Tomcat NTLM authentication

Shailesh Chandra
Ranch Hand

Joined: Aug 13, 2004
Posts: 1081

I have developed an application which authenticates against a domain server using NTLM authentication. Different users of the application use their domain credentials to log into the application.

I am facing a problem that the application is not using every user's login credentials; rather, it uses the first user's credentials (it seems to be caching the authentication results), so whenever a new user goes through the authentication, he simply logs into the application because some other user was authenticated earlier.

My standalone program does not have such an issue.

I am using the Java Authenticator to authenticate.




Just wondering what's causing this

Thanks,
Shailesh


Gravitation cannot be held responsible for people falling in love ~ Albert Einstein
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16305
I'm afraid that there isn't enough there for me to make sense of.

However, if you've coded the authentication process into the application itself, I don't recommend that.

Partly because webapps with user-designed security are virtually all insecure, but in this particular case also because there is a Tomcat Realm plugin that can handle the authentication and authorization processes instead of making the webapp do it.


Customer surveys are for companies who didn't pay proper attention to begin with.
Shailesh Chandra
Ranch Hand

Joined: Aug 13, 2004
Posts: 1081

I think I didn't give enough information here.

I am writing service components exposed as REST, and my service components access SSRS (SQL Server Reporting Services) via the web service exposed by SSRS.

I need to authenticate myself before accessing SSRS, and the same authenticated user is used by SSRS to verify various credentials, so this happens for each user. If I enable any Tomcat-based authentication, it will definitely authenticate, but I still have to authenticate the user while creating the connection to the SSRS web services. In other words, Tomcat authentication is not fruitful for me, because a second authentication is inevitable.

So I am using Java Authentication before creating the SoapService object, which is working for me, but it is causing an issue in subsequent calls. The credentials of the first authentication are being used every time.

My standalone program works fine, so the only difference I see is that the JVM terminates in the standalone program, while in Tomcat the JVM stays alive, which I suspect is caching the authentication result.


Thanks,
Shailesh
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16305
Ah yes, REST. No, that's one case where the standard container system doesn't appear to work well. In large part because the container system is intended to authenticate sessions, but the very definition of REST is that it's (allegedly) sessionless.

The javaDocs on Authenticator seem to indicate that it's intended for use on a client, not a server. And definitely not as a multi-user authenticator. For that, I think you'd have to instantiate a new authenticator for each request, not expect the Authenticator class itself to serve as a factory or provider.

Also, Authenticator seems to get involved in security negotiations. In a standard HTTP security authentication session, the server would either respond to the original request with an "authentication required" response (which would cause a browser to pop up the userid/password dialog) or, in cases of J2EE form-based security, return the login form, which is then submitted back to resume the original request which the server had shunted off to a holding area. In other words, I'm not sure that the HTTP protocol sequences are appropriate.

For NTLM requests, there is metadata that's piggybacked onto the initial request. Thus, the server needs to check that metadata before routing the request to the REST response handler. I'm thinking that the best place to do this would be in a Tomcat Valve. You might want to google around and see if there's one pre-written that you can use. If you did code the security check into the webapp itself, you'd have to basically do the same thing that the NTLM Realm module does, except do it manually. And that, incidentally, is one reason why I prefer container-based security where possible. Because sooner or later a maintenance programmer will either forget to code the check or botch the job (or add logic that bypasses the check).
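One way to act on the "one authenticator per request" point above, as an added example that is not code from this thread: java.net.Authenticator.setDefault() installs a single JVM-wide instance, so inside Tomcat every request thread shares it; the hypothetical RequestScopedAuthenticator below keeps that one instance but looks up the credentials bound to the current request thread, so one user's domain credentials are never handed to another user's request. Class and method names, and the Supplier-based callAs wrapper, are assumptions for illustration.

```java
import java.net.Authenticator;
import java.net.PasswordAuthentication;
import java.util.function.Supplier;

/**
 * Hypothetical helper (not from the thread). Authenticator.setDefault() is
 * process-global, so in a servlet container all request threads see the same
 * instance. Instead of baking one user's credentials into it, this instance
 * answers the HTTP challenge with whatever the *current thread* has bound.
 */
public final class RequestScopedAuthenticator extends Authenticator {

    // Credentials scoped to the thread handling the current request.
    private static final ThreadLocal<PasswordAuthentication> CURRENT = new ThreadLocal<>();

    /** Install once at startup (e.g. from a ServletContextListener). */
    public static void install() {
        Authenticator.setDefault(new RequestScopedAuthenticator());
    }

    /** Bind the calling user's domain credentials to this request thread. */
    public static void bind(String domainUser, char[] password) {
        // PasswordAuthentication clones the password array before storing it.
        CURRENT.set(new PasswordAuthentication(domainUser, password));
    }

    /** Tomcat reuses worker threads, so the binding must always be removed. */
    public static void unbind() {
        CURRENT.remove();
    }

    /**
     * Runs one outbound call (e.g. building the SSRS SoapService and invoking
     * it) as the given user, guaranteeing unbind() even if the call throws.
     */
    public static <T> T callAs(String domainUser, char[] password, Supplier<T> call) {
        bind(domainUser, password);
        try {
            return call.get();
        } finally {
            unbind();
        }
    }

    @Override
    protected PasswordAuthentication getPasswordAuthentication() {
        // Invoked by HttpURLConnection on the request thread when the remote
        // server challenges; only that thread's binding is visible here.
        // Returning null means "no credentials", so the challenge fails closed.
        return CURRENT.get();
    }
}
```

This scopes the credentials to the request thread but does not clear any authentication result the JVM's HTTP client has already cached for the SSRS host, which is the caching the original poster suspects; verify in a test that each user's call actually triggers a fresh NTLM challenge.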
Shailesh Chandra
Ranch Hand

Joined: Aug 13, 2004
Posts: 1081



Tim Holloway wrote:
"The javaDocs on Authenticator seem to indicate that it's intended for use on a client, not a server."

Though I am using it inside Tomcat, my complete application is still a client of another application, where the authentication is being triggered.

Tim Holloway wrote:
"And definitely not as a multi-user authenticator. For that, I think you'd have to instantiate a new authenticator for each request, not expect the authenticator class itself to serve as a factory or provider."

I did try to use a new instance every time by writing a new class extending the Authenticator class, but it didn't work.

Actually, once a negotiation happens, it doesn't trigger any further negotiation. To my surprise, when I removed the network cable and Tomcat was on my local machine, authentication was successful.

On another environment, when I changed the authentication to Kerberos, I am not facing any issue.

However, I am trying to know the exact cause of the issues with NTLM and possible solutions for the same.


Thanks,
Shailesh


Shailesh Chandra
Ranch Hand

Joined: Aug 13, 2004
Posts: 1081

This URL explains my problem, but none of the suggestions are working for me.
Shailesh Chandra
Ranch Hand

Joined: Aug 13, 2004
Posts: 1081

Hi Tim

Thanks for your time and for giving me food for thought. I have solved the issue using one of the suggestions in the above posted URL.

I have used the below code to solve my issue.


The only catch for which it didn't work earlier was: I didn't create a separate class for the Authenticator; rather, I used an inner anonymous class.


Thanks,
Shailesh