Use Windows Authentication credentials with JavaEE JBoss - jboss

I have a task:
My JavaEE app (uses JBoss) has to speak with Azure DevOps (ADO) via NTLM. So if I know the user's credentials it's very easy to do, but I need to use the Windows Server host's credentials, and the problem is that the app will not know the exact username, password, domain, etc. So I need to use Windows Authentication to use the credentials of the user under which the application (JBoss server) is running, but I can't find a solution. I found something like "JBoss should be configured for LDAP (Active Directory)", but what next? Will JBoss provide the current user's credentials to my app, or what?
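What the question is really after is Windows integrated authentication (SSPI), in which the HTTP client answers the NTLM/Negotiate challenge with the access token of the process owner, so no username or password is ever seen by application code and no LDAP configuration in JBoss is involved. The following is an added example, not code from the question or from JBoss, using Apache HttpClient's httpclient-win module (which relies on JNA and therefore works only on Windows). The ADO collection URL and project name are assumptions; the dependency versions are whatever httpclient-win 4.4 or later your build pulls in.

```java
import java.io.IOException;

import org.apache.http.HttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.WinHttpClients;
import org.apache.http.util.EntityUtils;

/**
 * Calls an on-premises Azure DevOps Server REST endpoint using the SSPI credentials
 * of the current process, i.e. the account the JBoss service runs as.
 */
public class AdoIntegratedAuthClient {

    // Assumed collection URL; replace with the real ADO Server collection.
    private static final String PROJECTS_URL =
        "https://ado.example.corp/tfs/DefaultCollection/_apis/projects?api-version=5.0";

    public static String fetchProjects() throws IOException {
        // httpclient-win only functions on Windows with JNA on the classpath; fail fast otherwise.
        if (!WinHttpClients.isWinAuthAvailable()) {
            throw new IllegalStateException(
                "SSPI integrated auth unavailable: not running on Windows or JNA is missing");
        }
        // WinHttpClients.createDefault() registers NTLM and Negotiate schemes backed by SSPI.
        // The challenge is answered with the process token, so no credentials are handled here.
        try (CloseableHttpClient client = WinHttpClients.createDefault()) {
            HttpGet get = new HttpGet(PROJECTS_URL);
            get.setHeader("Accept", "application/json");
            HttpResponse response = client.execute(get);
            int status = response.getStatusLine().getStatusCode();
            String body = EntityUtils.toString(response.getEntity());
            if (status == 401) {
                // Typical causes: the identity presented (a domain user, or the computer
                // account DOMAIN\HOST$ when the service runs as Local System / Network Service)
                // has not been granted access in ADO, or the ADO site has Windows
                // authentication disabled.
                throw new IOException("ADO rejected integrated authentication: HTTP 401 " + body);
            }
            if (status != 200) {
                throw new IOException("Unexpected response: HTTP " + status + " " + body);
            }
            return body;
        }
    }

    public static void main(String[] args) throws IOException {
        System.out.println(fetchProjects());
    }
}
```

Two operational caveats follow from this design. First, the identity sent is whatever the JBoss Windows service runs as: a domain service account is the cleanest choice, and if the service runs as Local System or Network Service the remote side sees the computer account, which must then be authorised in ADO. Second, this only applies to an on-premises Azure DevOps Server that accepts NTLM/Negotiate; the hosted dev.azure.com service authenticates with OAuth tokens or PATs, not Windows credentials.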

Related

Possible to do Shibboleth authentication on local dev environment?

I have a Java/Spring application that is running on a Tomcat server. The application uses Shibboleth/SAML for user access and it works fine.
However, I would like to run/debug the application on my local dev environment (on a local Tomcat). I wonder if it is possible to set something up and get prompted by the same service provider so that I can log into the application like on the production environment.
From https://stackoverflow.com/a/28061252/1534925
[samltest.id][1] is a good way to test Shibboleth.
You cannot use localhost as the SP to connect to a remote IdP; that IdP won't find any SP to return to, because localhost means its own system, so the IdP would go to its own local system and look for your given SP's entity ID. It won't find that entity ID, so it would give such an error.
These two approaches may help you:
Give your machine some public IP and try to connect to the IdP with that SP.
If you cannot get a public IP, set up both SP and IdP on your local system. My [this][2] answer may help you.
[1]: https://samltest.id/
[2]: https://stackoverflow.com/a/21278524/1534925
and https://stackoverflow.com/a/21278524/1534925
Yes, you sure can.
Download and install SP and IdP on that machine and configure metadata for both to communicate to localhost, or, for better ease, use two domains for SP and IdP: in C:\Windows\System32\drivers\etc, add two domains, localhost-sp and localhost-idp, to the hosts file.
So you now have two different domains for SP and IdP.

A question about using KeyTab files to authenticate an Active Directory user to a Linux WEB Server (or any other App running on Linux)

Can someone please help me with the following
Assume I have an AD domain and a 'standalone Linux host' which is not joined to the AD domain, and there is no trust relationship of any kind in place between AD and Linux.
Next, I have a Kerberos-aware application running on the Linux server (a web server, for example, or another app) which is .
In order for an AD user to authenticate to the Linux-hosted web server/app using a keytab file
(created in Windows and set up on Linux), does the Linux host need to be AD-joined in order for keytab (single sign-on) authentication to work?
Meaning, if the Linux server was never joined to any domain of any kind (standalone), would I still be able to use a keytab file to authenticate a user coming in from an AD domain?
Thanks all
Charlie
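To show what keytab-based acceptance of an AD user actually needs on the Linux side, here is an added example (not code from the question above) of a SPNEGO acceptor in plain Java, using JAAS with the Krb5LoginModule and the GSS-API. Everything it relies on is the keytab produced by ktpass, a krb5.conf that names the AD realm, and a clock within the Kerberos skew tolerance of the domain controllers; the host itself is not a domain member. The service principal, keytab path and realm are assumptions.

```java
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

/** Accepts SPNEGO/Kerberos tokens from AD users using only a keytab (no host domain join). */
public final class KeytabSpnegoAcceptor {

    // Assumed values: the SPN registered on the AD service account with setspn/ktpass,
    // the keytab ktpass wrote, and the AD realm (Kerberos realms are upper case).
    private static final String SERVICE_PRINCIPAL = "HTTP/web01.example.corp@EXAMPLE.CORP";
    private static final String KEYTAB_PATH = "/etc/krb5/http.keytab";
    private static final Oid SPNEGO_OID;
    static {
        try {
            SPNEGO_OID = new Oid("1.3.6.1.5.5.2");
        } catch (GSSException e) {
            throw new ExceptionInInitializerError(e);
        }
    }

    /** JAAS configuration built in code, so no login.conf file has to be shipped. */
    private static final class KeytabConfig extends Configuration {
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            Map<String, String> opts = new HashMap<>();
            opts.put("useKeyTab", "true");
            opts.put("keyTab", KEYTAB_PATH);
            opts.put("principal", SERVICE_PRINCIPAL);
            opts.put("storeKey", "true");     // keep the long-term key to decrypt service tickets
            opts.put("isInitiator", "false"); // acceptor only: no TGT is requested from the KDC
            opts.put("doNotPrompt", "true");  // never fall back to an interactive password prompt
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts)
            };
        }
    }

    /** Logs the service in from the keytab; fails if the keytab key does not match the SPN. */
    public static Subject loginService() throws LoginException {
        LoginContext lc = new LoginContext("keytab-service", null, null, new KeytabConfig());
        lc.login();
        return lc.getSubject();
    }

    /**
     * Validates the token carried in the client's "Authorization: Negotiate <base64>" header
     * and returns the authenticated AD principal, e.g. "alice@EXAMPLE.CORP".
     */
    public static String authenticate(Subject service, byte[] spnegoToken) throws Exception {
        return Subject.doAs(service, (PrivilegedExceptionAction<String>) () -> {
            GSSManager manager = GSSManager.getInstance();
            GSSCredential serverCred = manager.createCredential(
                null, GSSCredential.INDEFINITE_LIFETIME, SPNEGO_OID, GSSCredential.ACCEPT_ONLY);
            GSSContext ctx = manager.createContext(serverCred);
            try {
                byte[] reply = ctx.acceptSecContext(spnegoToken, 0, spnegoToken.length);
                if (!ctx.isEstablished()) {
                    // Kerberos normally completes in one round trip; a real server would send
                    // 'reply' back in WWW-Authenticate: Negotiate and wait for the next token.
                    throw new GSSException(GSSException.DEFECTIVE_TOKEN);
                }
                return ctx.getSrcName().toString();
            } finally {
                ctx.dispose();
            }
        });
    }
}
```

When this fails in practice the cause is almost always on the keytab side rather than domain membership: the SPN in the keytab must match the one the browser requested (the host name the user typed), the kvno in the keytab must match the AD account's current key version (ktpass bumps it each run), and the encryption type written by ktpass must be one the JVM enables (AES256 needs the unlimited crypto policy on JDKs older than 8u161). `klist -kte` on the keytab and a `kvno` lookup against the SPN are the quickest checks.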

How can I authenticate with the machine account during SPNego authentication?

My goal is to create an HTTPS REST service that (in concept) allows a machine account to authenticate using the less-than-documented machine$ account.
I have a REST endpoint for an AD-connected intranet application. Right now IIS simply echoes the thread's CurrentPrincipal when I navigate to it using Internet Explorer.
Now I'm using the HttpClient, using default authentication, running as my username, and that also works.
My new goal is to send the AD-connected machine account (the one that ends in the dollar sign $) so that IIS responds with the Kerberos name Domain\TestServer$.
I attempted creating a Windows Desktop service, running as NetworkService or LocalSystem, and I'm not clear if HttpClientHandler.UseDefaultCredentials is sufficient for running in this (unusual) context or if a different approach is needed to authenticate using the machine account.
Is a P/Invoke needed? Is there anything in logonuser32 that needs to be done?

Application user validation with LDAP

My web application is currently configured to connect to LDAP for user validation without relying on application server settings. In other words, my application utilizes naming params to connect to LDAP, hence it is agnostic to the application server, i.e. JBoss or WebSphere.
The naming params used are as follows:
ldapURL
ldapPrincipal (bind user)
ldapCredentials (bind user's password)
ldapAuthentication
ldapSearchBase
The requirement now is to allow an encrypted password in the ldapCredentials naming param. One way out of this situation is using a custom SecurityLoginModule to encrypt the password and supply it to the application via a naming param. My application would then decrypt it and proceed with LDAP user validation. However, this results in an additional application installation step.
So I was wondering if there is a way to use an application server security domain (or some other way) to store the user credentials in a secured fashion on the application server, so that the application would later pick them up at the time of user validation with LDAP, without writing server-specific code in my application. I know that we can use a security domain to perform a data source connection without writing server-specific code. But if I do this for LDAP then I make the server talk to LDAP, which is not what I am looking for. Basically, I may still continue to use federated users instead of LDAP.
Any decent application server (including JBoss and WebSphere) has a server-provided LDAP registry, which you can configure and use without any application-specific code, and I'd strongly suggest utilizing that instead of writing your own LDAP connection code.
Regarding encryption:
For WebSphere traditional, you can plug your own class into the server infrastructure to encrypt passwords; see Plug point for custom password encryption.
For WebSphere Liberty, you have out-of-the-box support for AES and hash.
For JBoss, the first link in Google showed me this: How do I encrypt the bindCredential password in WildFly, but maybe JBoss experts will guide you to something different.

GWT RPC Java server with remote Windows authentication

I have the following setup with my GWT Client - Server application:
GWT Client -(RPC)- Server - MSSQL DB.
The client runs on various platforms and devices (web application, mobile phones, etc.). The Java server (and web application files) are hosted on Jetty. The MSSQL database is running on a different server in a different domain.
I need to find a way for the user to authenticate on the domain of the MSSQL DB, after which I can allow the client access to the rest of the server's services.
I can pass the username and password pair encrypted to the server, but how do I continue from there? I spent a lot of time figuring that out today, but I just got more and more confused. I did manage to check local authentication with Kerberos on the server, but I need to authenticate remotely to a different domain. Is it even possible without setting up a service for that on the remote domain, which I'm trying to avoid?