Talking to the Windows Security Account Manager (SAM) in Java?


gbulla

Hello!

We have an application that runs under Tomcat and JSPs. We want to
authenticate the users' username and password against the Windows
platform's accounts. This is to prevent an outside web user from
changing program preferences (they can view, just not change).

For example, if a local computer (the one hosting the pages) with
Windows XP in standalone mode (no domain connection) has three
accounts, and two of those have Administrator privileges, we want to
make sure that the person using the application has permission to
change preferences. The login page on the browser would accept their
username and password and check it against the local computer's
Security Account Manager (SAM). If they have an account and the
password is correct and they are an Administrator, allow the changes.

We found a Java library that will talk to the Windows 2000 SAM called
Tagish, but that library does not work with any other version of
Windows. Note that we do not want to impose a domain controller
requirement.

Does anyone know how to talk to the Windows SAM, for example, Windows
XP's, using Java?

Thanks!
GB
(e-mail address removed)
 

Brandon McCombs

Hello!

We have an application that runs under Tomcat and JSPs. We want to
authenticate the users' username and password against the Windows
platform's accounts. This is to prevent an outside web user from
changing program preferences (they can view, just not change).

For example, if a local computer (the one hosting the pages) with
Windows XP in standalone mode (no domain connection) has three
accounts, and two of those have Administrator privileges, we want to
make sure that the person using the application has permission to
change preferences. The login page on the browser would accept their
username and password and check it against the local computer's
Security Account Manager (SAM). If they have an account and the
password is correct and they are an Administrator, allow the changes.

We found a Java library that will talk to the Windows 2000 SAM called
Tagish, but that library does not work with any other version of
Windows. Note that we do not want to impose a domain controller
requirement.

Does anyone know how to talk to the Windows SAM, for example, Windows
XP's, using Java?

Thanks!
GB
(e-mail address removed)


I don't think this is possible using the default Java packages (would be
easy with JNDI, Kerberos, and Active Directory) however take a look at
this to get some possibilities:
http://forum.java.sun.com/thread.jspa?threadID=765011&messageID=4367881

You do realize that by authenticating against a seemingly unknown system
(the user's very own workstation) you aren't making this very secure?
How can you trust their workstation? How do you know they didn't get
the admin password and create their own account with admin rights or
modify their existing account to have admin rights? Obviously grabbing
the admin password is possible even when using a Windows domain but it
is harder I think when compared to a single workstation. It also means
the user can only login (change privilege or not) from whatever
computers they have a local account on. That is a big limitation in my mind.


hope this helps
 

Luc The Perverse

Brandon McCombs said:
I don't think this is possible using the default Java packages (would be
easy with JNDI, Kerberos, and Active Directory) however take a look at
this to get some possibilities:
http://forum.java.sun.com/thread.jspa?threadID=765011&messageID=4367881

You do realize that by authenticating against a seemingly unknown system
(the user's very own workstation) you aren't making this very secure? How
can you trust their workstation? How do you know they didn't get the admin
password and create their own account with admin rights or modify their
existing account to have admin rights? Obviously grabbing the admin
password is possible even when using a Windows domain but it is harder I
think when compared to a single workstation. It also means the user can
only login (change privilege or not) from whatever computers they have a
local account on. That is a big limitation in my mind.


hope this helps

Not to mention I would be furious if I thought an application was extracting
my password. (Even if it wasn't) That is functionality for viruses, not
legitimate applications. As far as I am concerned any system which takes a
password should be as closed box as possible.

Many novice and unconcerned users (those who do not share a computer) have
no password at all on their windows accounts - you would need special case
for that.
 
G

gbulla

Hey fellows - Thanks for the feedback. I agree that it's easier w/ the
Domain Controller/AD and Kerberos. But we prefer not to impose this
requirement on the server, and we must also get accreditation for our
system - DC accreditation is much, much harder to get as it turns out.

After considering all the options (which are few), it appears that the
only sure way to do so is call the Windows32 function LogonUser. We've
found code in both C# and Visual Basic that does it (the VB example is
at http://support.microsoft.com/default.aspx?scid=kb;en-us;841699). The
example lacks the privilege level but we can add that. We can either
generate a command-line app in one of these languages and call it from
Java or try to call the Windows API function directly from Java: not
sure if doing the latter will be a problem or not within Java. We'll
probably go with the former.

Brandon, I am not completely sure what you mean by authenticating
against a seemingly unknown system? If you're saying it might be
unwise to let a remote user have Admin rights on a server, just to use
the app, but at the same time allowing them full access rights on that
computer can lead to mischief? If so, you have a point! Luc, you also
have a point. I'm not super familiar with security stuff, but I know
that there are crackers for Windows hashed passwords. Note that not many
folks will have Admin rights, but still, it's a concern... Perhaps we
will create a new user level and use that for the systems instead.

Thanks for the tips!
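The LogonUser route gbulla settles on can be taken directly from Java instead of shelling out to a C# or VB helper. The following is an added example (not code from the thread or from the Microsoft KB sample): it assumes the JNA library with its `jna-platform` module is on Tomcat's classpath, calls `LogonUser` against the local SAM (domain "."), and then inspects the returned token's group SIDs for BUILTIN\Administrators instead of trusting a group name. Authenticating against the local SAM this way only proves that the account exists on the server hosting Tomcat, as Brandon points out, and each failed call counts toward the account's lockout threshold.

```java
import com.sun.jna.platform.win32.Advapi32;
import com.sun.jna.platform.win32.Advapi32Util;
import com.sun.jna.platform.win32.Kernel32;
import com.sun.jna.platform.win32.WinBase;
import com.sun.jna.platform.win32.WinNT.HANDLEByReference;
import java.util.Arrays;

/** Example only (not from the thread): validate a local Windows account against the
 *  SAM with LogonUser and report whether it is a member of BUILTIN\Administrators. */
public final class LocalSamAuth {

    // Well-known SID of the built-in Administrators group. Using the SID rather than
    // the display name keeps the check correct on localized or renamed installs.
    private static final String ADMINISTRATORS_SID = "S-1-5-32-544";

    public enum Result { BAD_CREDENTIALS, USER, ADMIN }

    public static Result authenticate(String user, char[] password) {
        HANDLEByReference token = new HANDLEByReference();
        // "." selects the local machine's SAM (no domain controller involved).
        // LOGON32_LOGON_NETWORK is the cheapest logon type and does not require the
        // account to hold the interactive logon right on the server.
        boolean ok = Advapi32.INSTANCE.LogonUser(user, ".", new String(password),
                WinBase.LOGON32_LOGON_NETWORK, WinBase.LOGON32_PROVIDER_DEFAULT, token);
        Arrays.fill(password, '\0');  // do not keep the cleartext secret in memory
        if (!ok) {
            // Windows returns ERROR_LOGON_FAILURE for both "unknown user" and "wrong
            // password", so the caller cannot enumerate accounts through this path.
            return Result.BAD_CREDENTIALS;
        }
        try {
            // Group membership comes from the token LSA built, not from a lookup the
            // web application performs itself.
            for (Advapi32Util.Account group : Advapi32Util.getTokenGroups(token.getValue())) {
                if (ADMINISTRATORS_SID.equals(group.sidString)) {
                    return Result.ADMIN;
                }
            }
            return Result.USER;
        } finally {
            Kernel32.INSTANCE.CloseHandle(token.getValue());  // always release the token
        }
    }

    public static void main(String[] args) {
        // Usage: java LocalSamAuth <username> <password>
        System.out.println(authenticate(args[0], args[1].toCharArray()));
    }
}
```

On Windows 2000 the calling process additionally needs the SE_TCB_NAME ("Act as part of the operating system") privilege for LogonUser to succeed, which XP dropped; on Vista and later, UAC can return a filtered token for local administrators, so the group check should be verified on the target OS rather than assumed from XP behaviour.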