
How to use Windows login for single-sign-on and for Active Directory entries for Desktop Java application?

I'd like my desktop Java application to have single sign-on related to Active Directory users. In two steps, I'd like to:

  1. Be sure that the particular user has logged in to Windows with some user entry.
  2. Check out some setup information for that user from the Active Directory

With "Java: Programatic Way to Determine Current Windows User" I can get the name of the current Windows user, but can I rely on that? I think the

System.getProperty("user.name")

won't be secure enough? ("user.name" seems to be got from environment variables, so I can't rely on that, I think?)

The question "Authenticating against Active Directory with Java on Linux" provides me the authentication for a given name+pass, but I'd like to authenticate based on the Windows logon.

For the Active Directory access, LDAP would probably be the choice?

Touko asked Feb 13 '09 11:02



3 Answers

It is not supported. Java 6 has improvements, but not enough yet.

Java has its own GSS stack. The problem is for single sign-on, you need to get the Kerberos ticket from the OS (not the Java stack). Otherwise the user has to authenticate a second time (defeating the purpose of single sign-on).

Look at http://java.sun.com/developer/technicalArticles/J2SE/security/. Look down for "Access Native GSS-API" and it talks about a new system property sun.security.jgss.native which, when set to true, causes Java to use the underlying OS GSS implementation, giving access to the OS-level authentication. Perfect!.... except it's only supported for Solaris and Linux, not Microsoft Windows.

Java 6 however does appear to have enough support for acting as a server receiving SPNEGO authentication requests from IE and then authenticating that user against Active Directory. It's just the desktop client support that is still incomplete.

Alan Kent answered Sep 17 '22 15:09


Use JAAS with an LDAP LoginModule. This will allow you to plug into the underlying Java security infrastructure.

When you need to take the app offline or "debug" the app, you can easily swap out the LDAP module for a dummy module. This allows you to continue testing your "security", without depending on Active Directory. Highly testable, decoupled, and you can change the authentication scheme at a later time with almost no grief.

James Schek answered Sep 18 '22 15:09
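
The JAAS approach from the answer above, as an added example that is not part of the original answer: a login routine where the LoginModule class name is the only thing that differs between Active Directory and a test stub. The class name AdLogin, the entry name "AppLogin", and the example.com host, base DN and UPN suffix are assumptions; com.sun.security.auth.module.LdapLoginModule is the JDK's own module.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;

public class AdLogin {
    // Constructed placeholders: substitute your own domain controller, base DN and UPN suffix.
    static final String PROVIDER = "ldaps://dc1.example.com/DC=example,DC=com";
    static final String LDAP_MODULE = "com.sun.security.auth.module.LdapLoginModule";

    /** One-entry JAAS configuration; only the module class name changes between LDAP and a stub. */
    static Configuration config(final String moduleClass) {
        final Map<String, String> opts = new HashMap<String, String>();
        opts.put("userProvider", PROVIDER);
        opts.put("authIdentity", "{USERNAME}@example.com"); // bind to AD as the user
        opts.put("userFilter", "(&(sAMAccountName={USERNAME})(objectClass=user))");
        opts.put("useSSL", "true");
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(moduleClass,
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
            }
        };
    }

    /** Authenticates user/pass through whichever LoginModule is configured. */
    static Subject login(String moduleClass, final String user, final char[] pass)
            throws LoginException {
        CallbackHandler handler = new CallbackHandler() {
            @Override public void handle(Callback[] cbs) throws UnsupportedCallbackException {
                for (Callback cb : cbs) {
                    if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                    else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(pass);
                    else throw new UnsupportedCallbackException(cb);
                }
            }
        };
        LoginContext lc = new LoginContext("AppLogin", null, handler, config(moduleClass));
        lc.login();             // throws LoginException if the bind or the search fails
        return lc.getSubject(); // holds the principals the module added
    }

    public static void main(String[] args) throws Exception {
        char[] pass = System.console().readPassword("Password for %s: ", args[0]);
        System.out.println(login(LDAP_MODULE, args[0], pass).getPrincipals());
    }
}
```

A stub module used for offline testing accepts whatever it is given, so keep its class out of the shipped classpath and do not let an end-user-controlled setting choose the module name.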


Project Waffle has both client and server-side code to do SSO on Windows. It's JNA-based, no native libraries required.

dB. answered Sep 21 '22 15:09