How to get the logged username in windows from a remote server Apache/jboss.
I have deployed a war file in tomcat apache which is in host_1. I am accessing the web application from host_2. host_2 windows machine and logged in as a testuser. host_1 is a unix machine.
I want the server application to get the logged in username of windows[testuser] when i hit the request in browser. Is this possible? Do i need to do any settings in my browser?
Any help is appreciated.
Essentially the internet is anonymous and there the user name is not returned as a http header.
You would need to run some javascript on the users browser to determine the username - and as it is a security risk I dont think it will work very well
I found this link
JavaScript - How to get the name of the current user
Related
I want to automatically authenticate, 'active directory users', which are logged in to their windows, in my applications.
in short, i want SSO for my applications using windows credentials.
**Client is React and back-end is Java 8 and Spring 4.1.2 and Spring Security is 3.2.5.
I already authenticate and search 'active directory users' in my applications, using spring LDAP 3.2.5.
but users should submit their username and password when they use browser.
I have read about 'Integrated Windows Authentication' (IWA), 'Kerberos', 'NTLM'.
should I use NTLM instead of LDAP ???
or, should I use Kerberos ???
or, should I use ADFS ???
should I config anything in active directory for that ???
**I cant config anything in active directory
should I get windows credentials programmatically in react and send it to server and from server I should send that credentials to active directory to verify it ???
I don't know but, should I say any thing in my 'HTTP response' to 'HTTP OPTION Request' to force browser to set windows credentials in next request ??
and, thanks for your time.
There are a couple ways to do this:
Windows Authentication
This is best for the user as it is a seamless login. If the website is trusted, then the browser will automatically send the credentials of the currently-logged-on user to the site.
In this case, the web server (Tomcat in this case) handles the authentication and passes the credentials to the application. If you were using IIS and Windows, the setup would be super easy. But with Tomcat on Linux, it's a little harder. You need to setup kerberos, which requires setting up SPN (Service Principal Name) values on the domain so that your server is trusted on your domain to authenticate. The full instructions for setting this up in Tomcat 8 are here: Windows Authentication How-To
Once that is setup, your website needs to be trusted by the browsers. If your site is recognized as an intranet site, then this should already be true. If not, then your site's domain needs to be added to the Trusted Sites in the Internet Options on the client computers. This can also be done via Group Policy. That will work for IE and Chrome. Firefox uses its own network.negotiate-auth.delegation-uris setting.
Forms Authentication
Another way is to use a login page to ask the user for their username and password, then authenticate them via LDAP in your Java application code. I will assume you know how to setup a login page, so you just need to know how to verify the credentials. You can use the answer here for that code. That answer has the code in a console app, but you can pull out the code that takes the username and password and verifies it.
This is arguably easier to setup, but at the cost to the user.
I have been asked to implement seamless SSO authentication against active directory for a weblogic web based application.
After loads of testing and experimentation I have managed to get all the chain working as required.
Users logging in from a windows managed PC and using IE can seamlessly login to the web application.
After that, an apache was configured and installed between the web browser and weblogic in order to perform HTTPS-->HTTP termination. Once this was done the browser stopped performing seamless login - though basic authentication did work;
Investigating further, I noticed that the Authorization header was not forwarded across to weblogic which justifies why the authentication does not take place.
Note that the apache server I am using is 2.2.
Does anybody know if apache explicitly removes the Authorization header? I have also tried increasing the request maximum size to 30KB in case that was the problem
Thank you
We need to install the following package.
apt-get install libapache-mod-auth-kerb
First we have copy the HTTP.keytab (which is generated at "Active Directory") to etc/krb5.keytab like as below.
cp /root/HTTP.keytab /etc/krb5.keytab
Next we will have to give proper permissions.
chown www-data:www-data /etc/krb5.keytab
chmod 400 /etc/krb5.keytab
Next we go to Apache virtual hosts path
vi /etc/apache2/sites-available/default
Add one directory as like below
`<Directory />
AuthName "Kerberos Login"
AuthType Kerberos
Krb5Keytab /etc/krb5.keytab
KrbServiceName HTTP
KrbAuthRealm YOURDOMAIN.LOCAL //It is Domain name of your server
KrbMethodNegotiate on
KrbSaveCredentials on
KrbVerifyKDC on
Require valid-user
</Directory>`
Restart Apache web server
/etc/init.d/apache2 restart
Next go to browser of Active Directory client machine and hit the web server with FQDN of apache server. It will not ask you the password to open that website.
NOTE:
For explorer browser we need set automatic logon with user name and password at security tab
user authentication -> logon -> automatic logon with user name and password
If you found any difficulties please update me.
I am working on an application which will use pubcookie authentication. My application runs on JBoss server and is front ended by Apache webserver which has the pubcookie setup. I have been able to setup the pubcookie module and the user authentication happens fine whenever a user tries to access a resource from my application. However, I am unable to pass the logged in user's id from apache webserver to my application running on JBoss server. I need this information in my application in order for my application to lookup its datastore and determine the users permissions. How does this information flow happen?
Pubcookie puts the logged-in user into the REMOTE_USER environment variable.
I have a requirement in which I need to send links to the user who has some requests pending at his role. When user clicks on that link, he can access the application skipping the login but for creating a session. I need to use the windows username. I tried using system.getProperty("user.name") but it is giving user name which is host dependent, which means giving username of a particular host. But I need the windows username of a user sending the request. I tried using request.getRemoteUser() and getPrincipalUser() but facing some authentication issues.
Can anyone help me regarding this issue?
How can I retrieve the credentials for the currently logged-in Windows user that accessing my web application in java
From a standalone application, I can access the user id of a logged-in window user using
com.sun.security.auth.module.NTSystem NTSystem = new com.sun.security.auth.module.NTSystem();
System.out.println(NTSystem.getName());
However, this will not work for web app, since it will always print out the id of the user that running Tomcat, not the id of the user who accessing the web application
I see this being done before, that if I access a website via IE, it automatically log me in, but I use other browser, then a log-in box pop out. Any idea how to achieve this, thank you?
My web app is written in JSF with Tomcat 7.
You need to use a library that can receive the Kerberos token that IE will sent (assuming that it is configured with Integrated Windows Authentication).
There are multiple approaches/libraries to doing this, which are well documented on Apache's site for Tomcat. Here you go: http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html
You have some different options to achieve this. Tomcat has some suggestions on their homepage. I've used both IIS fronting and the spring-security kerberos extension and they work just fine.