Kerberos WAS 7 fallback to application authentication (LDAP) - Java

We have implemented Kerberos-based SSO for my application; it is integrated with domain1.com users and it is working fine. But there are a few accounts which are not in the domain1.com domain; they are in domain2.com, so we wanted to provide our custom login screen for entering user credentials and then authenticate them against LDAP with our own Java code. So the scenario is: if a user tries to access my application, SSO should happen automatically if he falls in domain1.com; otherwise the customised login screen is shown, he enters his user credentials, the application authenticates them and grants access to the application resources.
How can this be achieved?

WebSphere 7+ has support for falling back to the application authentication mechanism.
In the admin console, do the following:
Go to Security > Global security > SPNEGO web authentication
Select "Allow fall back to application authentication mechanism"
You can find more information here.
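The console switch above tells WebSphere what to do when SPNEGO cannot produce an identity. The following is an added example (not WebSphere's or IBM's code) of the decision that sits behind such a fallback: it inspects the Authorization header and reports whether the browser actually offered a Kerberos ticket, offered only NTLM (typically the domain2.com case, where the client cannot obtain a ticket for the application's SPN), or sent nothing usable, so that the application knows when to show its own login form instead. The mechanism OIDs are the standard ones from RFC 4178 / RFC 4121 and MS-SPNG; the sample tokens in main are constructed, not captured traffic. The mechTypes list is asserted by the client and proves nothing by itself: a Kerberos token classified here still has to be accepted by GSS-API before the user is trusted.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

/** Added example: classify an Authorization header to drive SPNEGO -> form-login fallback. */
public final class NegotiateClassifier {

    public enum Outcome { KERBEROS, NTLM, NONE }

    // Contents of the DER-encoded OIDs (tag and length stripped).
    static final byte[] OID_SPNEGO  = hex("2b0601050502");        // 1.3.6.1.5.5.2
    static final byte[] OID_KRB5    = hex("2a864886f712010202");  // 1.2.840.113554.1.2.2
    static final byte[] OID_MS_KRB5 = hex("2a864882f712010202");  // 1.2.840.48018.1.2.2 (Windows clients)
    static final byte[] OID_NTLMSSP = hex("2b060104018237020a");  // 1.3.6.1.4.1.311.2.2.10
    static final byte[] NTLMSSP_SIG = "NTLMSSP\0".getBytes(StandardCharsets.US_ASCII);

    public static Outcome classify(String authorization) {
        if (authorization == null) return Outcome.NONE;
        String[] parts = authorization.trim().split("\\s+", 2);
        if (parts.length != 2) return Outcome.NONE;
        byte[] token;
        try {
            token = Base64.getDecoder().decode(parts[1]);
        } catch (IllegalArgumentException e) {
            return Outcome.NONE;                                   // not base64: nothing to negotiate
        }
        // Raw NTLMSSP message: "NTLM" scheme, or a client that skips the SPNEGO wrapper.
        if (token.length >= 8 && Arrays.equals(Arrays.copyOf(token, 8), NTLMSSP_SIG)) return Outcome.NTLM;
        if (!parts[0].equalsIgnoreCase("Negotiate")) return Outcome.NONE;

        // GSS-API InitialContextToken (RFC 2743 3.1): [APPLICATION 0] { mech OID, inner token }
        int[] outer = tlv(token, 0);
        if (outer == null || outer[0] != 0x60) return Outcome.NONE;
        int[] mech = tlv(token, outer[2]);
        if (mech == null || mech[0] != 0x06) return Outcome.NONE;
        byte[] mechOid = Arrays.copyOfRange(token, mech[2], mech[2] + mech[1]);
        if (isKerberos(mechOid)) return Outcome.KERBEROS;          // bare Kerberos AP-REQ, no SPNEGO wrapper
        if (!Arrays.equals(mechOid, OID_SPNEGO)) return Outcome.NONE;

        // SPNEGO NegTokenInit (RFC 4178 4.2): [0] SEQUENCE { [0] mechTypes SEQUENCE OF OID, ... }
        int[] choice = tlv(token, mech[2] + mech[1]);
        if (choice == null || choice[0] != 0xa0) return Outcome.NONE;   // a NegTokenResp cannot start auth
        int[] seq = tlv(token, choice[2]);
        if (seq == null || seq[0] != 0x30) return Outcome.NONE;
        int[] ctx0 = tlv(token, seq[2]);
        if (ctx0 == null || ctx0[0] != 0xa0) return Outcome.NONE;
        int[] list = tlv(token, ctx0[2]);
        if (list == null || list[0] != 0x30) return Outcome.NONE;

        boolean ntlmOffered = false;
        for (int p = list[2], end = list[2] + list[1]; p < end; ) {
            int[] oid = tlv(token, p);
            if (oid == null || oid[0] != 0x06) return Outcome.NONE;
            byte[] o = Arrays.copyOfRange(token, oid[2], oid[2] + oid[1]);
            if (isKerberos(o)) return Outcome.KERBEROS;            // client has (or can get) a ticket for our SPN
            if (Arrays.equals(o, OID_NTLMSSP)) ntlmOffered = true;
            p = oid[2] + oid[1];
        }
        return ntlmOffered ? Outcome.NTLM : Outcome.NONE;          // NTLM only: no ticket, show the login form
    }

    private static boolean isKerberos(byte[] oid) {
        return Arrays.equals(oid, OID_KRB5) || Arrays.equals(oid, OID_MS_KRB5);
    }

    /** Reads one DER tag/length at pos; returns {tag, length, contentStart}, or null if malformed. */
    private static int[] tlv(byte[] b, int pos) {
        if (pos < 0 || pos + 2 > b.length) return null;
        int tag = b[pos] & 0xff, len = b[pos + 1] & 0xff, start = pos + 2;
        if (len >= 0x80) {                                         // long form: 0x8n then n length bytes
            int n = len & 0x7f;
            if (n == 0 || n > 3 || start + n > b.length) return null;
            len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (b[start++] & 0xff);
        }
        return start + len > b.length ? null : new int[] {tag, len, start};
    }

    private static byte[] hex(String s) {
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++) out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        return out;
    }

    /** Minimal DER encoder used only to build the constructed sample tokens below (lengths < 65536). */
    static byte[] der(int tag, byte[]... parts) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        int len = 0;
        for (byte[] p : parts) len += p.length;
        out.write(tag);
        if (len < 0x80) out.write(len);
        else if (len < 0x100) { out.write(0x81); out.write(len); }
        else { out.write(0x82); out.write(len >> 8); out.write(len & 0xff); }
        for (byte[] p : parts) out.write(p, 0, p.length);
        return out.toByteArray();
    }

    public static void main(String[] args) {
        // Constructed sample tokens, not captured traffic.
        byte[] krb = der(0x06, OID_MS_KRB5), ntlm = der(0x06, OID_NTLMSSP);
        byte[] initWithTicket = der(0x60, der(0x06, OID_SPNEGO), der(0xa0, der(0x30, der(0xa0, der(0x30, krb, ntlm)))));
        byte[] initNtlmOnly   = der(0x60, der(0x06, OID_SPNEGO), der(0xa0, der(0x30, der(0xa0, der(0x30, ntlm)))));
        Base64.Encoder b64 = Base64.getEncoder();
        System.out.println(classify("Negotiate " + b64.encodeToString(initWithTicket)));  // domain1.com user holding a ticket
        System.out.println(classify("Negotiate " + b64.encodeToString(initNtlmOnly)));    // domain2.com user: no ticket for our SPN
        System.out.println(classify("NTLM " + b64.encodeToString(NTLMSSP_SIG)));          // raw NTLM NEGOTIATE message
        System.out.println(classify(null));                                               // first request, no header yet
    }
}
```

In the fallback flow, KERBEROS means hand the token to GSS-API (or let the container do it); NTLM means the browser could not obtain a ticket, so if the server only speaks Kerberos, respond with the custom login page rather than looping on 401 Negotiate; NONE on the very first request is normal (send WWW-Authenticate: Negotiate once, then fall back if the retry still carries nothing usable).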

Related

How to automatically log in with Windows credentials in Java?

I want to automatically authenticate Active Directory users, who are logged in to Windows, in my applications.
In short, I want SSO for my applications using Windows credentials.
The client is React and the back-end is Java 8 with Spring 4.1.2 and Spring Security 3.2.5.
I already authenticate and search Active Directory users in my applications using Spring LDAP 3.2.5,
but users have to submit their username and password when they use the browser.
I have read about Integrated Windows Authentication (IWA), Kerberos and NTLM.
Should I use NTLM instead of LDAP?
Or should I use Kerberos?
Or should I use ADFS?
Should I configure anything in Active Directory for that?
I can't configure anything in Active Directory.
Should I get the Windows credentials programmatically in React, send them to the server, and from the server send those credentials to Active Directory to verify them?
I don't know, but should I say anything in my HTTP response to the HTTP OPTIONS request to force the browser to send Windows credentials in the next request?
And thanks for your time.
There are a couple of ways to do this:
Windows Authentication
This is best for the user as it is a seamless login. If the website is trusted, then the browser will automatically send the credentials of the currently logged-on user to the site.
In this case, the web server (Tomcat in this case) handles the authentication and passes the credentials to the application. If you were using IIS and Windows, the setup would be super easy. But with Tomcat on Linux, it's a little harder. You need to set up Kerberos, which requires setting up SPN (Service Principal Name) values on the domain so that your server is trusted on your domain to authenticate. The full instructions for setting this up in Tomcat 8 are here: Windows Authentication How-To
Once that is set up, your website needs to be trusted by the browsers. If your site is recognized as an intranet site, then this should already be true. If not, then your site's domain needs to be added to the Trusted Sites in the Internet Options on the client computers. This can also be done via Group Policy. That will work for IE and Chrome. Firefox uses its own network.negotiate-auth.delegation-uris setting.
Forms Authentication
Another way is to use a login page to ask the user for their username and password, then authenticate them via LDAP in your Java application code. I will assume you know how to set up a login page, so you just need to know how to verify the credentials. You can use the answer here for that code. That answer has the code in a console app, but you can pull out the code that takes the username and password and verifies it.
This is arguably easier to set up, but at a cost to the user.
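The "Forms Authentication" path above, and the "authenticate it with LDAP with our own Java code" part of the first question on this page, both come down to one operation: take the name and password from the application's login page and verify them with an LDAP simple bind. The following is an added example (not code from the Tomcat how-to or from any linked answer) using only the JDK's JNDI provider; the directory URL ldaps://dc.domain2.com:636 and the UPN suffix @domain2.com are hypothetical. It covers the two mistakes that a bind-only check usually makes: treating an empty password as a credential, and letting user input become a bind DN.

```java
import java.util.Arrays;
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/** Added example: verify form-submitted credentials with an LDAP simple bind against AD. */
public final class LdapFormsAuthenticator {

    public enum Result { OK, BAD_CREDENTIALS, REJECTED_INPUT, DIRECTORY_UNAVAILABLE }

    private final String url;        // ldaps:// only: a simple bind sends the password in clear
    private final String upnSuffix;  // e.g. "@domain2.com" (hypothetical); AD accepts user@domain as the bind name

    public LdapFormsAuthenticator(String url, String upnSuffix) {
        if (!url.startsWith("ldaps://")) throw new IllegalArgumentException("refusing to send passwords over plain ldap://");
        this.url = url;
        this.upnSuffix = upnSuffix;
    }

    public Result authenticate(String username, char[] password) {
        try {
            // 1. An empty password is not "wrong password": AD (by default) and many other
            //    directories treat it as an unauthenticated bind and answer SUCCESS, so a
            //    bind-only check would admit anyone who knows a valid username.
            if (username == null || password == null || password.length == 0) return Result.REJECTED_INPUT;
            // 2. Only a plain sAMAccountName may become the bind name; DN or filter
            //    metacharacters could redirect the bind to some other entry.
            if (!username.matches("[A-Za-z0-9._-]{1,64}")) return Result.REJECTED_INPUT;

            Hashtable<String, Object> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, url);
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, username + upnSuffix);
            env.put(Context.SECURITY_CREDENTIALS, new String(password));
            env.put("com.sun.jndi.ldap.connect.timeout", "3000");      // fail fast instead of hanging the login page
            env.put("com.sun.jndi.ldap.read.timeout", "5000");

            DirContext ctx = null;
            try {
                ctx = new InitialDirContext(env);                      // the bind happens here
                return Result.OK;
            } catch (AuthenticationException e) {
                return Result.BAD_CREDENTIALS;                         // LDAP result 49: wrong password, locked, disabled, expired
            } catch (CommunicationException e) {
                return Result.DIRECTORY_UNAVAILABLE;                   // fail closed; the caller must not treat this as OK
            } catch (NamingException e) {
                return Result.BAD_CREDENTIALS;
            } finally {
                if (ctx != null) try { ctx.close(); } catch (NamingException ignored) { }
            }
        } finally {
            if (password != null) Arrays.fill(password, '\0');          // do not keep the password around longer than needed
        }
    }

    public static void main(String[] args) {
        // Hypothetical directory and suffix; the real values come from configuration.
        LdapFormsAuthenticator auth = new LdapFormsAuthenticator("ldaps://dc.domain2.com:636", "@domain2.com");
        // These two are decided locally, no connection is opened:
        System.out.println(auth.authenticate("alice", new char[0]));                                 // empty password
        System.out.println(auth.authenticate("cn=admin,dc=domain2,dc=com", "x".toCharArray()));      // not a bare account name
        // This one needs the directory; in the application the values come from the login form.
        System.out.println(auth.authenticate("alice", "correct-horse".toCharArray()));
    }
}
```

The constructor refuses plain ldap:// on purpose: with a simple bind the password leaves the application in clear text, so the transport must be LDAPS (or StartTLS, which JNDI also supports but which is not shown here). DIRECTORY_UNAVAILABLE is kept separate from BAD_CREDENTIALS so that an outage produces an error page rather than a lockout counter increment or, worse, a code path that defaults to letting the user in.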

ADFS/SAML authentication for Java desktop app

I have a Java desktop app. I found a lot of online resources that talk about SSO authentication for web apps. I need the same thing for an old school desktop app. Basically, I need the app to open a browser window, have the user authenticate against ADFS and then get a token back.
How can I add SSO authentication with ADFS/SAML?
I found the answer.
First, the desktop app needs to show a browser window. This can easily be achieved using JavaFX WebView. I have successfully tested Google and ADFS login using JavaFX WebView. NB: If you use ADFS you must set up ADFS to use form-based auth.
A helper web service needs to be built. The web service will provide a method secured by any federated authentication mechanism (SAML2, OAuth, etc.). I haven't been able to do this in Java. There are some solutions like JOSSO but they're ridiculously cumbersome or severely lacking. However, C# has outstanding support for federated auth, which makes it an excellent choice for this task.
When the user needs to authenticate, the desktop app shows the browser window which automatically calls the method above. After the federated auth handshake, the browser will be able to access the method. This method tells the desktop app whether the calling user is allowed access.
The final step is to close the browser window and log in the user.
NB: This is not an easy task. It takes about a week's worth of work to put everything together.
Desktop apps don't have browsers.
WS-Fed and SAML are built around browser redirects.
Why do you need SAML? What about OpenID Connect / OAuth?
If that's an option, have a look at the ADAL Java samples (Azure Active Directory Authentication Libraries). There is limited OAuth support in ADFS v3.0.
Your other alternative is to use the active profile (web services) rather than the passive one (browser).
But that's WS-Trust, not SAML.

Google authentication and gmail access in java

I am working on a JSF application,
in which a user should be able to log in with a Gmail/Google Apps account (redirected to the Google login page and returned after authentication)
and the user should be able to check/delete emails (using Java Gmail) in the subsequent screen.
This application is to be hosted on a JBoss/Tomcat server and not on GAE appspot.
I checked examples to create login and logout urls using GAE API or OAuth2.
https://developers.google.com/appengine/docs/java/users/overview
But it seems it is not possible to access gmail after authentication in the above method.
If somebody can provide any inputs, it is highly appreciated. Thanks for your time.

Transparent authentication with LDAP and Servlet

We have Windows Active Directory, where all users are registered and which they use to log in to Windows.
We have an Apache server configured to use LDAP to authenticate users against that Active Directory. It's set up so that, in PHP, all we have to do is read $_SERVER['REMOTE_USER']. The browser verifies the user's Windows login and sends this data to Apache, which talks to LDAP to verify authentication. When LDAP authenticates, that variable holds the user's login; otherwise it is null.
This way we can safely and easily authenticate users inside PHP and use their AD login to control access to our software. Another advantage is that we don't need a login page and don't even have to handle passwords in variables: authentication is handled transparently to users, they are automatically logged in to our software all the time, and their password never comes into our code.
I'd like to do the same thing with a Servlet. I see no reason for it not to work if it works with PHP. But I can't find how to do it. I googled but couldn't find anything. Has anybody done something like that and could point me a way?
Standard authentication with login and password is working in Java. If I have domain, login and password (which in a Servlet would come from a login page) I can authenticate any user.
What you're looking to do is plug an SSO provider into your web app. There are several options; you will have to do your own research into what will work best in your environment. You might want to investigate the following security frameworks, which all enable SSO:
Apache Shiro
Spring Security
JCIFS
There are also commercial products like CA SiteMinder that do the same thing.
The HttpServletRequest object you have in the doGet and doPost methods of the servlet has the equivalent of PHP's $_SERVER['REMOTE_USER']; it is called getRemoteUser().
Your post is tagged as Tomcat. You could add a "realm" in Tomcat to do the authentication.
I have no idea how you can avoid prompting for a password unless you are using some sort of SASL plugin to verify the user against LDAP.
$_SERVER['REMOTE_USER'] implies you are using the HTTP Authentication header, which would (AFAIK) require a popup for the credentials. Perhaps this is transparent only if using IE against a Windows server.
There is an example of how to configure Tomcat.

need help on gmail sso

I am developing a web application using the Struts 2 framework and using Gmail credentials for logging in to that application. I am able to use Google account services for login successfully. Now I am trying to implement SSO between Gmail and my application. The use case is: "If the user is already logged into Gmail, I want that user to be logged automatically into my application."
How should I go about it?
