Re: Tomcat NTLM Authentication

2012-02-28 Thread Marcel Schoen
הילה  gmail.com> writes:


> -Jespa (commercial)
> -Samba JCIFs (obsolete, no NTLMv2)

You may try this open source Java NTLMv2 API and SSO filter:

http://sourceforge.net/projects/ntlmv2auth/

It's an extension of JCIFS, based on code from the (also open source) Liferay
portal.



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Tomcat NTLM Authentication

2011-03-13 Thread הילה
It seems that only using the new jdbc pool has solved the memory leak :]
it's funny that the idea to use it came from a different thread here in the
users list. :]
Thanks for your help
Hila



On 7 March 2011 17:15, הילה wrote:

> Thanks :]
> I'll dig into it.
> Any other ideas will be more than welcomed :]
>
>
> 2011/3/7 André Warnier 
>
>>
>>
>>
>>> But does the Microsoft Driver have the ability to support Windows
>>> authentication?
>>> If so, how is it implemented?
>>>
>>
>> Don't know. You should ask Microsoft.  Or try to find out yourself,
>> beginning e.g. at the page I mentioned.
>> I would tend to think that, this being a Microsoft module, it would be
>> rather unlikely that it would not support what MS considers as the standard
>> authentication method.
>>
>> (This being said, we will keep on telling you that it is a bad idea, just
>> so you don't forget)  ;-)
>>
>>
>>
>>> and by the way... what is the difference between this Microsoft JDBC
>>> driver,
>>> and what was discussed earlier in a different thread, of tomcat pool JDBC
>>> (which
>>> uses the tomcat-jdbc.jar file)? maybe I'm mixing two different things, but
>>> if
>>> so, why is it called the same?
>>>
>>>
>> JDBC is the generic name of a technology, or let's say the description of
>> the interface, on the Java side.
>> That's why the name is similar.
>>
>> All JDBC drivers behave more or less the same way on the Java side, but on
>> the other side they are each adapted to their particular database system.
>>
>> So yes, you may have to change some details of your configuration for the
>> driver.  The driver's documentation should tell you how.
>>
>>
>>
>>


Re: Tomcat NTLM Authentication

2011-03-07 Thread הילה
Thanks :]
I'll dig into it.
Any other ideas will be more than welcomed :]

2011/3/7 André Warnier 

>
>
>
>> But does the Microsoft Driver have the ability to support Windows
>> authentication?
>> If so, how is it implemented?
>>
>
> Don't know. You should ask Microsoft.  Or try to find out yourself,
> beginning e.g. at the page I mentioned.
> I would tend to think that, this being a Microsoft module, it would be
> rather unlikely that it would not support what MS considers as the standard
> authentication method.
>
> (This being said, we will keep on telling you that it is a bad idea, just
> so you don't forget)  ;-)
>
>
>
>> and by the way... what is the difference between this Microsoft JDBC
>> driver,
>> and what was discussed earlier in a different thread, of tomcat pool JDBC
>> (which
>> uses the tomcat-jdbc.jar file)? maybe I'm mixing two different things, but
>> if
>> so, why is it called the same?
>>
>>
> JDBC is the generic name of a technology, or let's say the description of
> the interface, on the Java side.
> That's why the name is similar.
>
> All JDBC drivers behave more or less the same way on the Java side, but on
> the other side they are each adapted to their particular database system.
>
> So yes, you may have to change some details of your configuration for the
> driver.  The driver's documentation should tell you how.
>
>
>
>


Re: Tomcat NTLM Authentication

2011-03-07 Thread André Warnier

הילה wrote:
...



But does the Microsoft Driver have the ability to support Windows
authentication?
If so, how is it implemented?


Don't know. You should ask Microsoft.  Or try to find out yourself, beginning e.g. at the 
page I mentioned.
I would tend to think that, this being a Microsoft module, it would be rather unlikely 
that it would not support what MS considers as the standard authentication method.


(This being said, we will keep on telling you that it is a bad idea, just so you don't 
forget)  ;-)




and by the way... what is the difference between this Microsoft JDBC driver,
and what was discussed earlier in a different thread, of tomcat pool JDBC (which
uses the tomcat-jdbc.jar file)? maybe I'm mixing two different things, but if
so, why is it called the same?



JDBC is the generic name of a technology, or let's say the description of the interface, 
on the Java side.

That's why the name is similar.

All JDBC drivers behave more or less the same way on the Java side, but on the other side 
they are each adapted to their particular database system.


So yes, you may have to change some details of your configuration for the driver.  The 
driver's documentation should tell you how.





Re: Tomcat NTLM Authentication

2011-03-07 Thread הילה
*As Andre says, the one you're using now seems to be rather buggy.  We have
been using the Microsoft driver for a few months now with no trouble, though
we're not using NTLM authentication with it, and the SQL we're using isn't
very demanding*

But does the Microsoft Driver have the ability to support Windows
authentication?
If so, how is it implemented?

and by the way... what is the difference between this Microsoft JDBC driver,
and what was discussed earlier in a different thread, of tomcat pool JDBC (which
uses the tomcat-jdbc.jar file)? maybe I'm mixing two different things, but if
so, why is it called the same?

Thanks
Hila

>
>
>>
>> 2011/3/7 David kerber
>>
>>  On 3/7/2011 8:10 AM, הילה wrote:
>>>
>>>  Hey,
 I cannot look for it in Microsoft, since the Java is of SUN, and the
 implementation is on the Java side, not the SQL Microsoft side.


>>> Microsoft may have a jdbc driver you could use, though.
>>>
>>>
>>> D
>>>
>>>
>>>
>>>  Option no' 1 :]
 User and password should not exist in clear text in the xml file.

 2011/3/7 André Warnier

  הילה wrote:

>
>  I'm using Microsoft SQL Server 2008, latest SP.
>
>> the use of domain user is used with the jtds package, which allows the
>> tomcat service to authenticate to the DB with the presence of native
>> SSPI
>> DLL called ntlmauth.dll
>> However, it generated a memory leak in the server. So I'm looking for
>> alternatives.
>>
>>  So, the problem now, correctly stated, is :
>>
>>
> - does there exist a Java driver for SQL Server 2008, which allows for
> NTLM
> authentication with SQL Server, and does not have a memory leak ?
>
> (and I would think that Microsoft would be the place to look first)
>
>
> But it is still a bad solution with respect to security, agreed ?
>
> It would still be interesting to know in what exact terms you were
> given
> this task.
> Did they tell you
> - that the userid and password should in no circumstances be stored in
> clear in any file on the Tomcat server (even if this file cannot be
> accessed
> by anyone) ?
> - or did they tell you : our security scanner found a file containing a
> user-id and password; this is not acceptable ?
> - or some other formulation ?
>
>
>
>
>
>
>

>>>
>>>
>>>
>>
>
>
>


Re: Tomcat NTLM Authentication

2011-03-07 Thread הילה
Yeah, ha :]
Since I'm desperate, I'll try it out.
Do I need to change the connectionURL or DriverClassName in the XML
configuration file of tomcat, in order for this to work?


2011/3/7 André Warnier 

> הילה wrote:
>
>> I read that JTDS (jtds-1.2.5.jar) is more stable and less buggy than JDBC
>> of
>> Microsoft. So I don't want to add more logs to the fire.. :]
>>
>
> That's a funny thing to say, considering that it has a memory leak, and
> that nobody is answering your calls for help on the jTDS list.
> What about this one :
>
> http://msdn.microsoft.com/en-us/sqlserver/aa937724
>
>
>
>
>
>>
>> 2011/3/7 David kerber 
>>
>>  On 3/7/2011 8:10 AM, הילה wrote:
>>>
>>>  Hey,
 I cannot look for it in Microsoft, since the Java is of SUN, and the
 implementation is on the Java side, not the SQL Microsoft side.

  Microsoft may have a jdbc driver you could use, though.
>>>
>>>
>>> D
>>>
>>>
>>>
>>>  Option no' 1 :]
 User and password should not exist in clear text in the xml file.

 2011/3/7 André Warnier

  הילה wrote:

>  I'm using Microsoft SQL Server 2008, latest SP.
>
>> the use of domain user is used with the jtds package, which allows the
>> tomcat service to authenticate to the DB with the presence of native
>> SSPI
>> DLL called ntlmauth.dll
>> However, it generated a memory leak in the server. So I'm looking for
>> alternatives.
>>
>>  So, the problem now, correctly stated, is :
>>
>>  - does there exist a Java driver for SQL Server 2008, which allows
> for
> NTLM
> authentication with SQL Server, and does not have a memory leak ?
>
> (and I would think that Microsoft would be the place to look first)
>
>
> But it is still a bad solution with respect to security, agreed ?
>
> It would still be interesting to know in what exact terms you were
> given
> this task.
> Did they tell you
> - that the userid and password should in no circumstances be stored in
> clear in any file on the Tomcat server (even if this file cannot be
> accessed
> by anyone) ?
> - or did they tell you : our security scanner found a file containing a
> user-id and password; this is not acceptable ?
> - or some other formulation ?
>
>
>
>
>
>
>>>
>>>
>>>
>>
>
>
>


Re: Tomcat NTLM Authentication

2011-03-07 Thread David kerber

On 3/7/2011 8:27 AM, הילה wrote:

I read that JTDS (jtds-1.2.5.jar) is more stable and less buggy than JDBC of
Microsoft. So I don't want to add more logs to the fire.. :]


As Andre says, the one you're using now seems to be rather buggy.  We 
have been using the Microsoft driver for a few months now with no 
trouble, though we're not using NTLM authentication with it, and the SQL 
we're using isn't very demanding.





2011/3/7 David kerber


On 3/7/2011 8:10 AM, הילה wrote:


Hey,
I cannot look for it in Microsoft, since the Java is of SUN, and the
implementation is on the Java side, not the SQL Microsoft side.



Microsoft may have a jdbc driver you could use, though.


D




Option no' 1 :]
User and password should not exist in clear text in the xml file.

2011/3/7 André Warnier

  הילה wrote:


  I'm using Microsoft SQL Server 2008, latest SP.

the use of domain user is used with the jtds package, which allows the
tomcat service to authenticate to the DB with the presence of native
SSPI
DLL called ntlmauth.dll
However, it generated a memory leak in the server. So I'm looking for
alternatives.

  So, the problem now, correctly stated, is :



- does there exist a Java driver for SQL Server 2008, which allows for
NTLM
authentication with SQL Server, and does not have a memory leak ?

(and I would think that Microsoft would be the place to look first)


But it is still a bad solution with respect to security, agreed ?

It would still be interesting to know in what exact terms you were given
this task.
Did they tell you
- that the userid and password should in no circumstances be stored in
clear in any file on the Tomcat server (even if this file cannot be
accessed
by anyone) ?
- or did they tell you : our security scanner found a file containing a
user-id and password; this is not acceptable ?
- or some other formulation ?




















Re: Tomcat NTLM Authentication

2011-03-07 Thread André Warnier

הילה wrote:

I read that JTDS (jtds-1.2.5.jar) is more stable and less buggy than JDBC of
Microsoft. So I don't want to add more logs to the fire.. :]


That's a funny thing to say, considering that it has a memory leak, and that nobody is 
answering your calls for help on the jTDS list.

What about this one :

http://msdn.microsoft.com/en-us/sqlserver/aa937724






2011/3/7 David kerber 


On 3/7/2011 8:10 AM, הילה wrote:


Hey,
I cannot look for it in Microsoft, since the Java is of SUN, and the
implementation is on the Java side, not the SQL Microsoft side.


Microsoft may have a jdbc driver you could use, though.


D




Option no' 1 :]
User and password should not exist in clear text in the xml file.

2011/3/7 André Warnier

 הילה wrote:

 I'm using Microsoft SQL Server 2008, latest SP.

the use of domain user is used with the jtds package, which allows the
tomcat service to authenticate to the DB with the presence of native
SSPI
DLL called ntlmauth.dll
However, it generated a memory leak in the server. So I'm looking for
alternatives.

 So, the problem now, correctly stated, is :


- does there exist a Java driver for SQL Server 2008, which allows for
NTLM
authentication with SQL Server, and does not have a memory leak ?

(and I would think that Microsoft would be the place to look first)


But it is still a bad solution with respect to security, agreed ?

It would still be interesting to know in what exact terms you were given
this task.
Did they tell you
- that the userid and password should in no circumstances be stored in
clear in any file on the Tomcat server (even if this file cannot be
accessed
by anyone) ?
- or did they tell you : our security scanner found a file containing a
user-id and password; this is not acceptable ?
- or some other formulation ?

















Re: Tomcat NTLM Authentication

2011-03-07 Thread הילה
I read that JTDS (jtds-1.2.5.jar) is more stable and less buggy than JDBC of
Microsoft. So I don't want to add more logs to the fire.. :]


2011/3/7 David kerber 

> On 3/7/2011 8:10 AM, הילה wrote:
>
>> Hey,
>> I cannot look for it in Microsoft, since the Java is of SUN, and the
>> implementation is on the Java side, not the SQL Microsoft side.
>>
>
> Microsoft may have a jdbc driver you could use, though.
>
>
> D
>
>
>
>> Option no' 1 :]
>> User and password should not exist in clear text in the xml file.
>>
>> 2011/3/7 André Warnier
>>
>>  הילה wrote:
>>>
>>>  I'm using Microsoft SQL Server 2008, latest SP.
 the use of domain user is used with the jtds package, which allows the
 tomcat service to authenticate to the DB with the presence of native
 SSPI
 DLL called ntlmauth.dll
 However, it generated a memory leak in the server. So I'm looking for
 alternatives.

  So, the problem now, correctly stated, is :

>>>
>>> - does there exist a Java driver for SQL Server 2008, which allows for
>>> NTLM
>>> authentication with SQL Server, and does not have a memory leak ?
>>>
>>> (and I would think that Microsoft would be the place to look first)
>>>
>>>
>>> But it is still a bad solution with respect to security, agreed ?
>>>
>>> It would still be interesting to know in what exact terms you were given
>>> this task.
>>> Did they tell you
>>> - that the userid and password should in no circumstances be stored in
>>> clear in any file on the Tomcat server (even if this file cannot be
>>> accessed
>>> by anyone) ?
>>> - or did they tell you : our security scanner found a file containing a
>>> user-id and password; this is not acceptable ?
>>> - or some other formulation ?
>>>
>>>
>>>
>>>
>>>
>>>
>>
>
>
>


Re: Tomcat NTLM Authentication

2011-03-07 Thread David kerber

On 3/7/2011 8:10 AM, הילה wrote:

Hey,
I cannot look for it in Microsoft, since the Java is of SUN, and the
implementation is on the Java side, not the SQL Microsoft side.


Microsoft may have a jdbc driver you could use, though.

D




Option no' 1 :]
User and password should not exist in clear text in the xml file.

2011/3/7 André Warnier


הילה wrote:


I'm using Microsoft SQL Server 2008, latest SP.
the use of domain user is used with the jtds package, which allows the
tomcat service to authenticate to the DB with the presence of native SSPI
DLL called ntlmauth.dll
However, it generated a memory leak in the server. So I'm looking for
alternatives.

  So, the problem now, correctly stated, is :


- does there exist a Java driver for SQL Server 2008, which allows for NTLM
authentication with SQL Server, and does not have a memory leak ?

(and I would think that Microsoft would be the place to look first)


But it is still a bad solution with respect to security, agreed ?

It would still be interesting to know in what exact terms you were given
this task.
Did they tell you
- that the userid and password should in no circumstances be stored in
clear in any file on the Tomcat server (even if this file cannot be accessed
by anyone) ?
- or did they tell you : our security scanner found a file containing a
user-id and password; this is not acceptable ?
- or some other formulation ?













Re: Tomcat NTLM Authentication

2011-03-07 Thread הילה
Hey,
I cannot look for it in Microsoft, since the Java is of SUN, and the
implementation is on the Java side, not the SQL Microsoft side.

Option no' 1 :]
User and password should not exist in clear text in the xml file.

2011/3/7 André Warnier 

> הילה wrote:
>
>> I'm using Microsoft SQL Server 2008, latest SP.
>> the use of domain user is used with the jtds package, which allows the
>> tomcat service to authenticate to the DB with the presence of native SSPI
>> DLL called ntlmauth.dll
>> However, it generated a memory leak in the server. So I'm looking for
>> alternatives.
>>
>>  So, the problem now, correctly stated, is :
>
> - does there exist a Java driver for SQL Server 2008, which allows for NTLM
> authentication with SQL Server, and does not have a memory leak ?
>
> (and I would think that Microsoft would be the place to look first)
>
>
> But it is still a bad solution with respect to security, agreed ?
>
> It would still be interesting to know in what exact terms you were given
> this task.
> Did they tell you
> - that the userid and password should in no circumstances be stored in
> clear in any file on the Tomcat server (even if this file cannot be accessed
> by anyone) ?
> - or did they tell you : our security scanner found a file containing a
> user-id and password; this is not acceptable ?
> - or some other formulation ?
>
>
>
>
>


Re: Tomcat NTLM Authentication

2011-03-07 Thread André Warnier

הילה wrote:

I'm using Microsoft SQL Server 2008, latest SP.
the use of domain user is used with the jtds package, which allows the
tomcat service to authenticate to the DB with the presence of native SSPI
DLL called ntlmauth.dll
However, it generated a memory leak in the server. So I'm looking for
alternatives.


So, the problem now, correctly stated, is :

- does there exist a Java driver for SQL Server 2008, which allows for NTLM authentication 
with SQL Server, and does not have a memory leak ?


(and I would think that Microsoft would be the place to look first)


But it is still a bad solution with respect to security, agreed ?

It would still be interesting to know in what exact terms you were given this 
task.
Did they tell you
- that the userid and password should in no circumstances be stored in clear in any file 
on the Tomcat server (even if this file cannot be accessed by anyone) ?
- or did they tell you : our security scanner found a file containing a user-id and 
password; this is not acceptable ?

- or some other formulation ?





Re: Tomcat NTLM Authentication

2011-03-07 Thread הילה
I'm using Microsoft SQL Server 2008, latest SP.
the use of domain user is used with the jtds package, which allows the
tomcat service to authenticate to the DB with the presence of native SSPI
DLL called ntlmauth.dll
However, it generated a memory leak in the server. So I'm looking for
alternatives.

Thanks
Hila

2011/3/7 Borut Hadžialić 

> Yes Andre you are right, I misunderstood the OP - Hila wants to access
> the database as a single domain user.
>
> How to implement this is probably database specific. For example
> Oracle jdbc driver requires you to either:
> A) be running the process which makes the database connections as the
> domain user which can access the database.
> B) somehow get an instance of javax.security.auth.Subject representing
> such a user, for example by using a Kerberos keytab file.
>
> There are code examples for A) (connectWithDefaultUser()) and B)
> (connectWithSpecificUser()) on the page I linked in the last mail.
>
> The problem after that is how to get connection pooling (you might
> need to implement your own).
>
> Hila, what database are you using?
>
>
> On Mon, Mar 7, 2011 at 11:59 AM, André Warnier  wrote:
> > Borut,
> >
> > thanks. I think that this is very helpful.
> > It does not do what the OP wanted to do, but it does what he /should/ be
> > doing (in my view).
> >
> > הילה,
> > if the users connect to Tomcat, and the connections to the database are
> all
> > done under the "Tomcat" user-id, then basically you are putting all the
> > users into one big pot, and the database does not know who is really
> > connecting to it.
> > That means that now any of the users can do in the database anything that
> > this "Tomcat" user-id can do, and you can never find out afterwards who
> did
> > it.
> > And because this "Tomcat" user needs to be able to do in the database
> > anything that any user could do, it needs to have very broad rights to
> the
> > database (the sum of all the users rights).
> > In the scheme below, that is not true : each user connects to the
> database
> > under his own user-id, so the database can decide who is allowed to do
> what,
> > and can also keep track of who did what.
> >
> >
> > Borut Hadžialić wrote:
> >>
> >> Hi Hila,
> >>
> >> I have a similar requirement in my current project. End users (using
> >> browsers and java desktop apps) which work on windows workstations
> >> which are in a domain, must be able to log in the application without
> >> needing to type in username and password (using their windows
> >> credentials). Additionally, the connection to the underlying database
> >> must also be done using those user credentials.
> >>
> >> My steps while implementing this were:
> >> 1. Implement authentication (browser->server, desktop app -> server)
> >> which uses kerberos
> >> 2. Enable credential delegation so your app server can impersonate
> >> client when connecting to the database
> >> 3. Connect to the database as the client from within app server
> >> code/process (this is database-specific)
> >>
> >> This is how I solved it:
> >> I use SPNEGO for browser/webapp scenario authentication. These
> >> materials helped me come up with a working server side SPNEGO
> >> implementation:
> >>
> >> This is what I ended up using for reading a SPNEGO token:
> >> http://blog.springsource.com/2009/09/28/spring-security-kerberos/
> >>
> >> Some general information about kerberos from msdn:
> >> http://msdn.microsoft.com/en-us/library/ms995329.aspx
> >> http://msdn.microsoft.com/en-us/library/ms995330.aspx
> >>
> >> Very nice articles about credentials delegation (you need that so your
> >> app server can impersonate clients when it connects to the database)
> >>
> >>
> http://s2.diffuse.it/blog/show/6602-SPNEGO_authentication_and_credential_delegation_with_Java
> >> http://spnego.sourceforge.net/credential_delegation.html
> >>
> >> I also had some java desktop apps which needed to authenticate in a
> >> similar way, which use Spring HttpInvoker as a remoting protocol, so I
> >> decided to make HttpInvoker pass some SPNEGO headers as well, and it
> >> seems to work:
> >> https://jira.springsource.org/browse/SES-11
> >>
> >>
> >> We use Oracle as the database and some materials that were helpful were
> >> these:
> >> Oracle Jdbc connection with kerberos
> >>
> >>
> http://download.oracle.com/docs/cd/E11882_01/java.112/e10589/clntsec.htm#insertedID7
> >>
> >>
> http://download.oracle.com/javase/6/docs/api/javax/security/auth/Subject.html
> >>
> >> Some general info on Oracle Advanced Security
> >>
> >>
> http://download-west.oracle.com/docs/cd/B14099_19/idmanage.1012/b14085/odip_actdir001.htm#CHDDFFGG
> >>
> >> If you also use Oracle I can send you a complete code example for this
> >> - I have the whole thing working for simple tests..I should have a
> >> more complete implementation in few weeks.
> >>
> >> Cheers.
> >>
> >> 2011/3/7 הילה :
> >>>
> >>> Hey,
> >>>
> >>> The tomcat is running on windows server 2008 R2 STD
> >>> I don't know if usin

Re: Tomcat NTLM Authentication

2011-03-07 Thread Borut Hadžialić
Yes, Andre, you are right, I misunderstood the OP - Hila wants to access
the database as a single domain user.

How to implement this is probably database specific. For example
Oracle jdbc driver requires you to either:
A) be running the process which makes the database connections as the
domain user which can access the database.
B) somehow get an instance of javax.security.auth.Subject representing
such a user, for example by using a Kerberos keytab file.

There are code examples for A) (connectWithDefaultUser()) and B)
(connectWithSpecificUser()) on the page I linked in the last mail.

The problem after that is how to get connection pooling (you might
need to implement your own).

Hila, what database are you using?


On Mon, Mar 7, 2011 at 11:59 AM, André Warnier  wrote:
> Borut,
>
> thanks. I think that this is very helpful.
> It does not do what the OP wanted to do, but it does what he /should/ be
> doing (in my view).
>
> הילה,
> if the users connect to Tomcat, and the connections to the database are all
> done under the "Tomcat" user-id, then basically you are putting all the
> users into one big pot, and the database does not know who is really
> connecting to it.
> That means that now any of the users can do in the database anything that
> this "Tomcat" user-id can do, and you can never find out afterwards who did
> it.
> And because this "Tomcat" user needs to be able to do in the database
> anything that any user could do, it needs to have very broad rights to the
> database (the sum of all the users rights).
> In the scheme below, that is not true : each user connects to the database
> under his own user-id, so the database can decide who is allowed to do what,
> and can also keep track of who did what.
>
>
> Borut Hadžialić wrote:
>>
>> Hi Hila,
>>
>> I have a similar requirement in my current project. End users (using
>> browsers and java desktop apps) which work on windows workstations
>> which are in a domain, must be able to log in the application without
>> needing to type in username and password (using their windows
>> credentials). Additionally, the connection to the underlying database
>> must also be done using those user credentials.
>>
>> My steps while implementing this were:
>> 1. Implement authentication (browser->server, desktop app -> server)
>> which uses kerberos
>> 2. Enable credential delegation so your app server can impersonate
>> client when connecting to the database
>> 3. Connect to the database as the client from within app server
>> code/process (this is database-specific)
>>
>> This is how I solved it:
>> I use SPNEGO for browser/webapp scenario authentication. These
>> materials helped me come up with a working server side SPNEGO
>> implementation:
>>
>> This is what I ended up using for reading a SPNEGO token:
>> http://blog.springsource.com/2009/09/28/spring-security-kerberos/
>>
>> Some general information about kerberos from msdn:
>> http://msdn.microsoft.com/en-us/library/ms995329.aspx
>> http://msdn.microsoft.com/en-us/library/ms995330.aspx
>>
>> Very nice articles about credentials delegation (you need that so your
>> app server can impersonate clients when it connects to the database)
>>
>> http://s2.diffuse.it/blog/show/6602-SPNEGO_authentication_and_credential_delegation_with_Java
>> http://spnego.sourceforge.net/credential_delegation.html
>>
>> I also had some java desktop apps which needed to authenticate in a
>> similar way, which use Spring HttpInvoker as a remoting protocol, so I
>> decided to make HttpInvoker pass some SPNEGO headers as well, and it
>> seems to work:
>> https://jira.springsource.org/browse/SES-11
>>
>>
>> We use Oracle as the database and some materials that were helpful were
>> these:
>> Oracle Jdbc connection with kerberos
>>
>> http://download.oracle.com/docs/cd/E11882_01/java.112/e10589/clntsec.htm#insertedID7
>>
>> http://download.oracle.com/javase/6/docs/api/javax/security/auth/Subject.html
>>
>> Some general info on Oracle Advanced Security
>>
>> http://download-west.oracle.com/docs/cd/B14099_19/idmanage.1012/b14085/odip_actdir001.htm#CHDDFFGG
>>
>> If you also use Oracle I can send you a complete code example for this
>> - I have the whole thing working for simple tests..I should have a
>> more complete implementation in few weeks.
>>
>> Cheers.
>>
>> 2011/3/7 הילה :
>>>
>>> Hey,
>>>
>>> The tomcat is running on windows server 2008 R2 STD
>>> I don't know if using windows authentication is less secure and affects
>>> all
>>> network's security, since this user have permissions only on the DB. you
>>> can't even perform login to servers with this user.
>>> anyway, I appreciate your comments and discussion of why it's less secure
>>> or
>>> not, but I need to perform this (task I've been given from guys in high
>>> above positions), so please help with what I'm trying to do :]
>>>
>>> If I can't use spnego and other stuff of the list i've found, what can I
>>> do?
>>>
>>> Thanks
>>> Hila
>>>
>>>
>>> 2011/3/6 André Warnier 
>>>
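The two mechanisms Borut describes above, his option B (a Subject built from a keytab) and step 2 (a per-user Subject built from a delegated SPNEGO credential), carried through in Java as an added example; this is not code from the thread or from any driver's documentation. It assumes a reachable KDC, a keytab for the service principal, and a Kerberos-capable JDBC driver whose URL and authentication properties are left as labelled placeholders because they differ per driver.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.sql.Connection;
import java.sql.DriverManager;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;

/**
 * Option B: one service identity from a keytab (nothing to store in context.xml).
 * Step 2:   a per-user Subject from the credential the browser delegated, so the
 *           database sees the real user instead of one shared "Tomcat" account.
 * Either Subject is handed to Subject.doAs so the JDBC driver picks up Kerberos
 * credentials from the Subject rather than a password.
 */
public final class KerberosJdbcExample {

    // Placeholder (assumption): real driver, host and Kerberos settings go here.
    static final String JDBC_URL = "jdbc:PLACEHOLDER://db.example.internal/app";

    /** Option B: keytab login through an in-memory JAAS configuration (no jaas.conf). */
    public static Subject loginFromKeytab(String principal, String keytabPath)
            throws LoginException {
        Map<String, String> opts = new HashMap<>();
        opts.put("useKeyTab", "true");
        opts.put("keyTab", keytabPath);
        opts.put("principal", principal);
        opts.put("storeKey", "true");    // keep the key so this Subject can also accept tokens
        opts.put("doNotPrompt", "true"); // never fall back to a password prompt
        opts.put("isInitiator", "true");
        Configuration cfg = new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        "com.sun.security.auth.module.Krb5LoginModule",
                        LoginModuleControlFlag.REQUIRED, opts) };
            }
        };
        LoginContext lc = new LoginContext("db-service", new Subject(), null, cfg);
        lc.login();
        return lc.getSubject();
    }

    /**
     * Step 2: accept the client's SPNEGO token (the base64-decoded value after
     * "Negotiate " in the Authorization header). If the client forwarded its
     * credentials, wrap the delegated credential in a Subject for that user.
     * Call this inside Subject.doAs(serviceSubject, ...) so the acceptor can
     * find the service key obtained by loginFromKeytab().
     */
    public static Subject acceptDelegated(byte[] spnegoToken) throws GSSException {
        GSSContext ctx = GSSManager.getInstance().createContext((GSSCredential) null);
        byte[] reply = ctx.acceptSecContext(spnegoToken, 0, spnegoToken.length);
        if (!ctx.isEstablished()) {
            throw new GSSException(GSSException.DEFECTIVE_TOKEN); // one round trip only here
        }
        // 'reply', when non-null, is returned to the browser in WWW-Authenticate: Negotiate.
        if (!ctx.getCredDelegState()) {
            // Not trusted for delegation, or the client refused: fail closed rather than
            // silently falling back to a shared database account.
            throw new GSSException(GSSException.NO_CRED);
        }
        Subject user = new Subject();
        user.getPrincipals().add(new KerberosPrincipal(ctx.getSrcName().toString()));
        user.getPrivateCredentials().add(ctx.getDelegCred());
        return user;
    }

    /** Open the connection as the identity carried by 'who'; no password is involved. */
    public static Connection connectAs(Subject who) throws Exception {
        Properties props = new Properties();
        // Assumption: the driver's Kerberos/GSSAPI switch is set here (name is driver-specific).
        try { // On JDK 18+ Subject.callAs is the non-deprecated equivalent of doAs.
            return Subject.doAs(who, (PrivilegedExceptionAction<Connection>)
                    () -> DriverManager.getConnection(JDBC_URL, props));
        } catch (PrivilegedActionException e) {
            throw (Exception) e.getCause();
        }
    }

    public static void main(String[] args) throws Exception {
        Subject service = loginFromKeytab("HTTP/tomcat.example.internal@EXAMPLE.INTERNAL",
                "/etc/tomcat/tomcat.keytab"); // constructed names, not from the thread
        byte[] token = new byte[0];          // constructed stand-in for a real browser token
        Subject user = Subject.doAs(service,
                (PrivilegedExceptionAction<Subject>) () -> acceptDelegated(token));
        try (Connection c = connectAs(user)) {
            System.out.println("connected as " + user.getPrincipals());
        }
    }
}
```

With the delegated Subject the database can apply its own per-user rights and audit "who did what", which is exactly what the single shared "Tomcat" account in André's reply cannot give.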

Re: Tomcat NTLM Authentication

2011-03-07 Thread André Warnier

Borut,

thanks. I think that this is very helpful.
It does not do what the OP wanted to do, but it does what he /should/ be doing 
(in my view).

הילה,
if the users connect to Tomcat, and the connections to the database are all done under the 
"Tomcat" user-id, then basically you are putting all the users into one big pot, and the 
database does not know who is really connecting to it.
That means that now any of the users can do in the database anything that this "Tomcat" 
user-id can do, and you can never find out afterwards who did it.
And because this "Tomcat" user needs to be able to do in the database anything that any 
user could do, it needs to have very broad rights to the database (the sum of all the 
users rights).
In the scheme below, that is not true : each user connects to the database under his own 
user-id, so the database can decide who is allowed to do what, and can also keep track of 
who did what.



Borut Hadžialić wrote:
> Hi Hila,
> 
> I have a similar requirement in my current project. End users (using
> browsers and java desktop apps) which work on windows workstations
> which are in a domain, must be able to log in the application without
> needing to type in username and password (using their windows
> credentials). Additionally, the connection to the underlying database
> must also be done using those user credentials.
> 
> My steps while implementing this were:
> 1. Implement authentication (browser->server, desktop app -> server)
> which uses kerberos
> 2. Enable credential delegation so your app server can impersonate
> client when connecting to the database
> 3. Connect to the database as the client from within app server
> code/process (this is database-specific)
> 
> This is how I solved it:
> I use SPNEGO for browser/webapp scenario authentication. These
> materials helped me come up with a working server side SPNEGO
> implementation:
> 
> This is what I ended up using for reading a SPNEGO token:
> http://blog.springsource.com/2009/09/28/spring-security-kerberos/
> 
> Some general information about kerberos from msdn:
> http://msdn.microsoft.com/en-us/library/ms995329.aspx
> http://msdn.microsoft.com/en-us/library/ms995330.aspx
> 
> Very nice articles about credentials delegation (you need that so your
> app server can impersonate clients when it connects to the database)
> http://s2.diffuse.it/blog/show/6602-SPNEGO_authentication_and_credential_delegation_with_Java
> http://spnego.sourceforge.net/credential_delegation.html
> 
> I also had some java desktop apps which needed to authenticate in a
> similar way, which use Spring HttpInvoker as a remoting protocol, so I
> decided to make HttpInvoker pass some SPNEGO headers as well, and it
> seems to work:
> https://jira.springsource.org/browse/SES-11
> 
> 
> We use Oracle as the database and some materials that were helpful were these:
> Oracle Jdbc connection with kerberos
> http://download.oracle.com/docs/cd/E11882_01/java.112/e10589/clntsec.htm#insertedID7
> http://download.oracle.com/javase/6/docs/api/javax/security/auth/Subject.html
> 
> Some general info on Oracle Advanced Security
> http://download-west.oracle.com/docs/cd/B14099_19/idmanage.1012/b14085/odip_actdir001.htm#CHDDFFGG
> 
> If you also use Oracle I can send you a complete code example for this
> - I have the whole thing working for simple tests..I should have a
> more complete implementation in few weeks.
> 
> Cheers.

Re: Tomcat NTLM Authentication

2011-03-07 Thread Borut Hadžialić
One of the links I sent you was broken, the right link is:

Oracle Jdbc connection with kerberos
http://download.oracle.com/docs/cd/B28359_01/java.111/b31224/clntsec.htm#CIHCIDHF

Or just google for 'oracle jdbc kerberos' if they move the content again.


Re: Tomcat NTLM Authentication

2011-03-07 Thread Borut Hadžialić
Hi Hila,

I have a similar requirement in my current project. End users (using
browsers and java desktop apps) which work on windows workstations
which are in a domain, must be able to log in the application without
needing to type in username and password (using their windows
credentials). Additionally, the connection to the underlying database
must also be done using those user credentials.

My steps while implementing this were:
1. Implement authentication (browser->server, desktop app -> server)
which uses kerberos
2. Enable credential delegation so your app server can impersonate
client when connecting to the database
3. Connect to the database as the client from within app server
code/process (this is database-specific)

This is how I solved it:
I use SPNEGO for browser/webapp scenario authentication. These
materials helped me come up with a working server side SPNEGO
implementation:

This is what I ended up using for reading a SPNEGO token:
http://blog.springsource.com/2009/09/28/spring-security-kerberos/

Some general information about kerberos from msdn:
http://msdn.microsoft.com/en-us/library/ms995329.aspx
http://msdn.microsoft.com/en-us/library/ms995330.aspx

Very nice articles about credentials delegation (you need that so your
app server can impersonate clients when it connects to the database)
http://s2.diffuse.it/blog/show/6602-SPNEGO_authentication_and_credential_delegation_with_Java
http://spnego.sourceforge.net/credential_delegation.html

I also had some java desktop apps which needed to authenticate in a
similar way, which use Spring HttpInvoker as a remoting protocol, so I
decided to make HttpInvoker pass some SPNEGO headers as well, and it
seems to work:
https://jira.springsource.org/browse/SES-11


We use Oracle as the database and some materials that were helpful were these:
Oracle Jdbc connection with kerberos
http://download.oracle.com/docs/cd/E11882_01/java.112/e10589/clntsec.htm#insertedID7
http://download.oracle.com/javase/6/docs/api/javax/security/auth/Subject.html

Some general info on Oracle Advanced Security
http://download-west.oracle.com/docs/cd/B14099_19/idmanage.1012/b14085/odip_actdir001.htm#CHDDFFGG

If you also use Oracle I can send you a complete code example for this
- I have the whole thing working for simple tests..I should have a
more complete implementation in few weeks.

Cheers.

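As an added example, not code from Borut's project or from anywhere on this page, the three steps above written against the JDK's own JGSS/JAAS API; it also makes the point of André's 2011-03-07 reply concrete, since the database then sees each end user instead of one shared "Tomcat" user-id. Assumed: a JAAS login configuration entry named `TomcatService` (hypothetical) that logs the HTTP service principal in from a keytab, and a JDBC driver that takes its Kerberos identity from the Subject the connection is opened under, as Oracle's driver does in the Kerberos documentation Borut linked; the two `oracle.net.*` property names are taken from that documentation and should be checked against the driver version in use.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.sql.Connection;
import java.sql.DriverManager;
import java.util.Base64;
import java.util.Properties;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

/**
 * Added example (not Borut's code): step 1 accepts the browser's SPNEGO token,
 * step 2 checks that the client really delegated its Kerberos credential,
 * step 3 opens the JDBC connection as that user rather than as a shared account.
 */
public class SpnegoDelegatedDb {

    private static final String SPNEGO_OID = "1.3.6.1.5.5.2";

    /** Outcome of a successful Negotiate exchange. */
    public static final class Negotiated {
        public final GSSContext context;
        public final String clientName;
        public final byte[] mutualAuthToken; // goes back as "WWW-Authenticate: Negotiate <b64>"; may be null

        Negotiated(GSSContext context, String clientName, byte[] mutualAuthToken) {
            this.context = context;
            this.clientName = clientName;
            this.mutualAuthToken = mutualAuthToken;
        }
    }

    /**
     * Step 1, service side: log the HTTP service principal in from its keytab.
     * "TomcatService" is a hypothetical entry name in the JAAS login configuration
     * (Krb5LoginModule with useKeyTab=true, storeKey=true, isInitiator=false).
     */
    public static Subject loginService() throws LoginException {
        LoginContext lc = new LoginContext("TomcatService");
        lc.login();
        return lc.getSubject();
    }

    /**
     * Step 1, token side: accept the value of an "Authorization: Negotiate <b64>" header.
     * Only the single round trip Kerberos needs is handled here; NTLM carried inside
     * SPNEGO needs further round trips with the context kept in the HTTP session.
     */
    public static Negotiated acceptNegotiate(Subject service, String authorizationHeader)
            throws GSSException, PrivilegedActionException {
        if (authorizationHeader == null || !authorizationHeader.startsWith("Negotiate ")) {
            throw new GSSException(GSSException.DEFECTIVE_TOKEN); // caller answers 401 + WWW-Authenticate: Negotiate
        }
        byte[] token = Base64.getDecoder().decode(authorizationHeader.substring("Negotiate ".length()).trim());
        return Subject.doAs(service, (PrivilegedExceptionAction<Negotiated>) () -> {
            GSSManager mgr = GSSManager.getInstance();
            GSSCredential serverCred = mgr.createCredential(null, GSSCredential.INDEFINITE_LIFETIME,
                    new Oid(SPNEGO_OID), GSSCredential.ACCEPT_ONLY);
            GSSContext ctx = mgr.createContext(serverCred);
            byte[] reply = ctx.acceptSecContext(token, 0, token.length);
            if (!ctx.isEstablished()) {
                ctx.dispose();
                throw new GSSException(GSSException.FAILURE); // never fall back to a shared DB account
            }
            return new Negotiated(ctx, ctx.getSrcName().toString(), reply);
        });
    }

    /**
     * Steps 2 and 3: require a delegated credential (the AD "trust for delegation"
     * setting on the service account plus a forwardable client TGT), then connect
     * under a Subject carrying that credential. Assumption: the driver reads its
     * Kerberos identity from that Subject, as Oracle's does in the docs Borut linked.
     */
    public static Connection connectAsClient(Negotiated auth, String jdbcUrl)
            throws GSSException, PrivilegedActionException {
        if (!auth.context.getCredDelegState()) {
            throw new GSSException(GSSException.NO_CRED); // client did not delegate: refuse, do not impersonate
        }
        Subject user = new Subject();
        user.getPrivateCredentials().add(auth.context.getDelegCred());
        return Subject.doAs(user, (PrivilegedExceptionAction<Connection>) () -> {
            Properties props = new Properties();
            // property names from Oracle's JDBC Kerberos documentation; verify for the driver version in use
            props.setProperty("oracle.net.authentication_services", "(KERBEROS5)");
            props.setProperty("oracle.net.kerberos5_mutual_authentication", "true");
            return DriverManager.getConnection(jdbcUrl, props);
        });
    }
}
```

A servlet filter would call `acceptNegotiate` on each request's `Authorization` header, answer 401 with `WWW-Authenticate: Negotiate` when it fails, and hand the `Negotiated` object to `connectAsClient` for the request's database work. Connections opened this way carry one user's identity, so they cannot come out of a single shared pool; the trade-off for the per-user audit trail André describes is a connection per user (or per request), which is worth deciding before building on this.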

Re: Tomcat NTLM Authentication

2011-03-06 Thread הילה
Hey,

The tomcat is running on windows server 2008 R2 STD
I don't know if using windows authentication is less secure and affects all
network's security, since this user has permissions only on the DB. You
can't even perform login to servers with this user.
Anyway, I appreciate your comments and discussion of why it's less secure or
not, but I need to perform this (task I've been given from guys in high
above positions), so please help with what I'm trying to do :]

If I can't use spnego and other stuff of the list I've found, what can I do?

Thanks
Hila



Re: Tomcat NTLM Authentication

2011-03-06 Thread André Warnier

 wrote:
> Hey,
> 
> I want to change the way that tomcat authenticates to the DB of our
> application, from SQL authentication to Windows authentication.
> We use Tomcat 6.0.29, and the user and password to connect to the DB are
> specified in clear text in the xml configuration file under the folder
> conf/catalina/localhost.
> My goal is to remove the user and password from the xml file, and let
> the tomcat windows service run with a domain user that has permissions to
> the DB.
> 
> When I searched for a solution for what I'm trying to do, I got to this
> page:
> http://wiki.apache.org/tomcat/FAQ/Windows#Q4
> 
> Which suggests these methods:
> -Waffle/JNA
> -Tomcat SPNEGO
> -SPNEGO SF
> -Jespa (commercial)
> -Tomcat IIS Connector
> -Samba JCIFs (obsolete, no NTLMv2)
> 
> Is one of these methods suited for what I'm trying to do?
> When reading about Tomcat SPNEGO, it says that users working on a windows
> client OS and IE or Firefox can be silently authenticated (SSO) to a Tomcat
> running on a windows server via NTLM or kerberos. It doesn't seem to be what
> I aim for, since tomcat users do not interest me, only the tomcat windows
> service and how it connects to the DB.


Exactly. Now you have the issue correctly framed.
And you are right above : all these methods indeed identify/authenticate the client of the 
Tomcat application to Tomcat, not Tomcat itself to something else. (**)


The one thing missing in your description above, is that your Tomcat server is running on 
a Windows machine.
And also that your back-end database system is able itself to perform user authentication 
either in clear-text (user-id + password), or via Windows NTLM authentication.


(And, if the back-end database server is set to do NTLM authentication, then it can only 
do so for Domain user-id's; NTLM authentication will not work with a "server-local" user-id).



So now you have to make one additional effort of thinking rationally, and answer the 
following fundamental question : why ?


I mean, what exactly is the problem with having a user-id and a password for the database, 
in clear in a Tomcat configuration file ?  Are there users that can connect to the Tomcat 
server, and read those configuration files, and which should not be able to do so ?


And if that is the case, can you not do something like :

a) either block these users from accessing the Tomcat server (the best solution)
OR
b)
- start Tomcat under some Windows user-id (with password)
- set the permissions of the Tomcat configuration files, so that *only* this user-id can 
read them ?



Various people have previously tried to point out different aspects which remain true, 
among which :
1) encrypting something is often a chicken-and-egg kind of problem : if you encrypt 
something, then you need to decrypt it somewhere else; and the key to decrypt it has to be 
stored somewhere also. And so on..
2) in terms of security, it is much better to run Tomcat under a "server local" user-id 
than as a Domain user-id.  That is because the local user-id only gives access to the 
local machine, while a domain user-id gives access to the whole domain.

By running Tomcat as a domain user, you decrease the security of the whole 
network.
3) security is always a matter of multiple layers of defense.  In this case, your first 
line is to prevent unauthorised people to access the Tomcat configuration files.
Because if they can do that, then they can break through any other security that you would 
put in place.  Think about it : no matter how, Tomcat needs access to the DB. If Tomcat 
has access to the DB, then any user who can control Tomcat can access the DB. (*)
4) your second line of defense, would be that the DB server only accepts connections from 
Tomcat.  This way, if someone can get hold of the user-id of Tomcat, at least they cannot 
use it to access the DB directly.



(*) Suppose Tomcat runs under domain user-id XYZ, with a very secret password.
If I can get access to the Tomcat configuration files, then I can also install any Tomcat 
application somewhere, and make Tomcat run it.
And this application will run under the Tomcat user-id, even if I do not know what this 
user-id is.  So this application could for example dump the whole database in some network 
directory of my choice (and then, if I am really a bad guy, delete the database too).



(**) unless you want real security of access to the DB, and have the Tomcat application 
make its own connection to the DB, and authenticate to the DB as the final user of the 
application.






Tomcat NTLM Authentication

2011-03-06 Thread הילה
Hey,

I want to change the way that tomcat authenticates to the DB of our
application, from SQL authentication to Windows authentication.
We use Tomcat 6.0.29, and the user and password to connect to the DB are
specified in clear text in the xml configuration file under the folder
conf/catalina/localhost.
My goal is to remove the user and password from the xml file, and let
the tomcat windows service run with a domain user that has permissions to
the DB.

When I searched for a solution for what I'm trying to do, I got to this
page:
http://wiki.apache.org/tomcat/FAQ/Windows#Q4

Which suggests these methods:
-Waffle/JNA
-Tomcat SPNEGO
-SPNEGO SF
-Jespa (commercial)
-Tomcat IIS Connector
-Samba JCIFs (obsolete, no NTLMv2)

Is one of these methods suited for what I'm trying to do?
When reading about Tomcat SPNEGO, it says that users working on a windows
client OS and IE or Firefox can be silently authenticated (SSO) to a Tomcat
running on a windows server via NTLM or kerberos. It doesn't seem to be what
I aim for, since tomcat users do not interest me, only the tomcat windows
service and how it connects to the DB.

Your help would be appreciated :]

Thanks
Hila
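An added example, not Hila's or the project's code, of the check André's 2011-03-06 reply asks for before anything else: which context files under conf/Catalina/localhost still carry a cleartext DB password, and whether anyone besides the Tomcat service account (plus SYSTEM and Administrators) can read them, using the JDK's NIO ACL view on NTFS. Assumed: the DataSource is declared as a `<Resource>` element with `username`/`password` attributes, and the path and principal names in `main` (`TOMCATHOST\tomcatsvc` and so on) are placeholders for the installation's own.

```java
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.AclEntry;
import java.nio.file.attribute.AclEntryPermission;
import java.nio.file.attribute.AclEntryType;
import java.nio.file.attribute.AclFileAttributeView;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Added example: audit Tomcat context files for cleartext DB passwords and over-broad read ACLs. */
public class ContextXmlAudit {

    /** One context file: which Resource elements embed a password, and who else can read the file. */
    public static List<String> audit(Path contextXml, Set<String> allowedReaders) throws Exception {
        List<String> findings = new ArrayList<>();
        String name = contextXml.getFileName().toString();

        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD/XXE while auditing
        NodeList resources = f.newDocumentBuilder().parse(contextXml.toFile()).getElementsByTagName("Resource");
        for (int i = 0; i < resources.getLength(); i++) {
            Element r = (Element) resources.item(i);
            if (!r.getAttribute("password").isEmpty()) {
                findings.add(name + ": Resource \"" + r.getAttribute("name")
                        + "\" stores a cleartext password for user \"" + r.getAttribute("username") + "\"");
            }
        }

        // On NTFS the view is present; elsewhere it is null and the reader check cannot be made.
        AclFileAttributeView acl = Files.getFileAttributeView(contextXml, AclFileAttributeView.class);
        if (acl == null) {
            findings.add(name + ": file system exposes no ACL (not NTFS?), readers cannot be verified");
            return findings;
        }
        for (AclEntry e : acl.getAcl()) {
            boolean grantsRead = e.type() == AclEntryType.ALLOW
                    && e.permissions().contains(AclEntryPermission.READ_DATA);
            if (grantsRead && !allowedReaders.contains(e.principal().getName())) {
                findings.add(name + ": readable by " + e.principal().getName() + " (not in the allowed set)");
            }
        }
        return findings;
    }

    /** Every *.xml file in conf/Catalina/localhost. */
    public static List<String> auditDirectory(Path localhostDir, Set<String> allowedReaders) throws Exception {
        List<String> all = new ArrayList<>();
        try (DirectoryStream<Path> files = Files.newDirectoryStream(localhostDir, "*.xml")) {
            for (Path p : files) {
                all.addAll(audit(p, allowedReaders));
            }
        }
        return all;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder path and principals (hypothetical); substitute the real CATALINA_BASE and service account.
        Path dir = Paths.get(args.length > 0 ? args[0] : "C:\\tomcat\\conf\\Catalina\\localhost");
        Set<String> allowed = new HashSet<>(Arrays.asList(
                "NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators", "TOMCATHOST\\tomcatsvc"));
        List<String> findings = auditDirectory(dir, allowed);
        if (findings.isEmpty()) {
            System.out.println("OK: no cleartext passwords, no readers outside the allowed set");
        }
        for (String finding : findings) {
            System.out.println(finding);
        }
    }
}
```

On a default Windows install the inherited `BUILTIN\Users` read entry is what this flags; the fix is to break inheritance on the directory and grant read to the service account alone. Running the audit once more under the service account itself confirms that account can still open the files after the change.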


Re: Tomcat NTLM authentication

2010-05-20 Thread Mark Thomas
On 20/05/2010 15:11, dB. wrote:
> You have my explicit +1 to take this code and use/include it in Tomcat.

Cheers. Looking at this is on my todo list. There is also another
enhancement in BZ that covers SPNEGO. I'm not sure either solution is
exactly what I am looking for since my (maybe impossible) ideal is to do
this with not much more than a couple of Java classes. I'll see how
feasible that is when I get around to looking at this. I suspect I'll
end up borrowing heavily from both proposals.

If it does end up that the only solution is one that requires a handful
of extra JARs then it will probably become a Tomcat module.

Thanks again,

Mark


RE: Tomcat NTLM authentication

2010-05-20 Thread dB .
You have my explicit +1 to take this code and use/include it in Tomcat. 

dB. @ dblock.org 
Moscow|Geneva|Seattle|New York



-Original Message-
From: Mark Thomas [mailto:ma...@apache.org] 
Sent: Thursday, May 20, 2010 9:29 AM
To: Tomcat Users List
Subject: Re: Tomcat NTLM authentication

On 20/05/2010 13:48, dB. wrote:
> Eclipse Public License
> http://waffle.codeplex.com/license
> 
> I am happy to attach another license to this if there're any real issues with 
> it.

There are. Sort of. The ASF can't include source code that is EPL
licensed in Apache products.

However, the bugzilla issue:
https://issues.apache.org/bugzilla/show_bug.cgi?id=49318

when read with the terms of creating a bugzilla account:
https://issues.apache.org/bugzilla/createaccount.cgi

and section 5 of the Apache License:
http://www.apache.org/licenses/LICENSE-2.0.html

is legally sufficient for us to include this code in Tomcat.

Despite that, we (the ASF) would rather an explicit "Yes we're fine with
you doing that" rather than relying on the legalese since we don't want
to do something you don't like, even if legally we could.

If you are happy for this to be included then a "+1" here is all that is
required.

Mark


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Tomcat NTLM authentication

2010-05-20 Thread Mark Thomas
On 20/05/2010 13:48, dB. wrote:
> Eclipse Public License
> http://waffle.codeplex.com/license
> 
> I am happy to attach another license to this if there're any real issues with 
> it.

There are. Sort of. The ASF can't include source code that is EPL
licensed in Apache products.

However, the bugzilla issue:
https://issues.apache.org/bugzilla/show_bug.cgi?id=49318

when read with the terms of creating a bugzilla account:
https://issues.apache.org/bugzilla/createaccount.cgi

and section 5 of the Apache License:
http://www.apache.org/licenses/LICENSE-2.0.html

is legally sufficient for us to include this code in Tomcat.

Despite that, we (the ASF) would rather an explicit "Yes we're fine with
you doing that" rather than relying on the legalese since we don't want
to do something you don't like, even if legally we could.

If you are happy for this to be included then a "+1" here is all that is
required.

Mark





RE: Tomcat NTLM authentication

2010-05-20 Thread dB .
Eclipse Public License
http://waffle.codeplex.com/license

I am happy to attach another license to this if there're any real issues with 
it.

dB. @ dblock.org 
Moscow|Geneva|Seattle|New York



-Original Message-
From: Jason Pyeron [mailto:jpye...@pdinc.us] 
Sent: Thursday, May 20, 2010 8:50 AM
To: 'Tomcat Users List'
Subject: RE: Tomcat NTLM authentication

> -Original Message-
> From: dB. 
> Sent: Thursday, May 20, 2010 8:42
> Subject: Tomcat NTLM authentication
> 
> Forgive me for shameless advertising. This should be useful 
> to lots of people.
> 
> We've published a free Tomcat 6 Negotiate authenticator based 

Apache License?


> on JNA  that supports the Negotiate protocol, including 
> Kerberos and the much requested NTLM. This is equivalent to 
> checking the Integrated Authentication box in IIS, enabling 
> single sign-on for windows servers that are both joined or 
> not to an Active Directory domain. The authenticator is part 
> of project Waffle.
> 
> Tutorial: http://code.dblock.org/ShowPost.aspx?id=103
> Download Waffle: http://waffle.codeplex.com/
> 
> Hope this helps, your feedback is much appreciated,
> 
> -dB.
> dB. @ dblock.org<http://www.dblock.org/>
> Moscow|Geneva|Seattle|New York
> 
> 
> 

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-   -
- Jason Pyeron  PD Inc. http://www.pdinc.us -
- Principal Consultant  10 West 24th Street #100-
- +1 (443) 269-1555 x333Baltimore, Maryland 21218   -
-   -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.


RE: Tomcat NTLM authentication

2010-05-20 Thread Jason Pyeron
> -Original Message-
> From: dB. 
> Sent: Thursday, May 20, 2010 8:42
> Subject: Tomcat NTLM authentication
> 
> Forgive me for shameless advertising. This should be useful 
> to lots of people.
> 
> We've published a free Tomcat 6 Negotiate authenticator based 

Apache License?


> on JNA  that supports the Negotiate protocol, including 
> Kerberos and the much requested NTLM. This is equivalent to 
> checking the Integrated Authentication box in IIS, enabling 
> single sign-on for windows servers that are both joined or 
> not to an Active Directory domain. The authenticator is part 
> of project Waffle.
> 
> Tutorial: http://code.dblock.org/ShowPost.aspx?id=103
> Download Waffle: http://waffle.codeplex.com/
> 
> Hope this helps, your feedback is much appreciated,
> 
> -dB.
> dB. @ dblock.org<http://www.dblock.org/>
> Moscow|Geneva|Seattle|New York
> 
> 
> 

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-   -
- Jason Pyeron  PD Inc. http://www.pdinc.us -
- Principal Consultant  10 West 24th Street #100-
- +1 (443) 269-1555 x333Baltimore, Maryland 21218   -
-   -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.


Tomcat NTLM authentication

2010-05-20 Thread dB .
Forgive me for shameless advertising. This should be useful to lots of people.

We've published a free Tomcat 6 Negotiate authenticator based on JNA that 
supports the Negotiate protocol, including Kerberos and the much requested 
NTLM. This is equivalent to checking the Integrated Authentication box in IIS, 
enabling single sign-on for windows servers that are both joined or not to an 
Active Directory domain. The authenticator is part of project Waffle.

Tutorial: http://code.dblock.org/ShowPost.aspx?id=103
Download Waffle: http://waffle.codeplex.com/

Hope this helps, your feedback is much appreciated,

-dB.
dB. @ dblock.org
Moscow|Geneva|Seattle|New York
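An added example, not from dB.'s post nor from Waffle: the announcement covers both Kerberos and NTLM under Negotiate, and an operator usually wants to know which of the two a request actually used, since a client that could not get a Kerberos ticket quietly falls back to NTLM, the weaker mechanism and the one exposed to relay. The class below decodes the token from an Authorization header: a SPNEGO NegTokenInit is walked down to its mechTypes list (the first OID is the one whose token the client sent), and a raw NTLMSSP message is recognised by its signature. The OIDs are the standard GSS-API values; the headers built in main() are constructed samples, not captured traffic, and the Kerberos mechToken in the first one is a placeholder string rather than a real AP-REQ.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;

/** Tells Kerberos from NTLM in an HTTP "Authorization: Negotiate ..." (or "NTLM ...") header. */
public class NegotiateTokenInspector {
    static final String OID_SPNEGO = "1.3.6.1.5.5.2", OID_KRB5 = "1.2.840.113554.1.2.2",
            OID_MS_KRB5 = "1.2.840.48018.1.2.2", OID_NTLMSSP = "1.3.6.1.4.1.311.2.2.10";
    static final byte[] NTLM_SIG = "NTLMSSP\0".getBytes(StandardCharsets.US_ASCII);

    /** Reads the DER header at pos; returns {tag, start of value, end of value}. */
    static int[] tlv(byte[] buf, int pos) {
        int tag = buf[pos] & 0xFF, len = buf[pos + 1] & 0xFF;
        pos += 2;
        if ((len & 0x80) != 0) {                          // long-form length; real Kerberos tokens need it
            int n = len & 0x7F;
            for (len = 0; n > 0; n--) len = (len << 8) | (buf[pos++] & 0xFF);
        }
        return new int[] {tag, pos, pos + len};
    }
    /** DER OID contents at b[s..e) to dotted form, e.g. 2b0601050502 -> 1.3.6.1.5.5.2 */
    static String decodeOid(byte[] b, int s, int e) {
        StringBuilder sb = new StringBuilder().append((b[s] & 0xFF) / 40).append('.').append((b[s] & 0xFF) % 40);
        long acc = 0;
        for (int i = s + 1; i < e; i++) {
            acc = (acc << 7) | (b[i] & 0x7F);
            if ((b[i] & 0x80) == 0) { sb.append('.').append(acc); acc = 0; }
        }
        return sb.toString();
    }
    /** mechTypes of a SPNEGO NegTokenInit, in the client's order of preference. */
    static List<String> spnegoMechTypes(byte[] t) {
        int[] outer = tlv(t, 0);                                  // [APPLICATION 0] InitialContextToken
        if (outer[0] != 0x60) throw new IllegalArgumentException("not a GSS-API token");
        int[] oid = tlv(t, outer[1]);
        if (oid[0] != 0x06 || !OID_SPNEGO.equals(decodeOid(t, oid[1], oid[2])))
            throw new IllegalArgumentException("not SPNEGO");
        int[] seq = tlv(t, tlv(t, oid[2])[1]);                    // [0] NegTokenInit, then its SEQUENCE
        List<String> mechs = new ArrayList<>();
        for (int pos = seq[1]; pos < seq[2]; ) {
            int[] field = tlv(t, pos);
            pos = field[2];
            if (field[0] != 0xA0) continue;                        // only [0] mechTypes is of interest
            int[] list = tlv(t, field[1]);                         // SEQUENCE OF OID
            for (int p = list[1]; p < list[2]; ) {
                int[] o = tlv(t, p);
                mechs.add(decodeOid(t, o[1], o[2]));
                p = o[2];
            }
        }
        return mechs;
    }
    /** Which mechanism an Authorization header value is really carrying. */
    static String classify(String authorization) {
        byte[] token = Base64.getDecoder().decode(authorization.substring(authorization.indexOf(' ') + 1));
        if (token.length >= 12 && Arrays.equals(Arrays.copyOf(token, 8), NTLM_SIG))
            return "raw NTLM message type " + (token[8] & 0xFF);   // 1 = NEGOTIATE, 3 = AUTHENTICATE
        List<String> mechs = spnegoMechTypes(token);
        String first = mechs.isEmpty() ? "" : mechs.get(0);       // the mechToken belongs to the first one
        if (OID_KRB5.equals(first) || OID_MS_KRB5.equals(first)) return "Kerberos via SPNEGO";
        if (OID_NTLMSSP.equals(first)) return "NTLM via SPNEGO (client obtained no ticket)";
        return "unknown mechanism " + first;
    }

    // ---- constructed sample tokens for main(); not captured traffic ----
    static byte[] hex(String h) {
        byte[] b = new byte[h.length() / 2];
        for (int i = 0; i < b.length; i++) b[i] = (byte) Integer.parseInt(h.substring(2 * i, 2 * i + 2), 16);
        return b;
    }
    static byte[] der(int tag, byte[]... parts) {
        ByteArrayOutputStream body = new ByteArrayOutputStream(), out = new ByteArrayOutputStream();
        for (byte[] p : parts) body.write(p, 0, p.length);
        int n = body.size();
        out.write(tag);
        if (n < 0x80) out.write(n); else { out.write(0x82); out.write(n >> 8); out.write(n & 0xFF); }
        out.write(body.toByteArray(), 0, n);
        return out.toByteArray();
    }
    static byte[] sampleSpnego(byte[] mechToken, byte[]... mechOidBytes) {
        byte[][] oids = new byte[mechOidBytes.length][];
        for (int i = 0; i < oids.length; i++) oids[i] = der(0x06, mechOidBytes[i]);
        return der(0x60, der(0x06, hex("2b0601050502")),
                der(0xA0, der(0x30, der(0xA0, der(0x30, oids)), der(0xA2, der(0x04, mechToken)))));
    }

    public static void main(String[] args) {
        Base64.Encoder b64 = Base64.getEncoder();
        byte[] msKrb5 = hex("2a864882f712010202"), krb5 = hex("2a864886f712010202"), ntlmssp = hex("2b06010401823702020a");
        byte[] ntlmType1 = hex("4e544c4d53535000" + "01000000" + "07820862" + "00000000000000000000000000000000");
        String[] samples = {
            "Negotiate " + b64.encodeToString(sampleSpnego("AP-REQ-placeholder".getBytes(StandardCharsets.US_ASCII), msKrb5, krb5, ntlmssp)),
            "Negotiate " + b64.encodeToString(sampleSpnego(ntlmType1, ntlmssp)),   // no ticket: NTLM inside SPNEGO
            "NTLM " + b64.encodeToString(ntlmType1)};                             // plain NTLM scheme, no wrapper
        for (String s : samples) System.out.println(classify(s));
    }
}
```

Running it prints one line per sample: "Kerberos via SPNEGO", "NTLM via SPNEGO (client obtained no ticket)" and "raw NTLM message type 1". Logging this result per request, or exposing it as a request attribute, is a cheap way to find out how much of the single sign-on traffic is really NTLM rather than Kerberos.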




FW: Tomcat NTLM authentication

2005-12-21 Thread Camil Bojneag
In my previous email I missed the HTTP 401 error, but the question still
stands.

Any idea?  Thanks in advance.



From: Camil Bojneag 
Sent: Wednesday, December 21, 2005 12:24 PM
To: 'users@tomcat.apache.org'
Subject: Tomcat NTLM authentication

Hello Everybody,

I have implemented the Samba solution to authenticate MSIE clients
against a windows domain controller and, if the credentials are correct,
then they are authenticated and the user is authorized to see a
particular page.

So everything is good.

Now, if I insert wrong credentials then a blank/white page is returned
to my browser.

I would like to add an error message to this page so the user will be
notified that his credentials have not been accepted.

I have added the following <error-page> tags in my conf/web.xml file
with no results.

<error-page>
    <error-code>404</error-code>
    <location>/404.jsp</location>
</error-page>

<error-page>
    <error-code>401</error-code>
    <location>/401.jsp</location>
</error-page>

<error-page>
    <error-code>500</error-code>
    <location>/500.jsp</location>
</error-page>

<error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/all_errors.jsp</location>
</error-page>

Is there any way to get a solution to this problem?   I appreciate your
feedback.

Thank you,

-Camil


Tomcat NTLM authentication

2005-12-21 Thread Camil Bojneag
Hello Everybody,

I have implemented the Samba solution to authenticate MSIE clients
against a windows domain controller and, if the credentials are correct,
then they are authenticated and the user is authorized to see a
particular page.

So everything is good.

Now, if I insert wrong credentials then a blank/white page is returned
to my browser.

I would like to add an error message to this page so the user will be
notified that his credentials have not been accepted.

I have added the following <error-page> tags in my conf/web.xml file
with no results.

<error-page>
    <error-code>404</error-code>
    <location>/404.jsp</location>
</error-page>

<error-page>
    <error-code>500</error-code>
    <location>/500.jsp</location>
</error-page>

<error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/all_errors.jsp</location>
</error-page>

Is there any way to get a solution to this problem?   I appreciate your
feedback.

Thank you,

-Camil
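An added example for Camil's two posts above (my code; not from his messages and not from the Samba/jCIFS filter he is using). The blank page is what a 401 looks like when a filter sets the status with setStatus() and flushes an empty body: a servlet container only consults the <error-page> mappings for a response that has been marked as an error through sendError() (or by an unhandled exception), and an NTLM filter has to use the setStatus() form for the handshake round trips, because the browser must answer those 401s with the next NTLM message instead of seeing a page. The skeleton below keeps setStatus() for the handshake and switches to sendError() for the final rejection, which is what makes Tomcat dispatch to the /401.jsp mapping. It uses javax.servlet (Tomcat 5 through 9; jakarta.servlet on Tomcat 10 and later); the handshake() hook and the Step/Outcome types are assumptions, the place where a concrete subclass puts the jCIFS calls.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * NTLM front-end filter that uses setStatus(401) for the handshake round trips and
 * sendError(401) for the final rejection, so that the
 * <error-page><error-code>401</error-code> mapping in web.xml is applied to the latter.
 * The handshake itself is a hook (assumption: a subclass implements it with the jCIFS
 * calls); only the response handling that decides blank page vs. /401.jsp is shown.
 */
public abstract class NtlmErrorPageFilter implements Filter {

    public enum Outcome { CHALLENGE, AUTHENTICATED, FAILED }

    /** Result of one handshake step. For CHALLENGE, {@code challenge} is the WWW-Authenticate
     *  value: "NTLM" on the first round trip, "NTLM <Type 2 base64>" after a Type 1 message. */
    public static final class Step {
        public final Outcome outcome;
        public final String challenge;
        public Step(Outcome outcome, String challenge) { this.outcome = outcome; this.challenge = challenge; }
    }

    /** Hypothetical hook: feed this request's Authorization header to the NTLM state machine. */
    protected abstract Step handshake(HttpServletRequest request);

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        Step step = handshake(request);

        switch (step.outcome) {
            case CHALLENGE:
                // Mid-handshake: the browser needs a bare 401 carrying the challenge and will
                // answer it with the next NTLM message. setStatus() plus an empty, flushed body
                // is correct here and deliberately does not trigger <error-page>.
                response.setHeader("WWW-Authenticate", step.challenge);
                response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                response.setContentLength(0);
                response.flushBuffer();
                return;
            case FAILED:
                // Type 3 rejected by the domain controller: now the user should see a page.
                // sendError() marks the response as an error; that flag, not the status code
                // by itself, is what makes Tomcat look up <error-code>401</error-code>.
                // Headers set before sendError() survive, so the browser can still re-prompt.
                response.setHeader("WWW-Authenticate", "NTLM");
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                        "Windows domain credentials were not accepted");
                return;
            default:   // AUTHENTICATED: let the request through
                chain.doFilter(request, response);
        }
    }

    @Override public void init(FilterConfig config) throws ServletException { }
    @Override public void destroy() { }
}
```

Two points worth checking in the deployment: with a Servlet 2.4 web.xml a <filter-mapping> applies only to REQUEST dispatches unless it lists <dispatcher>ERROR</dispatcher>, so the container's forward to /401.jsp does not pass back through this filter and cannot turn into another challenge; and the sendError() branch keeps the WWW-Authenticate header on purpose, since a 401 without it is shown by the browser as a dead end with no way to offer a fresh login.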