3
votes

We have an application which returns the logged-in username (Windows NTLM), and we normally pass it to all other applications to check the authentication part.

I would like to know whether it is possible to pass the username from the application which returns it to our new web application, which is developed using Spring 3, so that we could leverage the Spring Security features.

If it is possible, how could I use this?

As we already have an application which returns the Windows user, management discourages the usage of Kerberos and other SSO methods.

Any help or insight is highly helpful and beneficial.

Thanks

A spring web app, or a spring stand-alone app? - DavidA
SPNEGO is the typical way of doing it, but that is basically a Kerberos solution, which sounds like it won't fly. I guess I've not heard of another way. - DavidA
If they will let you do Kerberos, you can set up AD as a Kerberos KDC and do something like this: blog.springsource.org/2009/09/28/spring-security-kerberos - DavidA
@DavidA Unfortunately Kerberos and SPNEGO are not under consideration now. - Jacob
Did you see the answer below? Was it helpful? - Michael

2 Answers

1
votes

The simplest way to solve your problem is the following:

1) Install Apache Web Server and configure it to use NTLM authentication using mod_ntlm:

http://modntlm.sourceforge.net/ (Similarly, you can use Kerberos authentication using mod_auth_kerb: http://modauthkerb.sourceforge.net/)

2) Configure mod_jk to your Servlet container (JBoss or Tomcat): http://tomcat.apache.org/connectors-doc/generic_howto/proxy.html After successful authentication Apache sends the REMOTE_USER header to the servlet container. The header (as its name suggests) contains the user name of the authenticated user. Ensure you configure tomcatAuthentication="false" to allow Apache to send the REMOTE_USER header.

3) Implement and configure in Spring Security your own PreAuthenticatedProcessingFilter: http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#d0e6167 It should be very similar to the Request-Header Authentication filter: http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#d0e6295 In addition, you should strip the domain name from the user name. The user name is sent in the REMOTE_USER header after NTLM or Kerberos authentication.
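As an added example (not the answer's own code), here is the filter for step 3 written against Spring Security 3.1's AbstractPreAuthenticatedProcessingFilter; the class name RemoteUserPreAuthFilter and the stripDomain helper are assumptions. With mod_jk and tomcatAuthentication="false" Tomcat exposes the Apache-authenticated user through request.getRemoteUser(), so the filter reads that first and only falls back to a REMOTE_USER header if the container did not set it.

```java
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;

/**
 * Hypothetical pre-authentication filter: takes the identity established by
 * Apache (mod_ntlm / mod_auth_kerb, forwarded over AJP by mod_jk) and hands the
 * bare user name to Spring Security's PreAuthenticatedAuthenticationProvider.
 */
public class RemoteUserPreAuthFilter extends AbstractPreAuthenticatedProcessingFilter {

    private static final String REMOTE_USER_HEADER = "REMOTE_USER";

    @Override
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
        // Preferred source: the remote user set by the AJP connector when
        // tomcatAuthentication="false". A plain HTTP header is only trustworthy
        // when nothing but Apache can reach this container, because any client
        // could otherwise send REMOTE_USER itself.
        String user = request.getRemoteUser();
        if (user == null || user.trim().isEmpty()) {
            user = request.getHeader(REMOTE_USER_HEADER);
        }
        if (user == null || user.trim().isEmpty()) {
            return null; // no principal: the request stays unauthenticated
        }
        return stripDomain(user.trim());
    }

    @Override
    protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
        return "N/A"; // authentication already happened in Apache; no password exists here
    }

    /** "CORP\\jdoe" -> "jdoe" (NTLM form), "jdoe@CORP.EXAMPLE" -> "jdoe" (Kerberos form). */
    static String stripDomain(String user) {
        int backslash = user.lastIndexOf('\\');
        if (backslash >= 0) {
            return user.substring(backslash + 1);
        }
        int at = user.indexOf('@');
        if (at > 0) {
            return user.substring(0, at);
        }
        return user;
    }
}
```

Register it with `<custom-filter position="PRE_AUTH_FILTER"/>` and a PreAuthenticatedAuthenticationProvider backed by a UserDetailsByNameServiceWrapper that maps the bare user name to its roles. Keep the AJP port reachable only from the Apache host so that the forwarded identity cannot be supplied by an arbitrary client.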

1
votes

You can bind your username with the application URL like "localhost:port/somename/j_spring_check?j_username=your username".