views:

139

answers:

4

I'm working on a server written in Java, and a client (a desktop application written in .Net) that runs on Windows machines on the same network. I would like to have some basic authentication so that the server can determine the username of the user running the client, without needing the user to re-enter their Windows password in the client.

Is this possible, and what's the simplest way to accomplish it?

I had a look at some of the available APIs, and it looks as though the org.ietf.jgss package in Java and the NegotiateStream class in .Net should probably be able to talk to one another to achieve this - but I keep hitting frustrating error messages I don't understand. I thought I'd check if this is the right approach; if so, I'll post a separate question with more detail about the errors in question :)

A: 

If you're using Active Directory, I think the Spring LDAP module can offer you a nice way to access credentials.

duffymo
+3  A: 

The approach is the right one. Notice a number of things, though:

  • this will have nothing to do with "Basic Authentication" (in http)
  • .NET will try to use the SPNEGO GSS mechanism. See the Sun documentation for proper support of this mechanism.
  • your service will need to incarnate a service principal. So you need to create an Active Directory account not only for the user, but also for the service, and you need to put the service's password into the Java keytab.
Martin v. Löwis
Thanks. When I said "basic authentication", I guess I chose an unfortunate phrase - didn't realise it had a specific meaning. I just meant that I'm not trying to do anything complex.
Luke Halliwell
@Luke: I was guessing that much. Notice that using GSS-API and Kerberos is *very* complex, as is any other single-logon mechanism.
Martin v. Löwis
I posted a follow-up with more specific detail on where I've got to; if you know about this stuff I'd appreciate your eyes on it! :) http://stackoverflow.com/questions/1499267/how-to-get-negotiatestream-to-use-kerberos
Luke Halliwell
Ok ... so, the .Net client code appears to be working now. The Java server code seems ok; it was a wee bit of a battle, but it helps having access to the source code there :) Finally, I seem to have problems simply setting up the SPN and keytab file correctly. I've put the question about them over on serverfault as I don't think there's any programming involved in that part! :) http://serverfault.com/questions/70335/creating-keytabs-and-service-principal-names Nearly there, I think/hope :)
Luke Halliwell
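As an added illustration of the acceptor side described in the answer above (this is not code from the question, from any answer, or from any library mentioned on the page), here is a minimal Java server that logs in as the service principal from a keytab via JAAS and then uses org.ietf.jgss to accept a SPNEGO/Kerberos context and read the authenticated client name. The JAAS entry name `ServerAcceptor`, the keytab path, the principal, the port and the length-prefixed token framing are all assumptions made for this example; NegotiateStream does not put raw GSS tokens on the wire (it has its own handshake framing), so this shows the GSS acceptor logic rather than wire compatibility with a NegotiateStream client.

```java
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.net.ServerSocket;
import java.net.Socket;
import java.security.PrivilegedExceptionAction;

/**
 * Minimal Kerberos/SPNEGO acceptor built on org.ietf.jgss (example code).
 *
 * Run with a JAAS config and a krb5.conf visible to the JVM, e.g.
 *   -Djava.security.auth.login.config=server.jaas
 *   -Djava.security.krb5.conf=/etc/krb5.conf
 *
 * server.jaas (assumed file name, assumed paths/principal) would contain:
 *   ServerAcceptor {
 *     com.sun.security.auth.module.Krb5LoginModule required
 *       useKeyTab=true storeKey=true doNotPrompt=true
 *       keyTab="/etc/myservice.keytab"
 *       principal="myservice/host.example.com@EXAMPLE.COM";
 *   };
 * The service principal and its keytab are the ones the answer says you must
 * create for the service account in Active Directory.
 */
public class SpnegoAcceptor {
    // Mechanism OIDs: SPNEGO (what a .NET Negotiate client offers) and raw Kerberos 5.
    static final Oid SPNEGO = new Oid("1.3.6.1.5.5.2");
    static final Oid KRB5 = new Oid("1.2.840.113554.1.2.2");

    public static void main(String[] args) throws Exception {
        int port = args.length > 0 ? Integer.parseInt(args[0]) : 9999; // assumed default port

        // Acquire the service's Kerberos credentials from the keytab.
        LoginContext lc = new LoginContext("ServerAcceptor");
        lc.login();
        Subject serviceSubject = lc.getSubject();

        try (ServerSocket ss = new ServerSocket(port)) {
            while (true) {
                try (Socket s = ss.accept()) {
                    // JGSS picks up the keytab credentials from the Subject we run under.
                    String user = Subject.doAs(serviceSubject,
                        (PrivilegedExceptionAction<String>) () -> authenticate(s));
                    System.out.println("authenticated client principal: " + user);
                } catch (Exception e) {
                    System.err.println("authentication failed: " + e);
                }
            }
        }
    }

    /** Runs the accept side of the GSS handshake over the socket; returns the client name. */
    static String authenticate(Socket s) throws IOException, GSSException {
        GSSManager mgr = GSSManager.getInstance();
        GSSCredential serverCred = mgr.createCredential(null,
            GSSCredential.INDEFINITE_LIFETIME, new Oid[] {SPNEGO, KRB5}, GSSCredential.ACCEPT_ONLY);
        GSSContext ctx = mgr.createContext(serverCred);
        DataInputStream in = new DataInputStream(s.getInputStream());
        DataOutputStream out = new DataOutputStream(s.getOutputStream());
        try {
            // Assumed framing: each token is a 4-byte big-endian length followed by the bytes.
            while (!ctx.isEstablished()) {
                int len = in.readInt();
                if (len < 0 || len > 64 * 1024) {
                    throw new IOException("refusing implausible token length " + len);
                }
                byte[] token = new byte[len];
                in.readFully(token);
                byte[] reply = ctx.acceptSecContext(token, 0, token.length);
                if (reply != null) { // send the continuation/mutual-auth token back if there is one
                    out.writeInt(reply.length);
                    out.write(reply);
                    out.flush();
                }
            }
            // Only valid once the context is established: the initiator's principal, e.g. user@EXAMPLE.COM
            GSSName client = ctx.getSrcName();
            return client.toString();
        } finally {
            ctx.dispose();
            serverCred.dispose();
        }
    }
}
```

The returned name is the Kerberos principal ("user@REALM"), which is the username the question asks for; because the credentials come from the keytab rather than a prompt, no user ever types a Windows password into the client. Rejecting oversized tokens before allocating keeps a misbehaving peer from forcing a large allocation during the handshake.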
A: 

Not being familiar with the GSS mechanism, I would suggest a shared key mechanism like the one used in passwordless ssh.

whatnick
A: 

This open source library http://spnego.sourceforge.net has exactly what you are looking for. It implements an HTTP Servlet Filter on the server so that your web-app can call request.getRemoteUser() to find out the username.

Pat Gonzalez