How to use Windows login for single-sign-on and fo

2019-01-31 17:06发布

I'd like to have my desktop Java application to have single sign on related to Active Directory users. In two steps, I'd like to :

  1. Be sure that the particular user has logged in to Windows with some user entry.
  2. Check out some setup information for that user from the Active Directory

With Java: Programatic Way to Determine Current Windows User I can get the name of the current Windows user but can I rely to that? I think the

System.getProperty("user.name")

won't be secure enough? ("user.name" seems to be got from environment variables, so I can't rely on that, I think?)

Question Authenticating against Active Directory with Java on Linux provides me the authentication for given name+pass but I'd like to authenticate based on the Windows logon?

For the Active Directory access, the LDAP would probably be the choise?

I'm not totally sure if I'm asking the right questions but hopefully somebody has some ideas to forward me on.

8条回答
甜甜的少女心
2楼-- · 2019-01-31 17:26

Check jCifs at http://jcifs.samba.org/

Other than that, stick with LDAP (actually, it should be my first try, but...)

查看更多
Rolldiameter
3楼-- · 2019-01-31 17:29

Just for the benefit of others reading this thread, http://www.javaactivedirectory.com/?page_id=196 has an example on how to do single sign on with Windows/Active Directory

查看更多
Explosion°爆炸
4楼-- · 2019-01-31 17:31

Have you considered using the JNA api (allows you to do native calls to the operating system easy)?

You can call the win32 metod GetCurrentUser MSDN documentation at http://msdn.microsoft.com/en-us/library/ms724432(VS.85).aspx. It's located inside Advapi32.dll.

It also has a unicode version, GetCurrentUserW if needed.

And you are right. It does seem that the environment variable can be changed, so that can be misleading to use.

I'm not sure about cross platform implications over 32/64bit windows. If you need the solution in code, I'm sure I could write something up for it.

But yea, just an idea :)

查看更多
爱情/是我丢掉的垃圾
5楼-- · 2019-01-31 17:32

It is not supported. Java 6 has improvements, but not enough yet.

Java has its own GSS stack. The problem is for single sign-on, you need to get the Kerberos ticket from the OS (not the Java stack). Otherwise the user has to authenticate a second time (defeating the purpose of single sign-on).

Look at http://java.sun.com/developer/technicalArticles/J2SE/security/. Look down for "Access Native GSS-API" and it talks about a new system property sun.security.jgss.native which when set to true causes Java to use the underlying OS GSS implementation, giving access to the OS level authentication. Perfect!.... except its only supported for Solaris and Linux, not Microsoft Windows.

Java 6 however does appear to have enough support for acting as a server receiving SPNEGO authentication requests from IE and then authenticating that user against Active Directory. Its just the desktop client support that is still incomplete.

查看更多
Fickle 薄情
6楼-- · 2019-01-31 17:37

You will probably get most flexibility by using Spring Security. You can use it with both JAAS and LDAP authentication.

查看更多
一夜七次
7楼-- · 2019-01-31 17:40

Use JAAS with an LDAP LoginModule. This will allow you to plug-into the underlying Java security infrastructure.

When you need to take the app offline or "debug" the app, you can easily swap-out the LDAP module for a dummy module. This allows you to continue testing your "security", without depending on Active Directory. Highly testable, decoupled, and you can the authentication scheme at a later time with almost no grief.

查看更多
登录 后发表回答