We are developing a Java based product. We need to make the authentication part to fit for major authentication services, like LDAP, OpenID, Oauth2, SAML. The idea is, when we deploying the product for a company who is having LDAP, our product should be able to cater it. If the company has OAuth2, then our product should be able to cater that as well.
I want to know, what are the better approaches and tools. I'm looking for a open source solution which support all these protocols in one place. Please share the knowledge.
I'd suggest Spring Security. It is completely independent to the Spring Core framework and with some simple configuration and some additional libraries (also developed by the same team), you can get a simple solution for most of the popular authentication methods.
With a couple of annotations, you can configure which methods or endpoints you want secured either.
You can create spring profiles, who decide which authentication method to be used.
Simple approach is to use an IAM (identity and access management) solution. Kecloak is a good open source one (and is written in java but you shouldn't mind).
By the way, your question is off-topic (recommending software or tools). Post it here
You need to separate out Identity repositories and Identity protocols.
LDAP and AD are repositories.
OpenID, OAuth2, SAML are protocols.
You need an IAM system that handles all the protocols and sits on top of the repositories.
For your product to talk to your IAM, you need a protocol stack in your product e.g. for SAML.
You then federate your IAM with other vendors e.g. if a vendor comes along and wants to authenticate with their AD, they would install ADFS and then ADFS federates with your IAM system.
So the logical flow goes:
User --> authenticate on their IAM --> trusted by your IAM --> access to your application granted.
You could also look at Identity as a Service e.g. Azure AD, Auth0, Okta etc.
Related
I am about to start developing a REST service and security is an important aspect of this project but I can't find some definitive information on how to implement it. My service will be consumed by an Android App at first, but could be used by other platforms later. Controlling user access is critical, so Authorization and Authentication control of the REST services is very important.
Although I can find topics on how to make a secure REST API, like here, here and this big one here, to my surprise, all of them fail to point to a famous standard or framework or time tested solution, which usually is the "way to go" in securing software applications, where we avoid as much as we can to "roll your own security solution".
So far on my research I think OAUTH 2.0 (or even OAUTH 1.0) is the best way to go, it's a public widely used protocol and supports Authorization and Authentication and we can control the lifetime of keys and even have a special refresh key allowing the client to not store password information for acquiring a new key if needed.
I also think Apache Shiro is the best framework for Security, Authorization and Authentication in java, so it comes to a surprize for me when I can't find any integrations between Shiro and OAUTH 2.0...ok there is one that's 5 years old, and doesn't inspire much trust to me.
Even more curious is the fact that Les Hazlewood, the Apache Shiro PMC Chair, owns (ok, owned, he just sold it to Okta) Stormpath, a company made for Identity and User Management, so I would expect him to have provided some easy integrations between OAUTH 2.0 and Shiro, unless this would disrupt Stormpath business plan too much I guess (which I don't believe, since the Apache Foundation won't allow this kind of behavior).
So the final questions are:
1 - Are there any easy integrations between Shiro and OAUTH 2.0 or will I have to code my own?
2 - Does everyone implement their own OAUTH 2.0 solution for dealing with REST APIs access control or am I missing something?
I know the Buji project uses Shiro and supports Oauth2. I haven't used it, but you can check it out.
You definately don't need to code your own. There's some great java libraries and apps that you can use for oauth2 and you can choose from a low level library that you use to build your own oauth2 server up to a full featured standalone openid connect server.
Spring security provides oauth2 that you can use to embed an oauth2 server in your application. A tutorial is available at http://www.baeldung.com/rest-api-spring-oauth2-angularjs.
There's mitreid openid connect https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server, which has a war overlay that you can use to add a user and client admin app into your webapp.
Keycloak (https://www.keycloak.org/) provides a full featured standalone openid connect server.
I have a Jersey based server that I want to secure with OAuth 2.0. There are two paths that I've seen as common:
Oltu - Is compatible with Jersey and seems to be supported, although not as well as Spring Security. This 2012 question seems to suggest this is the way to go, but I want confirmation on a 2016 context so I son't implement something not as well supported anymore.
Spring Security - It seems to be very popular, but this path implies changing the server into a Spring based MVC. I don't know if that is something recommendable based on the benefits of using something as widely supported as Spring and the cost of the refactoring.
With support I mean a project that is in continous development, well established community with tutorials, materials and some libraries for clients (web, mobile, server) already available.
Which one is a stronger option? Is there another option or options?
In any case. Is there a good reference material or tutorial to start implementing this?
UPDATE
After few hours of reading and understanding about both the OAuth Providers I had mentioned, I feel Apache Oltu's documentation did not guide me much as there are key components that aren't documented yet, but an example gave me a better picture on how Oltu must be implemented. On the other hand, going through Spring Security's material I got to know that it can still be built on a non-Spring MVC based java project. But there is a limited exposure of implementations/tutorials on Spring Security on a non-Spring based project.
Another approach:
I came up with an architecture that might be more stable and would not care about the implementation details of the inner server(the one already implemented using Jersey). Having a server that is dedicated for security purpose (authorizing, authenticating, storing tokens in its own database, etc) in the middle that acts like a gateway between the outside world and the inner server. It essentially acts a relay and routes the calls, back and forth and ensures that the client knows nothing about the inner server and both the entities communicate with the security server only. I feel this would be the path to move forward as
Replacing with another security provider just means plugging out the security server implemetation and adding the new one.
The security server cares nothing about the inner server implementation and the calls would still follow the RESTful standards.
I appreciate your suggestions or feedbacks on this approach.
Apache Oltu supports OpenID Connect but its architecture is bad. For example, OpenIdConnectResponse should not be a descendant of OAuthAccessTokenResponse because an OpenID Connect response does not always contain an access token. In addition, the library weirdly contains a GitHub-specific class, GitHubTokenResponse.
Spring Security is famous, but I'm afraid it will never be able to support OpenID Connect. See Issue 619 about the big hurdle for OpenID Connect support.
java-oauth-server and java-resource-server are good examples of Jersey + OAuth 2.0, but they use a commercial backend service, Authlete. (I'm the author of them.)
OpenAM, MITREid Connect, Gluu, Connect2id, and other OAuth 2.0 + OpenID Connect solutions are listed in Libraries, Products, and Tools page of OpenID Foundation.
**UPDATE** for the update of the question
RFC 6749 (The OAuth 2.0 Authorization Framework) distinguishes an authorization server from a resource server. In short, an authorization server is a server that issues an access token, and a resource server is a server that responds to requests which come along with an access token.
For a resource server, API Gateway is one of the recent design patterns. Amazon, CA Technologies, IBM, Oracle and other companies provide API Gateway solutions. API Gateway architecture may be close to your idea. Some API Gateway solutions verify access tokens in their own ways (because the solutions issue access tokens by themselves) and other solutions just delegate access token verification to an external server (because the solutions don't have a mechanism to issue access tokens). For example, Amazon API Gateway is an example that delegates access token verification to an external server, which Amazon has named custom authorizer. See the following for further information about custom authorizer.
Introducing custom authorizers in Amazon API Gateway (AWS Blog)
Enable Amazon API Gateway Custom Authorization (AWS Document)
Amazon API Gateway Custom Authorizer + OAuth (Authlete article)
If an authorization server provides an introspection API (such as RFC 7662) that you can use query information about an access token, your resource server implementation may be able to replace (plug-out and add) an authorization server to refer to comparatively easily.
For an athorization server, gateway-style solutions are rare. It's because such a solution must expose all the functionalities required to implement an authorization server as Web APIs. Authlete is such a solution but I don't know others.
I think, it's far simplier to use the oauth connectors that are implemented inside jersey itself!
Have you considered using jersey own OAuth (already linked inside jersey) server / client ?
https://eclipse-ee4j.github.io/jersey.github.io/documentation/latest/security.html#d0e13146
Please take a look to :
16.3.2. OAuth 2 Support
hope helped. :)
We have a Java web application (using struts and hibernate) and want the users to automatically log into the Google apps domain accounts.
We have set up the Google apps for Education domain accounts and created the users in it and we have the same users in our java web application also.
The requirement is that when the users log into our application portal, their is a link to go to Google apps, once they click on this link, it should log them in without asking for password.
We are using Tomcat 7 as our server for the web application. Which SSO tool should we use for doing this? Oracle's SSO is paid, Shiboleth doesn't work with Tomcat 7.
Any help highly appreciated? Is SSO the only option or another way to do this.
Thanks
Any SSO solution that supports the SAML2 protocol should work. Apart from the expensive solutions that Oracle, IBM, CA and others provide, you can find the following solutions that definitely work well with Tomcat7 and are open source :
Apereo (ex Jasig) CAS : Used quite a lot in the education community. Simple to setup but specific configurations (like an advanced authentication module) might require some programming effort. It supports Google Apps authentication, but none other SAML2 service. If you really want to only login to Google Apps, that's a great and simple solution.
Forgerock OpenAM : Formerly Sun OpenSSO, this is used in education and industry. Many more features, supports most of the SAML2 service providers out there including Google Apps, but more complex.
Note that if you already have a portal solution, you should check if that portal does not already support SAML2 federation and could act as the SSO server.
Note also that you will need to link the portal authentication and the SSO server authentication, to make sure that your users do not authenticate twice. This can be done in two ways :
Tell the SSO server to delegate the authentication to your portal solution. This might require some light custom coding depending on your portal.
The opposite : tell the portal to use the SSO as an authentication solution. Most portals support some kind of authentication delegation so it should only be configuration?
Lastly, if your authentication is setup on Tomcat itself (that is if your portal already delegates the authentication to the Tomcat container), then you can do the same for the SSO server.
I was trying to learn JAAS, then i came up with the terms SAML and Realm, and now I am confused.
In any of the basic tutorials of JAAS, we are pretty much configuring the basic that a normal Realm configuration is. If I read configuration of SAML then it looks similar as JAAS. I have absolutely no idea why different names. May be SAML is built on Realm and JAAS on SAML, not sure can any body please clearly state the difference.
Please a humble request if you share any link, Please define a bit of it, so that it help me when i am reading them.
I have successfully configured, JAAS's BASIC and FROM based authentication on both JBOSS and Glassfish. It helped me to protect my JSP and Servelets (Web Project). where to look if I want to protect an EJB as part of my application.
JAAS is a set of standard APIs for Java SE and EE which provide basic ways to achieve authentication and limited authorization. The typical use of JAAS for authentication is through LoginModules. Implementation of a LoginModule interface (javax.security.auth.spi.LoginModule) is able to authenticate user based on credentials provided by the caller in CallbackHandler. Most application servers allows you to plug-in your own LoginModules. Other key concepts of JAAS are Subject (a collection of information about a user) and Principal (a single attribute of a user - an ID, a password). Capabilities of JAAS for authorization are rather limited and are rarely used directly.
The standard authentication mechanism for Java web applications (like FORM, BASIC or DIGEST declared in your web.xml descriptor) typically delegate verification of the provided credentials to the configured JAAS LoginModules.
Realm is a concept used to denote separation of authentication and authorization policies for different applications/systems. E.g. if you want to authenticate users in application A using LDAP and applicaton B uses database table, you can put them into different security realms, so that their security requirments are isolated and correctly enforced. The typical system which uses this term is Tomcat, but you will find similarities in othe containers/application servers too. In most cases (e.g. when depoying a single application) you don't need to worry about Realms too much.
Java EE provides standard mechanisms for securing of EJBs using role based access control (RBAC). You first define which roles are applicable to your application, then define which users accessing your application belong to which roles. You can then use either declarative authorization (= annotate your methods with security annotations such as #RolesAllowed, #PermitAll, #DeclareRoles, or do the same using XML descriptors) or programmatic authorization (= test whether user belongs to a role by calling isCallerInRole on EJBContext directly in your code). A basic tutorial can be found here http://docs.oracle.com/javaee/6/tutorial/doc/bnbyl.html
SAML is a very different beast from the previous ones. In a very simplistic way you can see SAML WebSSO as an authentication method. Generally SAML is a standard which defines an XML-based protocol used to transfer information about users, their authentication events and security attributes between remote systems in a secure way. Apart from the protocol itself SAML standard defines typical use-cases for the protocol, the most common being Web Single Sign-On (a possibility to authenticate user externally from the application at an entity called Identity Provider and login to an application - Service Provider without revealing user's credentials to it). In these use-cases SAML is similar to OpenID or OAuth 2.0 authentication you can see provided by Facebook or Google to 3rd party developers.
Hope this helps,
Vladimir Schafer
See if this helps you. A realm is a area where a specific configuration is in place. JAAS and SAML are both authentication modules that can be configured to handle authentication on that reaml. SAML is an authentication scheme. http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language
To add to the other answers, I found the following explanation from this article to be helpful:
In reality, SAML and JAAS are two distinct security frameworks. SAML is an XML framework for exchanging authentication and authorization information. SAML provides a standard XML schema for specifying authentication, attribute, and authorization decision statements, and it additionally specifies a Web services-based request/reply protocol for exchanging these statements.
JAAS, on the other hand, through implementation-specific login modules receives information about the user, authenticates the user, and verifies that they are a valid subject.
So as I understand it, JAAS can be used to implement custom authentication and authorization for your app, and there are many possible ways to do this, some of which involve SAML. For example, you could use SAML to get the user's identity and role/group information; this would be stored in XML tokens that your JAAS module would need to parse.
What I am looking for is a Java servlet implementation of an OpenId provider for LDAP ... something I can plug into TomCat, point it at an LDAP directory server, and provide OpenId style authentication from those user accounts in the directory server.
I have been using OpenID4Java for years and it works fine, but it is just an API, and does not provide the user interface required for a complete OpenID provider.
I want to be able to write a large number of small web-based utilities, and allow people SSO access to all of them using OpenID, but these people already have accounts in the directory server, and I do not want to make them create a new password. They should use the same old password they are used to.
I tried OpenID-LDAP, but it is based on PHP. I am looking for one I can install into TomCat and manage consistently with other JSP based applications. I looked at JOIDS which seems to have capability to register and manage users, but nothing to link to LDAP. This excellent Wiki Page lists other options, like Atlassian Crowd, but I need open source.
I am asking at this time to see if I have missed anything. If there is nothing, I will probably write one.
You may try using WSO2 Identity Server which provides OpenID provider that can be plug in with LDAP and provides UI as well.