JAAS and Tomcat

Swathi Ram
Greenhorn
Posts: 27
I have an intranet application, for which I need to get the user credentials.
If they are connected to the network, they can access this app. I'm using the below code and calling the authenticate() method.



My .config file has
JaasSample {
com.sun.security.auth.module.NTLoginModule required debug=true;
}
server.xml has
<Realm className="org.apache.catalina.realm.JAASRealm" appName="JaasSample" debug="99" />

The code works except that it is unable to override Tomcat, so my username is always 'SYSTEM'.
How can I override this?

Jimmy Clark
Ranch Hand
Posts: 2187
How do the users provide their credentials?
Swathi Ram
Greenhorn
Posts: 27
The user does not have to provide a userid or password.
If the user is logged into the network then the information should be grabbed and he should be able to access the site based on his user group.
 
Ulf Dittmer
Rancher
Posts: 43081
I'd guess that 'SYSTEM' is the account used to run Tomcat ... which kind of makes sense if no user credentials are provided.

System.exit(-1);


A server application should never call System.exit.
Swathi Ram
Greenhorn
Posts: 27
System.exit(-1); happens only in the catch block.
The code works fine and never hits the catch block. Only it is not able to override the Tomcat security.
Another weird thing is, I'm able to get the user credentials with the exact same code when I start Tomcat using the tomcat6.exe, but it prints 'SYSTEM' when I start Tomcat using Admin Services.
Ulf Dittmer
Rancher
Posts: 43081

System.exit(-1); happens only in the catch block. The code works fine and never hits the catch block.


Exception handlers are situations for when the code does NOT work fine. I can assure you, having the server quit is not what you want to happen in such a case.

Another weird thing is, I'm able to get the user credentials with the exact same code when I start Tomcat using the tomcat6.exe, but it prints 'SYSTEM' when I start Tomcat using Admin Services.


That's because it runs under your account in the former case. As I said in my previous post, it grabs the credentials of the account it runs under - which is yours if you start it via the exe, but the system account if you start it as a service.
Swathi Ram
Greenhorn
Posts: 27
So is there any way to grab the username from the network without the user providing it again once he is already in the network?
Ulf Dittmer
Rancher
Posts: 43081
See http://jcifs.samba.org/src/docs/ntlmhttpauth.html and -afterwards- http://www.ioplex.com/jespa.html for a possible approach.
Swathi Ram
Greenhorn
Posts: 27
Thank you. Will go through that.
Jimmy Clark
Ranch Hand
Posts: 2187
You could implement the javax.security.auth.callback.CallbackHandler interface and get the network credentials with this object.



And then...

Swathi Ram
Greenhorn
Posts: 27
What do you mean by '// Code that gets network credentials here'?

I created the object and called it from my authenticate() method, but still get the same output

About to Login
[NTLoginModule] succeeded importing info:
user name = SYSTEM
user SID = S-1-5-18
user domain = NT AUTHORITY
user primary group = S-1-5-18
user group = S-1-5-32-544
user group = S-1-1-0
user group = S-1-5-11
impersonation token = 3724
Subject:
Principal: NTUserPrincipal: SYSTEM
Principal: NTSidUserPrincipal: S-1-5-18
Principal: NTDomainPrincipal: NT AUTHORITY
Principal: NTSidPrimaryGroupPrincipal: S-1-5-18
Principal: NTSidGroupPrincipal: S-1-5-32-544
Principal: NTSidGroupPrincipal: S-1-1-0
Principal: NTSidGroupPrincipal: S-1-5-11
Public Credential: NTNumericCredential: 3724

After the Login
Authentication succeeded!
Jimmy Clark
Ranch Hand
Posts: 2187

What do you mean by '// Code that gets network credentials here'?



In the 'handle' method of the CallbackHandler you can retrieve the network credentials of the logged in user.

And you most likely will need to implement your own LoginModule and use this
instead of com.sun.security.auth.module.NTLoginModule.

In the statement below, what purpose does the TextCallbackHandler object serve?

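As an added illustration of the CallbackHandler/LoginModule pair Jimmy describes (this is not code from the thread, and not part of Tomcat, jCIFS or Jespa): the example below assumes the web tier has already authenticated the request with one of the mechanisms Ulf linked (SPNEGO/NTLM) and exposes the result through something like request.getRemoteUser(). The handler only transports that already-established name into a NameCallback, and the module refuses to log in when no name arrives instead of reporting the service account. It is wired to the same JaasSample entry as the thread's config, with NTLoginModule swapped out. All class and method names are my own, and the "CORP\jdoe" value is a constructed stand-in.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Collections;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;

/** Hypothetical example: a JAAS CallbackHandler/LoginModule pair that places the identity the
 *  web tier already authenticated into the Subject, instead of the account running the JVM. */
public class RemoteUserJaasExample {
    /** Carries the name the container established for this request (e.g. request.getRemoteUser()
     *  after a SPNEGO/NTLM authenticator). Fill it from that authenticated principal only, never
     *  from a client-controlled header, or any caller could pick its own name. */
    public static class RemoteUserCallbackHandler implements CallbackHandler {
        private final String remoteUser;
        public RemoteUserCallbackHandler(String remoteUser) { this.remoteUser = remoteUser; }

        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (!(cb instanceof NameCallback)) {
                    throw new UnsupportedCallbackException(cb, "only NameCallback is supported");
                }
                ((NameCallback) cb).setName(remoteUser);
            }
        }
    }

    public static final class RemoteUserPrincipal implements Principal {
        private final String name;
        public RemoteUserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return "RemoteUserPrincipal: " + name; }
    }

    /** Drop-in for NTLoginModule; public with a public no-arg constructor, since LoginContext
     *  instantiates it by reflection. */
    public static class RemoteUserLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private String userName;
        private RemoteUserPrincipal principal;

        @Override
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            subject = s;
            handler = h;
        }

        @Override
        public boolean login() throws LoginException {
            if (handler == null) throw new LoginException("no CallbackHandler supplied");
            NameCallback nc = new NameCallback("remote user: ");
            try {
                handler.handle(new Callback[] { nc });
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("cannot obtain remote user: " + e);
            }
            // Fail closed: falling back to the process identity is how the NTLoginModule setup
            // in this thread ended up reporting SYSTEM as the "authenticated" user.
            if (nc.getName() == null || nc.getName().trim().isEmpty()) {
                throw new FailedLoginException("request carries no authenticated remote user");
            }
            userName = nc.getName();
            return true;
        }

        @Override
        public boolean commit() {
            if (userName == null) return false;
            principal = new RemoteUserPrincipal(userName);
            subject.getPrincipals().add(principal);
            return true;
        }

        @Override public boolean abort() { userName = null; principal = null; return true; }

        @Override public boolean logout() {
            if (principal != null) subject.getPrincipals().remove(principal);
            return abort();
        }
    }

    /** Programmatic equivalent of the JaasSample { ... } entry with the module swapped. */
    static Configuration config() {
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                if (!"JaasSample".equals(name)) return null;
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        RemoteUserLoginModule.class.getName(), LoginModuleControlFlag.REQUIRED,
                        Collections.<String, Object>emptyMap()) };
            }
        };
    }

    public static void main(String[] args) throws LoginException {
        String remoteUser = "CORP\\jdoe"; // constructed stand-in for request.getRemoteUser()
        Subject subject = new Subject();
        new LoginContext("JaasSample", subject, new RemoteUserCallbackHandler(remoteUser), config()).login();
        System.out.println("Principals: " + subject.getPrincipals()); // the remote user, not SYSTEM
        try { // an unauthenticated request is rejected instead of becoming the service account
            new LoginContext("JaasSample", new Subject(), new RemoteUserCallbackHandler(null), config()).login();
        } catch (LoginException expected) {
            System.out.println("rejected: " + expected.getMessage());
        }
    }
}
```

The point of the module is what it does not do: it never consults the operating system for the identity of the running process, so starting Tomcat as a service cannot turn every visitor into SYSTEM. The real authentication still has to happen in front of it (the NTLM/SPNEGO filter from the links), and the name must reach the handler from that authenticated request object, not from anything the browser sends directly.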