Solved

authenticating user in Java

Posted on 2010-11-28
Last Modified: 2012-08-13
I have a Java program running as a server on a remote host.  I can connect to it remotely from my local machine with my Java client program.  In order to protect the server from unwanted intrusion I have a couple of options: one is to set up a firewall only allowing connections from certain locations, i.e. my local computer.  The other option is to have a username and password set up to authenticate the user.  Is it possible to authenticate through the operating system, so that I can use the same username and password as I would to remotely log in to the OS, using the OS's password database to do the authentication instead of worrying about setting up another password file?
0
Comment
Question by:robthewolf
9 Comments
 
LVL 16

Expert Comment

by:Valeri
ID: 34224983
>>  The other option is to have a username and password set up to authenticate the user.
I think that it's the most appropriate solution. What kind of communication are you using? HTTP?
0
 
LVL 8

Author Comment

by:robthewolf
ID: 34225086
>>I think that it's the most appropriate solution.
I actually plan on using both.

>>What kind of communication you are using? http?
I currently use TCP sockets through the java.net.Socket class.
I guess I should use SSL to send the passwords to avoid sending plain text.

My current system is all local so I don't bother with passwords or SSL for the moment.  Any suggestions?
0
 
LVL 16

Accepted Solution

by:
Valeri earned 300 total points
ID: 34225503
>> I guess I should use SSL to send the passwords to avoid sending plain text.
I agree with you. Using SSL will provide the security you need.
Here is an example. The client implementation is also there.
http://www.exampledepot.com/egs/javax.net.ssl/Server.html

Another option is to encrypt your password somehow on the client side and to compare the encrypted password on the server side. If both encryptions are the same, it will mean the user has entered the right password; otherwise the user has entered the wrong password.
But I think that SSL is the better solution.
0
 
LVL 8

Author Comment

by:robthewolf
ID: 34225525
I had thought of that second solution, but if someone were listening and intercepted the encrypted password, then they could just send that, which would then pass the comparison on the server side.  I am going to check out this example and let you know how it goes.
0
 
LVL 10

Assisted Solution

by:gordon_vt02
gordon_vt02 earned 200 total points
ID: 34232389
You could also try setting up two-way SSL (client and server authentication), even if you only use user-generated certs and not completely signed certs.  You would just need to maintain a list of the authorized certs on the server side and compare the cert presented by the client.
0
 
LVL 8

Author Comment

by:robthewolf
ID: 34233407
gordon,
if I understand you correctly, using SSL properly the client is authenticated by the certificate and there is no need for usernames and passwords.
0
 
LVL 10

Assisted Solution

by:gordon_vt02
gordon_vt02 earned 200 total points
ID: 34233550
Yep.  The client would be issued a cert identifying them, either signed by a known authority (VeriSign is one) or generated by them with keytool, then signed by a local authority you stand up.  Your server would need to have a list of authorized users, likely using the DN of the cert, and you would need to validate their cert's authenticity, then ensure that the DN was on the allowed users list.
0
 
LVL 10

Expert Comment

by:gordon_vt02
ID: 34233576
If you're already using a web container, I'm pretty sure almost all of them provide support out-of-the-box for two-way authentication.  If you're rolling your own server, I'm not sure exactly how to implement it, but I think there are methods available using JSSE and possibly the base java.net libraries.
0
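The two-way SSL approach discussed in the comments above, sketched with JSSE as an added example (not code from the thread or from the linked page). It assumes Java 9+, a hypothetical port 9443, a constructed sample DN, and key/trust stores supplied through the standard `javax.net.ssl.*` system properties.

```java
import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSocket;

public class MutualTlsServer {
    // Hypothetical allow-list of client subject DNs (RFC 2253 form); constructed sample value.
    static final Set<String> ALLOWED_DNS = Set.of(
        "CN=robs-client,OU=Example,O=Example,C=US");

    /** Returns the client's subject DN if it is on the allow-list, otherwise null. */
    static String authorizedDn(SSLSocket socket) {
        try {
            // getSession() completes the handshake; the chain returned here has
            // already been validated against the trust store by the TrustManager.
            Certificate[] chain = socket.getSession().getPeerCertificates();
            String dn = ((X509Certificate) chain[0]).getSubjectX500Principal().getName();
            return ALLOWED_DNS.contains(dn) ? dn : null;
        } catch (SSLPeerUnverifiedException e) {
            return null; // handshake failed or no client certificate was presented
        }
    }

    public static void main(String[] args) throws IOException {
        // Assumes the JVM was started with -Djavax.net.ssl.keyStore/-keyStorePassword
        // (server key pair) and -Djavax.net.ssl.trustStore/-trustStorePassword
        // (the client certs, or the local CA that signed them).
        SSLServerSocketFactory factory =
            (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        try (SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(9443)) {
            server.setNeedClientAuth(true); // refuse clients that present no certificate
            while (true) {
                try (SSLSocket client = (SSLSocket) server.accept()) {
                    String dn = authorizedDn(client);
                    if (dn == null) {
                        continue; // try-with-resources closes the rejected connection
                    }
                    client.getOutputStream().write(("hello " + dn + "\n").getBytes("UTF-8"));
                } catch (IOException e) {
                    System.err.println("connection rejected: " + e.getMessage());
                }
            }
        }
    }
}
```

The DN check is only meaningful when the trust store contains nothing but certificates or CAs you control, since any trusted issuer could otherwise mint a certificate with an allowed DN. With self-signed client certs, the trust store itself is effectively the list of authorized certs.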
 
LVL 8

Author Comment

by:robthewolf
ID: 34345812
I haven't had time to test the suggested solution yet.  When I do (hopefully this week) I will close the question.
Sorry for the delay.
0

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Envision that you are chipping away at another e-business site with a team of pundit developers and designers. Everything seems, by all accounts, to be going easily.
Basic understanding on "OO- Object Orientation" is needed for designing a logical solution to solve a problem. Basic OOAD is a prerequisite for a coder to ensure that they follow the basic design of OO. This would help developers to understand the b…
Viewers will learn about if statements in Java and their use The if statement: The condition required to create an if statement: Variations of if statements: An example using if statements:
This theoretical tutorial explains exceptions, reasons for exceptions, different categories of exception and exception hierarchy.
Suggested Courses

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question