I am working on an application which will use pubcookie authentication. My application runs on a JBoss server and is fronted by an Apache web server which has the pubcookie setup. I have been able to set up the pubcookie module, and user authentication happens fine whenever a user tries to access a resource from my application. However, I am unable to pass the logged-in user's id from the Apache web server to my application running on the JBoss server. I need this information in my application so that it can look up its datastore and determine the user's permissions. How does this information flow happen?
Pubcookie puts the logged-in user into the REMOTE_USER environment variable.
Related
I have an application developed in MS Access, and I'm currently switching it to a web application with Apache Tomcat.
The Access application has our SQL Server database fully linked, so it has entire control of the data.
The application is running a hidden process by passing the ActiveDirectory authentication to the SQL Server, so the users never type their passwords.
But from Tomcat, I tried to connect on the SQL Server using JDBC driver and Windows authentication (jdbc:sqlserver://SERVERADDRESS;integratedSecurity=true;) in just one jsp file to test the database connection.
The problem here is that instead of passing the login of the user who launched the app through his web browser, it passes the server identifier (which is DOMAIN\SERVERNAME).
Can I get the username with this way, or do I need to completely change my connection system?
Impossible without credential delegation/S4U services for Kerberos, especially if you don't use Java's Kerberos implementation but the one from Windows SSPI.
Have your users authenticate via SPNEGO first, then come back.
How to get the logged username in windows from a remote server Apache/jboss.
I have deployed a war file in Apache Tomcat, which is on host_1. I am accessing the web application from host_2. host_2 is a Windows machine and I am logged in as testuser. host_1 is a Unix machine.
I want the server application to get the logged-in Windows username [testuser] when I hit the request in the browser. Is this possible? Do I need to change any settings in my browser?
Any help is appreciated.
Essentially the internet is anonymous and the user name is not returned as an HTTP header.
You would need to run some JavaScript in the user's browser to determine the username, and as it is a security risk I don't think it will work very well.
I found this link
JavaScript - How to get the name of the current user
I am building a small Java (servlet) authentication web application that will be running on Tomcat. The application will authenticate a user and then redirect the user to another web application (on a different server). The problem is that after the user authenticates I need to somehow tell Apache that this session is authenticated and that Apache should redirect (using RewriteRules) the http request to the target web application (and not the one for authentication).
According to my research I have 3 options:
1. After authentication success I redirect to a URL that tells Apache that this session is authenticated (using RewriteRules). I can store this information in a cookie (issue: security) or in Apache environment variables (issue: clearing inactive environment variables ...).
2. Use an Apache module for storing sessions in a database. On auth success I update the database with the Java app, and Apache redirects all requests to the target URL (issue: DB access load (up to 500 active concurrent users)).
3. HTTP tunneling. But this means that every request for the target application goes through my authentication application (issue: redundant, slow, ...)
Is there another way to do this?
What would be the best way to do this?
Thanks a bunch.
A few ways of doing this:
If you can afford an enterprise solution, go with Oracle Identity Management / Oracle Access Management. It will redirect to a login page; once login is successful and the right cookie has been added, all future requests will get a header injected in their requests on the internal side. Your internal app can key in on the header and confirm that the user has logged in. To do development, you can run the secure app without OIM/OAM by using the Firefox ModifyHeaders plugin.
If you cannot afford an enterprise solution, go with OpenIAM; it does the same thing but at a small scale, without reporting and high-availability features.
There might be a third way of doing this, but I've never tried it: that would be by using Apache's authentication modules (or a combination of them), like http://authmemcookie.sourceforge.net/ or http://httpd.apache.org/docs/trunk/mod/mod_session.html
Good luck!
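The pubcookie answer earlier on this page (REMOTE_USER set by Apache) and the header-injection approach in the answer above both leave the backend trusting an identity value supplied by the front end. A sketch of the check the backend can make before using that value, as an added example that is not part of the original answers; the proxy addresses, the header name and the class and method names are assumptions:

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class FrontEndIdentity {
    // Assumption: only these front-end hosts may assert a user to the backend.
    static final Set<String> TRUSTED_PROXIES = new HashSet<>(Arrays.asList("127.0.0.1", "10.0.0.5"));
    // Assumption: hypothetical header the front end sets after login (lower-cased here).
    static final String USER_HEADER = "x-authenticated-user";

    /**
     * In a servlet filter: peerAddr = request.getRemoteAddr(), containerUser =
     * request.getRemoteUser(), headers = all request header values by lower-cased name.
     * Returns the user id to look up permissions for, or null to reject the request.
     */
    static String resolveUser(String peerAddr, String containerUser, Map<String, List<String>> headers) {
        // A request that did not come through the front end carries no trustworthy identity.
        if (!TRUSTED_PROXIES.contains(peerAddr)) return null;
        // Identity handed over by the connector (REMOTE_USER) is preferred over a header.
        if (containerUser != null && !containerUser.isEmpty()) return containerUser;
        List<String> values = headers.get(USER_HEADER);
        // Exactly one value: a second copy means a client-supplied header was not stripped.
        if (values == null || values.size() != 1) return null;
        String user = values.get(0).trim();
        // Conservative character set so the value is safe to use as a datastore key.
        return user.matches("[A-Za-z0-9._@-]{1,64}") ? user : null;
    }

    public static void main(String[] args) {
        // Constructed requests, not captured traffic.
        Map<String, List<String>> h = new HashMap<>();
        h.put(USER_HEADER, Arrays.asList("jdoe"));
        System.out.println("via proxy, header:    " + resolveUser("10.0.0.5", null, h));
        System.out.println("direct to backend:    " + resolveUser("192.0.2.44", null, h));
        System.out.println("via proxy, connector: " + resolveUser("10.0.0.5", "jdoe", new HashMap<String, List<String>>()));
        h.put(USER_HEADER, Arrays.asList("admin", "jdoe"));
        System.out.println("duplicate header:     " + resolveUser("10.0.0.5", null, h));
    }
}
```

The front end should also remove any copy of the header that arrives from the client before setting its own, and the backend's listener should not be reachable except from the front end.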
I have two windows domains A and B.
I have two servers: nasB on domain B, and webserverA on domain A.
I have two users: userB on domain B with access to nasB, and userA on domain A with access to webserverA.
I am running tomcat as a service on webserverA and it has the logon as property set to userA.
I have \\nasB\myFiles$\ mapped on webserverA using userB credentials. The mapping is only to allow the JVM access. I always access the drive using UNC in the code. I also have credentials in the manage network passwords. Both methods work when running any java app directly but not as a service :(
If I run Tomcat as a service, it throws a file-not-found exception when trying to access \\nasB\myFiles$\somefile.txt. If I run Tomcat using startup.bat, it can access the file fine.
I cannot run tomcat service using userB as he does not have access to webserverA. How do I let my tomcat service use the userB credentials when accessing nasB?
Don't try using mapped drives.
Given the fact that users' configuration and mapped drives are available only if the user logs in using interactive login, you won't be able to use such resources. Try with UNC paths and, if that doesn't work due to user restrictions, get your hands on the jcifs library. It is quite handy in those cases because it allows you to authenticate when accessing the resource with the UNC path, so it reduces uncertainty about the ability to read folders and files on network drives (also, configuring the Tomcat service to be run as an administrative user, giving credentials that shouldn't expire, ...).
I've faced this myself and this is just my personal view.
Create Windows user with username/password identical on both Windows servers.
Example userA/passA
Then run Tomcat Windows service with that user.
How can I retrieve the credentials for the currently logged-in Windows user who is accessing my web application in Java?
From a standalone application, I can access the user id of a logged-in Windows user using
com.sun.security.auth.module.NTSystem NTSystem = new com.sun.security.auth.module.NTSystem();
System.out.println(NTSystem.getName());
However, this will not work for a web app, since it will always print out the id of the user that is running Tomcat, not the id of the user who is accessing the web application.
I have seen this done before: if I access a website via IE, it automatically logs me in, but if I use another browser, a log-in box pops up. Any idea how to achieve this? Thank you.
My web app is written in JSF with Tomcat 7.
You need to use a library that can receive the Kerberos token that IE will send (assuming that it is configured with Integrated Windows Authentication).
There are multiple approaches/libraries to doing this, which are well documented on Apache's site for Tomcat. Here you go: http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html
You have some different options to achieve this. Tomcat has some suggestions on their homepage. I've used both IIS fronting and the spring-security kerberos extension and they work just fine.
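When setting up any of the options in the answers above, it helps to see whether the browser actually sent a Kerberos token or fell back to NTLM in its `Authorization: Negotiate` header. The following is an added example, not code from the answers or from Tomcat; it assumes Java 8 or later for `java.util.Base64`, the class and method names are hypothetical, and it uses a byte-pattern heuristic in place of real ASN.1 parsing:

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class NegotiateTokenKind {
    static final byte[] NTLMSSP = "NTLMSSP\0".getBytes(StandardCharsets.US_ASCII);
    // DER encoding of the Kerberos 5 mechanism OID 1.2.840.113554.1.2.2
    static final byte[] KRB5_OID = {0x06, 0x09, 0x2a, (byte) 0x86, 0x48, (byte) 0x86,
                                    (byte) 0xf7, 0x12, 0x01, 0x02, 0x02};

    static boolean contains(byte[] hay, byte[] needle) {
        outer:
        for (int i = 0; i + needle.length <= hay.length; i++) {
            for (int j = 0; j < needle.length; j++) {
                if (hay[i + j] != needle[j]) continue outer;
            }
            return true;
        }
        return false;
    }

    // Heuristic byte search. Returns none, malformed, ntlm, kerberos or unknown.
    static String classify(String authorization) {
        if (authorization == null) return "none";
        String[] parts = authorization.trim().split("\\s+", 2);
        if (parts.length != 2 || !parts[0].equalsIgnoreCase("Negotiate")) return "none";
        byte[] token;
        try {
            token = Base64.getDecoder().decode(parts[1].trim());
        } catch (IllegalArgumentException e) {
            return "malformed";
        }
        // Raw NTLM, or NTLM carried inside a SPNEGO wrapper: no Kerberos ticket was sent.
        if (contains(token, NTLMSSP)) return "ntlm";
        // 0x60 starts a GSS-API initial token; the Kerberos OID names the mechanism.
        if (token.length > 0 && token[0] == 0x60 && contains(token, KRB5_OID)) return "kerberos";
        return "unknown";
    }

    public static void main(String[] args) {
        // Constructed sample tokens: only the leading bytes are realistic.
        byte[] ntlm = new byte[12];
        System.arraycopy(NTLMSSP, 0, ntlm, 0, NTLMSSP.length);
        ntlm[8] = 1; // NTLM message type 1
        byte[] krb = new byte[32];
        krb[0] = 0x60; krb[1] = 30;
        System.arraycopy(KRB5_OID, 0, krb, 2, KRB5_OID.length);
        Base64.Encoder b64 = Base64.getEncoder();
        System.out.println(classify("Negotiate " + b64.encodeToString(ntlm)));
        System.out.println(classify("Negotiate " + b64.encodeToString(krb)));
        System.out.println(classify("Basic dXNlcjpwYXNz"));
        System.out.println(classify(null));
    }
}
```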