Single Sign On in UIX applications

3

In my current project I was asked to investigate the possibility of implementing a Single Sign On solution for a couple of Oracle UIX web applications I am implementing. A little investigation showed that all users login to their PCs using a “domain\user” username and a password. Our customer would like to use those credentials for logging into the UIX applications without getting a popup. My colleague Lucas Jellema recently posted about an NtlmHttpFilter class provided by the jCIFS project and I decided to try that out.

Using the NtlmHttpFilter proved to be extremely easy. The jCIFS NTLM HTTP Authentication documentation gives a few examples of how the filter can be incorporated into a web application. Using the Explicit Domain Controller web.xml Example I got it up and running in no time. The example only contains four configuration parameters and finding out the correct values for these parameters proved to be the most difficult exercise.

After having found them out I fired up OC4J from within JDeveloper on my laptop and gave the customer instructions on how to add my laptop IP address to the Trusted Sites list in Internet Explorer on his laptop and asked him to browse to my NTLM enabled web app. He was greeted by a page stating his Windows username in the form “domain\user”. The Windows username is available from the HttpRequest via the getRemoteUser() method. The password isn’t! So users who worry about their passwords can stop worrying

 

 

 

About Author

Wouter is Java consultant at AMIS

3 Comments

  1. Wouter van Reeven on

    Sure.
    There are two ways to do authentication on Windows, which are via WINS and via a Domain Controller. Using the “ipconfig /all” command from the command prompt reveiled the IP address of the Primary WINS Server. Using this IP address with the jcifs.netbios.wins parameter, I tried to authenticate a user.
    The other three parameters are a username and password of a user and the domain the user is in. The domain is mandatory, the username and password not. The latter two are needed in case the WINS server or Domain Controller need an authenticated user to respond to queries.
    So, I simply used a test account for the username and password and also the domain all users (including the test account) are in. This didn’t work properly. For some reason, the first user to login logged in very quickly, but once another user attempted to login all logins went very very slowly.
    So, I discussed this with the customer and I decided to use the jcifs.http.domainController parameter instead of the jcifs.netbios.wins. After making this modification, all logins happen almost instantaneously.