// Listing 8-4 excerpt made a complete method; the lines above the if statement
// were not on this page and are reconstructed here
import java.lang.reflect.Method;

public class NTSystemIdentity
{
    // The domain we require the client to be attached to ("OURDOMAIN" is a placeholder value)
    static String expectedDomain = "OURDOMAIN";

    public static String getIdentity() throws ReflectiveOperationException
    {
        String rtrnString = null;
        // Uncomment to print every System property to System.out:
        // System.getProperties().list( System.out );
        // (the original listing also tests the os.arch property in this if statement)
        if ( System.getProperty( "os.name" ).startsWith( "Windows" ) )
        {
            // Using reflection, so this compiles and loads on non-Windows JVMs too
            Class<?> mNTS = Class.forName( "com.sun.security.auth.module.NTSystem" );
            Object nts = mNTS.getDeclaredConstructor().newInstance(); // one instance, reused below
            Method classMethod = mNTS.getMethod( "getDomain" );       // method name had stray spaces
            String domain = ( String )classMethod.invoke( nts );
            if ( domain != null ) domain = domain.toUpperCase();       // null-guard before toUpperCase
            classMethod = mNTS.getMethod( "getName" );
            String name = ( String )classMethod.invoke( nts );
            if ( name != null ) name = name.toUpperCase();
            System.out.println( "Domain: " + domain + ", Name: " + name );
            if ( ( name != null ) && ( !name.equals( "" ) ) &&
                 ( domain != null ) &&
                 domain.equalsIgnoreCase( expectedDomain ) )
            {
                rtrnString = name;
            } else {
                System.out.println( "Expecting domain = " + expectedDomain );
                System.out.println( "User " + name + " must exist in Oracle" );
            }
        }
        return rtrnString;
    }
}
The if statement tests two properties of System to assure that our OS architecture (the os.arch system property) and OS name (the os.name system property) are consistent with a Windows client. To see all the properties of System, you can uncomment the top line of code. Calling the list() method of a Properties object will "print" the properties to an output stream, System.out in our case.
The Expected Domain
In our identity code in Listing 8-4, we also get the Windows domain name from the NTSystem.getDomain() method. This must match the expectedDomain that we have hard-coded.

Assume that our application code needs to get to resources on our organizational network, like Oracle databases; we should have a high threshold that client machines must cross before being allowed access to our corporate network. We do this with a NAC system. Part of NAC supervision is assuring that our clients are connected to our corporate domain services (Active Directory). The user would have to be logged into our domain to get network access.

If our network is not protected by NAC that assures our domain, then another avenue of attempted spoofing might be available. A hacker might set up her own domain with an imposter user identity (she may be posing as one of us), and have our code get the spoofed ID from her domain by NTSystem.

We avoid that potential issue, even if we have NAC, by requiring that the client computer be attached to our corporate domain. That is, NTSystem must return our expected domain name, or we don't accept the claim of user identity.
Note: On a stand-alone system, the domain name may equal the system name alone.
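As an added example (not code from the book), here is the acceptance rule from Listing 8-4 factored out of the reflection call so it can be exercised on any JVM against constructed domain/name pairs, including an imposter domain and the stand-alone case from the note; the domain name CORP and the sample values are assumptions.

```java
import java.util.Arrays;
import java.util.List;

/** Added example: the domain check from Listing 8-4, separated from the
 *  NTSystem reflection code so it can be run with constructed input anywhere. */
public class DomainCheckDemo
{
    /** The corporate domain we insist on; "CORP" is a placeholder, not a value from the book. */
    static final String EXPECTED_DOMAIN = "CORP";

    /**
     * Returns the upper-cased user name when the claimed identity is acceptable,
     * otherwise null. Same tests as Listing 8-4: non-empty name, non-null domain,
     * and domain equal (ignoring case) to the expected corporate domain.
     */
    static String acceptIdentity( String domain, String name, String expectedDomain )
    {
        if ( name == null || name.trim().isEmpty() ) return null;                          // no user name claimed
        if ( domain == null || !domain.equalsIgnoreCase( expectedDomain ) ) return null;  // missing or foreign domain
        return name.toUpperCase();
    }

    /** Constructed (domain, name) pairs a client might report through NTSystem. */
    static final List<String[]> SAMPLES = Arrays.asList(
        new String[] { "corp",     "jdoe" },   // member of our domain, lower case from the API
        new String[] { "CORP",     "" },       // right domain, but no user name
        new String[] { "EVILCORP", "jdoe" },   // imposter domain claiming one of our user names
        new String[] { null,       "jdoe" },   // NTSystem returned no domain at all
        new String[] { "JDOE-PC",  "jdoe" }    // stand-alone machine: domain equals its own host name
    );

    public static void main( String[] args )
    {
        for ( String[] s : SAMPLES )
        {
            String accepted = acceptIdentity( s[0], s[1], EXPECTED_DOMAIN );
            System.out.println( "domain=" + s[0] + " name=" + s[1] + " -> "
                + ( accepted == null
                    ? "REJECTED (expecting domain " + EXPECTED_DOMAIN + ")"
                    : "accepted as " + accepted ) );
        }
    }
}
```

Only the first pair is accepted; the stand-alone machine is rejected because its domain is its own host name, not the corporate domain, which is the behaviour the note above describes.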