如何使用 Windows 登录进行单点登录和桌面 Java 应用程序的 Active Directory 条目? [英] How to use Windows login for single-sign-on and for Active Directory entries for Desktop Java application?

问题描述

我想让我的桌面 Java 应用程序具有与以下内容相关的单点登录活动目录用户.我想分两步:

I'd like to have my desktop Java application to have single sign on related to Active Directory users. In two steps, I'd like to:

1. 确保特定用户已使用某些用户条目登录到 Windows.
2. 从 Active Directory 中查看该用户的一些设置信息

使用 Java:确定当前 Windows 用户的编程方式 我可以获得当前 Windows 用户的名称，但我可以依赖它吗?我认为

With Java: Programatic Way to Determine Current Windows User I can get the name of the current Windows user but can I rely to that? I think the

System.getProperty("user.name")

不够安全?(user.name"似乎是从环境变量中获取的，所以我认为不能依赖它?)

won't be secure enough? ("user.name" seems to be got from environment variables, so I can't rely on that, I think?)

问题 在 Linux 上使用 Java 对 Active Directory 进行身份验证为我提供了给定名称+通行证的身份验证，但我想根据 Windows 登录进行身份验证?

Question Authenticating against Active Directory with Java on Linux provides me the authentication for given name+pass but I'd like to authenticate based on the Windows logon?

对于 Active Directory 访问，LDAP 可能是首选?

For the Active Directory access, LDAP would probably be the choice?

推荐答案

不支持.Java 6 有改进，但还不够.

It is not supported. Java 6 has improvements, but not enough yet.

Java 有自己的 GSS 堆栈.问题在于单点登录，您需要从操作系统(而不是 Java 堆栈)获取 Kerberos 票证.否则，用户必须再次进行身份验证(违背单点登录的目的).

Java has its own GSS stack. The problem is for single sign-on, you need to get the Kerberos ticket from the OS (not the Java stack). Otherwise the user has to authenticate a second time (defeating the purpose of single sign-on).

查看http://java.sun.com/developer/technicalArticles/J2SE/安全/.查看访问本机 GSS-API"，它谈到了一个新的系统属性 sun.security.jgss.native，当设置为 true 时，Java 会使用底层操作系统 GSS 实现，从而可以访问操作系统级别的身份验证.完美！...除了它仅支持 Solaris 和 Linux，不支持 Microsoft Windows.

Look at http://java.sun.com/developer/technicalArticles/J2SE/security/. Look down for "Access Native GSS-API" and it talks about a new system property sun.security.jgss.native which when set to true causes Java to use the underlying OS GSS implementation, giving access to the OS level authentication. Perfect!.... except its only supported for Solaris and Linux, not Microsoft Windows.

然而，Java 6 似乎有足够的支持作为服务器从 IE 接收 SPNEGO 身份验证请求，然后根据 Active Directory 对该用户进行身份验证.只是桌面客户端支持还不完善.

Java 6 however does appear to have enough support for acting as a server receiving SPNEGO authentication requests from IE and then authenticating that user against Active Directory. Its just the desktop client support that is still incomplete.

这篇关于如何使用 Windows 登录进行单点登录和桌面 Java 应用程序的 Active Directory 条目?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！