I have two windows domains A and B.
I have two servers: nasB on domain B, and webserverA on domain A.
I have two users: userB on domain B and access to nasB and userA on domain A with access to webserverA
I am running tomcat as a service on webserverA and it has the logon as property set to userA.
I have \\nasB\myFiles$\ mapped on webserverA using userB credentials. The mapping is only to allow the JVM access. I always access the drive using UNC in the code. I also have credentials in the manage network passwords. Both methods work when running any java app directly but not as a service :(
If I run tomcat as a service it throws a filenotfound except when trying to access \\nasB\myFiles$\somefile.txt. If I run tomcat using the startup.bat it can access the file fine.
I cannot run tomcat service using userB as he does not have access to webserverA. How do I let my tomcat service use the userB credentials when accessing nasB?
Don't try using mapped drives.
Given the fact users' configuration and mapped drives are available only if the user logins using interactive login, you won't be able to use such resources. Try with UNC paths and, if that doesn't work due to user restrictions, get a hand over jcifs library, it is quite handy in those cases because it allows you to authenticate when accesing the resource with the UNC path, so it reduces uncertainty about ability to read folders and files in network drives (also, configuring tomcat service to be ran as an administrative user, giving credentials that shouldn't expire,...).
I' ve faced this myself and this is just my personal view.
Create Windows user with username/password identical on both Windows servers.
Example userA/passA
Then run Tomcat Windows service with that user.
Related
Im implemeting an SSO login feature for an application. Problem is that tomcat server need to be installed on linux or windows - so i cannt use waffle.
I also dont want to use kerberos because i can't enforce client to generate keytab files and also application runs sometimes on localhost or intranet - SPN name is different for this case. Next problem is that i cant modify Active Directory structure (add new computer user etc.).
Finally i think that i should use NTLM to negotiate access to application. Is it right ?
Is there any library like waffle which can let tomcat to handle negotiate ? Or is there other way to do that ?
I am working on an application which will use pubcookie authentication. My application runs on JBoss server and is front ended by Apache webserver which has the pubcookie setup. I have been able to setup the pubcookie module and the user authentication happens fine whenever a user tries to access a resource from my application. However, I am unable to pass the logged in user's id from apache webserver to my application running on JBoss server. I need this information in my application in order for my application to lookup its datastore and determine the users permissions. How does this information flow happen?
Pubcookie puts the logged-in user into the REMOTE_USER environment variable.
I write a web application I have to do signin in that using the windows username..
I tried to get username using system.get property() but its giving the username of server windows name only.but I want to the username of client system..can any one help me?
If I understood you correctly you want to sign in to the web application using the Windows credentials. If so - the problem is that the server machine knows nothing about the client. It can provide you the user info only after successful login (see Get windows username using JAVA or JSP).
You could point your system to some user store (e.g. LDAP) that will be used by both Windows system and your app. In this situation you will be able to sign in to the app using Windows credentials.
The Browser is an application to generate the view based on an HTML code. It wont give access to the client machine.
You can use request.getRemoteUser() to get the user name, that too is possible only if its allowed in the client machine.
If your client is running on a windows machine you can get the user name using this
var wshshell=new ActiveXObject("wscript.shell");
var username=wshshell.ExpandEnvironmentStrings("%username%");
This is a solution for getting the user name, but i will never recommend this, it surely is a bad practice.
Is the entire Java application running on the server? How would your application even know about a specific client machine? And how would it deal with concurrently logged in users? And how would it deal with a primitive client machine which does not have a notion of a user name?
You can instead run a Java applet which is invoked on the client's machine. You could the send this information to the server to process. However, your users would most likely not like that and not grant the required privileges.
Alternatively, you could try to use JavaScript to read the user name, in case that you are communicating via a webpage. I want to stress the word try in this context since there is not universally functional approach and most users will most likely not allow you to read this property either.
In a nutshell: Users do not normally want to share this information with you and therefore you cannot access it. If you could, you would have found a security hole which would most likely get fixed. Rather, ask your application's users to enter a name to use for whatever reason you would require it. Or, if this is an option, organize for example your Windows credentials in a service that can be accessed by a standardized API.
I'm developing a Java application which is run in Windows domain environment.
To authenticate users I'm using Krb5LoginModule available in JAAS.
JAAS Login Configuration File (let's call it jaas.conf) is embedded in application jar, which is stored on network share (read-only access).
Now every user can copy the application jar to his local disk, edit jaas.conf, and set his own LoginModule which would allow him to act as different user.
Is there any way to prevent this? How to secure the application?
Usr e Pwd must be provided by user. You have to call your own login interface where the user can provide username and password. Why you want put the usr&pwd into the jaas.conf?
Anyway, if you want to lock the usr&pwd you can
use certificate
crypt into the file
write into a code
I want to fetch data from an Active Directory using Java and JNDI from my EJB.
Doing this search I need to define a user and a password.
I was thinking of creating a service account (for my server) in the AD.
I will also be using Kerberos protocol and WebLogic Server.
As I understand it now, I need to create a keytab file that will contain this service account's credentials. This keytab file will then be configured in the WebLogic Server?
So, this means that I will have to state the username/password both for the keytab file and in my EJB (to fetch the data from the AD using JNDI). What is the best approach for this? Can the keytab file be defined dynamically? Which would simplify changing the password and only doing this at one place.
Have your machine join the domain, start you WebLogic server with the machine account or give access to the machine keytab, create a JDNI resource with the DirContextSourceFactory and you are able to access the AD as you wish.