I am trying to create a java servlet application that requires client certificate authentication, but only on specific pages. I would like to have a landing page that doesn't require any sort of authentication which will have a link/button to go to a page that does require authentication. Is there a way to do this?
I am using OpenLiberty as the servlet container. I am familiar with using ClientAuthenticationSupported="true" (in server.xml), but I do not want the user prompted to select a certificate until they reach a certain page. I have also looked at HttpServletRequest, but don't see a way to force a specific type of authentication with the available methods.
I want the user to be prompted like they would be visiting prod.idrix.eu/secure. Is there a way to set a servlet's authentication type programmatically to accomplish this? Any help would be appreciated. I think this can be done using two different applications (one that does not require authentication and one that does), but I would like to keep it all as one.
Thanks.
In web.xml you can specify security-constraints that will include URL patterns for the pages that should be protected. You can also configure <login-config> to use the CLIENT-CERT authentication method.
In the server.xml then you configure your user registry and mapping between cert and user. More details here - https://www.ibm.com/docs/en/was-liberty/base?topic=liberty-ldap-certificate-map-mode
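An added example (not part of the answer above, and not Liberty's or the questioner's code) of what a servlet under the protected URL pattern sees once the web.xml described above is in place: a security-constraint on /secure/* with an auth-constraint and a CONFIDENTIAL user-data-constraint, a <login-config> of CLIENT-CERT, and a Liberty registry that maps certificates to users. The servlet name, the /secure/whoami path and the javax.servlet (Java EE 8) package are assumptions; on a Jakarta EE 9+ Liberty feature set the imports are jakarta.servlet. The point worth knowing: the container does the TLS client-auth handshake and the user mapping, the standard request attribute javax.servlet.request.X509Certificate carries the chain, and the code only re-checks that all of that actually happened before serving anything. Whether the browser is asked for a certificate only when /secure is reached, or already on the first TLS handshake, depends on the TLS/connector configuration, not on this code.

```java
package example.cert;

import java.io.IOException;
import java.security.cert.X509Certificate;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical servlet behind the /secure/* security-constraint. The container has
 * already performed CLIENT-CERT authentication and mapped the certificate to a
 * registry user; this servlet verifies that and reports what it received.
 */
@WebServlet("/secure/whoami")
public class WhoAmIServlet extends HttpServlet {

    // Standard servlet-spec attribute: the X509Certificate[] chain from the TLS handshake.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Defence in depth: if this URL is ever left out of the security-constraint, or the
        // app is reached over a connector without client auth, refuse rather than serve.
        if (req.getUserPrincipal() == null
                || !HttpServletRequest.CLIENT_CERT_AUTH.equals(req.getAuthType())) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate authentication required");
            return;
        }

        X509Certificate[] chain = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        if (chain == null || chain.length == 0) {
            // Authenticated by some other means (e.g. a cached session) but no certificate on this request.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "no client certificate on this connection");
            return;
        }

        // chain[0] is the end-entity certificate the client presented.
        X509Certificate leaf = chain[0];
        resp.setContentType("text/plain;charset=UTF-8");
        resp.getWriter().printf("user=%s%nsubject=%s%nissuer=%s%nserial=%s%n",
                req.getUserPrincipal().getName(),
                leaf.getSubjectX500Principal().getName(),
                leaf.getIssuerX500Principal().getName(),
                leaf.getSerialNumber().toString(16));
    }
}
```

The landing page itself needs no code: simply leave it outside every <url-pattern> in the security-constraint and the container will not challenge for it.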
I have a web application running on Tomcat 7 and it is configured with a custom JNDIRealm and my login-config auth-method in my web.xml is set to "FORM".
I am trying to find a way to add the ability to authenticate users through the same LDAP with a smart card, if presented.
I have changed my server.xml to have clientAuth=want, but want to know if there is a way to authenticate the user when a certificate is presented via the LDAP and then re-direct them past the login form. Is this possible?
EDIT: Michael-O below was marked as the right answer because I was able to achieve this by creating a custom class that extends FormAuthenticator and then registering that in Tomcat's authenticator.properties. This allowed me to check for an X509 cert from the client in the request. If the cert is present and valid, authenticate and forward the user to the secured resources page. If not present or invalid, forward the user to the form login.
You obviously do not know what you want or what technologies you are actually using. Smartcard authentication is mutual SSL authentication. So you first need to configure Tomcat to accept SSL-based authentication. Your realm will receive the X509 certs and will try to find your DN in your data store. The store can be anything, database, files, directory, etc.
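An added example (not the questioner's class, nor Tomcat's own code) of the authenticator the EDIT above describes: a FormAuthenticator subclass that first looks for a client certificate and asks the configured realm (the JNDIRealm here) to map it, falling back to the normal form login when no certificate is present or the realm does not know it. It assumes Tomcat 8.5 or 9, where the overridable hook is doAuthenticate; on Tomcat 7 the corresponding method is authenticate(Request, HttpServletResponse) with the same body, so check the version in use. It also assumes the connector has clientAuth="want" as the question states, so the certificate arrives as the standard javax.servlet.request.X509Certificate attribute. The class and package names are assumptions.

```java
package example.auth;

import java.io.IOException;
import java.security.Principal;
import java.security.cert.X509Certificate;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.authenticator.FormAuthenticator;
import org.apache.catalina.connector.Request;

/**
 * Hypothetical Tomcat authenticator: client certificate when one was presented in the
 * TLS handshake (clientAuth="want"), otherwise the ordinary FORM login.
 */
public class CertOrFormAuthenticator extends FormAuthenticator {

    // Standard servlet-spec attribute; Tomcat fills it from the TLS handshake on request.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    @Override
    protected boolean doAuthenticate(Request request, HttpServletResponse response)
            throws IOException {
        // With cache="true" (the default) Tomcat already restored the principal of an
        // authenticated session onto the request; nothing more to decide in that case.
        if (request.getUserPrincipal() == null) {
            X509Certificate[] certs = (X509Certificate[]) request.getAttribute(CERT_ATTR);
            if (certs != null && certs.length > 0) {
                // Realm.authenticate(X509Certificate[]) is the same entry point the
                // CLIENT-CERT authenticator uses: the realm (JNDIRealm) maps the
                // certificate subject to a directory user and returns its principal.
                Principal principal = context.getRealm().authenticate(certs);
                if (principal != null) {
                    // Records the principal on the request and in the session exactly
                    // as a successful form login would, so later requests are cached.
                    register(request, response, principal,
                            HttpServletRequest.CLIENT_CERT_AUTH, null, null);
                    return true;
                }
                // A certificate the realm does not recognise is not an error here:
                // fall through and let the user try the form instead of failing hard.
            }
        }
        // No certificate (or not mapped): standard FORM behaviour, including the
        // redirect to the login page and the replay of the original request afterwards.
        return super.doAuthenticate(request, response);
    }
}
```

Two ways to wire it in: keep <auth-method>FORM</auth-method> in web.xml and declare the class as a <Valve className="example.auth.CertOrFormAuthenticator"/> inside the webapp's <Context> (Tomcat does not auto-add its own authenticator when one is already in the pipeline), or, as the questioner did, map a new auth-method name to the class in authenticator.properties and use that name in <login-config>. Either way the realm still needs the certificate's subject to resolve to a directory entry, which is the mapping Michael-O's answer is about.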
I have a java web application running on tomcat, and will use single sign on (against an Active Directory) for authentication.
What I want to accomplish is, that only certain pages in the web app are allowed to be the first "landing page" in the site.
The use case is that one may point the browser to index.jsp, and then be authenticated behind the scenes, and then be forwarded to some_content.jsp.
However, if I point the browser directly to some_content.jsp, I want the request to be denied, somehow, and NOT authenticated behind the scenes.
To rephrase, if I go to some_content.jsp first, without already being authenticated, I do not want authentication to happen, even though I have SSO set up.
Is it a matter of some fairly simple security-constraint, or what could a solution be? I am looking for a solution that can be configured, rather than adding code.
Thanks a lot!
This won't work with container managed security. The only method to have a concrete login-entry-point with container-managed auth like in Tomcat is FORM auth. I use SPNEGO auth myself and Tomcat will perform it on any URL if it is denoted as protected. So a routing login page is not possible unless you write a custom authenticator.
We've configured Liferay to use CAS. However, it only works when you click the sign in link in the top right. The standard login portlet where you enter your username/password does not go against CAS. We would like to have this portlet use CAS, which I'm assuming would be via the proxy method.
Any ideas on how to accomplish this? I figured this would be an out-of-the-box sort of functionality once you enable CAS within Liferay, but it appears to not be.
Thanks!
One of the main advantages for using any SSO solution (like CAS) is that the single applications don't ever get access to your password - it's solely in the realm of the SSO solution to handle this.
My advice is to remove the standard login portlet from the page instead of changing it to go to CAS. You can add a link to the CAS login page if you want, but you don't need the login portlet for that.
I have a service on Tomcat available at the following domains:
sub1.domain1.com
sub2.domain1.com
sub1.domain2.com
sub2.domain2.com
Now I need transparent authorization (Spring Security) for domain1. If a user logs in to sub1.domain1.com he is authorized on sub2.domain1.com too.
This can be done with Tomcat's setting
sessionCookieDomain=".domain1.com"
But now authorization on sub1.domain2.com doesn't work at all because the JSESSIONID cookie domain is always set to ".domain1.com".
How could I make tomcat use only second level of current domain for the cookies?
The simple answer is that there is no simple answer. Essentially you need a primary login site, and a scheme whereby secondary sites get to set cookies for their domain that clone the primary site's session token. Implementing this is complicated.
Two possible SSO technologies are Shibboleth and JASIG CAS.
For more details, refer to the answers to Single Sign On across multiple domains
What if I somehow overload cookie creation and set .domain1.com and .domain2.com where required?
If foo.domain1.com tries to set a cookie with path .domain2.com or anything.domain2.com, the browser will ignore it for security reasons. You have to go through a complex dance of redirections to set the cookies on both domains. Read the question / answers I linked to (above) for more details.
My web app has a secure area which users log in to via a JSP. The JSP posts the user name and password to a servlet, which then checks to see if the users credentials are valid. If they are valid then the user is directed to the secure resource. How can I ensure that users can't just navigate to the secure resource without validating first?
A common approach is to set a token in the user's session i.e.,
session.setAttribute("loggedIn", "true");
or even
session.setAttribute("loggedInUser", "someUserName");
and check that on any page that should be secured. A good strategy is to perform the check using a servlet filter that you attach to any page to be secured. If they don't pass the check, the filter can redirect to the login page. Also see here: http://java.sun.com/products/servlet/Filters.html
This is a good article on using filters for authentication also: http://www.developer.com/java/ent/article.php/3467801
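An added example (not the answer's own code) of the filter approach it recommends, written against javax.servlet (Servlet 3.x/4.0, e.g. Tomcat 9; on Tomcat 10+ the package is jakarta.servlet). The filter guards everything under /secure/* by looking for the session attribute; the login servlet is the part that sets it, and it shows the two details the answer's one-liner leaves out: the attribute is set only after the credential check succeeds, and the pre-login session is thrown away first so an attacker cannot plant a session id (session fixation). The names (LoginCheckFilter, LoginServlet, /login, /login.jsp, /secure/), the single demo user and its salt are constructed for the example; a real application reads the salt and hash from its user store.

```java
// LoginCheckFilter.java  -- gate for everything under /secure/
package example.auth;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebFilter("/secure/*")
public class LoginCheckFilter implements Filter {

    /** Session attribute that LoginServlet sets only after a successful credential check. */
    public static final String USER_ATTR = "loggedInUser";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false): do not create a session just to discover that there is none.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(USER_ATTR) == null) {
            response.setHeader("Cache-Control", "no-store");
            response.sendRedirect(request.getContextPath() + "/login.jsp");
            return; // never call chain.doFilter() on the failure path
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}

// LoginServlet.java  -- target of the login JSP's POST
package example.auth;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Map;

import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    // Constructed demo store: one user with a salted PBKDF2 hash (real apps keep this in a database).
    private static final byte[] DEMO_SALT = "demo-salt-not-for-production".getBytes(StandardCharsets.UTF_8);
    private static final Map<String, byte[]> DEMO_USERS =
            Map.of("alice", pbkdf2("correct horse battery staple".toCharArray(), DEMO_SALT));

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException {
        String user = request.getParameter("username");
        String password = request.getParameter("password");
        if (user == null || password == null || !credentialsValid(user, password)) {
            response.sendRedirect(request.getContextPath() + "/login.jsp?error=1");
            return;
        }
        // Session fixation defence: discard whatever session id the browser arrived with
        // and mark only the freshly created session as logged in.
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        request.getSession(true).setAttribute(LoginCheckFilter.USER_ATTR, user);
        response.sendRedirect(request.getContextPath() + "/secure/");
    }

    private static boolean credentialsValid(String user, String password) {
        byte[] expected = DEMO_USERS.get(user);
        if (expected == null) {
            return false;
        }
        // MessageDigest.isEqual compares in constant time, so a near-miss hash does not leak by timing.
        return MessageDigest.isEqual(expected, pbkdf2(password.toCharArray(), DEMO_SALT));
    }

    private static byte[] pbkdf2(char[] password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

A @WebFilter mapping applies to the REQUEST dispatcher only by default; if the secured JSPs are also reached by forward, add dispatcherTypes = {DispatcherType.REQUEST, DispatcherType.FORWARD} to the annotation, and never rely on a check inside each JSP.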
What about using the security-constraint in your web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>Secure</web-resource-name>
<url-pattern>/secure/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<!-- role name is an example; use a role your realm actually assigns -->
<role-name>user</role-name>
</auth-constraint>
</security-constraint>
Make sure people always access your app through a single servlet, where the servlet dispatches the request to a JSP, and returns the resulting response to the browser. This way you will always be in control of what happens because there is a single entry point.
A different approach is to have a session variable (server side, or even in a cookie) which gets checked by each and every JSP which requires authentication.
Security is really hard to get right. Much more than you would usually think. The use of a framework (Acegi comes to mind), or the standard <security-constraint> section of web.xml as LenW pointed out is a must! At least use a filter to handle the authorization part of your security.
I don't really like the solution of using a single point of entry (as suggested by Rolf). It seems to me like an artificial constraint put on your architecture. And there are a lot of good reasons to have multiple servlets in a webapp.
Whatever you do, don't use a technique where you rely on manual code on every page (like: every JSP beginning with "if user_authentified ..."). You will forget to put it somewhere ...