How can I retrieve the credentials for the currently logged-in Windows user who is accessing my web application in Java?
From a standalone application, I can access the user id of a logged-in Windows user using:
com.sun.security.auth.module.NTSystem NTSystem = new com.sun.security.auth.module.NTSystem();
System.out.println(NTSystem.getName());
However, this will not work for a web app, since it will always print out the id of the user that is running Tomcat, not the id of the user who is accessing the web application.
I have seen this done before: if I access a website via IE, it automatically logs me in, but if I use another browser, a log-in box pops up. Any idea how to achieve this? Thank you.
My web app is written in JSF with Tomcat 7.
You need to use a library that can receive the Kerberos token that IE will send (assuming that it is configured with Integrated Windows Authentication).
There are multiple approaches/libraries to doing this, which are well documented on Apache's site for Tomcat. Here you go: http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html
You have some different options to achieve this. Tomcat has some suggestions on their homepage. I've used both IIS fronting and the spring-security kerberos extension and they work just fine.
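The header exchange behind the answers above, as an added example that is not from the original posts: the server challenges with `WWW-Authenticate: Negotiate`, and the browser replies with `Authorization: Negotiate <base64 token>` that carries either a GSS-API/SPNEGO token (normally a Kerberos ticket) or an NTLM message. The class name and the sample tokens are constructed for illustration; only JDK classes are used.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

// Added example (hypothetical class): classify the token in "Authorization: Negotiate <base64>".
public class NegotiateTokenCheck {

    enum Kind { NO_NEGOTIATE_HEADER, SPNEGO_GSSAPI, NTLM, MALFORMED }

    // Every NTLM message begins with the ASCII signature "NTLMSSP" plus a NUL byte.
    private static final byte[] NTLM_SIG = "NTLMSSP\0".getBytes(StandardCharsets.US_ASCII);

    static Kind classify(String authorization) {
        // No header yet: the server answers 401 with "WWW-Authenticate: Negotiate".
        if (authorization == null) return Kind.NO_NEGOTIATE_HEADER;
        String[] parts = authorization.trim().split("\\s+", 2);
        if (parts.length != 2 || !parts[0].equalsIgnoreCase("Negotiate")) {
            return Kind.NO_NEGOTIATE_HEADER;
        }
        byte[] token;
        try {
            token = Base64.getDecoder().decode(parts[1].trim());
        } catch (IllegalArgumentException e) {
            return Kind.MALFORMED;
        }
        if (token.length >= NTLM_SIG.length
                && Arrays.equals(Arrays.copyOf(token, NTLM_SIG.length), NTLM_SIG)) {
            return Kind.NTLM; // client fell back to NTLM instead of sending a Kerberos ticket
        }
        // An initial GSS-API token (SPNEGO or raw Kerberos) starts with ASN.1 tag 0x60.
        if (token.length > 0 && (token[0] & 0xFF) == 0x60) return Kind.SPNEGO_GSSAPI;
        return Kind.MALFORMED;
    }

    public static void main(String[] args) {
        // Constructed samples: an NTLM type-1 header stub and the start of a SPNEGO token.
        byte[] ntlm = Arrays.copyOf(NTLM_SIG, 12);
        ntlm[8] = 1; // message type 1 (negotiate), little-endian
        byte[] spnego = {0x60, 0x08, 0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02};
        Base64.Encoder enc = Base64.getEncoder();
        System.out.println(classify(null));
        System.out.println(classify("Basic dXNlcjpwYXNz"));
        System.out.println(classify("Negotiate " + enc.encodeToString(ntlm)));
        System.out.println(classify("Negotiate " + enc.encodeToString(spnego)));
        System.out.println(classify("Negotiate not*base64"));
    }
}
```

Logging this classification on the server side helps when the seamless login does not happen: an NTLM token where Kerberos is expected commonly means the client could not get a service ticket for the site.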
I want to automatically authenticate 'active directory users' who are logged in to Windows in my applications.
In short, I want SSO for my applications using Windows credentials.
**Client is React and back-end is Java 8 and Spring 4.1.2 and Spring Security is 3.2.5.
I already authenticate and search 'active directory users' in my applications, using Spring LDAP 3.2.5.
But users should submit their username and password when they use the browser.
I have read about 'Integrated Windows Authentication' (IWA), 'Kerberos', 'NTLM'.
Should I use NTLM instead of LDAP?
Or should I use Kerberos?
Or should I use ADFS?
Should I configure anything in Active Directory for that?
**I can't configure anything in Active Directory
Should I get Windows credentials programmatically in React and send them to the server, and from the server send those credentials to Active Directory to verify them?
I don't know, but should I say anything in my 'HTTP response' to the 'HTTP OPTION Request' to force the browser to set Windows credentials in the next request?
And thanks for your time.
There are a couple ways to do this:
Windows Authentication
This is best for the user as it is a seamless login. If the website is trusted, then the browser will automatically send the credentials of the currently-logged-on user to the site.
In this case, the web server (Tomcat in this case) handles the authentication and passes the credentials to the application. If you were using IIS and Windows, the setup would be super easy. But with Tomcat on Linux, it's a little harder. You need to set up Kerberos, which requires setting up SPN (Service Principal Name) values on the domain so that your server is trusted on your domain to authenticate. The full instructions for setting this up in Tomcat 8 are here: Windows Authentication How-To
Once that is set up, your website needs to be trusted by the browsers. If your site is recognized as an intranet site, then this should already be true. If not, then your site's domain needs to be added to the Trusted Sites in the Internet Options on the client computers. This can also be done via Group Policy. That will work for IE and Chrome. Firefox uses its own network.negotiate-auth.delegation-uris setting.
Forms Authentication
Another way is to use a login page to ask the user for their username and password, then authenticate them via LDAP in your Java application code. I will assume you know how to set up a login page, so you just need to know how to verify the credentials. You can use the answer here for that code. That answer has the code in a console app, but you can pull out the code that takes the username and password and verifies it.
This is arguably easier to set up, but at the cost to the user.
I am developing a web application using Oracle ADF. In my web application, the user has to log in to access it. The application is working fine. Now I need to enable a feature so that once a user has logged in and for some reason closes a tab, not the browser, he does not need to log in again whenever he tries to access the same application. Since the browser has not been closed, the user has to be automatically logged in.
For this I googled a lot and found that we can achieve this using the browser cache and servlet filters. I got the information from this Stack Overflow question. But I don't know how to implement filters in an Oracle ADF web application. Please help with this.
Thanks in advance.
If the user is closing ONLY the tab containing the application, but not the browser, the user doesn't need to log in again - this is how authentication works with the Java Servlet API, and ADF is built on this API. This happens because all browser tabs share the same HTTP session and the JSESSIONID cookie is stored at session level.
You can try logging on, close the tab, open another tab and type in the url directly to your home page (.../faces/main.jsf). This should get you in without login required.
I have two applications. One is running on IIS and the second is on Tomcat. Both applications authenticate users through Active Directory. Currently users have to provide their domain, username and password in both applications separately in order to use them.
What I want is: if a user logs in to the Tomcat application using AD details, then we will show a button in the application which will open our IIS application in another browser tab (already done), and in that IIS application this user doesn't need to log in using AD details again (he should be logged in automatically), as he has already used the same account to log in to the other application (the Tomcat application).
Is this possible? If yes, please tell me how I can achieve this.
You want Kerberos. Built into IIS, available for Tomcat: http://tomcatspnegoad.sourceforge.net/ (Yes, I am the author of that and it works great in a multidomain environment.)
Best to think along some slightly different lines than you currently do:
Attempt to authenticate both Tomcat as well as IIS to a common SSO system - rather than just from one to the other. SSO systems are specifically made to allow this. A neat side effect is that these systems are single-purpose, relatively easy to monitor/protect and they'll be the only ones in touch with your passwords - no application that is using SSO for sign-on needs to know any user's password. So you can't lose any password.
Whatever route you go (Michael-O has suggested Kerberos, I'm not recommending any specific product or protocol), don't try to provide one system's password to the other system. This would inherently introduce security issues.
I'm trying to get the Windows user name of the user in my web application. Can anyone suggest how to get it?
I'm developing a web application. So if a user is accessing my application, then I need to get the user's windows id and his host name. I tried a few different ways but it never worked. Any suggestions are highly appreciated.
Windows user details are not sent in plain HTTP requests, which makes it impossible for you to derive them from a user in a web application without additional data.
The host name from which the request is sent is available in the request headers, though.
If you'd still like to get Windows user details, you'll have to do some work, like ask the user to provide them in some form, or, if you have access to the user's Naming/Directory service, you can find things out through his IP/hostname.
This is something you generally don't have readily available in web applications, though.
I'm not sure exactly how to get the Windows user name, but the HTML5 System Information API may provide some useful info. Go through this link once; you may find it helpful.
In VERY OLD(!) versions of Internet Explorer, the pattern %USER% inside of a URL was replaced by the login username. But with current browsers this doesn't work anymore, and that's good that way.
With a Java applet you can request it via:
System.getProperty("user.name")
But I don't know if this works for you...
For the intranet case take a look at
How to retrieve the current windows logged on user for Single Sign On purposes in Java
and
Can you get a Windows (AD) username in PHP?
And it seems to be intentionally impossible in the common case with modern browsers:
Can your Windows or Linux username be exposed to websites?
I have a need to be able to share a session between an apache httpclient and a web browser.
My SWT program authenticates the user via httpclient, when the user first uses the program. Later there is a need to launch a default web browser, using the same session. I'm able to launch the user's default browser using: http://johnbokma.com/mexit/2008/08/19/java-open-url-default-browser.html
I would like a general solution, if possible. If not possible, then I would settle for a solution for IE, Chrome or Firefox. I would then try to figure out how to do it for the other two browsers.
That's possible by adding the value of the session cookie in the URL opened by the default browser. The exact syntax of the URL depends on the webserver used. Here is an example with Tomcat: Supporting Sessions Without Cookies in Tomcat