Java client calling a Windows Integrated Authentication web service

Posted 2024-11-05 20:17:04 · 1097 characters · 3 views · 0 comments

I am writing a Java 1.5+ client that needs to fetch data from an IIS-hosted web service. I created a new web service client in Eclipse and used the Java Proxy client type and Apache Axis2 web service runtime when generating the client proxy. The web service itself runs on Windows 2003 and security is set to use only Windows Integrated Authentication. I have found many articles online that show how to connect successfully from a Java client to this IIS service, but everything I have seen seems to require that I put the username and password in my Java client code somewhere.

My Java client will run on a Windows machine that is on the same Active Directory network that the IIS service is on (i.e. the account I log in with each day can access the service). I want my Java client to run in the context of the logged-in user without me needing to put in my login credentials in the code. Here is my current code, which works, yet requires me to put a user name and password in the code:

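    import org.apache.commons.httpclient.Credentials;
    import org.apache.commons.httpclient.NTCredentials;
    import org.apache.commons.httpclient.auth.AuthScheme;
    import org.apache.commons.httpclient.auth.CredentialsNotAvailableException;
    import org.apache.commons.httpclient.auth.CredentialsProvider;
    import org.apache.commons.httpclient.params.DefaultHttpParams;

    // Hard-coded NTLM credentials: user name, password, host, domain
    final NTCredentials nt = new NTCredentials("my_username", "my_password", "", "my_domain");
    final CredentialsProvider myCredentialsProvider = new CredentialsProvider() {
        public Credentials getCredentials(final AuthScheme scheme, final String host, int port, boolean proxy) throws CredentialsNotAvailableException {
            return nt;
        }
    };

    DefaultHttpParams.getDefaultParams().setParameter("http.authentication.credential-provider", myCredentialsProvider);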

But I really don't want to have to put the username and password in the code--I want it to run using the credentials of the logged-in Windows user that is running the Java client.

What code should I use so it will connect with the logged-in user's credentials without needing to specify the user name and password? Is this possible?

Comments (2)

司马昭之心 2024-11-12 20:17:04

It's been a few years since I've used Axis - then, Axis depended on Apache commons httpclient 3. From reading some mailing lists, it looks like this is still the case. (If not, the last paragraph should provide some welcome relief.)

Apache commons httpclient 3 has no support for "Integrated Windows Authentication" over HTTP (aka the Negotiate authentication mechanism with Kerberos, aka "SPNEGO".) In fact, it doesn't support NTLMv2, only NTLMv1, which means that you'll not be able to authenticate to many IIS servers that require NTLMv2 without modifications.

Although admittedly a heavy-handed solution, I think that your best bet would be to create a new AuthScheme that calls the Windows SSPI libraries to do authentication. Unfortunately, you'll need to use JNI to do this. Fortunately, AuthScheme is prepared to do a session-based challenge-response authentication pattern (SPNEGO is similar in that regard to NTLM, which is already supported.) Basically, you'll base64 encode the input and output byte buffers to the native InitializeSecurityContext call. It's tedious to write, I admit, but I can confirm that it does let you perform Integrated Windows Authentication to an IIS server.

(Unfortunately, if you need your client to be cross-platform, you'll also need to write the necessary GSSAPI code on Unix.)

Another option is to write a new AuthScheme that uses Java's Kerberos libraries (JAAS). I don't know much about these, to be honest, because it requires separate configuration from your system Kerberos libraries. I.e., on Windows you'll have to write some Kerberos configuration files that point to your Active Directory server. Which, in my opinion, doesn't really sound all that "integrated". If you're distributing your software to customers and they expect it to "just work", this may not work out for you. Plus, although JAAS has been around for a while, I believe that early versions lacked some authentication mechanisms that were required to talk to Active Directory, so I think you'll require a Java 6 runtime.

Now, if I'm mistaken and you can use Axis2 with the new Apache http-components httpclient 4, then you're in much better shape. httpclient 4 supports SPNEGO using Java's Kerberos libraries, which means that once you don't have to write your own AuthScheme, you just need to configure your C:\WINDOWS\KRB5.INI and you should be able to take advantage of Integrated Windows Authentication. However, to avoid that manual step of having to configure JAAS, you'll still need to call the native SSPI methods.
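
Added example (not part of the answer above, and not Axis or httpclient code): the base64 token exchange the answer describes, done with Java's built-in GSS-API rather than SSPI through JNI. It assumes Java 8+ for java.util.Base64, a working Kerberos configuration, and the system property javax.security.auth.useSubjectCredsOnly=false so the default credentials are used; the class name and host name are hypothetical.

```java
import java.util.Base64;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/** Added example: client side of the HTTP Negotiate (SPNEGO) exchange via Java GSS-API. */
public class NegotiateClient {
    private static final String SCHEME = "Negotiate";
    private final GSSContext context;

    /** host is the web server's DNS name (hypothetical, e.g. "iis.example.test"). */
    public NegotiateClient(String host) throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        Oid spnego = new Oid("1.3.6.1.5.5.2"); // SPNEGO mechanism OID
        GSSName service = manager.createName("HTTP@" + host, GSSName.NT_HOSTBASED_SERVICE);
        // null credential: use the default Kerberos credentials, no password in code
        context = manager.createContext(service, spnego, null, GSSContext.DEFAULT_LIFETIME);
        context.requestMutualAuth(true);
    }

    /** Extracts the server token from a WWW-Authenticate value; empty on the first 401. */
    static byte[] parseChallenge(String wwwAuthenticate) {
        String v = wwwAuthenticate == null ? "" : wwwAuthenticate.trim();
        boolean named = v.regionMatches(true, 0, SCHEME, 0, SCHEME.length());
        if (!named || (v.length() > SCHEME.length() && v.charAt(SCHEME.length()) != ' ')) {
            throw new IllegalArgumentException("server did not offer Negotiate");
        }
        String b64 = v.substring(SCHEME.length()).trim();
        return b64.isEmpty() ? new byte[0] : Base64.getDecoder().decode(b64);
    }

    /** Returns the next Authorization header value, or null when no further token is needed. */
    public String respond(String wwwAuthenticate) throws GSSException {
        byte[] in = parseChallenge(wwwAuthenticate);
        byte[] out = context.initSecContext(in, 0, in.length);
        return (out == null || out.length == 0) ? null : SCHEME + " " + Base64.getEncoder().encodeToString(out);
    }

    public boolean isEstablished() { return context.isEstablished(); }

    public static void main(String[] args) {
        // Constructed header values, parsed offline; no Kerberos environment needed for this part.
        System.out.println(parseChallenge("Negotiate").length);      // bare challenge, no token
        System.out.println(parseChallenge("Negotiate AQID").length); // constructed token
    }
}
```

A caller passes each 401 response's WWW-Authenticate value to respond() and resends the request with the returned Authorization value, until respond() returns null or isEstablished() is true.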

千纸鹤 2024-11-12 20:17:04

The functionality that you are describing is not a feature of the OS, but of Internet Explorer. You should probably gain a better understanding of how "Windows Authentication" really works (aka NTLM HTTP Authentication). JCIFS is removing the ServletFilter that provides this functionality to servlet containers. However, their basic description of how NTLM HTTP Authentication works is helpful.

Once you understand the way the authentication works, you might be able to implement some sort of Axis plugin to provide the functionality.
