Integrating with client's existing active directory - java

I have a running website which has its own set of users and an authentication system which does a basic database lookup to authenticate the users to log in to the site. A client of ours is interested in the website and has a requirement that, instead of registering all their existing users with us again, they have an Active Directory and I should use it to authenticate them. This prevents the client from registering all their users with us and from remembering another set of usernames and passwords.
My website is built with Java and I am looking at a solution wherein I can integrate with Active Directory.
I am new to Active Directory and have been searching the web but failed to find an optimum solution. My understanding of Active Directory is that it would have a set of usernames and passwords and, if I am successfully able to integrate with it, in addition to having my own database of users I will have to look up in the client's Active Directory as well, and if a match is found, I can authenticate the user.
Please correct me if my understanding is wrong, and could you please point me in the right direction?
Thanks,
Mayank

Try my Tomcat SPNEGO/Active Directory Authnz if you are on Tomcat 6 and up. The code is production quality; the release is upcoming. Build the site and read the docs, everything is described.

Where is your app deployed? If it is on your customer's premises, then the easiest might be to do an LDAP query against AD (an LDAP server) like #nzpcmad suggests. Tomcat has support for Windows Authentication too, if I'm not mistaken, so it might be easier to go that path.
If it is off-premises, you will have to use an identity federation approach. You will have to change your app to accept SAML tokens and implement the SAML protocol (because you are in the Java world that might be the best option). Your customer will need to deploy an STS (like ADFS).
It really depends on how your app is designed and accessed by your customers (on-prem vs hosted, single tenant vs multi-tenant).

You've tagged this with adfs but nothing in the question refers to that?
Funnily enough, you may be able to do this with ADFS.
If you can integrate an STS on your side, then you can federate with ADFS and then the user can choose which repository to authenticate on.
I'm not sure how your DB does the authentication? If it's custom then there may not be an STS that supports this.
Alternatively, add another screen in front of your authentication screen. This screen asks the user which repository to use. If they choose AD, then just access the AD via the Java APIs for Active Directory, such as JNDI.
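The on-premises path described in the two answers above (an LDAP bind against AD through JNDI) looks like the following. This is an added example, not code from the original posts; the ldaps:// URL, the UPN suffix and the sample credentials in main are constructed placeholders. It relies on two AD behaviours a practitioner needs to know: AD accepts the userPrincipalName (user@domain) as a bind name, so no DN search is needed first, and AD answers a bind with an empty password as a successful anonymous bind, so an empty password must be rejected before the bind is attempted.

```java
import java.util.Arrays;
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/**
 * Authenticates a user against Active Directory by binding to the directory
 * with the user's own credentials over LDAPS (JNDI simple bind).
 * Hypothetical values: the ldaps URL and the UPN suffix are assumptions.
 */
public final class AdBindAuthenticator {

    private final String ldapsUrl;   // e.g. "ldaps://dc01.example.corp:636" (assumed)
    private final String upnSuffix;  // e.g. "example.corp" (assumed)

    public AdBindAuthenticator(String ldapsUrl, String upnSuffix) {
        if (!ldapsUrl.startsWith("ldaps://")) {
            // A simple bind over plain ldap:// sends the password in clear text.
            throw new IllegalArgumentException("use an ldaps:// URL for password binds");
        }
        this.ldapsUrl = ldapsUrl;
        this.upnSuffix = upnSuffix;
    }

    /** Returns true only if AD accepted the user's password. The password array is zeroed afterwards. */
    public boolean authenticate(String username, char[] password) {
        try {
            // AD treats a bind with an empty password as an ANONYMOUS bind and reports success,
            // so an empty password has to be refused here, not left to the directory.
            if (username == null || password == null || password.length == 0) {
                return false;
            }
            // Only allow characters that cannot turn the login name into a different principal.
            if (!username.matches("[A-Za-z0-9._-]+")) {
                return false;
            }
            Hashtable<String, Object> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, ldapsUrl);
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            // AD accepts user@domain (the userPrincipalName) as the bind name.
            env.put(Context.SECURITY_PRINCIPAL, username + "@" + upnSuffix);
            env.put(Context.SECURITY_CREDENTIALS, password);   // JNDI accepts a char[] here

            DirContext ctx = null;
            try {
                ctx = new InitialDirContext(env);   // the bind happens here
                return true;
            } catch (AuthenticationException e) {
                return false;   // wrong password, or a locked/disabled account (LDAP result 49)
            } catch (NamingException e) {
                // Directory unreachable, certificate problem, etc.: a failure, but one that
                // should be logged separately from bad-password events.
                return false;
            } finally {
                if (ctx != null) {
                    try { ctx.close(); } catch (NamingException ignored) { }
                }
            }
        } finally {
            if (password != null) {
                Arrays.fill(password, '\0');   // don't keep the password in memory
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample values; no real directory is involved.
        AdBindAuthenticator auth = new AdBindAuthenticator("ldaps://dc01.example.corp:636", "example.corp");
        boolean ok = auth.authenticate("jdoe", "correct horse battery staple".toCharArray());
        System.out.println("authenticated: " + ok);
    }
}
```

The bind only answers "is this password right"; group membership for authorization would still have to be read from the user's entry (memberOf) with a separate search, and a failed bind should be rate limited on the application side as well, since every attempt counts against the account's AD lockout policy.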

Related

How to authenticate from java/ldap with Windows Group Managed Service Account (GMSA)

We have a java application which currently uses a single Active Directory account (username + password) to do the following:
- Run application as a Windows Service
- Authenticate with SQL Server through jdbc
- Query/scan AD using LDAP
A customer is asking if we can support Group Managed Service Accounts (GMSA). I can't seem to find any mention of how to do this here or other sites. Can someone give me some hints on the last 2 items in the list? Is the LDAP authentication just a matter of additional parameters being given? Or a totally different method?
We are using unbound for LDAP access.
We have had similar problems using the UnboundID LDAP SDK, as well as Spring LDAP, to do an LDAP bind to a gMSA. After a lot of trial and error I found a solution. A quick rundown of the solution: a .NET console application to extract the password and decrypt it, then write it to the output to be able to read it from a Java application. Then, using a DIGEST-MD5 bind, we are able to bind to the gMSA user. More info about all of this can be found in this post:
https://sourceforge.net/p/ldap-sdk/discussion/1001257/thread/bb0f55349f/
Since you asked for hints (not the answer) and I don't know which security framework you're using, I can at least give you one hint:
Search for Spring Security Framework. They have options so you can use LDAP, AD and other authentication types.

Java JEE5 App. Client with windows authentication and without prompting for user name and password

We have a Java JEE5 enterprise application consisting of a web module and an app client running on GlassFish.
We need to set up authentication against Active Directory. I am aware that it is easy to set up LDAP-based authentication for a web module or application client module, but they are asking us to pick up the credentials from the Windows logon when launching the application client and that somehow the credentials get propagated to the EJB tier as usual. This includes not only the user principal but also the roles.
In brief, my question is: Can JAAS plug in to the windows authentication mechanism for desktop clients without prompting the user for user name and password?
Thanks,
Pablo.
I don't know about the details or JAAS compatibility but I believe that SPNEGO and/or Integrated Windows Authentication are the things you are looking for.
I haven't tried this, but here is a code example of pulling the NTLM username from the browser:
http://www.rgagnon.com/javadetails/java-0441.html
But, since you are talking about a desktop application your question may be how to get the username from within your java application, since NTLM really isn't involved.
http://www.roseindia.net/java/java-get-example/java-get-windows-username.shtml
Basically you would just use: System.getProperty("user.name").
UPDATE:
Since roles and all are needed, you may find that using JNI (http://download.oracle.com/javase/6/docs/technotes/guides/jni/) may be your best bet, as you can then call Windows API functions from Java. But then you are tying this app to Windows, though it sounds like it will be anyway.

How to implement single sign-on in my java project?

I need to implement single sign-on in my java web application which can achieve the following features:
All the computers are joined to my domain smb.local; after a user logs in to the computer and types http://localhost:8080, my application should know to use the currently logged-in user to log in to my web application.
So what protocol should I implement? Or any reference?
Thanks very much!
If you want to "automatically" extract the user's Windows credentials, one option (maybe the only one?) is NTLM. Once you've actually got the credentials, you'll need to check them against the authoritative source - Active Directory exposes details as LDAP, so most security frameworks would be able to cope with this.
I did such a thing a few years ago with Spring Security, including deriving privileges based on Windows group membership, and it worked very well.
Recently I worked with CAS from Jasig, you can also check OpenSSO or Josso to have a SSO. From there, you'll find the documentation of each project and how to integrate it in your application.
For the automatic connection "as long as you're logged on to the computer", I'm not sure that's even possible. If it is, you'll certainly need a specific browser (and some plugins for this browser).
Is the authentication centralized anywhere (LDAP, for example)?

Help choosing authentication method

I need to choose an authentication method for an application installed and integrated in the customer's environment. There are two types of environments: Windows and Linux/Unix. The application is user based, no web stuff, pure Java. The requirement is to authenticate users who will use my application against a customer-provided user base. Meaning, the customer installs my app but uses his own users to grant or deny access to my app. Typical, right?
I have three options to consider and I need to pick the one which would be a) the most flexible to cover the most common modern environments and b) take the least effort while staying robust and standard.
Option (1) - Authenticate locally, managing user credentials in some local storage, e.g. a file. The customer would then add his users to my application and it will then check the passwords. Simple, clumsy, but would work. Customers would have to punch in every user they want to grant access to my app using some UI we will have to provide. Lots of work for me, headache for the customer.
Option (2) - Use LDAP authentication. Customers would tell my app where to look for users and I will walk their directory, resolving names into user names and trying to bind with the found password. This is a better approach IMO, but more fragile because I will have to walk an unknown directory structure and who knows if this will be permitted everywhere. It would be harder to test since there are many LDAP implementations out there; the last thing I want is drowning in this voodoo.
Option (3) - Use plain Kerberos authentication. Customers would tell my app what realm (domain) and which KDC (key distribution center) to use. In an ideal world these two parameters would be all I need to set, while customers could use their own administration tools to configure the domain and KDC. My application would simply delegate user credentials to this third party (using JAAS or Spring Security) and consider it a success when the third party is happy with them.
I personally prefer #3, but I'm not sure what surprises I might face. Would this cover Windows and *nix systems entirely? Is there another option to consider?
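Option (3) as sketched in the question, a JAAS login against a KDC given only the realm and KDC host, can be written with the JDK's own Krb5LoginModule. This is an added example, not code from the original post; the realm, KDC host and credentials in main are constructed placeholders, and the JAAS entry name "krb5-password" is an arbitrary label since the configuration is supplied programmatically.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/** Verifies a username/password against a Kerberos KDC through JAAS (option 3 in the question). */
public final class KerberosPasswordCheck {

    /** Programmatic JAAS configuration, so no jaas.conf file has to ship with the application. */
    private static final class Krb5Config extends Configuration {
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            Map<String, String> opts = new HashMap<>();
            opts.put("useTicketCache", "false");   // always ask the KDC, never reuse a cached TGT
            opts.put("storeKey", "false");         // don't keep the password-derived key in the Subject
            opts.put("refreshKrb5Config", "true"); // honour the realm/KDC properties set at runtime
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry(
                    "com.sun.security.auth.module.Krb5LoginModule",
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts)
            };
        }
    }

    /**
     * Returns true if the KDC for {@code realm} issued a TGT for {@code user} with this password.
     * The password array is zeroed before returning.
     */
    public static boolean authenticate(String realm, String kdc, String user, char[] password) {
        // The two parameters the customer supplies; they take precedence over krb5.conf.
        System.setProperty("java.security.krb5.realm", realm);
        System.setProperty("java.security.krb5.kdc", kdc);

        // Krb5LoginModule asks for the principal name and the password through callbacks.
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        };
        try {
            LoginContext lc = new LoginContext("krb5-password", new Subject(), handler, new Krb5Config());
            lc.login();   // AS exchange with the KDC; throws on a bad password, unknown principal, etc.
            lc.logout();  // discard the TGT, only the yes/no answer was wanted
            return true;
        } catch (LoginException e) {
            return false;
        } finally {
            Arrays.fill(password, '\0');
        }
    }

    public static void main(String[] args) {
        // Constructed sample values; no real KDC is involved.
        boolean ok = authenticate("EXAMPLE.CORP", "kdc01.example.corp", "jdoe", "s3cret".toCharArray());
        System.out.println("authenticated: " + ok);
    }
}
```

One caveat for the "delegate to the third party" idea: a password check that stops at obtaining a TGT trusts whatever host answers as the KDC. A deployment that cares about KDC spoofing additionally requests a service ticket for a principal whose key the application holds in a keytab and verifies it, or uses SPNEGO so the user presents a ticket instead of a password.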
Go with LDAP. Access is very easy, and the only parameter you need is the LDAP server (and Active Directory is one). If the user exists and the password is correct, he will always be able to log in to the LDAP server.

LDAP Best Practices

I'm interested in the best practices for using LDAP authentication in a Java-based web application. In my app I don't want to store username/password, only some IDs. But I want to retrieve additional information (name, last name) if any exists in an LDAP catalog.
My team uses LDAP as a standard way of authentication. Basically, we treat LDAP as any other database.
To add a user to the application, you have to pick one from LDAP or create it in LDAP; when a user is deleted from the application, it stays in LDAP but has no access to the application.
You basically need to store only the LDAP username locally. You can either read LDAP data (e-mail, department, etc.) from LDAP each time, or pull it into the application in some way, though reading it from LDAP is probably simpler and smarter since LDAP data can change. Of course, if you need reporting or use LDAP data extensively, you might want to pull it from LDAP (manually or with a batch task).
The nice thing is that once a user is disabled in LDAP, it's disabled in all applications at once; also, a user has the same credentials in all applications. In a corporate environment, with a bunch of internal applications, this is a major plus. Don't use LDAP for the users of only one application; there are no real benefits in that scenario.
For general best practices with LDAP, see "LDAP: Programming practices".
If you have more than one web based application and want to use LDAP authentication then a prepackaged single sign on solution might be better than creating your own LDAP authentication. CAS supports LDAP authentication and can pull back the data you need for your application.
At my college we actually have implemented CAS as a single sign on against our Active Directory server. We also utilize CAS to authenticate our J2EE applications and are working on using CAS to authenticate our PHP applications.
We use AD to hold the users for the domain. There are certain OUs based on the type of user. The users each have a unique ID which happens to be their student/employee ID, so applications can use that as a primary key in their databases. We have a database-driven authorization method for our PHP applications. Authorization for the J2EE application comes from a value in LDAP.
Good luck with your application.
So, you want the user to enter an ID only, and then grab the rest of their info from LDAP? That's quite easy.
1. Create an InitialLdapContext and connect to LDAP.
2. Do a search for the ID (it should be stored as some attribute value) -- e.g. (&(userid=john)(objectClass=user)) -- which means "userid=john AND objectClass=user".
3. The SearchResult object will contain all attributes (or the ones you asked for).
Some LDAP implementations (notably MS Active Directory LDAP) do not let you connect as an anonymous user. For those you need a technical user ID/password to connect.
As said above, LDAP normally makes sense when you have many applications.
P.S. To get a feeling for what LDAP is, try Apache Directory Studio.
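The three steps in the answer above, connected with a technical account as the answer says AD requires, look like this in JNDI. This is an added example and not code from the original post; the ldaps:// URL, base DN, service-account DN and the choice of sAMAccountName as the "ID" attribute are assumptions. It goes one step beyond the answer by escaping the user-supplied ID before it is placed in the filter (RFC 4515), which is what keeps "(&(userid=john)(objectClass=user))" from being rewritten by an ID such as "*" or "john)(|(cn=*".

```java
import java.util.Arrays;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/** Looks up a user's profile attributes in AD by a unique id, binding with a technical account. */
public final class LdapProfileLookup {

    /** The attributes the application wants from the directory (it stores only the id itself). */
    public static final class Profile {
        public final String givenName, surname, mail;
        Profile(String givenName, String surname, String mail) {
            this.givenName = givenName; this.surname = surname; this.mail = mail;
        }
        @Override public String toString() {
            return givenName + " " + surname + " <" + mail + ">";
        }
    }

    /** Escapes a value for use inside an LDAP search filter (RFC 4515, section 3). */
    public static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Returns the profile for {@code userId}, or null if no user matches. Throws if the id is ambiguous. */
    public static Profile lookup(String ldapsUrl, String serviceDn, char[] servicePassword,
                                 String baseDn, String userId) throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapsUrl);                 // LDAPS: the service password travels encrypted
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, serviceDn);          // the technical account AD requires
        env.put(Context.SECURITY_CREDENTIALS, servicePassword);

        // Step 2 of the answer: the id is matched as an attribute value, escaped so the filter
        // structure cannot be altered by the input.
        String filter = "(&(objectClass=user)(sAMAccountName=" + escapeFilterValue(userId) + "))";
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        controls.setReturningAttributes(new String[] {"givenName", "sn", "mail"});  // only what we need
        controls.setCountLimit(2);   // a second hit is enough to know the id is not unique

        DirContext ctx = new InitialDirContext(env);             // step 1: connect (and bind)
        try {
            NamingEnumeration<SearchResult> results = ctx.search(baseDn, filter, controls);
            if (!results.hasMore()) {
                return null;
            }
            SearchResult hit = results.next();                   // step 3: the SearchResult carries the attributes
            if (results.hasMore()) {
                throw new NamingException("more than one entry matches id " + userId);
            }
            Attributes attrs = hit.getAttributes();
            return new Profile(value(attrs, "givenName"), value(attrs, "sn"), value(attrs, "mail"));
        } finally {
            ctx.close();
            Arrays.fill(servicePassword, '\0');
        }
    }

    private static String value(Attributes attrs, String name) throws NamingException {
        Attribute a = attrs.get(name);
        return a == null ? null : String.valueOf(a.get());
    }

    public static void main(String[] args) throws NamingException {
        // Constructed sample values; no real directory is involved.
        Profile p = lookup("ldaps://dc01.example.corp:636",
                "CN=svc-webapp,OU=Service Accounts,DC=example,DC=corp", "s3cret".toCharArray(),
                "DC=example,DC=corp", "jdoe");
        System.out.println(p == null ? "no such user" : p.toString());
    }
}
```

If the application keeps only an identifier, as the question intends, prefer an attribute the directory never reuses for a different person: in AD, sAMAccountName can be renamed or recycled, whereas objectGUID is fixed for the life of the object.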
