仅使用用户名和密码即可使用LDAP的Tomcat认证
[英]Tomcat Authentication using LDAP with just username and without password
问题描述
I have a web application which is hosted on apache web server. 
我有一个托管在Apache Web服务器上的Web应用程序。 And i have external java application which runs on tomcat integrated in this web application. 我有在此Web应用程序中集成的tomcat上运行的外部Java应用程序。
The apache is kerberized and I get the username of the person accessing it in the intranet. apache被kerberized,我在Intranet中获得了访问它的人的用户名。 I want to use the same username and pass it on tomcat to check against ldap and authorize the user. 我想使用相同的用户名,并将其传递给tomcat来检查ldap并授权用户。
I was looking into JNDI realm which supports LDAP module. 我正在研究支持LDAP模块的JNDI领域。 But the problem is I do not have access to the user's password. 但是问题是我无法访问用户的密码。 But I'm able to get the groups the user belongs to and based on that I want to authenticate the user. 但是我可以获取用户所属的组,并以此为基础对用户进行身份验证。
So my question is will i be able to authenticate a user against Tomcat server via LDAP with just the username and not the password? 所以我的问题是,我能够仅使用用户名而不使用密码通过LDAP对Tomcat服务器进行身份验证吗?
PS: Sorry there is no code or configuration that I can post at this point. PS:抱歉,目前我无法发布任何代码或配置。 The only resources i found implemented both username and password. 我发现的唯一资源实现了用户名和密码。 I cannot kerberize the tomcat server because I have other issues in the network. 由于网络中还有其他问题,我无法对tomcat服务器进行kerberize。
1 个解决方案
解决方案1
0 2013-04-26 19:05:09
"I was looking into JNDI realm which supports LDAP module. But the problem is I do not have access to the user's password. But I'm able to get the groups the user belongs to and based on that I want to authenticate the user."
Once I was asked to write some code to do the very same thing. 一旦要求我写一些代码来做同样的事情。 I found a way to make it work. 我找到了使之工作的方法。 However, although it seemed to work well enough with Internet Explorer which would automatically detect the Windows username (because my code was parsing some NTLM information that only Internet Explorer passes in as a header), in Firefox or any other browser the user would be presented with an authentication box and any username they typed in would be accepted! 但是,尽管它与Internet Explorer可以自动检测Windows用户名(因为我的代码正在解析仅Internet Explorer作为标头传递的一些NTLM信息)一起使用似乎效果很好,但是在Firefox或任何其他浏览器中,都会向用户显示带有验证框,并且他们输入的任何用户名都将被接受! Its very insecure. 它很不安全。
(Well, its not really true that only IE passes the header in. Only IE passes it in automatically; but Firefox also passes it in after someone gets the authentication box and types in any name they want. That's the problem.) (好吧,仅IE传递标头并不是真正的事实。只有IE自动传递标头;但是在有人获得身份验证框并键入他们想要的任何名称后,Firefox也会将标头传递进来。)
What I would suggest is writing a C#.NET service to do the authentication for real on a webserver that is IIS and has Integrated Authentication on. 我建议编写一个C#.NET服务,以在IIS且启用了集成身份验证的Web服务器上进行真实身份验证。 Then, redirect to the C# service when someone hits the Java site and the username session variable is null. 然后,当有人访问Java网站并且用户名会话变量为null时,重定向到C#服务。 Have the C# service save the info in a trusted/secure database including ip address and browser and redirect to the Java app which reads the db to validate IP address and browser and that the record was just created. 让C#服务将信息保存在一个受信任/安全的数据库中,包括ip地址和浏览器,然后重定向到Java应用程序,该应用程序读取数据库以验证IP地址和浏览器,并且记录刚刚创建。
Edit: I just noticed you said your Apache is kerberized and already gets the Windows username, which may render the problem above about the unreliability of parsing the NTLM header null and void. 编辑:我刚刚注意到您说您的Apache已被kerberized,并且已经获得Windows用户名,这可能会导致上述问题,即解析NTLM标头为null和void的不可靠性。 In this case, if you can get the AD groups via LDAP you can authenticate the user in your webapp with your own code, but probably not using the official Tomcat authentication scheme. 在这种情况下,如果可以通过LDAP获取AD组,则可以使用自己的代码对Webapp中的用户进行身份验证,但可能不使用官方的Tomcat身份验证方案。 What is described above is just because my Tomcat is not paired with an Apache server but with a IIS server. 上面描述的原因仅仅是因为我的Tomcat没有与Apache服务器配对,而是与IIS服务器配对。 So basically, its the same thing, except you won't need C#. 因此,基本上来说,这是相同的,除了不需要C#。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.