I'm developing a Java application which is run in Windows domain environment.
To authenticate users I'm using Krb5LoginModule available in JAAS.
JAAS Login Configuration File (let's call it jaas.conf) is embedded in application jar, which is stored on network share (read-only access).
Now every user can copy the application jar to his local disk, edit jaas.conf, and set his own LoginModule which would allow him to act as different user.
Is there any way to prevent this? How to secure the application?
Usr e Pwd must be provided by user. You have to call your own login interface where the user can provide username and password. Why you want put the usr&pwd into the jaas.conf?
Anyway, if you want to lock the usr&pwd you can
use certificate
crypt into the file
write into a code
Related
I need to develop a web application for the Intranet users. I don't want them to enter the login credentials each time they visit the site. It should be automatically loaded from the System Username and Password.
I have successfully implemented functionality which prompt user name and password registered with active directory and validate against LDAP. I need some tips to login directly from intranet website without prompt username & password.
Here is my queries, please let me know your suggestion.
Is it compulsory to set SPN?
Do we need to create separate keytab file for each client? In my organization, there is around 800 people are working so should I need to add all client principal in keytab file & copy to client machine to perform autologin.
I have tried many API's like JESSO, Waffle, Spring Kerberos, SPNGO but failed to implement auto login.
If you want to use Kerberos/SPNEGO (which would be my recommendation) you do have to set up SPN. And you only need one keytab for AD domain. Are you running your Java program on some app server, like Weblogic, or as a standalone program? Servers do have security framework that you could use, while for standalone program you'd have to do a bunch of stuff manually.
I've found that the easiest way to do this is to use Atlassian's Crowd (https://www.atlassian.com/software/crowd/overview) instead of implementing it yourself. It's a commercial product, but last time I checked, it was dirt cheap, and it just works.
I need to write automated test scripts for webapp and tests require user credentials for login recieved from csv file. The problem is that it's my personal credentials and they are shared for some other services but all project is under svn and I need some way to hide my credentials.
I there some way to store credentials in some "closed" method or library and get credentials with methods like getUserName() and getPassword().
Thanks.
You can save them to properties file and encrypt it.. Now, when your web application up, it will decrypt file and read all credentials store in memory using java.util.Properties and than you can use them whenever you want.
I want to fetch data from an Active Directory using Java and JNDI from my EJB.
Doing this search I need to define a user and a password.
I was thinking of creating a service account (for my server) in the AD.
I will also be using Kerberos protocol and WebLogic Server.
As I understand it now, I need to create a keytab file that will contain this service account's credentials. This keytab file will then be configured in the WebLogic Server?
So, this means that I will have to state the username/password both for the keytab file and in my EJB (to fetch the data from the AD using JNDI). What is the best approach for this? Can the keytab file be defined dynamically? Which would simplify changing the password and only doing this at one place.
Have your machine join the domain, start you WebLogic server with the machine account or give access to the machine keytab, create a JDNI resource with the DirContextSourceFactory and you are able to access the AD as you wish.
I have two windows domains A and B.
I have two servers: nasB on domain B, and webserverA on domain A.
I have two users: userB on domain B and access to nasB and userA on domain A with access to webserverA
I am running tomcat as a service on webserverA and it has the logon as property set to userA.
I have \\nasB\myFiles$\ mapped on webserverA using userB credentials. The mapping is only to allow the JVM access. I always access the drive using UNC in the code. I also have credentials in the manage network passwords. Both methods work when running any java app directly but not as a service :(
If I run tomcat as a service it throws a filenotfound except when trying to access \\nasB\myFiles$\somefile.txt. If I run tomcat using the startup.bat it can access the file fine.
I cannot run tomcat service using userB as he does not have access to webserverA. How do I let my tomcat service use the userB credentials when accessing nasB?
Don't try using mapped drives.
Given the fact users' configuration and mapped drives are available only if the user logins using interactive login, you won't be able to use such resources. Try with UNC paths and, if that doesn't work due to user restrictions, get a hand over jcifs library, it is quite handy in those cases because it allows you to authenticate when accesing the resource with the UNC path, so it reduces uncertainty about ability to read folders and files in network drives (also, configuring tomcat service to be ran as an administrative user, giving credentials that shouldn't expire,...).
I' ve faced this myself and this is just my personal view.
Create Windows user with username/password identical on both Windows servers.
Example userA/passA
Then run Tomcat Windows service with that user.
I'm in the process of writing a server application that mainly allows people to submit jobs to a DRM system (e.g. TORQUE) over RMI. The application needs to run as root so that it can submit proxy jobs (where a job is run as a user other than the user who submits it), however this obviously isn't secure - the user name is simply a string parameter in the RMI. Anyone could pass any user name in and have a job run as that user.
What's the best way to get Java to authenticate this user name against authorised users of the system (with the aid of a password that would also be passed in)? I've had a look at JAAS and Apache Shiro, but they seem to be all about creating your own authentication methods. I want to use the system's existing authentication methods (Unix-like system), whatever they happen to be. Essentially if the user can SSH in, they're all right.
If your backend uses LDAP (which is possible if you have to manage a relatively large number of users for which a local /etc/passwd might be tedious), you can use JAAS and the existing LdapLoginModule.
If you want to authenticate against you local system (assuming Linux server) without this, it looks like JAAS-PAM might be able to help, although I've never tried it.