[TriLUG] Java and AD Authentication
alexeyt at freeshell.org
Mon Nov 28 11:02:29 EST 2011
I've never heard of quite what you're describing, but there is a way that
the browser on a Windows machine can automatically authenticate to an IIS
web server in the same AD domain, often called 'NTLM authentication' but
often also referred to as 'integrated windows authentication' or just
'single sign on'. There's no really authoritative web resource I can point
you at, but if you google for "ntlm http authentication" you'll find lots
of related stuff.
Apache does not natively support this sort of auth, but a company I used
to work for (geminisecurity.com) sold an Apache plugin that would enable
it to do so. Firefox doesn't support this out of the box, but there's
apparently a way to enable it (add firefox to the search terms). IIS and
Explorer both support it.
On Mon, 28 Nov 2011, Brian McCullough wrote:
> I am going to ask here because I know that there are some deep resources here, including pointers to other groups or web links.
> I am working with some Java code that I have inherited, using Spring Security version 2, and have been asked to add the ability to authenticate against an Active Directory server in the same environment ( network ).
> The idea is to use the existing environment to provide information about the person already logged in, and ask the AD server for further roles and permissions.
> All of the research that I have been doing points at using the AD server as an LDAP server ( as far as the Spring Security module is concerned ), with or without the "internal" login prompt that it would provide.
> However, in a very brief conversation, someone suggested that there was a SOAP way to do this that would just "automagically KNOW" who was logged in, and carry on the conversation with the AD server in the background.
> None of my searches seem to be turning up anything that looks appropriate, maybe I am just not reading things correctly.
> Does anybody know of this integration technique linking Java with, I guess, a web service provided by the AD server, that would just "know" what it needs to know about the current user? I guess that the Java application is running on the client browser, talking to Tomcat on the web server, and also to the AD server.