Re: Tomcat NTLM Authentication
הילה hilavalensia at gmail.com writes:

> -Jespa (commercial)
> -Samba JCIFs (obsolete, no NTLMv2)

You may try this open source Java NTLMv2 API and SSO filter:
http://sourceforge.net/projects/ntlmv2auth/

It's an extension of JCIFS, based on code from the (also open source) Liferay portal.

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat NTLM Authentication
It seems that only using the new jdbc pool has solved the memory leak :] It's funny that the idea to use it came from a different thread here in the users list. :]

Thanks for your help
Hila

On 7 March 2011 17:15, הילה hilavalen...@gmail.com wrote:

> Thanks :] I'll dig into it. Any other ideas will be more than welcome :]
>
> 2011/3/7 André Warnier a...@ice-sa.com
>
>>> But does the Microsoft driver have the ability to support windows authentication? If so, how is it implemented?
>>
>> Don't know. You should ask Microsoft. Or try to find out yourself, beginning e.g. at the page I mentioned.
>> I would tend to think that, this being a Microsoft module, it would be rather unlikely that it would not support what MS considers as the standard authentication method.
>> (This being said, we will keep on telling you that it is a bad idea, just so you don't forget) ;-)
>>
>>> and by the way... what is the difference between this Microsoft JDBC driver and what was discussed earlier in a different thread, the tomcat pool JDBC (which uses the tomcat-jdbc.jar file)? Maybe I'm mixing two different things, but if so, why is it called the same?
>>
>> JDBC is the generic name of a technology, or let's say the description of the interface, on the Java side. That's why the name is similar.
>> All JDBC drivers behave more or less the same way on the Java side, but on the other side they are each adapted to their particular database system. So yes, you may have to change some details of your configuration for the driver. The driver's documentation should tell you how.
Re: Tomcat NTLM Authentication
Hi Hila,

I have a similar requirement in my current project. End users (using browsers and java desktop apps) which work on windows workstations which are in a domain, must be able to log in to the application without needing to type in username and password (using their windows credentials). Additionally, the connection to the underlying database must also be done using those user credentials.

My steps while implementing this were:
1. Implement authentication (browser-server, desktop app - server) which uses kerberos
2. Enable credential delegation so your app server can impersonate the client when connecting to the database
3. Connect to the database as the client from within app server code/process (this is database-specific)

This is how I solved it:

I use SPNEGO for browser/webapp scenario authentication. These materials helped me come up with a working server side SPNEGO implementation:

This is what I ended up using for reading a SPNEGO token:
http://blog.springsource.com/2009/09/28/spring-security-kerberos/

Some general information about kerberos from msdn:
http://msdn.microsoft.com/en-us/library/ms995329.aspx
http://msdn.microsoft.com/en-us/library/ms995330.aspx

Very nice articles about credential delegation (you need that so your app server can impersonate clients when it connects to the database):
http://s2.diffuse.it/blog/show/6602-SPNEGO_authentication_and_credential_delegation_with_Java
http://spnego.sourceforge.net/credential_delegation.html

I also had some java desktop apps which needed to authenticate in a similar way, which use Spring HttpInvoker as a remoting protocol, so I decided to make HttpInvoker pass some SPNEGO headers as well, and it seems to work:
https://jira.springsource.org/browse/SES-11

We use Oracle as the database and some materials that were helpful were these:

Oracle Jdbc connection with kerberos
http://download.oracle.com/docs/cd/E11882_01/java.112/e10589/clntsec.htm#insertedID7
http://download.oracle.com/javase/6/docs/api/javax/security/auth/Subject.html

Some general info on Oracle Advanced Security
http://download-west.oracle.com/docs/cd/B14099_19/idmanage.1012/b14085/odip_actdir001.htm#CHDDFFGG

If you also use Oracle I can send you a complete code example for this - I have the whole thing working for simple tests.. I should have a more complete implementation in a few weeks.

Cheers.

2011/3/7 הילה hilavalen...@gmail.com:

> Hey,
> The tomcat is running on windows server 2008 R2 STD
> I don't know if using windows authentication is less secure and affects all the network's security, since this user has permissions only on the DB. You can't even perform a login to servers with this user.
> Anyway, I appreciate your comments and discussion of why it's less secure or not, but I need to perform this (a task I've been given from guys in high above positions), so please help with what I'm trying to do :]
> If I can't use spnego and the other stuff from the list I've found, what can I do?
>
> Thanks
> Hila
>
> 2011/3/6 André Warnier a...@ice-sa.com wrote:
>
>>> Hey,
>>> I want to change the way that tomcat authenticates to the DB of our application, from SQL authentication to Windows authentication.
>>> We use Tomcat 6.0.29, and the user and password to connect to the DB are specified in clear text in the xml configuration file under the folder conf/catalina/localhost.
>>> My goal is to remove the user and password from the xml file, and let the tomcat windows service run with a domain user that has permissions to the DB.
>>> When I searched for a solution for what I'm trying to do, I got to this page-
>>> http://wiki.apache.org/tomcat/FAQ/Windows#Q4
>>> Which suggests these methods:
>>> -Waffle/JNA
>>> -Tomcat SPNEGO
>>> -SPNEGO SF
>>> -Jespa (commercial)
>>> -Tomcat IIS Connector
>>> -Samba JCIFs (obsolete, no NTLMv2)
>>> Is one of these methods suited for what I'm trying to do?
>>> When reading about Tomcat SPNEGO, it says that users working on a windows client OS and IE or Firefox can be silently authenticated (SSO) to a Tomcat running on a windows server via NTLM or kerberos.
>>> It doesn't seem to be what I aim for, since tomcat users don't interest me, only the tomcat windows service and how it connects to the DB
>>
>> Exactly. Now you have the issue correctly framed.
>> And you are right above: all these methods indeed identify/authenticate the client of the Tomcat application to Tomcat, not Tomcat itself to something else. (**)
>> The one thing missing in your description above is that your Tomcat server is running on a Windows machine. And also that your back-end database system is able itself to perform user authentication either in clear-text (user-id + password), or via Windows NTLM authentication.
>> (And, if the back-end database server is set to do NTLM authentication, then it can only do so for Domain user-id's; NTLM authentication will not work with a server-local user-id).
>> So now you have to make one additional effort of thinking rationally, and answer the following fundamental question
Re: Tomcat NTLM Authentication
One of the links I sent you was broken, the right link is:

Oracle Jdbc connection with kerberos
http://download.oracle.com/docs/cd/B28359_01/java.111/b31224/clntsec.htm#CIHCIDHF

Or just google for 'oracle jdbc kerberos' if they move the content again.

On Mon, Mar 7, 2011 at 10:55 AM, Borut Hadžialić borut.hadzia...@gmail.com wrote:
> Hi Hila,
> I have a similar requirement in my current project.
> [...]
Re: Tomcat NTLM Authentication
Borut, thanks. I think that this is very helpful.
It does not do what the OP wanted to do, but it does what he /should/ be doing (in my view).

הילה, if the users connect to Tomcat, and the connections to the database are all done under the Tomcat user-id, then basically you are putting all the users into one big pot, and the database does not know who is really connecting to it. That means that now any of the users can do in the database anything that this Tomcat user-id can do, and you can never find out afterwards who did it. And because this Tomcat user needs to be able to do in the database anything that any user could do, it needs to have very broad rights to the database (the sum of all the users' rights).
In the scheme below, that is not true: each user connects to the database under his own user-id, so the database can decide who is allowed to do what, and can also keep track of who did what.

Borut Hadžialić wrote:
> Hi Hila,
> I have a similar requirement in my current project.
> [...]
> My steps while implementing this were:
> 1. Implement authentication (browser-server, desktop app - server) which uses kerberos
> 2. Enable credential delegation so your app server can impersonate the client when connecting to the database
> 3. Connect to the database as the client from within app server code/process (this is database-specific)
> [...]
Re: Tomcat NTLM Authentication
Yes Andre you are right, I misunderstood the OP - Hila wants to access the database as a single domain user.

How to implement this is probably database specific. For example the Oracle jdbc driver requires you to either:
A) be running the process which makes the database connections as the domain user which can access the database.
B) somehow get an instance of javax.security.auth.Subject representing such a user, for example by using a kerberos keytab file.

There are code examples for A) (connectWithDefaultUser()) and B) (connectWithSpecificUser()) on the page I linked in the last mail.

The problem after that is how to get connection pooling (you might need to implement your own).

Hila, what database are you using?

On Mon, Mar 7, 2011 at 11:59 AM, André Warnier a...@ice-sa.com wrote:
> Borut, thanks. I think that this is very helpful.
> [...]
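Option B) above, as an added Java example that is not code from this thread or from Oracle's documentation: the Tomcat-side service account logs in from a Kerberos keytab through JAAS, gets a Subject, and opens the JDBC connection inside Subject.doAs, so no user/password pair has to sit in the Tomcat configuration. The JAAS entry name, principal, keytab path, krb5.conf location and JDBC URL are placeholders; the two oracle.net.* properties are the Oracle thin driver's Kerberos settings.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;

import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Added example: a single service account authenticates to Oracle with a
 * Kerberos keytab instead of a clear-text user/password in context.xml.
 */
public final class KeytabJdbc {

    /** JAAS configuration built in code, so no external jaas.conf file is needed. */
    static final class KeytabConfig extends Configuration {
        private final String principal;
        private final String keytabPath;

        KeytabConfig(String principal, String keytabPath) {
            this.principal = principal;
            this.keytabPath = keytabPath;
        }

        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            Map<String, String> opts = new HashMap<String, String>();
            opts.put("useKeyTab", "true");     // authenticate with the keytab ...
            opts.put("keyTab", keytabPath);
            opts.put("principal", principal);
            opts.put("storeKey", "true");
            opts.put("doNotPrompt", "true");   // ... and never fall back to a password prompt
            opts.put("isInitiator", "true");   // this process is the Kerberos client of the database
            opts.put("refreshKrb5Config", "true");
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                        LoginModuleControlFlag.REQUIRED, opts)
            };
        }
    }

    /** Logs the service principal in from its keytab and returns the resulting Subject. */
    static Subject loginFromKeytab(String principal, String keytabPath) throws LoginException {
        // "oracle-kerberos" is just the entry name our Configuration answers for (placeholder).
        LoginContext lc = new LoginContext("oracle-kerberos", null, null,
                new KeytabConfig(principal, keytabPath));
        lc.login();
        return lc.getSubject();
    }

    /**
     * Opens the connection while running as the Subject. The driver takes the
     * Kerberos ticket from the Subject; no user or password property is set.
     */
    static Connection connectAs(Subject subject, final String jdbcUrl) throws SQLException {
        final Properties props = new Properties();
        props.setProperty("oracle.net.authentication_services", "(KERBEROS5)");
        props.setProperty("oracle.net.kerberos5_mutual_authentication", "true");
        try {
            return Subject.doAs(subject, new PrivilegedExceptionAction<Connection>() {
                public Connection run() throws SQLException {
                    return DriverManager.getConnection(jdbcUrl, props);
                }
            });
        } catch (PrivilegedActionException e) {
            // run() only throws SQLException, so this cast is safe.
            throw (SQLException) e.getException();
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder values (assumptions): adjust to your realm, keytab and database.
        System.setProperty("java.security.krb5.conf", "/etc/krb5.conf");
        Subject service = loginFromKeytab("tomcat-svc@EXAMPLE.COM",
                "/opt/tomcat/conf/tomcat-svc.keytab");
        Connection c = connectAs(service, "jdbc:oracle:thin:@//db.example.com:1521/ORCL");
        try {
            System.out.println("Connected as " + c.getMetaData().getUserName());
        } finally {
            c.close();
        }
    }
}
```

The pooling caveat from the message still applies: a pool that calls DriverManager itself has to run its connection factory inside the same doAs, and the Subject must be refreshed by logging in again before the ticket's lifetime runs out.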
Re: Tomcat NTLM Authentication
I'm using Microsoft SQL Server 2008, latest SP.
The use of a domain user is done with the jtds package, which allows the tomcat service to authenticate to the DB with the presence of a native SSPI DLL called ntlmauth.dll
However, it generated a memory leak in the server. So I'm looking for alternatives.

Thanks
Hila

2011/3/7 Borut Hadžialić borut.hadzia...@gmail.com
> Yes Andre you are right, I misunderstood the OP - Hila wants to access the database as a single domain user.
> [...]
> Hila, what database are you using?
> [...]
Re: Tomcat NTLM Authentication
הילה wrote:
> I'm using Microsoft SQL Server 2008, latest SP.
> The use of a domain user is done with the jtds package, which allows the tomcat service to authenticate to the DB with the presence of a native SSPI DLL called ntlmauth.dll
> However, it generated a memory leak in the server. So I'm looking for alternatives.

So, the problem now, correctly stated, is:
- does there exist a Java driver for SQL Server 2008, which allows for NTLM authentication with SQL Server, and does not have a memory leak? (and I would think that Microsoft would be the place to look first)

But it is still a bad solution with respect to security, agreed?

It would still be interesting to know in what exact terms you were given this task. Did they tell you
- that the userid and password should in no circumstances be stored in clear in any file on the Tomcat server (even if this file cannot be accessed by anyone)?
- or did they tell you: our security scanner found a file containing a user-id and password; this is not acceptable?
- or some other formulation?
Re: Tomcat NTLM Authentication
Hey,
I cannot look for it in Microsoft, since the Java is of SUN, and the implementation is on the Java side, not the SQL Microsoft side.

Option no' 1 :] User and password should not exist in clear text in the xml file.

2011/3/7 André Warnier a...@ice-sa.com
> [...]
> It would still be interesting to know in what exact terms you were given this task. Did they tell you
> - that the userid and password should in no circumstances be stored in clear in any file on the Tomcat server (even if this file cannot be accessed by anyone)?
> - or did they tell you: our security scanner found a file containing a user-id and password; this is not acceptable?
> - or some other formulation?
Re: Tomcat NTLM Authentication
On 3/7/2011 8:10 AM, הילה wrote:
> Hey,
> I cannot look for it in Microsoft, since the Java is of SUN, and the implementation is on the Java side, not the SQL Microsoft side.

Microsoft may have a jdbc driver you could use, though.

D

> Option no' 1 :] User and password should not exist in clear text in the xml file.
>
> 2011/3/7 André Warnier a...@ice-sa.com
> [...]
Re: Tomcat NTLM Authentication
I read that JTDS (jtds-1.2.5.jar) is more stable and less buggy than the JDBC of Microsoft. So I don't want to add more logs to the fire.. :]

2011/3/7 David kerber dcker...@verizon.net
> [...]
> Microsoft may have a jdbc driver you could use, though.
>
> D
> [...]
Re: Tomcat NTLM Authentication
הילה wrote:
> I read that JTDS (jtds-1.2.5.jar) is more stable and less buggy than the JDBC
> driver of Microsoft. So I don't want to add more logs to the fire.. :]

That's a funny thing to say, considering that it has a memory leak, and that
nobody is answering your calls for help on the jTDS list.

What about this one: http://msdn.microsoft.com/en-us/sqlserver/aa937724
Re: Tomcat NTLM Authentication
On 3/7/2011 8:27 AM, הילה wrote:
> I read that JTDS (jtds-1.2.5.jar) is more stable and less buggy than the JDBC
> driver of Microsoft. So I don't want to add more logs to the fire.. :]

As Andre says, the one you're using now seems to be rather buggy. We have been
using the Microsoft driver for a few months now with no trouble, though we're
not using NTLM authentication with it, and the SQL we're using isn't very
demanding.
Re: Tomcat NTLM Authentication
Yeah, ha :]
Since I'm desperate, I'll try it out.
Do I need to change the connectionURL or DriverClassName in the XML
configuration file of tomcat, in order for this to work?

2011/3/7 André Warnier a...@ice-sa.com
> That's a funny thing to say, considering that it has a memory leak, and that
> nobody is answering your calls for help on the jTDS list.
>
> What about this one: http://msdn.microsoft.com/en-us/sqlserver/aa937724
Re: Tomcat NTLM Authentication
2011/3/7 David kerber dcker...@verizon.net
> As Andre says, the one you're using now seems to be rather buggy. We have
> been using the Microsoft driver for a few months now with no trouble, though
> we're not using NTLM authentication with it, and the SQL we're using isn't
> very demanding.

But does the Microsoft driver have the ability to support Windows
authentication? If so, how is it implemented?

And by the way... what is the difference between this Microsoft JDBC driver and
what was discussed earlier in a different thread, the Tomcat JDBC pool (which
uses the tomcat-jdbc.jar file)? Maybe I'm mixing two different things, but if
so, why is it called the same?

Thanks
Hila
Re: Tomcat NTLM Authentication
הילה wrote:
> ...
> But does the Microsoft driver have the ability to support Windows
> authentication? If so, how is it implemented?

Don't know. You should ask Microsoft. Or try to find out yourself, beginning
e.g. at the page I mentioned.
I would tend to think that, this being a Microsoft module, it would be rather
unlikely that it would not support what MS considers as the standard
authentication method.
(This being said, we will keep on telling you that it is a bad idea, just so
you don't forget) ;-)

> And by the way... what is the difference between this Microsoft JDBC driver
> and what was discussed earlier in a different thread, the Tomcat JDBC pool
> (which uses the tomcat-jdbc.jar file)? Maybe I'm mixing two different
> things, but if so, why is it called the same?

JDBC is the generic name of a technology, or let's say the description of the
interface, on the Java side. That's why the name is similar.
All JDBC drivers behave more or less the same way on the Java side, but on the
other side they are each adapted to their particular database system.
So yes, you may have to change some details of your configuration for the
driver. The driver's documentation should tell you how.
Re: Tomcat NTLM Authentication
Thanks :]
I'll dig into it.
Any other ideas will be more than welcomed :]

2011/3/7 André Warnier a...@ice-sa.com
> So yes, you may have to change some details of your configuration for the
> driver. The driver's documentation should tell you how.
Tomcat NTLM Authentication
Hey,
I want to change the way that Tomcat authenticates to the DB of our
application, from SQL authentication to Windows authentication.
We use Tomcat 6.0.29, and the user and password to connect to the DB are
specified in clear text in the XML configuration file under the folder
conf/catalina/localhost.
My goal is to remove the user and password from the XML file, and let the
Tomcat Windows service run with a domain user that has permissions to the DB.

When I searched for a solution for what I'm trying to do, I got to this page:
http://wiki.apache.org/tomcat/FAQ/Windows#Q4
which suggests these methods:
- Waffle/JNA
- Tomcat SPNEGO
- SPNEGO SF
- Jespa (commercial)
- Tomcat IIS Connector
- Samba JCIFs (obsolete, no NTLMv2)

Is one of these methods suited for what I'm trying to do?
When reading about Tomcat SPNEGO, it says that users working on a Windows
client OS with IE or Firefox can be silently authenticated (SSO) to a Tomcat
running on a Windows server via NTLM or Kerberos. It doesn't seem to be what I
aim for, since Tomcat users don't interest me, only the Tomcat Windows service
and how it connects to the DB.

Your help would be appreciated :]
Thanks
Hila
Re: Tomcat NTLM Authentication
הילה wrote:
> ...
> When reading about Tomcat SPNEGO, it says that users working on a Windows
> client OS with IE or Firefox can be silently authenticated (SSO) to a Tomcat
> running on a Windows server via NTLM or Kerberos. It doesn't seem to be what
> I aim for, since Tomcat users don't interest me, only the Tomcat Windows
> service and how it connects to the DB.

Exactly. Now you have the issue correctly framed.
And you are right above: all these methods indeed identify/authenticate the
client of the Tomcat application to Tomcat, not Tomcat itself to something
else. (**)

The one thing missing in your description above is that your Tomcat server is
running on a Windows machine. And also that your back-end database system is
itself able to perform user authentication either in clear-text (user-id +
password), or via Windows NTLM authentication.
(And, if the back-end database server is set to do NTLM authentication, then it
can only do so for Domain user-id's; NTLM authentication will not work with a
server-local user-id).

So now you have to make one additional effort of thinking rationally, and
answer the following fundamental question: why?

I mean, what exactly is the problem with having a user-id and a password for
the database, in clear in a Tomcat configuration file?
Are there users that can connect to the Tomcat server, and read those
configuration files, and which should not be able to do so?
And if that is the case, can you not do something like:
a) either block these users from accessing the Tomcat server (the best
   solution)
OR
b) - start Tomcat under some Windows user-id (with password)
   - set the permissions of the Tomcat configuration files, so that *only*
     this user-id can read them?

Various people have previously tried to point out different aspects which
remain true, among which:

1) encrypting something is often a chicken-and-egg kind of problem: if you
   encrypt something, then you need to decrypt it somewhere else; and the key
   to decrypt it has to be stored somewhere also. And so on..

2) in terms of security, it is much better to run Tomcat under a server-local
   user-id than as a Domain user-id. That is because the local user-id only
   gives access to the local machine, while a domain user-id gives access to
   the whole domain. By running Tomcat as a domain user, you decrease the
   security of the whole network.

3) security is always a matter of multiple layers of defense. In this case,
   your first line is to prevent unauthorised people from accessing the Tomcat
   configuration files. Because if they can do that, then they can break
   through any other security that you would put in place.
   Think about it: no matter how, Tomcat needs access to the DB. If Tomcat has
   access to the DB, then any user who can control Tomcat can access the
   DB. (*)

4) your second line of defense would be that the DB server only accepts
   connections from Tomcat. This way, if someone can get hold of the user-id
   of Tomcat, at least they cannot use it to access the DB directly.

(*) Suppose Tomcat runs under domain user-id XYZ, with a very secret password.
If I can get access to the Tomcat configuration files, then I can also install
any Tomcat application somewhere, and make Tomcat run it. And this application
will run under the Tomcat user-id, even if I do not know what this user-id is.
So this application could for example dump the whole database in some network
directory of my choice (and then, if I am really a bad guy, delete the database
too).

(**) unless you want real security of access to the DB, and have the Tomcat
application make its own connection to the DB, and authenticate to the DB as
the final user of the application.
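The two defensive layers described above (configuration files readable only by the account Tomcat runs as, and a DB server that accepts connections only from the Tomcat host), written out as an added PowerShell example that is not part of the thread; the CATALINA_HOME path, the local service account name tomcatsvc and the Tomcat host address are placeholders.

```powershell
# Added example, not from the mailing-list thread. Placeholders: $CatalinaHome,
# the local service account 'tomcatsvc' and the Tomcat host address.

# Layer 1 (run on the Tomcat host, as an administrator): make the conf
# directory, and with it the context XML files that hold the DB credentials,
# readable only by Administrators, SYSTEM and the Tomcat service account.
function Protect-TomcatConf {
    param(
        [string]$CatalinaHome   = 'C:\tomcat',                   # placeholder
        [string]$ServiceAccount = "$env:COMPUTERNAME\tomcatsvc"   # placeholder; a local, not a domain, account
    )
    $confDir = Join-Path $CatalinaHome 'conf'

    # One icacls call: drop the ACEs inherited from parent folders (typically
    # BUILTIN\Users read access) and re-grant only the principals that need the
    # files. Doing both in a single call avoids a window with no explicit ACEs.
    # (OI)(CI) makes each ACE inheritable by files and sub-folders. RX is enough
    # for Tomcat to read its configuration; use M instead if you rely on
    # deployment writing context descriptors into conf\Catalina\localhost.
    & icacls $confDir /inheritance:r /grant:r `
        "BUILTIN\Administrators:(OI)(CI)F" `
        "NT AUTHORITY\SYSTEM:(OI)(CI)F" `
        "${ServiceAccount}:(OI)(CI)RX" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $confDir" }

    # Return the resulting ACL so it can be reviewed: every entry should be one
    # of the three principals above, and none should be inherited.
    (Get-Acl $confDir).Access |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

# Layer 2 (run on the SQL Server host): accept TCP 1433 only from the Tomcat
# server, so a leaked user-id cannot be used from any other machine. This only
# helps if no broader rule still opens 1433; check the existing rules with
#   netsh advfirewall firewall show rule name=all | findstr 1433
function Limit-SqlServerInbound {
    param(
        [string]$TomcatHostIp = '10.0.0.5',   # placeholder
        [int]$SqlPort = 1433
    )
    & netsh advfirewall firewall add rule `
        "name=SQL Server $SqlPort from Tomcat host only" `
        dir=in action=allow protocol=TCP `
        "localport=$SqlPort" "remoteip=$TomcatHostIp"
    if ($LASTEXITCODE -ne 0) { throw "netsh failed to add the firewall rule" }
}
```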
Re: Tomcat NTLM Authentication
Hey,
Tomcat is running on Windows Server 2008 R2 STD.
I don't know if using Windows authentication is less secure and affects the
whole network's security, since this user has permissions only on the DB. You
can't even log in to servers with this user.
Anyway, I appreciate your comments and the discussion of why it's less secure
or not, but I need to perform this (a task I've been given from guys in
high-above positions), so please help with what I'm trying to do :]
If I can't use SPNEGO and the other stuff on the list I've found, what can I
do?

Thanks
Hila

2011/3/6 André Warnier a...@ice-sa.com
> Exactly. Now you have the issue correctly framed.
> And you are right above: all these methods indeed identify/authenticate the
> client of the Tomcat application to Tomcat, not Tomcat itself to something
> else.
Tomcat NTLM authentication
Forgive me for shameless advertising. This should be useful to lots of people.

We've published a free Tomcat 6 Negotiate authenticator based on JNA that
supports the Negotiate protocol, including Kerberos and the much requested
NTLM. This is equivalent to checking the Integrated Authentication box in IIS,
enabling single sign-on for Windows servers whether joined or not to an Active
Directory domain. The authenticator is part of project Waffle.

Tutorial: http://code.dblock.org/ShowPost.aspx?id=103
Download Waffle: http://waffle.codeplex.com/

Hope this helps, your feedback is much appreciated,
-dB.

dB. @ dblock.org
http://www.dblock.org/
Moscow|Geneva|Seattle|New York
RE: Tomcat NTLM authentication
> -----Original Message-----
> From: dB.
> Sent: Thursday, May 20, 2010 8:42
> Subject: Tomcat NTLM authentication
>
> Forgive me for shameless advertising. This should be useful to lots of
> people.
>
> We've published a free Tomcat 6 Negotiate authenticator based

Apache License?

> on JNA that supports the Negotiate protocol, including Kerberos and the much
> requested NTLM. This is equivalent to checking the Integrated Authentication
> box in IIS, enabling single sign-on for Windows servers whether joined or not
> to an Active Directory domain. The authenticator is part of project Waffle.
>
> Tutorial: http://code.dblock.org/ShowPost.aspx?id=103
> Download Waffle: http://waffle.codeplex.com/
>
> Hope this helps, your feedback is much appreciated,
> -dB.

--
Jason Pyeron                      PD Inc. http://www.pdinc.us
Principal Consultant              10 West 24th Street #100
+1 (443) 269-1555 x333            Baltimore, Maryland 21218

This message is copyright PD Inc, subject to license 20080407P00.
RE: Tomcat NTLM authentication
Eclipse Public License
http://waffle.codeplex.com/license

I am happy to attach another license to this if there're any real issues with
it.

dB. @ dblock.org
Moscow|Geneva|Seattle|New York

> -----Original Message-----
> From: Jason Pyeron [mailto:jpye...@pdinc.us]
> Sent: Thursday, May 20, 2010 8:50 AM
> To: 'Tomcat Users List'
> Subject: RE: Tomcat NTLM authentication
>
>> We've published a free Tomcat 6 Negotiate authenticator based
>
> Apache License?
Re: Tomcat NTLM authentication
On 20/05/2010 13:48, dB. wrote:
> Eclipse Public License
> http://waffle.codeplex.com/license
>
> I am happy to attach another license to this if there're any real issues
> with it.

There are. Sort of.

The ASF can't include source code that is EPL licensed in Apache products.
However, the bugzilla issue:
https://issues.apache.org/bugzilla/show_bug.cgi?id=49318
when read with the terms of creating a bugzilla account:
https://issues.apache.org/bugzilla/createaccount.cgi
and section 5 of the Apache License:
http://www.apache.org/licenses/LICENSE-2.0.html
is legally sufficient for us to include this code in Tomcat.

Despite that, we (the ASF) would rather an explicit "Yes we're fine with you
doing that" rather than relying on the legalese since we don't want to do
something you don't like, even if legally we could.

If you are happy for this to be included then a +1 here is all that is
required.

Mark
RE: Tomcat NTLM authentication
You have my explicit +1 to take this code and use/include it in Tomcat.

dB. @ dblock.org
Moscow|Geneva|Seattle|New York

> -----Original Message-----
> From: Mark Thomas [mailto:ma...@apache.org]
> Sent: Thursday, May 20, 2010 9:29 AM
> To: Tomcat Users List
> Subject: Re: Tomcat NTLM authentication
>
> If you are happy for this to be included then a +1 here is all that is
> required.
>
> Mark
Re: Tomcat NTLM authentication
On 20/05/2010 15:11, dB. wrote:
You have my explicit +1 to take this code and use/include it in Tomcat.

Cheers. Looking at this is on my todo list. There is also another enhancement in BZ that covers SPNEGO. I'm not sure either solution is exactly what I am looking for since my (maybe impossible) ideal is to do this with not much more than a couple of Java classes. I'll see how feasible that is when I get around to looking at this. I suspect I'll end up borrowing heavily from both proposals. If it does end up that the only solution is one that requires a handful of extra JARs then it will probably become a Tomcat module.

Thanks again,

Mark
Tomcat NTLM authentication
Hello Everybody,

I have implemented the Samba solution to authenticate MSIE clients against a Windows domain controller and, if the credentials are correct, then they are authenticated and the user is authorized to see a particular page. So everything is good.

Now, if I insert wrong credentials then a blank/white page is returned to my browser. I would like to add an error message to this page so the user will be notified that his credentials have not been accepted. I have added the following error-page tags in my conf/web.xml file with no results.

    <error-page>
        <error-code>404</error-code>
        <location>/404.jsp</location>
    </error-page>
    <error-page>
        <error-code>500</error-code>
        <location>/500.jsp</location>
    </error-page>
    <error-page>
        <exception-type>java.lang.Throwable</exception-type>
        <location>/all_errors.jsp</location>
    </error-page>

Is there any way to get a solution to this problem? I appreciate your feedback.

Thank you,
-Camil