4

I'm working on a server written in Java, and a client (a desktop application written in .Net) that runs on Windows machines on the same network. I would like to have some basic authentication so that the server can determine the username of the user running the client, without needing the user to re-enter their Windows password in the client.

Is this possible, and what's the simplest way to accomplish it?

I had a look at some of the available APIs, it looks as though the org.ietf.jgss package in Java, and NegotiateStream class in .Net, should probably be able to talk to one another to achieve this - but I keep hitting frustrating error messages I don't understand. I thought I'd check if this is the right approach, if so I'll post a separate question with more detail about the errors in question :)

Luke Halliwell
  • Can you add some specifics about how they communicate? http? rmi? jms? socket? – Nathan Sep 24 '09 at 21:59
  • The "real thing" is SOAP. Having said that, it takes a while to build and run the full application, so my tests so far have been with a tiny little raw socket-based server - simply so I can make a change and re-run it within seconds. If I can get that working, it should be relatively simple to extend to the real app (I hope!) – Luke Halliwell Sep 24 '09 at 22:36

4 Answers

3

The approach is the right one. Notice a number of things, though:

  • this will have nothing to do with "Basic Authentication" (in http)
  • .NET will try to use the SPNEGO GSS mechanism. See the Sun documentation for proper support of this mechanism.
  • your service will need to incarnate a service principal. So you need to create an Active Directory account not only for the user, but also for the service, and you need to put the service's password into the Java keytab.
Martin v. Löwis
  • Thanks. When I said "basic authentication", I guess I chose an unfortunate phrase - didn't realise it had a specific meaning. I just meant that I'm not trying to do anything complex. – Luke Halliwell Sep 24 '09 at 22:54
  • @Luke: I was guessing that much. Notice that using GSS-API and Kerberos is *very* complex, as is any other single-logon mechanism. – Martin v. Löwis Sep 24 '09 at 23:00
  • I posted a follow-up with more specific detail on where I've got to, if you know about this stuff I'd appreciate your eyes on it! :) http://stackoverflow.com/questions/1499267/how-to-get-negotiatestream-to-use-kerberos – Luke Halliwell Sep 30 '09 at 17:11
  • Ok ... so, the .Net client code appears to be working now. The Java server code seems ok, it was a wee bit of a battle but it helps having access to the source code there :) Finally, I seem to have problems simply setting up the SPN and keytab file correctly. I've put the question about them over on serverfault as I don't think there's any programming involved in that part! :) http://serverfault.com/questions/70335/creating-keytabs-and-service-principal-names Nearly there, I think/hope :) – Luke Halliwell Oct 01 '09 at 14:35
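As an added example (not code from the question or any answer), here is what the acceptor side of the raw-socket test server looks like in Java with org.ietf.jgss, requesting the SPNEGO mechanism that .NET's Negotiate package offers. It assumes the JVM is started with `-Djavax.security.auth.useSubjectCredsOnly=false` and a JAAS file containing a `com.sun.security.jgss.accept` entry whose Krb5LoginModule points at the service principal's keytab; the 4-byte length-prefix framing of tokens is an assumption for the toy server, and NegotiateStream has its own frame header that a real client/server pair must agree on.

```java
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.net.ServerSocket;
import java.net.Socket;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

/**
 * Minimal GSS-API acceptor for a raw-socket test server (added example).
 * Assumes a JAAS "com.sun.security.jgss.accept" entry backed by the
 * service keytab, and length-prefixed token framing (our own convention).
 */
public class GssAcceptorServer {
    // SPNEGO mechanism OID; .NET's Negotiate package wraps Kerberos in it.
    private static final String SPNEGO_OID = "1.3.6.1.5.5.2";

    public static void main(String[] args) throws Exception {
        try (ServerSocket server = new ServerSocket(8800)) {  // assumed port
            while (true) {
                try (Socket sock = server.accept()) {
                    System.out.println("Authenticated client: " + authenticate(sock));
                }
            }
        }
    }

    /** Runs the accept loop over one socket and returns the client's principal name. */
    static String authenticate(Socket sock) throws Exception {
        DataInputStream in = new DataInputStream(sock.getInputStream());
        DataOutputStream out = new DataOutputStream(sock.getOutputStream());
        GSSManager manager = GSSManager.getInstance();
        // Acceptor credential for the service principal, taken from the keytab via JAAS.
        GSSCredential serverCred = manager.createCredential(null,
                GSSCredential.INDEFINITE_LIFETIME, new Oid(SPNEGO_OID), GSSCredential.ACCEPT_ONLY);
        GSSContext context = manager.createContext(serverCred);
        while (!context.isEstablished()) {
            byte[] token = new byte[in.readInt()];          // read one client token
            in.readFully(token);
            byte[] reply = context.acceptSecContext(token, 0, token.length);
            if (reply != null) {                            // send the response token, if any
                out.writeInt(reply.length);
                out.write(reply);
                out.flush();
            }
        }
        String user = context.getSrcName().toString();      // e.g. "alice@EXAMPLE.COM" (constructed)
        context.dispose();
        return user;
    }
}
```

Once the context is established, `getSrcName()` is the authenticated Windows user name the question asks for; the client never types a password because the Kerberos ticket comes from its existing Windows logon.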
0

If you're using Active Directory, I think the Spring LDAP module can offer you a nice way to access credentials.

duffymo
0

Not being familiar with the GSS mechanism, I would suggest a shared-key mechanism like the one used in passwordless ssh.

whatnick
0

This open source library http://spnego.sourceforge.net has exactly what you are looking for. It implements an HTTP Servlet Filter on the server so that your web-app can call request.getRemoteUser() to find out the username.

Pat Gonzalez