
Hi

I've been working on a project which uses SPNEGO to have Single Sign On for a Java based webapp. At the moment, it is working successfully with Jetty + SPNEGO and Active Directory so if you visit my test page, it can output the auth_user as well as the Negotiate token if the browser has been configured properly.

The next step of the project is to be able to pass that user and token to the Exchange Web Services as the authentication so I can access the remote user's Exchange directory (mail, contacts, etc.).

I've run JAX-WS to generate the stub files from the Services.wsdl file and am able to connect to Exchange using these classes. The only problem is that it will only authenticate the user that is running the web server, not the remote user.

I've also noticed that I can't find the correct class to pass the token, rather than a username and password, to the EWS. Also, the generated files don't have any references to SPNEGO.

Does anyone know of a possible solution, or does it look like I'll have to generate the SOAP calls manually rather than using the generated classes?

Thanks for your time

A: 

I think the best way to authenticate against the EWS is to use the user that is running the web server. This is your "Service Account" for the Exchange Web Services. This account needs the privilege "Exchange Web Services Impersonation" (ms-Exch-EPI-Impersonation).

If you want to access the remote user's Exchange data you have to use "exchange impersonation" in your calls. For each individual Exchange server user ("Act As Account") you have to allow the Service Account to impersonate them by setting the privilege "Allow Impersonation to Personal Exchange Info" (ms-Exch-EPI-May-Impersonate).

So, every call is authenticated using the same Service Account, but then you act as a specific user/mailbox using exchange impersonation in your calls.

The single sign-on in your webapp is used to determine the current "Act As Account" to use for the exchange impersonation. You need the user's email address or SID for this.

Soundlink
At the minute, I've had to generate the actual SOAP requests programmatically _without_ using the wsdl. We had problems with different users being logged in due to using java.net.Authenticator to save the credentials. I would say the whole wsdl / axis or jax-ws method is flawed due to this. I did try reusing the SPNEGO tokens, but because I didn't generate it, it always failed.
Paul
The Authenticator is only initialized at the first call, so this should be the user of the webserver, your Service Account for EWS. I don't think it's possible to use each individual remote user here. You should then use Exchange Impersonation to make the calls. I think this mechanism is identical whether you are using the wsdl to create the proxy classes or generating the SOAP requests programmatically.
Soundlink
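The impersonation mechanism this answer describes, as an added example that is not part of the original post or the questioner's project: the HTTP connection is still authenticated as the Service Account (Negotiate/NTLM is handled by the HTTP client and is not shown), and only the ExchangeImpersonation SOAP header names the user resolved by the webapp's SSO. The SMTP address and folder are constructed sample values.

```python
# Added example (not from the original post): build an EWS SOAP request whose
# header carries ExchangeImpersonation for the "Act As" user. Transport
# authentication stays the Service Account's; only ConnectingSID varies per
# signed-in user, so the act-as address must come from the SSO layer, never
# from an untrusted request parameter.
from typing import Optional
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
EWS_TYPES = "http://schemas.microsoft.com/exchange/services/2006/types"
EWS_MSGS = "http://schemas.microsoft.com/exchange/services/2006/messages"
ET.register_namespace("soap", SOAP)
ET.register_namespace("t", EWS_TYPES)
ET.register_namespace("m", EWS_MSGS)


def build_impersonated_request(act_as_smtp: str, folder_id: str = "inbox") -> bytes:
    """Return a GetFolder request that Exchange executes as act_as_smtp."""
    # Reject anything that is not a plain address; a bad value here means the
    # SSO layer handed us something it should not have.
    if "@" not in act_as_smtp or any(c in act_as_smtp for c in "<>\"' "):
        raise ValueError("act-as address must be a plain SMTP address")
    env = ET.Element(f"{{{SOAP}}}Envelope")
    hdr = ET.SubElement(env, f"{{{SOAP}}}Header")
    ET.SubElement(hdr, f"{{{EWS_TYPES}}}RequestServerVersion",
                  Version="Exchange2007_SP1")
    imp = ET.SubElement(hdr, f"{{{EWS_TYPES}}}ExchangeImpersonation")
    sid = ET.SubElement(imp, f"{{{EWS_TYPES}}}ConnectingSID")
    ET.SubElement(sid, f"{{{EWS_TYPES}}}PrimarySmtpAddress").text = act_as_smtp
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    get_folder = ET.SubElement(body, f"{{{EWS_MSGS}}}GetFolder")
    shape = ET.SubElement(get_folder, f"{{{EWS_MSGS}}}FolderShape")
    ET.SubElement(shape, f"{{{EWS_TYPES}}}BaseShape").text = "Default"
    ids = ET.SubElement(get_folder, f"{{{EWS_MSGS}}}FolderIds")
    ET.SubElement(ids, f"{{{EWS_TYPES}}}DistinguishedFolderId", Id=folder_id)
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def impersonated_user(request: bytes) -> Optional[str]:
    """Read the act-as address back out of a request, e.g. for audit logging
    of which mailbox each Service Account call touched."""
    root = ET.fromstring(request)
    node = root.find(f"{{{SOAP}}}Header/{{{EWS_TYPES}}}ExchangeImpersonation/"
                     f"{{{EWS_TYPES}}}ConnectingSID/{{{EWS_TYPES}}}PrimarySmtpAddress")
    return node.text if node is not None else None
```

Logging the value returned by `impersonated_user` alongside the HTTP-level Service Account identity gives a per-request audit trail, which matters because every call looks like the same account at the transport layer.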
A: 

We've managed to get a solution up and running now using Apache HTTP Client 4.1 alpha / Samba JCIFS library and generating the SOAP requests. This allows us to have multiple users logged in without any configuration required to their Exchange account.

We did use HttpClient 3.1 but ran into problems due to the change in the NTLM protocol with newer versions of Windows, so we upgraded to the latest version.

Paul
So, you are using the method described here? http://hc.apache.org/httpcomponents-client-4.0.1/ntlm.html How do you specify the password of each user for the call?
Soundlink