
Authenticate user without Login page

 
Greenhorn
Posts: 1
Hello

We have a web application in which we need to figure out who is currently logged in based on their Windows and/or Linux user credentials. We've tried using the getRemoteUser() function, but this returns NULL. After some research on the internet, we figured that getRemoteUser() will only work if we have enabled user authentication in Tomcat. However, this is not desirable.

Since all users are on a secure network within the organization, we were hoping to get the Windows and/or Linux user credentials from the system, return them to the server, and use them to authenticate the user. We want to avoid using a login page to authenticate any user.

Is there a way in a JSP-based web application (using the Stripes framework) running on Tomcat to read user credentials and send them to the server?

Any help would be appreciated.
 
Sheriff
Posts: 7413
Shishir, welcome to JavaRanch!

You can't (and should not be able to) access information below the layer in which the web browser is running. In particular, getRemoteUser() has nothing to do with the user credentials of the operating system - it simply returns the login of the authentication that the browser might have made. There are some JavaScript and ActiveX (Windows) workarounds, though, but all these workarounds are inherently unstable and not interoperable.

Moving to the Servlets forum.
 
Sheriff
Posts: 22862
You can do all this with authentication, as long as you set it up correctly. You can set up Tomcat to authenticate against an LDAP server. The browser then sends (after some configuration in Firefox) the current user's credentials to Tomcat, which then successfully authenticates the user. For a Windows Active Directory system you can use several solutions like JCIFS (outdated but free) or Jespa (non-free). For other LDAP systems you'd need to search around a bit first.
 
Saloon Keeper
Posts: 28755
Welcome to the JavaRanch, Shishir!

Web application user authentication is generally totally unrelated to LAN user authentication. Were it not so, Amazon.com would have had to set up LAN accounts for every customer they'd ever had. And just because you're authenticated on YOUR LAN doesn't mean that that should automatically give you rights on MY LAN!

Of course, for webapps that are partially or wholly internal use, having a separate login and user identity for the LAN and the webapps can be a real pain.

Fortunately, there are ways of dealing with that. For webapps that don't get clever and try and invent their own security systems - meaning apps that use the standard J2EE security functions - security is a plug-in feature that wraps around the webapp. That is, it's container-managed security. Because different shops/apps have different security needs, the actual authentication and authorization functions are handled by what's known as a Realm. Most webapp servers - Tomcat for example - come with a number of standard Realm modules and often support third-party Realms as well.

LAN authentication is a variant of Single-Signon authentication. Straight SSO only requires the user to log in once to authenticate to all apps in its Realm. LAN authentication takes that one step further, by using the user's LAN login as the basis. Because this form of authentication needs to know information about the LAN client that web browsers aren't normally expected to know, you have to be using a browser that is capable of providing that information. I don't know if it's still true or not, but at one time, IE users also had to have their browser security settings changed, as well - a rare case (at the time) where Microsoft ran secure by default.

A variation of this security architecture is sometimes used. Some shops find it convenient for both internal and external users to be supported, where the internal users use their LAN security rights, but external users have to login using credentials from a non-LAN source such as an LDAP server or database. That is actually only slightly more complicated.

The main things that are required are to install and configure a suitable Realm module and to ensure that any appropriate client settings are in the right configuration. After that it's all automatic.
 
Ranch Hand
Posts: 147
There are two sides to your request: first, the Tomcat server needs some way to authenticate you against the domain; second, you need some way to get your browser to send those credentials.

The first part can be solved using an LDAP Realm. You'll need to play with it, and determine if just anyone in your LDAP system can log in, or if they need to be a member of a particular group to gain access (most likely, they'll need to be a member of a group).

The second part requires configuration on the desktop. By default, your browser doesn't send this kind of information - and that's a good thing! You really don't want your browser to send your authentication credentials to every site you visit, after all.
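
Added example, not part of the original post: a sketch of the server side described above, using Tomcat's JNDIRealm to authenticate against LDAP and a `security-constraint` that admits only members of one group. The host name, DNs, bind account, group name `webapp-users` and the choice of BASIC over TLS are assumptions for illustration; BASIC still makes the browser prompt, so it does not cover the browser-side configuration the post mentions.

```xml
<!-- Fragment 1: inside <Engine> or <Host> in conf/server.xml.
     All host names and DNs below are placeholders. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldaps://ldap.example.internal:636"
       connectionName="cn=tomcat-bind,ou=service,dc=example,dc=internal"
       connectionPassword="CHANGE_ME"
       userBase="ou=people,dc=example,dc=internal"
       userSearch="(uid={0})"
       userSubtree="true"
       roleBase="ou=groups,dc=example,dc=internal"
       roleName="cn"
       roleSearch="(member={0})"
       roleSubtree="true"/>
<!-- userSearch: {0} is the login name typed by the user.
     roleSearch: {0} is the DN of the authenticated user, so every
     group listing that DN as a member becomes a role (its cn). -->

<!-- Fragment 2: inside <web-app> in WEB-INF/web.xml. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Whole application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <!-- Only members of the LDAP group "webapp-users" get in;
       a valid LDAP login without that group receives 403. -->
  <auth-constraint>
    <role-name>webapp-users</role-name>
  </auth-constraint>
  <!-- Force HTTPS so credentials never cross the LAN in clear text. -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Intranet</realm-name>
</login-config>
<security-role>
  <role-name>webapp-users</role-name>
</security-role>
```

With this in place, `getRemoteUser()` returns the authenticated login name and `isUserInRole("webapp-users")` reflects the LDAP group membership.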

 
Greenhorn
Posts: 4
An alternative to setting up a realm is to use the JCIFS filter at http://jcifs.samba.org/

This will use the SPNEGO protocol to get a network token from your browser. The server (i.e. filter) will use a password/id to check the token against a domain controller. Then getRemoteUser() will return the user's network principal. It is less standard and does not provide authorization, but if you are just trying to authenticate it may be worth a look.