
Single sign using windows credentials

Aj Chawla

Joined: Jul 13, 2007
Posts: 4

I've a requirement of using Windows credentials for login into my JSP/servlet based web application instead of the user passwords that I store in database.
I understand that some kind of interface is required which would pick up the login credentials from Windows, but I am not sure how to go about it.

Looking forward to inputs for the same.

Ulf Dittmer

Joined: Mar 22, 2005
Posts: 42965
I don't think it's possible for a browser to pick up the client Windows username and password - that would be a security violation. But you can use that username and password for authentication once the user has entered those into your login page. The details differ from server to server; Tomcat has the JNDIRealm, which can authenticate against Windows Active Directory.
Jason Moors
Ranch Hand

Joined: Dec 04, 2001
Posts: 188
It won't pick up the password from the client, but the single sign-on functionality is possible if users are using Internet Explorer and you have IIS as a reverse proxy by using Integrated Windows Authentication.

I would recommend searching Google for Kerberos and JAAS.

Ranch Hand

Joined: Nov 22, 2008
Posts: 18944
I'm not sure I understand your problem; I see 2 possibilities:
1) You want to have a popup in which the user can enter the NT username and password (in this case, set up an LDAP realm based on the Active Directory).

2) You want a silent logon! You are in an intranet and you want the user to be automatically authenticated. In this case you can use an implementation of NTLM or Kerberos. Or, which is my personal choice, trust Microsoft. Now you set up IIS to force authentication and you create a virtual directory that is based on an ISAPI filter (they exist for most application servers; I know them for Tomcat, JBoss, Oracle OAS...). This ISAPI filter will work like a proxy and forward a request to your application server, but if you try a request.getRemoteUser() you will receive the NT username.

I don't know what you need; I hope it helps!
Aj Chawla

Joined: Jul 13, 2007
Posts: 4

Thanks Ulf and Jason. I'll explore more on the options that you have given.
Benjamin, here is my exact requirement -
1. A web application (jsp/servlet based) is to be used by windows users in an intranet.
2. Some of the windows users (in the intranet) should be directly able to login into the web application (no login screen) when they access the application.
3. The rest of the users, when they try to log in, should be prompted for a user/password via a login screen.

Henry McClain

Joined: Jul 26, 2007
Posts: 1
Wait just one minute. I have the exact same requirement and nearly the very same environment you mentioned.

I have an IIS6 server with an ISAPI filter directing all requests to a Tomcat 5.5 server.

I implemented Windows Integrated Authentication and my test servlet that looked for getAuthType(), getRemoteUser() and getUserPrincipal() always returned null.

I am successfully using the Tagish JAAS module to manually authenticate form collected usernames/passwords, but when I implement a JAASRealm for the application, it is not picking up the username/password from the client (MSIE7). I continue to get null for the above mentioned servlet methods.

I am also a SharePoint admin here and I am trying to produce a similar login scheme as that with Tomcat. I want my web server, namely Tomcat 5.5 directly or via IIS6, to pick up the client credentials when the client makes the initial request and simply identify (not necessarily authenticate) the user. I just need the username.
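
The mixed requirement from this thread (silent sign-on for users the IIS front end has already authenticated, a login form for everyone else) can be expressed as a servlet filter; this is an added example, not code posted by anyone in the thread. It assumes IIS reports users as `DOMAIN\user` and that the connector forwards that identity (on Tomcat's AJP connector this is the `tomcatAuthentication="false"` attribute); the class name, `CORP`, `/login.jsp` and the session attribute are hypothetical.

```java
import java.io.IOException;
import java.util.Locale;
import javax.servlet.*;
import javax.servlet.http.*;

public class WindowsSsoFilter implements Filter {
    static final String SESSION_USER = "app.user";    // hypothetical session attribute
    static final String LOGIN_PAGE = "/login.jsp";    // hypothetical form-login page
    static final String TRUSTED_DOMAIN = "CORP";      // hypothetical NT domain name

    /** Returns the account part of "CORP\\user", or null for any other value. */
    static String accountName(String remoteUser) {
        if (remoteUser == null) return null;
        int slash = remoteUser.indexOf('\\');
        if (slash <= 0 || slash == remoteUser.length() - 1) return null;
        String domain = remoteUser.substring(0, slash);
        // Accounts from other domains are not silently signed on.
        if (!domain.equalsIgnoreCase(TRUSTED_DOMAIN)) return null;
        return remoteUser.substring(slash + 1).toLowerCase(Locale.ENGLISH);
    }

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        HttpSession session = req.getSession(true);

        if (session.getAttribute(SESSION_USER) == null) {
            // Non-null only if the front end authenticated the caller
            // and the connector passed the identity through.
            String user = accountName(req.getRemoteUser());
            if (user != null) {
                session.setAttribute(SESSION_USER, user);      // silent sign-on
            } else if (!LOGIN_PAGE.equals(req.getServletPath())) {
                // No front-end identity: fall back to the form login,
                // whose handler sets SESSION_USER after checking the password.
                res.sendRedirect(req.getContextPath() + LOGIN_PAGE);
                return;
            }
        }
        chain.doFilter(req, res);
    }
}
```

The value of `getRemoteUser()` is only as trustworthy as the path it arrived on, so the Tomcat connector port should accept connections from the IIS host alone; a client that can reach it directly can assert any username.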
