
Here's the scenario. I am code running on a web server in an AD domain. Some client has connected to me. How do I get that client's username, without having the client fill out a form in their browser? Must use Java technologies on the web server side.

edit:

I ended up using the Spring Security Negotiate Filter as described at the below link. There is a tutorial available. Using request.getPrincipal().getName() from within a servlet gives the username.

http://waffle.codeplex.com/

TylerH
KyleM
  • @DA.. :) .. btw, the reason for that is I'm using tomcat and spring. – KyleM Apr 28 '11 at 22:58
  • There is no username. Your request is intrinsically meaningless, unless you're in an AD domain. – SLaks Apr 28 '11 at 23:03
  • @Slaks I am in an AD domain. Sorry for not including that essential info. – KyleM Apr 28 '11 at 23:07
  • You need to set up NTLM authentication. I have no idea how to do that in Tomcat. – SLaks Apr 28 '11 at 23:09
  • the question is tagged 'spring-security'. are you using it to authenticate? – abalogh May 04 '11 at 15:31
  • @aba I'm trying to use spring security and waffle as well. Haven't gotten very far. – KyleM May 04 '11 at 18:46
  • Do you have authentication at the moment? Or you are developing an internal page where it isn't needed, but the AD user info is? – abalogh May 04 '11 at 18:54
  • @ aba it's an internal page so if they can access the page they are already authenticated on their machine anyway. Redoing the authentication using Single Sign On would not hurt, but I cannot figure it out. However, the AD User info IS absolutely essential. – KyleM May 04 '11 at 18:56
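As an added example (not code from the question, from Waffle or from Spring Security): a servlet that reads the identity which a Negotiate filter has already verified, and nothing else. The Servlet API method is `HttpServletRequest.getUserPrincipal()`. The class name, the two principal-name formats it normalises (Waffle typically reports `DOMAIN\user`, the Spring Security Kerberos extension `user@REALM`) and the sample names in `main` are assumptions or constructed values.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example, not from the question or any library. Assumes a Negotiate
 * filter (Waffle's NegotiateSecurityFilter or the Spring Security Kerberos
 * extension) is mapped in front of this servlet, so the container already
 * holds a server-verified principal when doGet runs.
 */
public class WhoAmIServlet extends HttpServlet {

    /** Server-verified identity split into its two parts. */
    public static final class AdUser {
        public final String domain;   // "CORP", "CORP.EXAMPLE.COM", or "" if absent
        public final String account;  // short account name

        AdUser(String domain, String account) {
            this.domain = domain;
            this.account = account;
        }

        @Override
        public String toString() {
            return domain.isEmpty() ? account : domain + "\\" + account;
        }
    }

    /**
     * Normalises the principal name produced by the authentication filter.
     * Waffle typically reports "DOMAIN\\user" (assumption), the Spring
     * Kerberos extension "user@REALM" (assumption). Returns null when there
     * is no verified principal; callers must treat that as "unknown" and
     * never fall back to data the browser supplied.
     */
    static AdUser fromPrincipal(Principal p) {
        if (p == null || p.getName() == null || p.getName().isEmpty()) {
            return null;
        }
        String name = p.getName();
        int backslash = name.indexOf('\\');
        if (backslash >= 0) {                       // DOMAIN\user
            return new AdUser(name.substring(0, backslash), name.substring(backslash + 1));
        }
        int at = name.lastIndexOf('@');
        if (at >= 0) {                              // user@REALM
            return new AdUser(name.substring(at + 1), name.substring(0, at));
        }
        return new AdUser("", name);                // bare account name
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // getUserPrincipal() is populated by the container/filter only after
        // the Negotiate handshake succeeded. Request headers, cookies and
        // form fields are deliberately never consulted for the identity.
        AdUser user = fromPrincipal(req.getUserPrincipal());
        if (user == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "no authenticated principal");
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("domain=" + user.domain + " account=" + user.account);
    }

    /** Stand-alone check with constructed principal names; no container needed. */
    public static void main(String[] args) {
        Principal waffleStyle = () -> "CORP\\kylem";            // constructed
        Principal kerberosStyle = () -> "kylem@CORP.EXAMPLE.COM"; // constructed
        System.out.println(fromPrincipal(waffleStyle));
        System.out.println(fromPrincipal(kerberosStyle));
        System.out.println(fromPrincipal(null));
    }
}
```

The point of the null branch is the one raised in the comments above: if the filter did not authenticate the request, the servlet returns 401 rather than reading a username from anything the client could have typed.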

5 Answers

11

You need to set up the Spring Security Kerberos extension - this is the only out of the box way to do what you're describing in Spring Security 3. This supports SPNEGO negotiation, but requires some amount of setup on the server (and knowledge of how SPNEGO and Kerberos works).

There's not much documentation - but Mike's sample applications that he ships with 1.0M2 are great, and cover most of the common scenarios, including automated SPNEGO authentication.

The key thing for SPNEGO is to set up a custom AuthenticationEntryPoint - you'll need to do this with a custom spring bean as follows:

<bean id="kerbEntryPoint" class="org.springframework.security.extensions.kerberos.web.SpnegoEntryPoint" />

<bean id="kerbAuthenticationProcessingFilter" class="org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter">
    <property name="authenticationManager" ref="authenticationManager" />
</bean>

... there are more beans that'll be required besides these (again, refer to the samples w/the Kerberos extension). Post back if you get further along with Spring Security or if you want exact details (since there are a number of beans / config bits involved, some knowledge of your configuration would be helpful, such as whether you are using the <http> namespace style or not).

Other than this option, you would have to set up a similar type of SPNEGO auth (such as using WAFFLE, as you suggest) - other SO questions cover this pretty well.

Finally, you could possibly front Tomcat with another web server which supports SPNEGO or NTLM better, such as Microsoft IIS or Apache Web Server with mod_spnego.

Hopefully one of these ideas would work for you!

Peter Mularien
  • Thanks Peter. I'd prefer a solution such as Waffle that works with or without Kerberos so I think I'll stick with that. Regardless, thanks for the help and links. – KyleM May 05 '11 at 13:36
  • Just to clarify - if you are on an AD domain as you describe, you are probably already running Kerberos - W2K3 and up typically have it enabled by default. – Peter Mularien May 05 '11 at 17:05
6

What browser are your users using? If IE; there is a simple solution:

<html>
<body>
<!-- Works only in Internet Explorer with ActiveX enabled: WScript.Network
     reads the logged-on Windows user name on the client machine. -->
<script type="text/javascript">
var WinNetwork = new ActiveXObject("WScript.Network");
alert(WinNetwork.UserName);
</script>
</body>
</html>
abalogh
  • Thanks, but like I said "must use java technologies on the web server side". JS doesn't cut it because a motivated user could send me whatever username they want to. Have an upvote anyway. – KyleM May 05 '11 at 13:37
  • I imagined in a controlled environment you wouldn't have motivated users, anyway, thanks for the upvote. – abalogh May 05 '11 at 13:42
  • You're correct - I doubt a user in my environment would attempt (or even know how) to do that - but I'm being extra cautious, and it doesn't hurt for the sake of learning. – KyleM May 05 '11 at 13:45
  • I see. Please do post your final solution here, I'd be extremely curious - for the sake of learning. – abalogh May 05 '11 at 13:46
  • Your comment cracked me up. It reminded me of the cubical farm in SQ3. – Andre Artus May 10 '11 at 16:25
2

The latest way for Windows to do it is SPNEGO. To make it work fully you need your server to have an account in AD, and communicate with Kerberos. Then Spring Security, I was told, supports this.

Now, you don't always need to authorize users. Sometimes (e.g. for stats reasons) it's enough to get the AD id of the user. When I was playing with SPNEGO, the binary data that was passed from the browser included the user id in clear text. It can be extracted from there, but cannot be trusted of course.

NTLM is outdated, considered less secure, and largely rolled out of environments.

Vladimir Dyuzhev
  • I don't need to authenticate the user, just look at their username or "AD Id" as you said. – KyleM Apr 29 '11 at 13:46
1

If you are using Tomcat, then use WAFFLE.

Alex
0

I bet you can put Apache web server in front of Tomcat so Apache can authenticate using NTLM or Kerberos. Then you can use rewrite rules to send requests to Tomcat with the username in the plain. This is just an idea, I have not implemented this myself. However, we are using Apache Kerberos authentication in our intranet. My suggestion is not to use NTLM, it's outdated and flaky.

Mike Starov
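An added example for the "Apache authenticates, Tomcat receives the username in the plain" idea in the answer above (not the answerer's code, not part of any project). The weak spot of that pattern is that the username arrives as an ordinary request header, which any client that can reach Tomcat directly could set to whatever it likes. The filter below accepts the header only from known proxy addresses that also present a shared secret. The header names, init-param names, the httpd directives quoted in the comment and the sample addresses are all assumptions or constructed values.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example, not from the answer. Tomcat side of the pattern where httpd
 * does Kerberos authentication and forwards the result as a header.
 *
 * Assumed httpd side (mod_auth_kerb + mod_rewrite + mod_headers; one common
 * form, verify against your httpd version):
 *   AuthType Kerberos
 *   Require valid-user
 *   RewriteEngine On
 *   RewriteCond %{LA-U:REMOTE_USER} (.+)
 *   RewriteRule . - [E=RU:%1]
 *   RequestHeader set X-Remote-User %{RU}e
 *   RequestHeader set X-Proxy-Secret "replace-with-a-long-random-value"
 *
 * Risk: X-Remote-User is just a header. A request that reaches Tomcat without
 * passing through httpd can carry any name. The filter therefore trusts the
 * header only when the peer is a listed proxy AND the shared secret matches.
 */
public class ProxyUserFilter implements Filter {
    static final String USER_HEADER = "X-Remote-User";     // assumed name
    static final String SECRET_HEADER = "X-Proxy-Secret";  // assumed name
    static final String USER_ATTRIBUTE = "adUser";         // assumed name

    private Set<String> trustedProxies = new HashSet<>();
    private String secret;

    /**
     * Decision logic kept free of servlet types so it can run without a
     * container. Returns the username to trust, or null to reject.
     */
    static String resolveUser(Set<String> trustedProxies, String expectedSecret,
                              String remoteAddr, String presentedSecret, String userHeader) {
        if (remoteAddr == null || !trustedProxies.contains(remoteAddr)) {
            return null;                                 // did not arrive via our proxy
        }
        if (expectedSecret == null || presentedSecret == null
                || !MessageDigest.isEqual(expectedSecret.getBytes(StandardCharsets.UTF_8),
                                          presentedSecret.getBytes(StandardCharsets.UTF_8))) {
            return null;                                 // secret missing or wrong
        }
        if (userHeader == null || userHeader.trim().isEmpty()) {
            return null;                                 // proxy forwarded an anonymous request
        }
        return userHeader.trim();
    }

    @Override
    public void init(FilterConfig config) {
        // web.xml init-params (assumed names): trustedProxies="127.0.0.1,10.0.0.5" secret="..."
        String proxies = config.getInitParameter("trustedProxies");
        if (proxies != null) {
            trustedProxies = new HashSet<>(Arrays.asList(proxies.split("\\s*,\\s*")));
        }
        secret = config.getInitParameter("secret");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String user = resolveUser(trustedProxies, secret, request.getRemoteAddr(),
                request.getHeader(SECRET_HEADER), request.getHeader(USER_HEADER));
        if (user == null) {
            ((HttpServletResponse) resp).sendError(HttpServletResponse.SC_FORBIDDEN,
                    "request did not come through the authenticating proxy");
            return;
        }
        // Downstream code reads request.getAttribute("adUser"), never the raw header.
        request.setAttribute(USER_ATTRIBUTE, user);
        chain.doFilter(req, resp);
    }

    @Override
    public void destroy() { }

    /** Stand-alone run with constructed inputs; no container required. */
    public static void main(String[] args) {
        Set<String> proxies = new HashSet<>(Arrays.asList("127.0.0.1"));   // constructed
        String s = "constructed-secret";
        System.out.println(resolveUser(proxies, s, "127.0.0.1", s, "CORP\\kylem"));       // via proxy
        System.out.println(resolveUser(proxies, s, "192.168.1.50", s, "CORP\\admin"));    // wrong peer
        System.out.println(resolveUser(proxies, s, "127.0.0.1", "guess", "CORP\\admin")); // wrong secret
    }
}
```

The address check is only as good as the network path: if Tomcat's HTTP or AJP connector is reachable from client machines, bind it to the loopback address or firewall it so the proxy is the only way in, and treat the shared secret as a second line of defence rather than the first.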