usernames in windows domain

开发者 https://www.devze.com 2023-03-26 20:03 Source: Internet
I'm working on an app that uses Jespa to do transparent SSO. I'm using the NtlmSecurityProvider. In my code, when I get the username it looks like this: "DOMAINNAME\username"

e.g.

<% out.println(request.getRemoteUser()); %>

prints this: MYDOMAIN\myusername

Here's my question:

Will it always look like that, with the domain name and the username? Or is it just the way our user accounts in our domain are set up? Like, if I switched to a different Windows domain, could I potentially get just the username without the domain and the backslash?

Thanks!


I asked this question over on serverfault.com. I got a really good answer from Squillman. (Thank you!) Here it is:

"This is probably more a support question for the Jespa folks. The output is reliant on the behavior of their API.

In general, though, best practice for Windows is to always use DOMAIN\username format or username@domain format.

If you're worried about the format changing then I would suggest you write a class / method / utility that knows how to parse the results of getRemoteUser() and returns the parts to your app as you deem necessary. Then if it ever does change you only have to change one piece of code to fix your app."

I wrote a method to parse the results of getRemoteUser() like he suggested and it's working well so far.


This is highly configurable. See the account.canonicalForm property in The NtlmSecurityProvider Properties section in the Jespa Operator's Manual. You can make the username like BUSICORP\sbackus or sbackus@busicorp.local or just sbackus or whatever the browser supplied (no canonicalization).

For example, if you want getRemoteUser to return only the username and not the domain, set jespa.account.canonicalForm = 2 in the HttpSecurityService properties file. But in a multi-domain environment it might be rather important to use a qualified account name!
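
A parser of the kind suggested in the answers above, as an added example that is not from the original posts or from Jespa. The class name RemoteUser and its methods are hypothetical, and it assumes only that getRemoteUser() returns one of the three forms mentioned on this page (DOMAIN\username, username@domain, or a bare username).

```java
import java.util.Locale;

/** Added example: splits the value of getRemoteUser() into domain and user parts. */
public final class RemoteUser {
    public final String domain; // null when the name was not domain-qualified
    public final String user;

    private RemoteUser(String domain, String user) {
        this.domain = domain;
        this.user = user;
    }

    /** Accepts domain-backslash-user, user-at-domain, or a bare user; rejects anything else. */
    public static RemoteUser parse(String remoteUser) {
        if (remoteUser == null || remoteUser.isEmpty()) {
            throw new IllegalArgumentException("no authenticated user");
        }
        int slash = remoteUser.indexOf('\\');
        int at = remoteUser.lastIndexOf('@');
        String domain = null;
        String user = remoteUser;
        if (slash >= 0) {            // domain first, then a backslash, then the user
            domain = remoteUser.substring(0, slash);
            user = remoteUser.substring(slash + 1);
        } else if (at >= 0) {        // user first, then '@', then the domain
            user = remoteUser.substring(0, at);
            domain = remoteUser.substring(at + 1);
        }
        if (user.isEmpty() || user.indexOf('\\') >= 0 || (domain != null && domain.isEmpty())) {
            throw new IllegalArgumentException("malformed account name");
        }
        // Windows account and domain names compare case-insensitively, so normalise the case.
        return new RemoteUser(domain == null ? null : domain.toUpperCase(Locale.ROOT),
                              user.toLowerCase(Locale.ROOT));
    }

    /** Key for authorisation lookups: keeps the domain so same-named users in two domains stay distinct. */
    public String qualifiedName() {
        return domain == null ? user : domain + "\\" + user;
    }

    public static void main(String[] args) {
        // Constructed sample values in the three forms mentioned on this page.
        for (String s : new String[] {"MYDOMAIN\\myusername", "sbackus@busicorp.local", "sbackus"}) {
            RemoteUser r = parse(s);
            System.out.println(s + " -> domain=" + r.domain + " user=" + r.user);
        }
    }
}
```

The short form (BUSICORP) and the DNS form (busicorp.local) of the same domain come out as different strings, so map them to one value before using qualifiedName() as a key in access-control decisions.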
