I've got a Java EE application running with Apache Shiro to secure and authenticate to the website.
However I want to implement Single Sign on with Picketlink.
Is it possible to implement it "on top" or do I have to disable Shiro and do the whole authentication with Picketlink?
On the web I couldn't find any reference.
Using the webapp, which uses corda-webserver, how to implement authentication mechanism for RPC Users?
RPC Users mentioned in the configuration file.
And perform role-based actions (only accessible flows).
I could only find detail about authenticating RPC Users through ClientRPCOps, but couldn't find anything about web based authentication.
Web authentication is not directly related to Corda. Connecting to a node via RPC requires authentication. Anything past that is not Corda's problem.
If you want to set up web authentication, then you should look into how frameworks like Spring or Ktor handle these scenarios. Corda is not web based by default and requires integration into a "web server" application to be web-enabled.
I am working on a web application which is a REST client and uses REST services (APIs) to perform any action. I have integrated Apache Shiro to perform authentication using a JDBC realm, which is working fine.
Now I am looking for a solution to perform authentication using ApacheDS LDAP. I am planning to use Kerberos authentication, but I had no luck finding any useful article or example to implement Kerberos authentication using Apache Shiro.
I found Apache Shiro's official web site mentioning support for Kerberos.
https://shiro.apache.org/authorization-features.html
But I found no realm which can directly be used or which provides me enough information to implement a custom realm for Kerberos authentication.
Please provide me a way to implement this, or if it is not possible with Kerberos then any other solution for SSO (Single Sign On) which is capable enough to provide a security implementation for my web application.
Thanks in advance.
As you can see from comments elsewhere, and the associated change to the Shiro documentation you linked, there is as yet no official Shiro Kerberos realm. I, too, have been searching for ideas on this topic, and I recently came across Apache Aurora's version, which seems like a good starting point.
We have a Java web application (using Struts and Hibernate) and want the users to automatically log into the Google Apps domain accounts.
We have set up the Google Apps for Education domain accounts and created the users in it, and we have the same users in our Java web application also.
The requirement is that when the users log into our application portal, there is a link to go to Google Apps; once they click on this link, it should log them in without asking for a password.
We are using Tomcat 7 as our server for the web application. Which SSO tool should we use for doing this? Oracle's SSO is paid, Shibboleth doesn't work with Tomcat 7.
Any help is highly appreciated. Is SSO the only option, or is there another way to do this?
Thanks
Any SSO solution that supports the SAML2 protocol should work. Apart from the expensive solutions that Oracle, IBM, CA and others provide, you can find the following solutions that definitely work well with Tomcat 7 and are open source:
Apereo (ex Jasig) CAS: Used quite a lot in the education community. Simple to set up, but specific configurations (like an advanced authentication module) might require some programming effort. It supports Google Apps authentication, but no other SAML2 service. If you really want to only log in to Google Apps, that's a great and simple solution.
ForgeRock OpenAM: Formerly Sun OpenSSO, this is used in education and industry. Many more features, supports most of the SAML2 service providers out there including Google Apps, but more complex.
Note that if you already have a portal solution, you should check if that portal does not already support SAML2 federation and could act as the SSO server.
Note also that you will need to link the portal authentication and the SSO server authentication, to make sure that your users do not authenticate twice. This can be done in two ways:
Tell the SSO server to delegate the authentication to your portal solution. This might require some light custom coding depending on your portal.
The opposite: tell the portal to use the SSO as an authentication solution. Most portals support some kind of authentication delegation, so it should only be configuration.
Lastly, if your authentication is set up on Tomcat itself (that is, if your portal already delegates the authentication to the Tomcat container), then you can do the same for the SSO server.
We have over a dozen legacy web applications (each with their own app contexts) that use Tomcat's container managed security for simple form-based authentication. We currently use Tomcat's single sign on valve to allow authenticated users to jump between web apps without the need of re-authenticating. We are also developing new web applications using the Spring Security framework.
Is it possible to get users who are authenticated via the new Spring Security apps to also be able to jump to the older legacy (non-Spring) apps without the need of re-authenticating? Is there a way to bridge Spring Security with the Tomcat SSO valve?
I prefer to avoid making any changes to the legacy web apps, but understand if it doesn't seem possible.
You will be able to do it using J2eePreAuthenticatedProcessingFilter:
http://static.springsource.org/spring-security/site/docs/3.2.x/reference/htmlsingle/#d4e2766
Please note:
When Tomcat SSO is configured, it provides Java EE authentication for a web application.
It means that for an application it is transparent whether it was authenticated by form authentication or by Tomcat SSO. In the end it is Java EE authentication.
So, you need to use J2eePreAuthenticatedProcessingFilter to be able to use the Java EE authentication provided by Tomcat.
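A concrete wiring of the approach in the answer above, as an added example that is not part of the answer or of Spring's own documentation. It assumes Spring Security 5.7 Java configuration, that the Tomcat host already runs the SingleSignOn valve the legacy apps rely on, and that the container realm defines roles named USER and ADMIN (assumed names). The point it makes beyond the answer: the Spring app must let the container authenticate (web.xml security constraint plus login-config) and only consume the resulting principal, because Tomcat registers an SSO entry only when one of its own authenticator valves logs the user in.

```java
// Added example: bridge Tomcat container/SSO authentication into Spring Security.
// Assumptions: Spring Security 5.7, Tomcat SingleSignOn valve enabled on the <Host>
// (server.xml: <Valve className="org.apache.catalina.authenticator.SingleSignOn" />),
// container roles USER and ADMIN (assumed names).
//
// The Spring app's web.xml still needs a <security-constraint> on the protected
// URLs and a <login-config> (e.g. FORM), so Tomcat's authenticator, not Spring,
// performs the login. That is what creates the JSESSIONIDSSO entry the legacy
// apps recognise; a Spring formLogin() would never register one.

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.Http403ForbiddenEntryPoint;

@Configuration
@EnableWebSecurity
public class TomcatSsoBridgeConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // jee() registers J2eePreAuthenticatedProcessingFilter and a
            // PreAuthenticatedAuthenticationProvider. The filter takes the principal
            // from request.getUserPrincipal(), i.e. whatever the container (form
            // login in this app, or Tomcat SSO from a legacy app) already established.
            // mappableRoles() lists the container roles to probe via
            // request.isUserInRole(); each one becomes the authority ROLE_<name>.
            .jee(jee -> jee.mappableRoles("USER", "ADMIN"))

            // Authorisation stays in Spring, expressed against the mapped authorities.
            .authorizeHttpRequests(auth -> auth
                .antMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().hasRole("USER"))

            // Pre-authentication has no Spring login page. If the container did not
            // authenticate the request, answer 403 rather than redirecting to a form
            // that does not exist (and would bypass the container anyway).
            .exceptionHandling(eh -> eh.authenticationEntryPoint(new Http403ForbiddenEntryPoint()));

        // Deliberately no formLogin()/httpBasic(): all credential handling is left to Tomcat.
        return http.build();
    }
}
```

Operationally, the thing to verify is that a browser holding only the JSESSIONIDSSO cookie from a legacy app is accepted by the Spring app with no login prompt, and that the Spring app's own container login yields a cookie the legacy apps accept in turn; if either direction prompts, the container login-config is missing on that side, which the filter cannot compensate for.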
Has anyone had any success integrating the Spring Social framework ( http://www.springsource.org/spring-social ) into the JASIG CAS single sign on solution ( http://www.jasig.org/cas )?
I am trying to implement Facebook / Twitter login and after consideration of various implementation solutions (i.e. custom OAuth authentication, Scribe, etc.) I have decided to go with Spring Social as CAS already heavily uses the Spring Framework.
The CAS server codebase has just accepted a module that adds support for the OAuth protocol. You should be able to leverage that functionality to be able to authN into relevant services that support OAuth.
See here for more info: https://github.com/Jasig/cas/tree/master/cas-server-support-oauth