Windows Authentication for Java Based web applications, How to?

Question

I have a couple of Java-based web applications developed. Both the applications have separate Authentication logic based on some ActiveX directory implementation.

Now, I need to change this to Windows authentication so that whenever the user hits the URLs of my web applications, instead of redirecting him to login page I need to check his Windows credentials.

I do not want to store his windows credentials in URL.

Is there any good way to do this ?

Answer 1

Depending on the level of integration you want your web application to have, Spring Security should have you covered in just about all aspects of what you are after.

If redirecting to a login page and authenticating the entered credentials against an Active Directory server via LDAP is acceptable, then the LDAP extension is the way to go.

If you want more of a Single Sign On (SSO) flow and your users are already authenticated against the authoritative Active Directory server in question (eg. they are logged in to the domain), then the Kerberos plugin for Spring Security may be more appealing, since your users will simply have to go to the web application and won't have to go through any other authentication steps. The systems will take care of it behind the scenes.

You can also combine / layer these approaches if you which and try Kerberos-based authentication first and if that falls through, fall back to a login form and LDAP-based authentication.

If you need to go beyond that, Spring Security is flexible enough to allow you to use OpenID or in-app authentication as well if needed.

Answer 2

I'd recommending using Active Directory to expose it's windows authentication layer over LDAP, which can then be hit by something like Spring Security.

This would effectively force anyone using your application to use their windows login.