SSO Web Authentication against Active Directory - AD

843810
843810 Member Posts: 46,938
edited Feb 4, 2010 10:19AM in Kerberos & Java GSS (JGSS)
Hi, everybody!

I've read a lot about authentication in other forums. I got a lot of pieces of information but didn't find how to put them together in a working solution.
I read that there are some kinds of authentication available, like Kerberos, SPNEGO, NTLM and so on. Well, I know it's boring to ask that, but I would like someone who has implemented a Web Authentication solution that is working well to help me to implement mine. Maybe a summary of how they work in the real world would help a lot.

My current solution is using an NTLM implementation, but the user is prompted for the username and password on Firefox, and on IE (because of a browser configuration) it sends the user's local credentials. If the user changes the configuration on IE he can send whatever he wants. The fact is that I need to authenticate the user against my local domain (i.e. my AD) - it'll be an intranet web application.

In an offline mock application I could get it done by using kerberos, but I needed to provide the user password. However, in a web environment, I know I can't just get the logged user's password. So, maybe the solution should be implemented on the server instead of the application. I don't really know! This is the point, the information I got until now didn't lead me any further...

If you have a working solution, please... tell me all steps necessary to get it working here!

My environment is Java 5 and JBoss 4.0.5 running on MS Windows 2000. The AD is on a Windows 2003 Server machine.

Any help will be welcome...

Thanks in advance!
Marcio Lima

Comments

  • 843810
    843810 Member Posts: 46,938
    Hi, everybody!

    I did a deep search this afternoon and found a jCIFS example which solved my problem, except for the fact that it is an "application based solution" and I need a "server based solution". I mean, I need a solution that is managed by the application server, instead of the application itself. jCIFS works with a <filter> that intercepts all requests to perform the authentication. In the filter params you configure the AD server and your DOMAIN and it does the dirty job for you.

    If you have suggestions about a "server based solution", this post will stay open.

    If any of you want my example of the jCIFS implementation, feel free to ask me and provide your email.

    Thanks, anyway!

    Marcio Lima
  • 843810
    843810 Member Posts: 46,938
    edited Apr 8, 2008 9:17AM
    I got some code, execution of which gives the user name, domain name and the machine name. But the problem is: I'm not getting how to extract the password from the message. I'm posting the entire code.


    <%
    // NTLM handshake done by hand in a JSP. Java 5 has no java.util.Base64,
    // which is why the sun.misc codec is used here.
    String auth = request.getHeader("Authorization");
    if (auth == null)
    {
    // No credentials yet: ask the browser to start the NTLM handshake.
    response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
    response.setHeader("WWW-Authenticate", "NTLM");
    response.flushBuffer();
    return;
    }
    if (auth.startsWith("NTLM "))
    {
    byte[] msg = new sun.misc.BASE64Decoder().decodeBuffer(auth.substring(5));
    int off = 0, length, offset;
    if (msg[8] == 1)
    {
    // Type 1 (NEGOTIATE) received: answer with a 40-byte Type 2 (CHALLENGE).
    // Bytes 20-23 are the flags 0x00008201 (UNICODE | NTLM | ALWAYS_SIGN);
    // bytes 24-31 are the challenge, fixed to 02 02 02 00 00 00 00 00 here.
    // A real server must send a fresh random challenge on every request,
    // otherwise a captured Type 3 response can simply be replayed.
    byte z = 0;
    byte[] msg1 = {(byte)'N', (byte)'T', (byte)'L', (byte)'M', (byte)'S', (byte)'S', (byte)'P',
    z,(byte)2, z, z, z, z, z, z, z,(byte)40, z, z, z,
    (byte)1, (byte)130, z, z,z, (byte)2, (byte)2,
    (byte)2, z, z, z, z, z, z, z, z, z, z, z, z};
    response.setHeader("WWW-Authenticate", "NTLM " +
    new sun.misc.BASE64Encoder().encodeBuffer(msg1));
    response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    return;
    }
    else if (msg[8] == 3)
    {
    // Type 3 (AUTHENTICATE): after the 12-byte header come security buffers
    // (2-byte len, 2-byte maxlen, 4-byte offset) for the LM response (12),
    // NT response (20), domain (28), user (36) and workstation (44).
    // off = 30 reads each buffer's maxlen and the low 16 bits of its offset.
    // Bytes are masked with 0xff because Java bytes are signed.
    off = 30;
    // The Type 2 above negotiated Unicode, so the strings are UTF-16LE.
    String enc = "UTF-16LE";

    length = (msg[off+17] & 0xff)*256 + (msg[off+16] & 0xff);
    offset = (msg[off+19] & 0xff)*256 + (msg[off+18] & 0xff);
    String remoteHost = new String(msg, offset, length, enc);

    length = (msg[off+1] & 0xff)*256 + (msg[off] & 0xff);
    offset = (msg[off+3] & 0xff)*256 + (msg[off+2] & 0xff);
    String domain = new String(msg, offset, length, enc);

    length = (msg[off+9] & 0xff)*256 + (msg[off+8] & 0xff);
    offset = (msg[off+11] & 0xff)*256 + (msg[off+10] & 0xff);
    String username = new String(msg, offset, length, enc);

    // The password is not in the message: the LM/NT buffers hold responses
    // computed from the challenge, and nothing here verifies them against
    // the domain controller, so these names are unauthenticated as printed.
    out.println("Username:" + username + "<BR>");
    out.println("RemoteHost:" + remoteHost + "<BR>");
    out.println("Domain:" + domain + "<BR>");
    }
    }
    %>

    Thanks and regards.

    Edited by: User123456 on Apr 8, 2008 6:16 AM
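A stand-alone Python parser for the Type 3 (AUTHENTICATE) message the JSP above decodes, added here as an example and not the poster's code. It goes a little beyond the JSP by handling both the short and the long header form and by picking the string charset from the negotiated flags; the sample message, its names and its 24-byte dummy challenge responses are constructed, not captured.

```python
import base64
import struct

NEGOTIATE_UNICODE = 0x00000001  # NTLMSSP flag: string fields are UTF-16LE

# Constructed Type 3 message (not a capture): 64-byte header, then domain, user,
# workstation and two dummy 24-byte challenge responses at the stated offsets.
SAMPLE_TYPE3 = (
    b"NTLMSSP\x00" b"\x03\x00\x00\x00"   # signature, message type 3
    b"\x18\x00\x18\x00\x62\x00\x00\x00"   # LM response: len 24 @ offset 98
    b"\x18\x00\x18\x00\x7a\x00\x00\x00"   # NT response: len 24 @ offset 122
    b"\x10\x00\x10\x00\x40\x00\x00\x00"   # domain: len 16 @ offset 64
    b"\x0a\x00\x0a\x00\x50\x00\x00\x00"   # user: len 10 @ offset 80
    b"\x08\x00\x08\x00\x5a\x00\x00\x00"   # workstation: len 8 @ offset 90
    b"\x00\x00\x00\x00\x92\x00\x00\x00"   # session key: empty
    b"\x01\x82\x00\x00"                   # flags 0x8201 (UNICODE|NTLM|ALWAYS_SIGN)
    + "MYDOMAIN".encode("utf-16-le") + "mlima".encode("utf-16-le")
    + "WS01".encode("utf-16-le") + bytes(range(24)) + bytes(range(100, 124))
)

def _secbuf(msg, pos):  # security buffer: u16 len, u16 maxlen, u32 offset -> bytes
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]

def parse_type3(authorization):
    """Parse an 'Authorization: NTLM <base64>' header carrying a Type 3 message.
    Returns the cleartext identity fields and the challenge-response sizes. There is
    no password field: the NT/LM responses must be verified against the domain controller.
    """
    scheme, _, b64 = authorization.partition(" ")
    msg = base64.b64decode(b64) if scheme == "NTLM" else b""
    if len(msg) < 52 or msg[:8] != b"NTLMSSP\x00" or msg[8] != 3:
        raise ValueError("not an NTLM Type 3 message")
    # The flags field at 60 exists only when no payload starts before byte 64.
    first_payload = min(struct.unpack_from("<I", msg, p + 4)[0] for p in range(12, 52, 8))
    has_flags = first_payload >= 64 and len(msg) >= 64
    flags = struct.unpack_from("<I", msg, 60)[0] if has_flags else NEGOTIATE_UNICODE
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"  # OEM charset assumed
    return {
        "domain": _secbuf(msg, 28).decode(enc),
        "user": _secbuf(msg, 36).decode(enc),
        "workstation": _secbuf(msg, 44).decode(enc),
        "lm_response_len": len(_secbuf(msg, 12)),
        "nt_response_len": len(_secbuf(msg, 20)),
        "flags": flags,
    }

def sample_header():  # the constructed message as a browser would send it
    return "NTLM " + base64.b64encode(SAMPLE_TYPE3).decode("ascii")

if __name__ == "__main__":
    for key, value in parse_type3(sample_header()).items():
        print(key + ": " + str(value))
```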
  • 843810
    843810 Member Posts: 46,938
    Hi,

    I have a requirement wherein the user will log into their Windows workstation and they will open my Web App (deployed in JBoss AS).
    Now my web app should get only the username/userid of the logged-in user from ActiveDirectoryServer.

    If you can provide me some details like below in order to get the above task done:

    1. What are the jCIFS jar files needed and where are they to be placed in my app package?
    2. What are the XML files to be modified in this regard (like web.xml, jboss-web.xml, etc.)?
    3. And finally, what are the changes to be made in the above XML files and JSP files?
    4. Does the JBoss AS need to run only on Windows OS, or can it run on Linux/Unix to get the user info from ActiveDirectoryServer?

    It would be great if you can give me the information. I will be really thankful for your help!!

    If you think you would want to send to my mail, please send to: [email protected]

    Regards,
    Bakar
  • 843810
    843810 Member Posts: 46,938
    Hi mferlan,

    I have a requirement wherein the user will log into their Windows workstation and they will open my Web App (deployed in JBoss AS).
    Now my web app should get only the username/userid of the logged-in user from ActiveDirectoryServer.

    If you can provide me some details like below in order to get the above task done:

    1. What are the jCIFS jar files needed and where are they to be placed in my app package?
    2. What are the XML files to be modified in this regard (like web.xml, jboss-web.xml, etc.)?
    3. And finally, what are the changes to be made in the above XML files and JSP files?
    4. Does the JBoss AS need to run only on Windows OS, or can it run on Linux/Unix to get the user info from ActiveDirectoryServer?

    It would be great if you can give me the information. I will be really thankful for your help!!

    If you think you would want to send to my mail, please send to: [email protected]

    Regards,
    Bakar
  • 843810
    843810 Member Posts: 46,938
    Hi, everybody...

    I have a working example using jCIFS I would like to attach here for any of you who need it, but it isn't possible.

    I'm posting my code below. If you can't get it to work, I can send it to you by email.

    Here are the steps to get it working. It's quite simple.

    1) Place the jcifs-1.2.18.jar in your lib directory. Ex: WEB-INF/lib/jcifs-1.2.18.jar
    2) Set up the jcifs filter in the web.xml file as below:
    <?xml version="1.0" encoding="UTF-8"?>
    <web-app id="WebApp_ID" version="2.4"
    	xmlns="http://java.sun.com/xml/ns/j2ee"
    	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
    
    	<display-name>AD Authentication</display-name>
    	<filter>
    		<filter-name>NtlmHttpFilter</filter-name>
    		<filter-class>jcifs.http.NtlmHttpFilter</filter-class>
    		<init-param>
    			<param-name>jcifs.netbios.wins</param-name>
    			<!-- here goes the AD server name or IP -->
    			<param-value>adserver</param-value><!-- 123.45.67.89 -->
    		</init-param>
    		<init-param>
    			<param-name>jcifs.smb.client.domain</param-name>
    			<!-- here goes your DOMAIN name -->
    			<param-value>MYDOMAIN</param-value>
    		</init-param>
    	</filter>
    	<filter-mapping>
    		<filter-name>NtlmHttpFilter</filter-name>
    		<url-pattern>/*</url-pattern>
    	</filter-mapping>
    
    	<welcome-file-list>
    		<welcome-file>index.jsp</welcome-file>
    	</welcome-file-list>
    </web-app>
    That's all!

    In order to test it, you can build a JSP page as below:
    <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
    <title>AD Authentication Test</title>
    </head>
    <body>
    	<font face="verdana">
    		<h2>AD Authentication Test</h2>
    		<%
    			String userInfo = request.getUserPrincipal().getName();
    			String[] pieces = userInfo.split("\\\\"); // Firefox sends DOMAIN\USERNAME as UserPrincipal
    			String username = pieces[pieces.length -1];
    		%>
    		... and the Oscar goes to: <b><%=username%></b> <br /><br />
    	</font>
    </body>
    </html>
    Again, if you want the war file, I can send it to you.

    Have a great day!

    Regards.

    Marcio Lima
  • 843810
    843810 Member Posts: 46,938
    I'm closing this topic, but I'm available to clear any doubt you may have.

    Regards.
    Marcio Lima
  • 843810
    843810 Member Posts: 46,938
    Really Great!! Thanks a lot Marcio !!

    It would be really helpful if you could send the war file and the src (if possible/permissible) to my personal mail: [email protected]

    ------
    Cheers,
    Bakar
  • 843810
    843810 Member Posts: 46,938
    Thank you Marcio!

    Would you please email your war and src as well? to [email protected]

    Thank you in advance it's greatly appreciated!
  • 843810
    843810 Member Posts: 46,938
    Sorry, I put an old email address, the correct one is: [email protected]

    Thanks again!
  • 843810
    843810 Member Posts: 46,938
    Hello Marcio!

    Could you please email me your war and src as well?
    [email protected]

    Thanks in advance!

    Timo
This discussion has been closed.