I have a Servlets/JSP based traditional Java MVC web application on Tomcat server, I want to implement PKI certificate based authentication. In which user doesn't have to provide the login credentials. Here is the basic requirements:
Admin issues the PKI certificate to the client,
Admin sends the PKI certificate to the client and adds it to the PKI Cert Store,
Client adds the certificate to the browser, and
Whenever client clicks on Login button on the application, the application fetches the browser certificate and authenticate the client from the PKI Cert Store.
Please suggest how to proceed with this kind of requirement.
First you set up SSL/TLS at the Tomcat server level.
Then you use a security framework at the webapp level to enforce the SSL client certificate (X.509) authentication requirement on specific URL paths (or patterns of) such as the login URL. One such commonly used library which allows flexible configuration of client certificate authentication is Spring Security, with which you can use either a XML configuration file or Java annotations in your webapp to get what you want. On the documentation link about X.509 authentication, you also have the necessary SSL setup instructions for Tomcat.
You may find another way to do client certificate authentication natively in Tomcat using some configuration in the webapp deployment descriptor (web.xml) and in Tomcat realm configuration (e.g. tomcat-users.xml), but it is quite tedious and far less flexible.
Related
I'm working on a very simple REST API using the Quarkus framework. I'd like to use client authentication, but after a few tries I eventually found the what I'm trying to achieve doesn't seem possible out of the box.
The API is dockerized and published on an azure app service environment. Unfortunately, I can't get the azure load balancer to talk to my app via SSL. Azure App Services passes the client certificate as a base64 payload in a header field dubbed X-ARR-ClientCert.
Maybe I'm missing some very important piece of knowledge here. Is there any way to leverage the TrustStore and Trust / accept the client certificate straight from the header field?
Should I implement my own Security Identity Provider for doing so
extracting the Certificate from the header
create a Security Identity instance
I want to host REST APIs over https. REST web services will be written in java probably using spring framework.
These web services will be accessed by java clients (not web browsers), probably using org.apache.http lib.
I am not getting clear picture of working with SSL certificates.
My questions are -
What configurations will be required to host REST web services over "https"?
What configurations will be required at client side for accessing these "https" URIs?
Do I need to buy trusted SSL certificate for REST server or open java keygen will do?
Do I need the same/different certificate copy on REST client too?
No particular configuration, you just need https activated.
No particular configuration, you just need to take care to use libs that check the certificate.
If you write the client, you can use a self signed one, and customize the client to check if it's your certificate. If anybody can write a client, it's better to have a publicly trusted certificate. WARNING : the free let's encrypt certificate are NOT trusted by java !
Why do you want a certificate on your client ?
Side note: if your API is publicly accessible, I strongly advise you do NOT redirect http to HTTPS but instead makes HTTP systematically answer an error. If you don't do so, a developer that use by mistake the http will NOT see the error and that will create security risks.
Please explain what, why and how of kerberos authentication. I am using spring 3+.
Also please elaborate on how to implement it in my java spring project.
There's an official Kerberos extension for Spring Security: http://projects.spring.io/spring-security-kerberos/
First step is to configure Spring Security for your project. Try that with for example a temporary in-memory authentication configuration, with some hardcoded users - just to check that the rest of the configuration is O.K.
Then, proceed with adding a Kerberos authentication provider, configuring the Spnego configuration and etc (everything is described in the documentation).
Check out the example (uses Java-based configuration, but it's easy to translate that to XML config): https://github.com/spring-projects/spring-security-kerberos/blob/master/spring-security-kerberos-samples/
And the documentation: http://docs.spring.io/spring-security-kerberos/docs/1.0.0.RC2/reference/htmlsingle/
I have tried to explain the what and how part of the Kerberos protocol in my blog at: Kerberos. Please feel free to checkout. A summary of the same is as follows:
Kerberos is s a trusted third-party authentication protocol designed for TCP/IP networks which is based on symmetric cryptography.
Kerberos provides encrypted transport and authentication using security tokens and secure session keys, in order to secure the communication between the client and the server.
The kerberos model basically consists of a kerberos server which authenticates the client and provides security tokens in order to interact with a ticket granting service or the TGS. The TGS then is responsible for authenticating this client for access to the actual server.
I have tried to describe it in a pictorial and step by step way in my blog.
I have a SAAS which services multiple customers and I want to be able to use client certificate to authenticate the different customers (different certificate for different customers). My services runs on Jetty 9 (not embedded). How do I do that?
If I use <auth-method>CLIENT-CERT</auth-method> I am also required to provide the LoginService in the Jetty configuration, but that doesn't make sense to me because I need to be able to write the authentication code based on the certificate.
I want to stress that I need to do the client authentication per customers, so this needs to be on the application level and not the Jetty level using the SSL setup.
According to the documentation, it looks like the LoginService is what you should use on the application level for the authorisation step.
I am looking for a Java based REST server which support following authentication mechanism. Also please let me know the best resources for the REST based authentication
Token
Certificate
Kerberos
Oauth
Open Id
I am an architect from WSO2... so my reply could be biased...
You can use the open source WSO2 Application Server to deploy your RESTful services and WSO2 Identity server has the support for 2-legged OAuth...
Thanks...
Partial answer for method 2) Certificate:
If you're planning on using certificates for authentication, I must assume that the API will be consumed by a limited number of trusted client applications. I've recently developed and deployed a REST API for internal use within an organization, and we use server-client certificates for authentication. This solution delivers a really high level of security, but is very impractical to use in an externally exposed API. This post gives some information: Java HTTPS client certificate authentication.
Any Java container should support these with either:
Apache / IIS as a reverse proxy deployed for SSO (Single Sign On)
Authentication plugins