Monday 1 September 2008

Automatic logon on Intranet Sites from Java Web Application

Microsoft Internet Explorer can be configured to pass the identity of the currently logged-on Windows user to sites in its Local intranet zone. This article shows how to enable that behaviour in the browser and how to read the user name out of the resulting NTLM exchange from a Java servlet.

Note that Kerberos is more secure than NTLM.

Configure Internet Explorer for Windows Native Authentication

The following section is excerpted from: http://download.oracle.com/docs/cd/B28196_01/idmanage.1014/b15995/odip_actdir.htm#i1010999

Configure Internet Explorer to use Windows Native Authentication. How you do this depends on which version you have.

  • Internet Explorer 5.0 and Later
  • Internet Explorer 6.0 Only

Internet Explorer 5.0 and Later

To configure Internet Explorer 5.0 and later, perform the following steps:

  1. From the menu bar, select Tools, then, from the Tools menu, select Internet Options.
  2. In the Internet Options dialog box, select the Security tab.
  3. On the Security tab page, select Local Intranet, then select Sites.
  4. In the Local intranet dialog box, select Include all sites that bypass the proxy server; then click Advanced.
  5. In the advanced version of the Local intranet dialog box, enter the URL of the middle tier server.
  6. Click OK to exit the Local intranet dialog boxes.
  7. In the Internet Options dialog box, select the Security tab; then choose Local intranet; then choose Custom Level.
  8. In the Security Settings dialog box, scroll down to the User Authentication section and then select Automatic logon only in Intranet zone.
  9. Click OK to exit the Security Settings dialog box.

Internet Explorer 6.0 Only

If you are using Internet Explorer 6.0, perform the above steps in "Internet Explorer 5.0 and Later" then perform the following steps:

  1. From the menu bar, select Tools, then, from the Tools menu, select Internet Options.
  2. In the Internet Options dialog box, select the Advanced tab.
  3. On the Advanced tab page, scroll down to the Security section.
  4. Select Enable Integrated Windows Authentication (requires restart).

The above settings can also be applied centrally using Group Policy Objects; see http://support.microsoft.com/kb/274846 for details.

Retrieve username from Java Servlet

The following code is also available at: http://www.rgagnon.com/javadetails/java-0441.html

The method doIt (within a Servlet) reads the Authorization header if present, answers the browser's NTLM Type 1 (negotiate) message with a Type 2 challenge, and then extracts the user name, domain and workstation name from the Type 3 (authenticate) message. Note that the code only parses the names the browser sends: it never checks the NTLM response against the challenge, so it reports who the client claims to be logged on as rather than authenticating that claim.

import java.io.IOException;
import java.io.PrintWriter;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

protected void doIt(HttpServletRequest request,
     HttpServletResponse response) throws IOException {

 String auth = request.getHeader("Authorization");
 if (auth == null) {
  // No credentials yet: ask the browser to start the NTLM handshake.
  response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
  response.setHeader("WWW-Authenticate", "NTLM");
  response.flushBuffer();
  return;
 }

 if (auth.startsWith("NTLM ")) {
  // java.util.Base64 replaces sun.misc.BASE64Decoder, which is unavailable on Java 9+.
  byte[] msg = Base64.getDecoder().decode(auth.substring(5));
  int off = 0, length, offset;
  if (msg[8] == 1) {
   // Type 1 (negotiate) received: reply with a Type 2 challenge.
   // Bytes 20-23 are the flags 0x00008201: Unicode strings, NTLM, always sign.
   // The 8-byte challenge at bytes 24-31 is a fixed value here, not a fresh nonce.
   byte z = 0;
   byte[] msg1 =
   { (byte)'N', (byte)'T', (byte)'L', (byte)'M', (byte)'S',
     (byte)'S', (byte)'P', z, (byte)2, z, z, z, z, z, z, z,
     (byte)40, z, z, z, (byte)1, (byte)130, z, z, z, (byte)2,
     (byte)2, (byte)2, z, z, z, z, z, z, z, z, z, z, z, z };
   response.setHeader("WWW-Authenticate",
          "NTLM "
          + Base64.getEncoder().encodeToString(msg1));
   response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
   return;
  } else if (msg[8] == 3) {
   // Type 3 (authenticate) received. Only the name buffers are read; the
   // LM/NTLM responses are never verified against the challenge sent above.
   // Java bytes are signed, so mask with 0xff before combining them, otherwise
   // any length or offset byte of 0x80 or above is read as a negative number.
   // Strings are UTF-16LE because the Type 2 message asked for Unicode only.
   off = 30;

   length = (msg[off + 17] & 0xff) * 256 + (msg[off + 16] & 0xff);
   offset = (msg[off + 19] & 0xff) * 256 + (msg[off + 18] & 0xff);
   String remoteHost = new String(msg, offset, length, StandardCharsets.UTF_16LE);

   length = (msg[off + 1] & 0xff) * 256 + (msg[off] & 0xff);
   offset = (msg[off + 3] & 0xff) * 256 + (msg[off + 2] & 0xff);
   String domain = new String(msg, offset, length, StandardCharsets.UTF_16LE);

   length = (msg[off + 9] & 0xff) * 256 + (msg[off + 8] & 0xff);
   offset = (msg[off + 11] & 0xff) * 256 + (msg[off + 10] & 0xff);
   String username = new String(msg, offset, length, StandardCharsets.UTF_16LE);

   PrintWriter out = response.getWriter();
   out.println("Username: " + username);
   out.println("RemoteHost: " + remoteHost);
   out.println("Domain: " + domain);
  }
 }
}
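As an added example (not code from the original post or from rgagnon's article), here is a Python parser for the Type 3 message the servlet reads, using the full security-buffer layout (2-byte length, 2-byte maximum length, 4-byte offset), the message's own flags field to choose between UTF-16LE and OEM decoding, and a bounds check on each buffer; build_type3 produces a constructed message for testing, the cp437 choice for OEM strings is an assumption, and java_signed_offset reproduces the servlet's msg[n + 1] * 256 + msg[n] arithmetic with Java's signed bytes to show why offsets of 128 or more go wrong.

```python
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # strings in the message are UTF-16LE
NEGOTIATE_NTLM = 0x00000200

def _secbuf(msg, pos):
    """Security buffer at pos: uint16 length, uint16 max length, uint32 offset (little-endian)."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer at %d points outside the message" % pos)
    return msg[offset:offset + length]

def parse_type3(msg):
    """Return the domain, user and workstation names carried in a Type 3 message.
    Like the servlet, this reads only the names: the LM/NTLM responses are not
    checked, so the result is what the client claims, not a verified identity."""
    if len(msg) < 64 or msg[:8] != SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLM Type 3 message")
    flags = struct.unpack_from("<I", msg, 60)[0]
    # Assumption: OEM (non-Unicode) strings are decoded as cp437.
    charset = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"
    return {
        "domain": _secbuf(msg, 28).decode(charset),
        "user": _secbuf(msg, 36).decode(charset),
        "workstation": _secbuf(msg, 44).decode(charset),
    }

def java_signed_offset(msg, pos):
    """The servlet's msg[pos + 1] * 256 + msg[pos] evaluated with Java's signed bytes."""
    signed = lambda b: b - 256 if b > 127 else b
    return signed(msg[pos + 1]) * 256 + signed(msg[pos])

def build_type3(domain, user, workstation, flags=NEGOTIATE_UNICODE | NEGOTIATE_NTLM):
    """Constructed Type 3 message: empty LM/NTLM responses, names after the 64-byte header."""
    charset = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"
    payload, bufs = b"", []
    for name in (domain, user, workstation):
        data = name.encode(charset)
        bufs.append((len(data), 64 + len(payload)))
        payload += data
    hdr = SIGNATURE + struct.pack("<I", 3)
    hdr += struct.pack("<HHI", 0, 0, 64) * 2  # LM response, NTLM response (both empty)
    for length, offset in bufs:
        hdr += struct.pack("<HHI", length, length, offset)
    hdr += struct.pack("<HHI", 0, 0, 64 + len(payload))  # session key (empty)
    hdr += struct.pack("<I", flags)
    return hdr + payload
```

With a 29-character user name the workstation buffer lands at offset 136 (0x88), which the servlet's signed-byte read turns into -120.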
