
I'm currently writing a Java application to be used with a Windows-Machine authed with an ActiveDirectory. The application basically only needs to know the user's name and hostname. I know there are

System.getProperty("user.name")

and

java.net.InetAddress.getLocalHost().getHostName()

But I am not sure whether System.getProperty("user.name") will function correctly with the VM running on Windows (I searched Google and found a lot of threads saying it might not work with Windows, as it might return something different depending on the environment variables), and I am currently unable to test it (I'm running Ubuntu and Arch Linux).

So, I wondered if there is a better and more secure way to handle this and stumbled upon NTSystem. But NTSystem does not seem to be available on Linux (which I use for developing), which - I think - is due to calling native Windows code.

My question would hence be: "Is there a secure way to retrieve the logged in user's name in Windows and if yes - how would you accomplish that?"

+1  A: 

user.name is inherently insecure because it can be overridden via -Duser.name=XYZ. This might be an issue for you, or it may not be.

Obviously NTSystem won't work on Linux but you mention that you are writing a GUI to be run on Windows. Are you trying to validate the Windows user name of the user? You can do this via NTSystem embedded in the code which runs on the Windows client but not (of course) code which runs under the Linux OS.

Or are you trying to validate them on a Linux server? Perhaps you have a kerberos domain you could do this with? (i.e. if there is a kerberos domain, then you can have a secure, authenticated communication between client and server, ensuring that the client is who they say they are)

EDIT: I may be confused by the fact you are saying that you're writing a Java App "in Linux". I took this to mean a Linux server and Windows client - but possibly you just mean that you are using Linux as your development environment? In this case, you might think of writing a pluggable identification layer which you can switch between using NTSystem on the Windows box and user.name for testing.

oxbow_lakes
Yes, Linux is my development environment. I'm just trying to avoid the user.name property, as it is - as you said - inherently insecure. (Actually the setup looks like this: Linux Server with Windows-Server-VirtualMachine (+ActiveDirectory), a bunch of Windows clients. I've got a Java application running on the server, a C++ client running on all Windows machines and a Java client running on *certain* Windows machines. But I also want to avoid having to contact the AD/Windows-Server-VM.)
Tedil
Here's how I chose to do it: I downloaded the Windows Java JDK and extracted com.sun.security.* from its libs. I then added them as a library to my project and imported NTSystem. In the app itself I check which OS it is running on to determine which System to use (either NTSystem or UnixSystem). This could and can easily be avoided by having NTSystem and UnixSystem implement an interface which provides 'getUserName' and similar methods, so that you can use a more generic System (you could name it "GenericSystem" or "AbstractSystem" e.g.). Would be a nice addition to OpenJDK, I think ;)
Tedil
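The pluggable identification layer discussed in this answer and its comments, as an added example that is not code from the thread: it loads NTSystem or UnixSystem by reflection so the same source compiles on Linux and Windows, then compares the result with the overridable user.name property. The class name OsUserName, the IdentitySource interface and the helper names are hypothetical; the value comes from a process the user controls, so it identifies the local account but proves nothing to a remote server.

```java
import java.lang.reflect.Method;

public class OsUserName {
    // JDK classes (jdk.security.auth module); each ships only in JDK builds for its own OS.
    static final String NT = "com.sun.security.auth.module.NTSystem";
    static final String UNIX = "com.sun.security.auth.module.UnixSystem";

    /** Hypothetical common interface over NTSystem and UnixSystem. */
    interface IdentitySource {
        String userName();
    }

    /** Instantiate a class by name and call a no-arg String getter, so this compiles on any OS. */
    static String call(String className, String getter) throws ReflectiveOperationException {
        Object system = Class.forName(className).getDeclaredConstructor().newInstance();
        Method m = system.getClass().getMethod(getter);
        return (String) m.invoke(system);
    }

    /** Probe for the OS module instead of trusting os.name, which -D can override as well. */
    static IdentitySource detect() {
        try {
            String domain = call(NT, "getDomain");
            String user = call(NT, "getName");
            String name = (domain == null) ? user : domain + "\\" + user;
            return () -> name;
        } catch (ReflectiveOperationException | LinkageError notWindows) {
            // NTSystem is absent or its native library cannot load: try the Unix module.
        }
        try {
            String name = call(UNIX, "getUsername");
            return () -> name;
        } catch (ReflectiveOperationException | LinkageError e) {
            throw new IllegalStateException("no OS identity module available", e);
        }
    }

    public static void main(String[] args) {
        String fromOs = detect().userName();
        String fromProperty = System.getProperty("user.name");
        System.out.println("OS account: " + fromOs);
        System.out.println("user.name:  " + fromProperty);
        // Run with -Duser.name=XYZ: the property changes, the OS account does not.
        if (!fromOs.toLowerCase().endsWith(fromProperty.toLowerCase())) {
            System.out.println("user.name differs from the OS account (overridden?)");
        }
    }
}
```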
A: 

Use JNA, com.sun.platform.jna.win32 has a number of methods to do this wrapping the Win32 API. Try Advapi32Util.getUserName or Kernel32Util.getUserNameEx.

dblock