I have implemented a simple Java web application with Tomcat realm authentication (custom FORM authentication). Now, I'm trying to add a second authentication page for the user (two-factor authentication; I'm using Google Authenticator). As far as I can tell from the Tomcat documentation, we can specify only one login-config.
I tried adding a filter and also tried managing whether the user has finished the Two-Factor authentication manually with session and tokens.
Is there a way to add the second authentication in the web.xml or the server.xml? Tomcat should then handle whether the user has finished both authentications.
Thanks in advance.
Tomcat only starts one login process. That process may decide to ask the user for more than one credential, but Tomcat is not aware of it.
So, you should create a filter and/or login servlet that handles authentication for the tomcat container. That filter/servlet (combination) must prompt for all desired credentials.
If you do not use a framework for your application that already has an authentication layer, you are essentially writing your own 2FA implementation.
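As an added example (not the asker's code or Tomcat's), one shape the filter mentioned above can take: Tomcat's FORM realm still handles the first factor, and a Filter mapped to /* in web.xml refuses to serve anything else until the session records a completed TOTP step. The session attribute name, the /2fa challenge path and the /logout path are assumptions; the servlet behind /2fa that checks the Google Authenticator code calls markVerified once the code is accepted.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Runs after Tomcat's FORM realm login; blocks everything until the second factor is done. */
public class SecondFactorFilter implements Filter {
    static final String VERIFIED_ATTR = "secondFactorVerified"; // hypothetical session attribute
    static final String CHALLENGE_PATH = "/2fa";                // hypothetical TOTP challenge page

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // No container principal yet: Tomcat's own login-config still owns this request.
        if (request.getUserPrincipal() == null) {
            chain.doFilter(req, res);
            return;
        }
        HttpSession session = request.getSession();
        boolean verified = Boolean.TRUE.equals(session.getAttribute(VERIFIED_ATTR));
        String path = request.getRequestURI().substring(request.getContextPath().length());

        // Second factor done, or the user is on the challenge/logout page itself: pass through.
        if (verified || path.equals(CHALLENGE_PATH) || path.equals("/logout")) {
            chain.doFilter(req, res);
            return;
        }
        // First factor only: never serve application content, send to the TOTP challenge.
        response.sendRedirect(request.getContextPath() + CHALLENGE_PATH);
    }

    /** The /2fa servlet calls this after the submitted TOTP code checks out. */
    public static void markVerified(HttpServletRequest request) {
        request.changeSessionId(); // Servlet 3.1+: fresh session id on privilege step-up
        request.getSession().setAttribute(VERIFIED_ATTR, Boolean.TRUE);
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```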
I have multiple web applications running in different domains. Okta is the identity/auth provider for all these applications. After integrating with Okta in one of the applications (following the Java example provided in the Okta documentation), a new cookie (sid) is being created in the Okta domain (https://developer.okta.com/docs/reference/api/sessions/).
How do I use this to SSO into the other web applications? What is the best approach to allow access to the other applications without prompting for login credentials again?
Do I need to invoke the getCurrentSession API in every application and redirect to the login page only if the API response is 404 (as per the doc, getCurrentSession will retrieve the current active session based on the Okta cookie)?
Please share thoughts.
It all depends on how you integrate your apps: redirect to Okta or use the Okta widget. If you redirect, it's pretty much guaranteed that you'll have zero issues authenticating in your second app, as the redirect from the second app will send the sid cookie back to Okta, which was set while authenticating with your first app.
With the widget things may become a bit complicated, as it depends on 3rd-party cookies. The okta-auth-js GitHub repo has some examples of how you can check whether a session exists with Okta when you are trying to authenticate a user. Check https://github.com/okta/okta-auth-js#third-party-cookies
I created an Angular application that exposes a RESTful API and uses Spring Security (with LDAP), using this post as a reference, and I managed to get it to work. The only problem is that if the server application (where Spring Security is configured) is restarted, all users are logged out, but if a user leaves their browser page open they can navigate through the screens without a problem until they do something that requires access to the server.
So my question is: is there a way to automatically log out the user or re-authenticate them when a server restart is detected (and how would one go about detecting such an event)?
To re-authenticate the user:
You need a stateless/sessionless API; consider using token-based authentication, which Spring Security OAuth has. If you really need sessions, save them in the database, not on your application server; Spring Session has this.
To automatically log out:
The easy way is that if your Angular app tries to access the server and receives 401 forbidden from the server, then redirect the user to the login page or a login popup window. The user is automatically logged out when the server is restarted; it's just that the client/Angular isn't aware of it.
I managed to tackle this issue by implementing an interceptor as described in this post. I also implemented an $interval to detect that the user is unauthorised as soon as possible.
We are using the Spring 3 framework and we have an SSO (single sign-on) provider which redirects to our app, passing special tokens in the request to indicate that the user is authenticated.
I would like to use Spring security to handle stuff like denying access to pages unless the user is authenticated, but I'd also like to be able to bypass this on my local machine while developing the application.
So in the production scenario, I expect the SSO to redirect to our app, specifically to a "/login.html" target, which is supposed to somehow trigger a custom class I write to pull the expected login info from the request, load the user's info from our database, and put it in the session for the rest of the app to use.
Then in the development scenario I need to bypass SSO by just being able to create a session using a custom login page and then load the user's info from the database just as above.
I am trying to figure out how to do it myself but I can't seem to wrap my head around all of it.
Any info on how to accomplish this, even just a high-level kind of road map, would be a huge help.
If you write a custom AuthenticationProvider for Spring Security to authenticate with your SSO provider, then you could have two Spring Security configurations: one that wires up your custom AuthenticationProvider for production and one for development that uses a standard authentication provider.
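As an added example (not the asker's or Spring's own code) of the production half of that idea, using the Spring Security 3 pre-authentication API: a filter mapped to /login.html lifts the SSO token out of the request, and a custom AuthenticationProvider verifies it and loads the user from the database. SsoTokenVerifier and the ssoToken parameter name are assumptions; the filter still needs its AuthenticationManager set in the production config, while the development config registers a standard provider and login form instead.

```java
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

/** Hypothetical: checks the SSO token's signature and expiry; returns the user it names, or null. */
interface SsoTokenVerifier { String verifiedSubjectOf(String token); }

/** Mapped to /login.html: turns the SSO provider's token into a pre-authenticated request. */
class SsoTokenFilter extends AbstractPreAuthenticatedProcessingFilter {
    static final String TOKEN_PARAM = "ssoToken"; // hypothetical parameter name sent by the SSO

    @Override
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
        return request.getParameter(TOKEN_PARAM); // null: no token, the filter leaves the request alone
    }

    @Override
    protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
        return "N/A"; // the token itself is the credential; nothing else to carry
    }
}

/** Production-only provider: verifies the token, then loads the user's record from our database. */
public class SsoTokenAuthenticationProvider implements AuthenticationProvider {
    private final SsoTokenVerifier verifier;
    private final UserDetailsService users; // our DB-backed UserDetailsService

    public SsoTokenAuthenticationProvider(SsoTokenVerifier verifier, UserDetailsService users) {
        this.verifier = verifier;
        this.users = users;
    }

    @Override
    public Authentication authenticate(Authentication auth) throws AuthenticationException {
        String subject = verifier.verifiedSubjectOf((String) auth.getPrincipal());
        if (subject == null) throw new BadCredentialsException("SSO token rejected");
        UserDetails user = users.loadUserByUsername(subject); // throws UsernameNotFoundException
        return new PreAuthenticatedAuthenticationToken(user, auth.getCredentials(), user.getAuthorities());
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return PreAuthenticatedAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```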
I have a couple of Java-based web applications developed. Both the applications have separate Authentication logic based on some ActiveX directory implementation.
Now, I need to change this to Windows authentication so that whenever the user hits the URLs of my web applications, instead of redirecting him to a login page I need to check his Windows credentials.
I do not want to store his Windows credentials in the URL.
Is there any good way to do this?
Depending on the level of integration you want your web application to have, Spring Security should have you covered in just about all aspects of what you are after.
If redirecting to a login page and authenticating the entered credentials against an Active Directory server via LDAP is acceptable, then the LDAP extension is the way to go.
If you want more of a Single Sign On (SSO) flow and your users are already authenticated against the authoritative Active Directory server in question (e.g. they are logged in to the domain), then the Kerberos plugin for Spring Security may be more appealing, since your users will simply have to go to the web application and won't have to go through any other authentication steps. The systems will take care of it behind the scenes.
You can also combine / layer these approaches if you wish, and try Kerberos-based authentication first and, if that falls through, fall back to a login form and LDAP-based authentication.
If you need to go beyond that, Spring Security is flexible enough to allow you to use OpenID or in-app authentication as well if needed.
I'd recommend using Active Directory to expose its Windows authentication layer over LDAP, which can then be hit by something like Spring Security.
This would effectively force anyone using your application to use their Windows login.
I'm trying to use a custom JAAS authentication module for a web-based application hosted on JBoss 5.1.0.GA. Everything seems to be working fine until the number of users increases and sessions (so I think) start getting mixed.
The reason I'm using the custom JAAS is because of a custom authentication backend and the need to pass back the password for further usage in the application.
When I call request.getUserPrincipal in servlets I get an object of type SimplePrincipal instead of my custom principal. To get the user I'm using SecurityAssociation.getSubject().getPrincipals() and suspect that at this point I'm getting the incorrect principal.
What's the correct way to implement a custom login module and retrieve the logged-in Principal on the web layer (servlets) on JBoss?
EDIT:
The problem exists on the EJB layer, https://issues.jboss.org/browse/EJBTHREE-1756
Ref:
http://stuffthathappens.com/blog/2008/05/16/writing-a-custom-jaas-loginmodule/
http://community.jboss.org/wiki/SecurityJAASLoginModule
http://community.jboss.org/message/531986#531986
http://download.oracle.com/javase/1.4.2/docs/guide/security/jaas/JAASLMDevGuide.html
http://community.jboss.org/thread/44388
http://docs.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/5/pdf/Security_Guide/JBoss_Enterprise_Application_Platform-5-Security_Guide-en-US.pdf
I couldn't get the LoginModule with my custom principal working. I created a Tomcat valve that encrypts and pushes the password to the HttpSession. Other servlets will retrieve and decrypt the password.