Solved

authenticating user in Java

Posted on 2010-11-28
Last Modified: 2012-08-13
I have a Java program running as a server on a remote host. I can connect to it remotely from my local machine with my Java client program. In order to protect the server from unwanted intrusion I have a couple of options. One is to set up a firewall only allowing connections from certain locations, i.e. my local computer. The other option is to have a username and password set up to authenticate the user. Is it possible to authenticate through the operating system, so that I can use the same username and password as I would to remotely log in to the OS, using the OS's password database to do the authentication instead of worrying about setting up another password file?
0
Comment
Question by:robthewolf
9 Comments
 
LVL 16

Expert Comment

by:Valeri
ID: 34224983
>>  The other option is to have a username and password set up to authenticate the user.
I think that it's the most appropriate solution. What kind of communication are you using? HTTP?
0
 
LVL 8

Author Comment

by:robthewolf
ID: 34225086
>>I think that it's the most appropriate solution.
I actually plan on using both.

>>What kind of communication are you using? HTTP?
I currently use TCP sockets through the java.net.Socket class.
I guess I should use SSL to send the passwords to avoid sending plain text.

My current system is all local so I don't bother with passwords or SSL for the moment. Any suggestions?
0
 
LVL 16

Accepted Solution

by:
Valeri earned 300 total points
ID: 34225503
>> I guess I should use ssl to send the passwords to avoid sending plain text.
I agree with you. Using SSL will provide the security you need.
Here is an example. The client implementation is also there.
http://www.exampledepot.com/egs/javax.net.ssl/Server.html

Another option is to encrypt your password somehow on the client side and to compare the encrypted password on the server side. If both encryptions are the same, it means the user has entered the right password; otherwise the user has entered the wrong password.
But I think that SSL is the better solution.
0
 
LVL 8

Author Comment

by:robthewolf
ID: 34225525
I had thought of that second solution, but if someone were listening and intercepted the encrypted password, then they could just send that, which would then pass the comparison on the server side. I am going to check out this example and let you know how it goes.
0
 
LVL 10

Assisted Solution

by:gordon_vt02
gordon_vt02 earned 200 total points
ID: 34232389
You could also try setting up two-way SSL (client and server authentication), even if you only use user-generated certs and not completely signed certs.  You would just need to maintain a list of the authorized certs on the server side and compare the cert presented by the client.
0
 
LVL 8

Author Comment

by:robthewolf
ID: 34233407
gordon,
if I understand you correctly, using SSL properly the client is authenticated by the certificate and there is no need for usernames and passwords.
0
 
LVL 10

Assisted Solution

by:gordon_vt02
gordon_vt02 earned 200 total points
ID: 34233550
Yep. The client would be issued a cert identifying them, either signed by a known authority (VeriSign is one) or generated by them with keytool, then signed by a local authority you stand up. Your server would need to have a list of authorized users, likely using the DN of the cert, and you would need to validate their cert's authenticity, then ensure that the DN was on the allowed users list.
0
 
LVL 10

Expert Comment

by:gordon_vt02
ID: 34233576
If you're already using a web container, I'm pretty sure almost all of them provide support out-of-the-box for two-way authentication.  If you're rolling your own server, I'm not sure exactly how to implement it, but I think there are methods available using JSSE and possibly the base java.net libraries.
0
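The two-way SSL setup described in the answers above, sketched with JSSE as an added example (not code from the thread or from any poster): the server requires a client certificate during the handshake, then checks the certificate's subject DN against an allowlist. The keystore file names, the `STORE_PASS` environment variable, port 8443 and the DN are assumptions for illustration.

```java
import javax.net.ssl.*;
import java.io.*;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Set;

public class MutualTlsServer {
    // Hypothetical allowlist of client subject DNs, in the RFC 2253 form getName() returns.
    private static final Set<String> ALLOWED_DNS = Set.of("CN=rob-client,O=Example,C=US");

    static KeyStore load(String path, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) { ks.load(in, pw); }
        return ks;
    }

    // Authorization step: chain validation has already happened in the handshake.
    static boolean isAuthorized(X509Certificate cert) {
        return ALLOWED_DNS.contains(cert.getSubjectX500Principal().getName());
    }

    public static void main(String[] args) throws Exception {
        char[] pw = System.getenv("STORE_PASS").toCharArray(); // assumed env var
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load("server-keystore.p12", pw), pw);   // server's own key and cert (assumed file)
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load("server-truststore.p12", pw));     // local CA or the client certs (assumed file)
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        try (SSLServerSocket server = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(8443)) {
            server.setNeedClientAuth(true); // handshake fails unless the client presents a trusted cert
            while (true) {
                try (SSLSocket s = (SSLSocket) server.accept()) {
                    s.startHandshake();
                    X509Certificate peer = (X509Certificate) s.getSession().getPeerCertificates()[0];
                    PrintWriter out = new PrintWriter(s.getOutputStream(), true);
                    if (!isAuthorized(peer)) { out.println("DENIED"); continue; }
                    out.println("OK " + peer.getSubjectX500Principal().getName());
                } catch (IOException e) {
                    // Covers failed handshakes, e.g. no client cert or an untrusted one.
                    System.err.println("rejected connection: " + e.getMessage());
                }
            }
        }
    }
}
```

The truststore decides which certificates are authentic and the DN allowlist decides which authenticated clients are allowed in; a client needs to pass both.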
 
LVL 8

Author Comment

by:robthewolf
ID: 34345812
I haven't had time to test the suggested solution yet. When I do (hopefully this week) I will close the question.
Sorry for the delay.
0
