Where should we get started setting up single sign on for a single Windows (Active Directory) domain with a Java web application?
What I DON'T mean by single sign on is that the user signs into one Java website explicitly, and then stays signed in for other Websphere sites.
We're looking for something that will effectively "detect" the Windows user that is currently logged in on the client browser's PC (Windows XP, soon to be Windows 7), and supply that user's login name to the Java WebSphere application.
The software is Java/WebSphere, with a Flex front end which we can put in a JSP if needed. (Currently it's just an HTML page, which is preferable. GraniteDS is used for remoting.)
The server is NOT a Windows server, so Waffle is not an option. Research so far seems to indicate that we need to use something called SPNEGO, but I've yet to find information about what the Java developer's role is when setting it up.
I'd be interested in both server-side (WebSphere) config & requirements as well as Java application configuration & code required (this seems to be difficult to locate even via Google).
The Java application developer only needs to configure the Web application to rely on authentication from the container (Websphere Application Server).
The rest is all up to the configuration of the container to provide the right credentials, etc. The WAS administrator would do something like this for SPNEGO/Kerberos: http://www.redbooks.ibm.com/abstracts/sg247771.html. Further, browser configuration would need to add the site hosted by WebSphere to the domains allowed within the Intranet zone and the security mechanism.
A much better 'hack' might be (not tested) to put Websphere behind IIS as in http://www.iis.net/learn/extensions/url-rewrite-module/reverse-proxy-with-url-rewrite-v2-and-application-request-routing.
In all cases, you will still need to figure out how to get Flex to get the browser to do Windows NTLM authentication, or for it to do so itself. Best of luck.
Recently we started to upgrade our clients from Java 6u31 to 8u121.
Here we see an impact on our internal web application written in Java.
Client(s) connects to a web-server which has the JNLP and JARs locally.
However, now with the new Java 8u121 we get a pop-up from Java: "Authentication required".
We can click on cancel and the Java app will load but this is not acceptable for our users.
Is this a Java problem or a Proxy problem?
We started to do a trace with Wireshark to see what happens when the Java pop-up "authentication required" occurs. Here we could see that our proxy server blocks a GlobalSign site used to validate a certificate. We made an exception for that site. Now we have no issue anymore and the pop-up is not occurring anymore.
You can prevent that authentication window by setting the property deployment.security.authenticator to false in deployment.properties. The documentation for that property says:
Normally Plug-in and Web Start install an Authenticator to handle communication with Authenticating web pages or Authenticating proxies. This is the default behavior (true). This option can be used to turn the normal behavior off if, for example, an application communicates directly with an authenticating web page and needs to install its own Authenticator.
Location of deployment.properties:
in Windows - \LocalLow\Sun\Java\Deployment\deployment.properties
in Linux - ${user.home}/.java/deployment/deployment.properties
in OS X - ~/Library/Application Support/Oracle/Java/Deployment/deployment.properties
I'm implementing an SSO login feature for an application. The problem is that the Tomcat server needs to be installable on Linux or Windows, so I can't use Waffle.
I also don't want to use Kerberos because I can't force the client to generate keytab files, and also the application sometimes runs on localhost or on the intranet, so the SPN name is different for this case. The next problem is that I can't modify the Active Directory structure (add a new computer user, etc.).
Finally, I think that I should use NTLM to negotiate access to the application. Is that right?
Is there any library like Waffle which can let Tomcat handle Negotiate? Or is there another way to do that?
All..
I am hoping someone can confirm for me what I have read and what I have observed regarding the Tomcat Java applet server.
I have Linux servers running Tomcat (I built two new ones, but based the configuration off the previous two that were present when I came on the job). I am fairly new to Tomcat servers vs. web servers.
When a client connects to the Tomcat server address...
A static web page is served, with a link to a java applet:
When they click a link, Tomcat serves up an applet to the browser.
When the applet is served:
All connections and traffic that the applet creates are tunneled back to the Tomcat server? (Pretty sure this is happening, and is what is supposed to happen.)
All connections go through the client's network connection? (All tests I have done cannot confirm this.)
Is the tunneling a reason why Tomcat is used over just serving up the Java applet via an Apache server?
We have an SSL secure connection with certificates set up to allow HTTPS connections to the Tomcat server, and I am assuming all the data between the Tomcat server and the applet is encrypted because of this?
Thanks!
There's no good reason from what you've told us so far to use Tomcat over a lighter httpd such as Apache or nginx, if it's really just serving a Java applet and web page (static content). The former two are application servers, and as that implies, that means a little more than just static content, although they will serve static content just fine, too. But there is no "default" integration between the two technologies. In particular, your data will not be encrypted by default; you've got to make sure that your applet makes secure requests. Serving the applet over SSL only protects the connection that actually serves the applet, not subsequent ones. Though there's no reason these shouldn't also go through the same SSL endpoint, the applet has to initiate that; there's nothing "magical" going on.
Here's a good article on when you'd want to use one or the other.
As for the other part, there is a security model that comes with an applet. By default, the applet will only be able to make connections back to the server from which it came; this is to prevent certain kinds of "cross-site" attacks which were seen in the past. These days, different sites interoperating are more common, so there are many technologies you could use for that if you need to, but applets are largely considered outdated and not widely used. Your end user may also configure applets to get around this default policy.
Here is information about the applet security model, including network restrictions.
I have two applications. One is running on IIS and the second is on Tomcat. Both applications authenticate users through Active Directory. Currently users have to provide their domain, username and password in both applications separately in order to use them.
What I want is: if a user logs in to the Tomcat application using AD details, then we show a button in the application which opens our IIS application in another browser tab (already done), and in that IIS application this user doesn't need to log in using AD details again (he should be logged in automatically), as he has already used the same account to log in to the other application (the Tomcat application).
Is this possible? If yes, please tell me how I can achieve this.
You want Kerberos. Built into IIS, available for Tomcat: http://tomcatspnegoad.sourceforge.net/ (Yes, I am the author of that, and it works great in a multidomain environment.)
Best to think along some slightly different lines than you currently do:
Attempt to authenticate both Tomcat as well as IIS to a common SSO system, rather than just from one to the other. SSO systems are specifically made to allow this. A neat side effect is that these systems are single-purpose, relatively easy to monitor/protect, and they'll be the only ones in touch with your passwords: no application that is using SSO for sign-on needs to know any user's password. So you can't lose any password.
Whatever route you go (Michael-O has suggested Kerberos, I'm not recommending any specific product or protocol), don't try to provide one system's password to the other system. This would inherently introduce security issues.
How can I retrieve the credentials for the currently logged-in Windows user who is accessing my web application in Java?
From a standalone application, I can access the user id of a logged-in window user using
com.sun.security.auth.module.NTSystem NTSystem = new com.sun.security.auth.module.NTSystem();
System.out.println(NTSystem.getName());
However, this will not work for a web app, since it will always print out the id of the user running Tomcat, not the id of the user who is accessing the web application.
I have seen this being done before: if I access a website via IE, it automatically logs me in, but if I use another browser, then a log-in box pops up. Any idea how to achieve this? Thank you.
My web app is written in JSF with Tomcat 7.
You need to use a library that can receive the Kerberos token that IE will send (assuming that it is configured with Integrated Windows Authentication).
There are multiple approaches/libraries to doing this, which are well documented on Apache's site for Tomcat. Here you go: http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html
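What the application code itself looks like once the container (the Tomcat 7 SPNEGO authenticator from the linked how-to, or the WebSphere SPNEGO setup from the Redbook answer above) does the Negotiate exchange, as an added example that is not from the posts or from either product's documentation: it assumes web.xml already carries a security-constraint plus a login-config for the container's SPNEGO method, that the container hands over the full user@REALM name, and the realm name CORP.EXAMPLE.COM is an assumed value.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Locale;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: the servlet never sees a password or a Kerberos token; it only
// reads the Principal the container established before the request reached it.
public class WhoAmIServlet extends HttpServlet {
    // Assumed value: the AD realm the container is configured to authenticate against.
    static final String EXPECTED_REALM = "CORP.EXAMPLE.COM";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Principal p = req.getUserPrincipal();
        if (p == null) {
            // No container authentication happened (security-constraint missing,
            // or this URL is outside it): fail closed rather than guess a user.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "not authenticated by container");
            return;
        }
        String account = accountFromPrincipal(p.getName());
        if (account == null) {
            // Authenticated, but not by the realm this application trusts.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "unexpected realm");
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("Windows account: " + account);
    }

    // Kerberos principals arrive as user@REALM (realm case can vary with the
    // container's configuration). Return the bare account name when the realm
    // is the expected one, otherwise null so the caller rejects the request.
    static String accountFromPrincipal(String name) {
        int at = name.lastIndexOf('@');
        if (at < 0) {
            return null;
        }
        String realm = name.substring(at + 1).toUpperCase(Locale.ROOT);
        return realm.equals(EXPECTED_REALM) ? name.substring(0, at) : null;
    }
}
```

If the container is configured to strip the realm from the principal name, the realm check has to move to the container's realm configuration instead.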
You have some different options to achieve this. Tomcat has some suggestions on their homepage. I've used both IIS fronting and the spring-security kerberos extension and they work just fine.