LDAP authentication in a web application.

 
rahull agarwal
Ranch Hand
Posts: 31
Here is the situation:

Web application is hosted at hosting facility HF_1

Users from a company are logged onto their laptops via LDAP authentication. This company is outside of the HF_1 but can have VPN access, if required.

A user clicks on the link to go to Web application. The web application should now get the credentials of the user and let him/her in.

Is this possible? If yes, then how?
 
Rob Spoor
Sheriff
Posts: 21131
At work we did this using JCIFS and its jcifs.http.NtlmHttpFilter.
The filter parameters were added using arguments to Tomcat's JVM because when we put them into web.xml they were sometimes not read in time.
 
rahull agarwal
Ranch Hand
Posts: 31
How will Java code have access to the user authenticated via Windows on a different network?

So say I am working on a company network. I hit a site outside of the company. How will the website have access to my Windows authentication?
 
Rob Spoor
Sheriff
Posts: 21131
HttpServletRequest has a method getUserPrincipal() that returns a java.security.Principal object* which has a method to retrieve the name.

* Actually an instance of an unknown class that implements Principal, but you can use the Principal interface to access everything you need.

And the authentication of your internal site will not be passed to the external site. That will have its own authentication. I don't think there's anything you can do about this, also because the external site doesn't even know your Windows account exists.
 
Paul Clapham
Sheriff
Posts: 22819
Rob Spoor wrote: At work we did this using JCIFS and its jcifs.http.NtlmHttpFilter...


Although before anybody takes that as being advice, they should read the warnings at the top of the NTLM HTTP authentication page for JCIFS. In particular this one:

The HTTP "filter" in particular uses a "man in the middle" technique that cannot support NTLMv2. Since late 2008, users have started to report that client security policy is requiring NTLMv2 and that this solution no longer works.
 
rahull agarwal
Ranch Hand
Posts: 31
Rob Spoor wrote: HttpServletRequest has a method getUserPrincipal() that returns a java.security.Principal object* which has a method to retrieve the name.

* Actually an instance of an unknown class that implements Principal, but you can use the Principal interface to access everything you need.

And the authentication of your internal site will not be passed to the external site. That will have its own authentication. I don't think there's anything you can do about this, also because the external site doesn't even know your Windows account exists.


Thanks so much, Rob.

This is what I understand: use getUserPrincipal to get the Principal object. Therein, I will get the getName method. This method will give me the Windows user account name. Right?

As you said, I will have no knowledge of whether or not the user was authenticated on Windows. But then, I will at least get the Windows username.

Am I right?

Also, I see that userPrincipal is null in my HttpServletRequest. What am I missing?

Thanks again
 
Rob Spoor
Sheriff
Posts: 21131
If getUserPrincipal() returns null then you are not authenticated.
 
rahull agarwal
Ranch Hand
Posts: 31
Rob Spoor wrote: If getUserPrincipal() returns null then you are not authenticated.


I am logged into Windows XP machine.

I hit the website.

Within the website, I get userPrincipal null (in debug mode).
 
Rob Spoor
Sheriff
Posts: 21131
You're logged into Windows alright, but that login is not sent to the web application. You'll have to configure that in your Tomcat server first; that's where JCIFS or a better replacement (see Paul's link) comes into the picture. Those will tell Tomcat to ask for the login details.
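As an added illustration (not code from this thread or from JCIFS), here is how a servlet filter placed behind the container's authentication should treat the null principal Rob describes: reject the request rather than trusting any name the client could supply itself. It assumes the javax.servlet API and a hypothetical `myapp.name` setting that, following Rob's workaround, is read from a JVM `-D` argument before falling back to web.xml.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Runs after the container has done its authentication step (e.g. an NTLM or SPNEGO filter). */
public class RequirePrincipalFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(RequirePrincipalFilter.class.getName());
    private String appName; // hypothetical setting, used only for log messages

    @Override
    public void init(FilterConfig cfg) {
        // Rob's workaround: a JVM -Dmyapp.name=... argument wins over the web.xml init-param,
        // which he found was sometimes not read in time.
        appName = System.getProperty("myapp.name");
        if (appName == null) appName = cfg.getInitParameter("myapp.name");
        if (appName == null) appName = "webapp";
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        Principal user = request.getUserPrincipal();
        if (user == null) {
            // null means the container never authenticated this request; do not fall back
            // to a client-controlled header or parameter to "recover" a username.
            LOG.warning(appName + ": unauthenticated request for " + request.getRequestURI());
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Only the Principal interface is relied on, as Rob notes; the concrete class is unknown.
        request.setAttribute("authenticatedUser", user.getName());
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

Map this filter in web.xml after whatever authentication filter sets the principal; on its own it authenticates nothing, which is exactly why the original poster saw null.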