How to use Windows login for single-sign-on and for Active Directory entries for Desktop Java application?

java active-directory single-sign-on windows-authentication
42,255

Solution 1

It is not supported. Java 6 has improvements, but not enough yet.

Java has its own GSS stack. The problem is for single sign-on, you need to get the Kerberos ticket from the OS (not the Java stack). Otherwise the user has to authenticate a second time (defeating the purpose of single sign-on).

Look at http://java.sun.com/developer/technicalArticles/J2SE/security/. Look down for "Access Native GSS-API" and it talks about a new system property sun.security.jgss.native which when set to true causes Java to use the underlying OS GSS implementation, giving access to the OS level authentication. Perfect!.... except its only supported for Solaris and Linux, not Microsoft Windows.

Java 6 however does appear to have enough support for acting as a server receiving SPNEGO authentication requests from IE and then authenticating that user against Active Directory. Its just the desktop client support that is still incomplete.

Solution 2

Use JAAS with an LDAP LoginModule. This will allow you to plug-into the underlying Java security infrastructure.

When you need to take the app offline or "debug" the app, you can easily swap-out the LDAP module for a dummy module. This allows you to continue testing your "security", without depending on Active Directory. Highly testable, decoupled, and you can the authentication scheme at a later time with almost no grief.

Solution 3

Project Waffle has both client and server-side code to do SSO on Windows. It's JNA-based, no native libraries required.

Share:
42,255
Apollon
Author by

Apollon

Updated on July 18, 2020

Comments

  • Apollon
    Apollon almost 4 years

    I'd like to have my desktop Java application to have single sign on related to Active Directory users. In two steps, I'd like to:

    1. Be sure that the particular user has logged in to Windows with some user entry.
    2. Check out some setup information for that user from the Active Directory

    With Java: Programatic Way to Determine Current Windows User I can get the name of the current Windows user but can I rely to that? I think the

    System.getProperty("user.name")

    won't be secure enough? ("user.name" seems to be got from environment variables, so I can't rely on that, I think?)

    Question Authenticating against Active Directory with Java on Linux provides me the authentication for given name+pass but I'd like to authenticate based on the Windows logon?

    For the Active Directory access, LDAP would probably be the choice?

  • Apollon
    Apollon over 15 years
    Thanks, Does that support authentication by Windows login? (So that when the user is logged to Windows, he/she doesn't have to enter username&password for the java application separately) At first I didn't find that, got to keep on looking still.
  • James Schek
    James Schek over 15 years
    Hmmm. The only modules I've seen that do that are part of a bigger framework like WebLogic... or are design for the Java client to pass credentials to a Web Server. You may have to write a small JAAS Provider using native calls to do this reliably.
  • Apollon
    Apollon about 15 years
    Instead of using LDAP LoginModule, the Krb5LoginModule seems to be able to use OS ticket cache (the credentials got on Windows logon) when used with parameter useTicketCache. There seem still to be some issues, but this works for now on..
  • matbrgz
    matbrgz about 14 years
    Does any other JVM provide access to the Kerberos ticket as described?
  • Ramiro
    Ramiro over 7 years
    It seems that Java 8 has that support, though. docs.oracle.com/javase/8/docs/technotes/guides/security/jgss‌​/…

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

How can I call Active Directory using Windows Authentication without prompting for username/password?
Java SSO: Kerberos authentication against Active Directory
How do I configure a SQL Server datasource in JBoss to connect using a specific Active Directory user?
401 - Unauthorized in IE7 only with windows authentication.
Integrated Windows Authentication (NTLM) in a Java/WebLogic app?
Single Sign On with apache on windows 7 and mod_auth_sspi
How to get all members of AD group via LDAP in Java
How to implement single sign-on in my java project?
AD return 8009030C: LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, data 0, vece
LDAP query get all groups (nested) of a group