如何使用 Windows 登录进行单点登录和桌面 Java 应用程序的 Active Directory 条目?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/545667/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to use Windows login for single-sign-on and for Active Directory entries for Desktop Java application?
提问by Touko
I'd like to have my desktop Java application to have single sign on related to Active Directory users. In two steps, I'd like to:
我想让我的桌面 Java 应用程序具有与 Active Directory 用户相关的单点登录。分两步,我想:
- Be sure that the particular user has logged in to Windows with some user entry.
- Check out some setup information for that user from the Active Directory
- 确保特定用户已使用某些用户条目登录到 Windows。
- 从 Active Directory 查看该用户的一些设置信息
With Java: Programatic Way to Determine Current Windows UserI can get the name of the current Windows user but can I rely to that? I think the
使用Java:确定当前 Windows 用户的编程方式我可以获得当前 Windows 用户的名称,但我可以依赖它吗?我觉得
System.getProperty("user.name")
won't be secure enough? ("user.name" seems to be got from environment variables, so I can't rely on that, I think?)
会不会不够安全?(“user.name”似乎是从环境变量中获取的,所以我认为不能依赖它?)
Question Authenticating against Active Directory with Java on Linuxprovides me the authentication for given name+pass but I'd like to authenticate based on the Windows logon?
问题在 Linux 上使用 Java 对 Active Directory 进行身份验证为我提供了给定名称+通行证的身份验证,但我想根据 Windows 登录进行身份验证?
For the Active Directory access, LDAP would probably be the choice?
对于 Active Directory 访问,LDAP 可能是首选?
采纳答案by Alan Kent
It is not supported. Java 6 has improvements, but not enough yet.
不支持。Java 6 有改进,但还不够。
Java has its own GSS stack. The problem is for single sign-on, you need to get the Kerberos ticket from the OS (not the Java stack). Otherwise the user has to authenticate a second time (defeating the purpose of single sign-on).
Java 有自己的 GSS 堆栈。问题在于单点登录,您需要从操作系统(而不是 Java 堆栈)获取 Kerberos 票证。否则,用户必须再次进行身份验证(违背单点登录的目的)。
Look at http://java.sun.com/developer/technicalArticles/J2SE/security/. Look down for "Access Native GSS-API" and it talks about a new system property sun.security.jgss.native which when set to true causes Java to use the underlying OS GSS implementation, giving access to the OS level authentication. Perfect!.... except its only supported for Solaris and Linux, not Microsoft Windows.
查看http://java.sun.com/developer/technicalArticles/J2SE/security/。查看“访问本机 GSS-API”,它谈到了一个新的系统属性 sun.security.jgss.native,当设置为 true 时,Java 会使用底层操作系统 GSS 实现,从而可以访问操作系统级别的身份验证。完美!...除了它仅支持 Solaris 和 Linux,不支持 Microsoft Windows。
Java 6 however does appear to have enough support for acting as a serverreceiving SPNEGO authentication requests from IE and then authenticating that user against Active Directory. Its just the desktop client support that is still incomplete.
然而,Java 6 似乎有足够的支持作为服务器接收来自 IE 的 SPNEGO 身份验证请求,然后根据 Active Directory 对该用户进行身份验证。它只是仍然不完整的桌面客户端支持。
回答by aldrinleal
Check jCifs at http://jcifs.samba.org/
在http://jcifs.samba.org/检查 jCifs
Other than that, stick with LDAP (actually, it should be my first try, but...)
除此之外,坚持使用 LDAP(实际上,这应该是我的第一次尝试,但是...)
回答by guyumu
Have you considered using the JNA api (allows you to do native calls to the operating system easy)?
您是否考虑过使用 JNA api(允许您轻松地对操作系统进行本地调用)?
You can call the win32 metod GetCurrentUserMSDN documentation at http://msdn.microsoft.com/en-us/library/ms724432(VS.85).aspx. It's located inside Advapi32.dll.
您可以GetCurrentUser在http://msdn.microsoft.com/en-us/library/ms724432(VS.85).aspx 上调用 win32 方法MSDN 文档。它位于 Advapi32.dll 中。
It also has a unicode version, GetCurrentUserW if needed.
如果需要,它还有一个 unicode 版本,GetCurrentUserW。
And you are right. It does seem that the environment variable can be changed, so that can be misleading to use.
你是对的。环境变量似乎确实可以更改,因此可能会误导使用。
I'm not sure about cross platform implications over 32/64bit windows. If you need the solution in code, I'm sure I could write something up for it.
我不确定 32/64 位窗口上的跨平台影响。如果您需要代码中的解决方案,我相信我可以为它写一些东西。
But yea, just an idea :)
但是,是的,只是一个想法:)
回答by James Schek
Use JAASwith an LDAP LoginModule. This will allow you to plug-into the underlying Java security infrastructure.
将JAAS与LDAP LoginModule 一起使用。这将允许您插入底层 Java 安全基础设施。
When you need to take the app offline or "debug" the app, you can easily swap-out the LDAP module for a dummy module. This allows you to continue testing your "security", without depending on Active Directory. Highly testable, decoupled, and you can the authentication scheme at a later time with almost no grief.
当您需要使应用程序脱机或“调试”应用程序时,您可以轻松地将 LDAP 模块换成虚拟模块。这允许您继续测试您的“安全性”,而无需依赖 Active Directory。高度可测试、解耦,您可以在以后几乎没有悲伤的情况下使用身份验证方案。
回答by Bogdan
You will probably get most flexibility by using Spring Security. You can use it with both JAAS and LDAP authentication.
您可能会通过使用Spring Security获得最大的灵活性。您可以将它与 JAAS 和 LDAP 身份验证一起使用。
