Java Web project SSO practice

Preface

No need to say what SSO is-single-point logon.

There is currently a small web project that uses a domain account to control permissions. The corresponding functions are simple.

Use a browser to access a machine,

If this machine is logged on with a domain account, go to the page;

If you do not use a domain account to log on, use the user name and password to log on.

Solution 1: Compare Account Logon

This solution is not recommended, but it was previously used by the system.

The idea of this solution is:

1. The system has a set of user information tables (user name, domain account name, and password)

2. Obtain the domain username of the Client Login machine.

3. Check whether the domain user name exists in the System user information table. If yes, log on to the system.

For details about how to obtain the domain username of the Client Login machine, refer:

How to obtain client machine information in a java web project

The applet can obtain the login domain users, but it is slightly complicated to use the applet.

The NTLM method can also be used. However, if it is firefox, a dialog box for entering the domain account username and password will pop up. However, if you enter another user's account, there will be serious security problems.

To use the account comparison method, you cannot enter an account as a user, because the password of the domain account is not verified at all.

Solution 2: jcifs Verification

To ensure high security, you must verify that the domain account and password are correct.

Jcifs is an open-source package.

1. Download jcifs

Download the latest jar file to the http://jcifs.samba.org/src/, the latest version is jcifs-1.3.17.jar

2. Export the jar file to the project's web-inf/lib directory.

3. modify web. xml

   
       
  
   NtlmHttpFilter
        
  
   jcifs.http.NtlmHttpFilter
      
         
   
    jcifs.http.domainController
           
   
    ADHost
       
      
          
   
    jcifs.smb.client.username
           
   
    user
       
      
          
   
    jcifs.smb.client.password
           
   
    password
       
      
          
   
    jcifs.util.loglevel
           
   
    2
       
     
    
         
  
   NtlmHttpFilter
          
  
   /*
     
 

Filter is nothing to say.

Jcifs. http. domainController -- configure the Domain Server

Jcifs. smb. client. username-view the Domain Server user name

Jcifs. smb. client. password-view the password of the Domain Server

Others

If you use a domain account to log on to the client,

When IE is used, Chrome does not pop up a dialog box for entering the domain account and password, because it automatically transmits the information to the server.

However, if you use firefox, the enter domain account and password dialog box is always displayed. You can set it as follows.

1. Enter "about: config" in the Firefox address bar.
2. Enter NTLM in the filter.
3. Double-click network. automatic-ntlm-auth.trusted-uris,
4. Enter localhost in the input value (set according to the actual situation)
5. Close Firefox and open it again.