Authenticating Windows users in Java server

Question

I'm working on a server written in Java, and a client (a desktop application written in .Net) that runs on Windows machines on the same network. I would like to have some basic authentication so that the server can determine the username of the user running the client, without needing the user to re-enter their Windows password in the client.

Is this possible, and what's the simplest way to accomplish it?

I had a look at some of the available APIs, it looks as though the org.ietf.jgss package in Java, and NegotiateStream class in .Net, should probably be able to talk to one another to achieve this - but I keep hitting frustrating error messages I don't understand. I thought I'd check if this is the right approach, if so I'll post a separate question with more detail about the errors in question :)

Answer 1

The approach is the right one. Notice a number of things, though:

• this will have nothing to do with "Basic Authentication" (in http)
• .NET will try to use the SPNEGO GSS mechanism. See the Sun documentation for proper support of this mechanism.
• your service will need to incarnate a service principal. So you need to create an Active Directory account not only for the user, but also for the service, and you need to put the service's password into the Java keytab.

Answer 2

如果您使用的是Active Directory，我认为Spring LDAP模块可以为您提供访问凭据的好方法。

Answer 3

Not being familiar with the GSS mechanism. I would suggest a shared key mechanism used in passwordless ssh.

Answer 4

This open source library http://spnego.sourceforge.net has exactly what you are looking for. It implements an HTTP Servlet Filter on the server so that your web-app can call request.getRemoteUser() to find out the username.