Issue with IE security on page opened from javascript - java

I have a Java web application running in JBoss with Tomcat, with two web applications (contexts) running on it.
A button press in one of the applications runs a JavaScript command to open a new window with a page from the other.
The problem I seem to be having is that this raises a security alert in IE, with the following message:
I can't really ask my customer to add an exception to "http://". What are the likely causes for it not picking up the site?
The browser is correctly pointed at the full URL for the page (i.e. www.something.net:8080/blah/somepage.jsp). The browser is IE7 with enhanced security, running on Windows 2003.

You need to uninstall "Explorer Enhanced Security", which is on by default in Windows Servers, before IE will act like a normal browser. :)
Workstations shouldn't get this problem.

IE Enhanced Security Configuration is deliberately designed to prevent general purpose browsing from servers. Folks who want to do workstation-style browsing and just happen to be on a server SKU should disable ESC.
What's the exact line of code? window.open("http://fullURL", etc), or something like var v=window.open("about:blank"); v.location.href=etc ?

Do the two applications have different domains? IE is preventing the cross-site scripting.
Can you not just have a link to the other site?
EDIT: If this is on Windows Server 2003, then the only way that I've managed to get around it is to disable the enhanced browser security. If this is the case, then you shouldn't really be browsing from a server in the first place.
Edit2: I'm guessing that it is the enhanced browser security that is doing this.
Check out this link: http://support.microsoft.com/kb/815141 for info about it.
Your choices are either to disable it, add an exception for that site, or use another browser.

Related

Authentication required pop-up when loading JNLP for internal website

Recently we started to upgrade our clients from Java 6u31 to 8u121.
Here we see an impact on our internal web application written in Java.
Client(s) connects to a web-server which has the JNLP and JARs locally.
However now with the new Java 8u121 we get a pop-up from java : Authentication required.
We can click on cancel and the Java app will load but this is not acceptable for our users.
Is this a Java problem or a Proxy problem?
We started to do a trace with Wireshark to see what happens when the Java pop-up "authentication required" occurs. Here we could see that our proxy server blocks a GlobalSign site used to validate a certificate. We made an exception for that site. Now we have no issue anymore and the pop-up no longer occurs.
You can prevent that authentication window by setting the property deployment.security.authenticator to false in deployment.properties.
Normally Plug-in and Web Start install an Authenticator to handle communication with Authenticating web pages or Authenticating proxies. This is the default behavior (true). This option can be used to turn the normal behavior off if, for example, an application communicates directly with an authenticating web page and needs to install its own Authenticator.
Location of the deployment.properties:
in Windows - \LocalLow\Sun\Java\Deployment\deployment.properties
in Linux - ${user.home}/.java/deployment/deployment.properties
in OS X - ~/Library/Application Support/Oracle/Java/Deployment/deployment.properties

Enable JavaScript inside Java Applet

So, I have made a proxy-like Java Applet. It lets you navigate a site, handling cookies and everything, and supports authentication on the remote site. The thing is that after logging in on the remote site, I try to navigate by clicking the links and it complains that I have JavaScript disabled. To clarify, the site is functioning perfectly well when accessed directly.
My question is, can I somehow enable JavaScript inside my applet? Is it something that has to do with the browser, is it some HTTP header I must include? Am I missing something in the picture..?
Thanks in advance! :)

WebSphere Single Sign On, Windows domain

Where should we get started setting up single sign on for a single Windows (Active Directory) domain with a Java web application?
What I DON'T mean by single sign on is that the user signs into one Java website explicitly, and then stays signed in for other Websphere sites.
We're looking for something that will effectively "detect" the Windows user that is currently logged in on the client browser's PC (Windows XP, soon to be Windows 7), and supply that user's login name to the Java WebSphere application.
The software is Java/WebSphere, with a Flex front end which we can put in a JSP if needed. (Currently it's just an HTML page, which is preferable. GraniteDS is used for remoting.)
The server is NOT a Windows server, so Waffle is not an option. Research so far seems to indicate that we need to use something called SPNEGO, but I've yet to find information about what the Java developer's role is when setting it up.
I'd be interested in both server-side (WebSphere) config & requirements as well as Java application configuration & code required (this seems to be difficult to locate even via Google).
The Java application developer only needs to configure the Web application to rely on authentication from the container (Websphere Application Server).
The rest is all up to the configuration of the container to provide the right credentials, etc. The WAS administrator would do something like this for SPNEGO/Kerberos: http://www.redbooks.ibm.com/abstracts/sg247771.html. Further, browser configuration would need to add the site hosted by WebSphere to the domains allowed within the Intranet zone and the security mechanism.
A much better 'hack' might be (not tested) to put Websphere behind IIS as in http://www.iis.net/learn/extensions/url-rewrite-module/reverse-proxy-with-url-rewrite-v2-and-application-request-routing.
In all cases, you will still need to figure out how to get Flex to get the browser to do Windows NTLM authentication, or for it to do so itself. Best of luck.

How do I get the windows login username of a user running my web application?

I'm trying to get the windows user name of the user in my web application. Can any one suggest how to get it?
I'm developing a web application. So if a user is accessing my application, then I need to get the user's windows id and his host name. I tried a few different ways but it never worked. Any suggestions are highly appreciated.
Windows user details are not sent in plain HTTP requests, which makes it impossible for you to derive them from a user in a web application without additional data.
The host name from which the request is sent is available in the request headers, though.
If you'd still like to get Windows user details, you'll have to do some work, like ask the user to provide them in some form, or, if you have access to the user's Naming/Directory service, you can find things out through his IP/hostname.
This is something you generally don't have readily available in web applications, though.
I'm not sure exactly how to get the Windows user name, but the HTML5 System Information API may provide some useful info. Go through this link once; you may find it helpful.
In VERY OLD(!) versions of Internet Explorer the pattern %USER% inside a URL was replaced by the login username. But with current browsers this doesn't work anymore, and that's good that way.
With a Java applet you can request it via:
System.getProperty("user.name")
But I don't know if this works for you...
For the intranet case take a look at
How to retrieve the current windows logged on user for Single Sign On purposes in Java
and
Can you get a Windows (AD) username in PHP?
And it seems to be intentionally impossible in common case with modern browsers:
Can your Windows or Linux username be exposed to websites?

Java: How to access Window credential from IE browser

How can I retrieve the credentials for the currently logged-in Windows user who is accessing my web application in Java?
From a standalone application, I can access the user id of a logged-in Windows user using
com.sun.security.auth.module.NTSystem NTSystem = new com.sun.security.auth.module.NTSystem();
System.out.println(NTSystem.getName());
However, this will not work for a web app, since it will always print out the id of the user that is running Tomcat, not the id of the user who is accessing the web application.
I have seen this done before: if I access a website via IE, it automatically logs me in, but if I use another browser, a log-in box pops up. Any idea how to achieve this? Thank you.
My web app is written in JSF with Tomcat 7.
You need to use a library that can receive the Kerberos token that IE will send (assuming that it is configured with Integrated Windows Authentication).
There are multiple approaches/libraries to doing this, which are well documented on Apache's site for Tomcat. Here you go: http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html
You have some different options to achieve this. Tomcat has some suggestions on their homepage. I've used both IIS fronting and the spring-security kerberos extension and they work just fine.
