Discussions
Categories
- 384.6K All Categories
- 2.5K Data
- 556 Big Data Appliance
- 1.9K Data Science
- 451.4K Databases
- 222.1K General Database Discussions
- 3.8K Java and JavaScript in the Database
- 32 Multilingual Engine
- 562 MySQL Community Space
- 479 NoSQL Database
- 7.9K Oracle Database Express Edition (XE)
- 3.1K ORDS, SODA & JSON in the Database
- 561 SQLcl
- 4K SQL Developer Data Modeler
- 187.5K SQL & PL/SQL
- 21.4K SQL Developer
- 296.9K Development
- 1 Application Development
- 18 Developer Projects
- 140 Programming Languages
- 293.6K Development Tools
- 112 DevOps
- 3.1K QA/Testing
- 646.2K Java
- 28 Java Learning Subscription
- 37K Database Connectivity
- 193 Java Community Process
- 106 Java 25
- 22.1K Java APIs
- 138.2K Java Development Tools
- 165.3K Java EE (Java Enterprise Edition)
- 21 Java Essentials
- 167 Java 8 Questions
- 86K Java Programming
- 81 Java Puzzle Ball
- 65.1K New To Java
- 1.7K Training / Learning / Certification
- 13.8K Java HotSpot Virtual Machine
- 94.3K Java SE
- 13.8K Java Security
- 206 Java User Groups
- 24 JavaScript - Nashorn
- Programs
- 537 LiveLabs
- 39 Workshops
- 10.2K Software
- 6.7K Berkeley DB Family
- 3.5K JHeadstart
- 5.7K Other Languages
- 2.3K Chinese
- 178 Deutsche Oracle Community
- 1.1K Español
- 1.9K Japanese
- 236 Portuguese
How to get the username/password of the current owner of the running code
680524
Member Posts: 43
Dear friends,
Our product is running on the App Server(weblogic/websphere...) and we also use security provider(OpenLDAP) and kerberos to support SSO. Before, when a user tyies to login in the first time, the way we use to authenticate the user is:
1) Accept the username/password
2) Query the security provider(OpenLDAP) to get the principles.
3) verity if the username/password is corrent or not.
As we know, to query the principles, we need to provide a search user(both username and password) if we configured the access control of the ldap server:
I have configured my envirioment as follows
1) In the LDAP server, configured the Middle Tire user(The Operating System user running the App Server) to have the permission to query principles.
2) The server is configured to runing on SSO envirioment.
My question is could I get the username/password of the OS user running the App Server at runtime so that I can query the ldap server without explicitly providing the search user?
Thanks,
RR
Edited by: Ricky Ru on Oct 9, 2011 1:50 AM
Our product is running on the App Server(weblogic/websphere...) and we also use security provider(OpenLDAP) and kerberos to support SSO. Before, when a user tyies to login in the first time, the way we use to authenticate the user is:
1) Accept the username/password
2) Query the security provider(OpenLDAP) to get the principles.
3) verity if the username/password is corrent or not.
As we know, to query the principles, we need to provide a search user(both username and password) if we configured the access control of the ldap server:
I have configured my envirioment as follows
1) In the LDAP server, configured the Middle Tire user(The Operating System user running the App Server) to have the permission to query principles.
2) The server is configured to runing on SSO envirioment.
My question is could I get the username/password of the OS user running the App Server at runtime so that I can query the ldap server without explicitly providing the search user?
Thanks,
RR
Edited by: Ricky Ru on Oct 9, 2011 1:50 AM
Answers
-
You can almost certainly not get the password, and if you can it is a sure sign that the system you are using is insecure. The way to verify the password with an LDAP server is to attempt an 'LDAP bind' as that user. In JNDI terms that means setting the authentication principal and credentials as environment properties of the context and attempting context.reconnect().
-
I might not describe clearly. The puspose is that in SSO enviroment, we want to use the Middle Tire Credential to search the principles from ldap server which is configured to allowed that. The question is that how to use the Middle Tire Credential at runtime. Could you specify your thoughts? Thanks.
-
My thoughts are exactly the same. Unless you configure LDAP with plaintext passwords, which is strongly deprecated on security grounds, you can't get the user's password, because it is hashed, one way or another. So you have to do what I said. If this is for SSO you have to organize all the SSO subsystems to rely on the same LDAP authentication.
-
Thanks EJP.
I have made some progress on this. But I have met another issue.
*1) Using JAAS to login.*
loginContext.login();
Subject subject = loginContext.getSubject();
ldapContext = (LdapContext) Subject.doAs(subject, this);
*2) Init the ldapContext to use the GSSAPI authentication*
// this is called automatically by login()
public Object run() {
Hashtable ldapEnv = new Hashtable();
ldapEnv.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
ldapEnv.put(Context.PROVIDER_URL, "ldap://9.30.215.197");
ldapEnv.put(Context.SECURITY_AUTHENTICATION,"GSSAPI");
ldapEnv.put(Context.SECURITY_PRINCIPAL,"");
ldapEnv.put(Context.SECURITY_CREDENTIALS,"");
//System.setProperty("sun.security.krb5.debug", "false");
// This tells the GSS-API to use the cached ticket as
// credentials, if it is available
System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
try {
InitialLdapContext ctx = new InitialLdapContext(ldapEnv,null);
But I got the following exception when excuting new InitialLdapContext(ldapEnv,null);
Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Acquire TGT from Cache
Principal is [email protected]
Commit Succeeded
javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Integrity check on decrypted field failed (31))]]
at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:150)
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2694)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
at javax.naming.InitialContext.init(InitialContext.java:223)
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
at LDAPKerbService.run(LDAPKerbService.java:66)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:337)
at LDAPKerbService.login(LDAPKerbService.java:40)
at LDAPKerbService.main(LDAPKerbService.java:82)
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Integrity check on decrypted field failed (31))]
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:194)
at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:105)
... 16 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Integrity check on decrypted field failed (31))
at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:663)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:175)
... 17 more
Caused by: KrbException: Integrity check on decrypted field failed (31)
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:61)
at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:185)
at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:294)
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:106)
at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:562)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:594)
... 20 more
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
at sun.security.krb5.internal.TGSRep.init(TGSRep.java:58)
at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:53)
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:46)
... 25 more
Do you have any clue on this? Thanks.
This discussion has been closed.