Right now I have the following architecture built with classic ASP and Visual Basic 6.

I have a COM+ component developed in VB6 which connects to the database. I set the DB conf through a .udl file configured with integrated security.

At the web server (IIS) I register the component with the COM+ manager, and configure it to be run under an account name, something like mydomain\appAccount...

In SQL 2005 I give the appropriate permissions to mydomain\appAccount.

From ASP, I just use the component with server.createobject...

I'd like to develop a similar solution with Java. The question(s) is (are) the following:

Is it possible?

How can I configure a domain account to connect to a SQL Server 2005 DB?

Where should I store the DB conf? And where should I configure the domain account? In the Tomcat / Jetty configuration?

I'd like the solution to be as simple and straightforward as possible (I'm trying to avoid things like GlassFish or JBoss).

Well, thanks a lot...

A: 

Check this Tomcat documentation about how to configure a datasource: http://tomcat.apache.org/tomcat-6.0-doc/jndi-datasource-examples-howto.html

Bhushan
+1  A: 

What you'll need to do is make sure that the Tomcat JVM process is being executed by the user with the trusted connection to the database.

Then you'll need to configure the data source in Tomcat, per Bhushan's answer.

The following MSDN article details how you set up the data source to use integrated security:

Jack Leow
Thanks a lot. I still couldn't accept an answer because I have had no time to try it, but I hope I can do it pretty soon...
opensas
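
A startup check for the setup described in the answer above, as an added example that is not part of the original thread: it looks up a Tomcat JNDI data source configured for integrated security and fails closed if SQL Server reports a login other than the intended service account. It assumes Microsoft's JDBC driver (whose `integratedSecurity=true` property needs the driver's native authentication library, `sqljdbc_auth.dll`, on the JVM's library path on Windows); the resource name `jdbc/AppDB`, host `dbhost` and database `AppDB` are hypothetical.

```java
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;

/*
 * Added example, not from the original thread. Assumed Tomcat context.xml
 * entry (resource name, host and database are hypothetical):
 *
 *   <Resource name="jdbc/AppDB" auth="Container" type="javax.sql.DataSource"
 *       driverClassName="com.microsoft.sqlserver.jdbc.SQLServerDriver"
 *       url="jdbc:sqlserver://dbhost:1433;databaseName=AppDB;integratedSecurity=true"/>
 *
 * There are no username/password attributes: the driver authenticates as the
 * Windows account that runs the Tomcat JVM, so no DB secret sits in the file.
 */
public final class IntegratedSecurityCheck {
    static final String JNDI_NAME = "java:comp/env/jdbc/AppDB";   // hypothetical
    static final String EXPECTED_LOGIN = "mydomain\\appAccount";  // account from the question

    /** Asks SQL Server which login this connection was authenticated as. */
    static String currentSqlLogin(DataSource ds) throws SQLException {
        try (Connection con = ds.getConnection();
             Statement st = con.createStatement();
             ResultSet rs = st.executeQuery("SELECT SUSER_SNAME()")) {
            if (!rs.next()) {
                throw new SQLException("SUSER_SNAME() returned no row");
            }
            return rs.getString(1);
        }
    }

    /** Call once at startup, e.g. from a ServletContextListener. */
    public static void verify() throws NamingException, SQLException {
        DataSource ds = (DataSource) new InitialContext().lookup(JNDI_NAME);
        String actual = currentSqlLogin(ds);
        // Windows account names compare case-insensitively.
        if (actual == null || !EXPECTED_LOGIN.equalsIgnoreCase(actual)) {
            throw new IllegalStateException("Connected to SQL Server as '" + actual
                    + "', expected '" + EXPECTED_LOGIN + "'; check the Tomcat service account");
        }
    }
}
```

Running the check at deployment catches the case where Tomcat was started under a different (often more privileged) account than the one granted permissions in SQL Server.
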
+1  A: 

So this is a real tough issue, and I'm going through the same problems right now. I haven't solved impersonation within an app server yet, but my team is getting close.

So far, we've been successful in authenticating a user against a Domain Controller with Kerberos. Both the SourceForge SPNEGO and Spring Security Kerberos Extension have been very helpful in that regard. We have also been able to successfully impersonate the process running a Java application when connecting to SQL Server. The real problem is impersonation via delegation, since it requires you to obtain a Kerberos ticket that can be delegated to another service. This is the issue we are currently working on.

If you are going to impersonate a user in SQL Server, you've got to do it using NTLM or Kerberos. Kerberos offers the best security, and to be quite honest, we haven't even bothered to try using NTLM. There are two JDBC drivers (that I know of) that will allow you to connect to SQL Server using a Domain account: jTDS and DataDirect JDBC. jTDS is a Type-2 JDBC driver, which means it relies on a native library to grab credentials for the user. jTDS will only impersonate the user running the process, and will not allow you to impersonate other accounts (also, it can only do this on Windows). The DataDirect driver (commercial) is a Type-4 driver, which means it's a pure Java implementation (and will work on *nix). This is the driver we are using and it's working great.

If I get a solution working, I'm going to post it because I think a lot of people in the community are hurting on this issue.

Good Luck!

Richard Clayton
Thanks a lot, Richard, looking forward to your post...
opensas