enterprise solution, go with Oracle Identity
Management / Oracle Access Management. It will redirect to a login
page, once login is successful and the right cookie has been added,
all future requests will get a header injected in their requests on
the internal side. Your internal app can key in on the header and
confirm that the user has logged in. To do development, you can run
the secure app without OIM/OAM by using Firefox ModifyHeaders
plugin.
If you cannot afford an enterprise solution, go with OpenIAM, it
does the same thing but at a small scale without reporting and high-availability features.
There might be a third of doing this, but I've never tried it, that
would be by using Apache's authentication modules (or a combination
of them), like http://authmemcookie.sourceforge.net/, or
http://httpd.apache.org/docs/trunk/mod/mod_session.html
Good luck!