Certificate Authentication and Authorization with Apache from a Java Application

I have an Apache server that handles authentication and authorization before forwarding requests to a second server.
Users accessing the server from a browser authenticate with LDAP, and the authorization check verifies that the username is present within a defined file.
I also have a Java application that can access the server (at a different endpoint), which currently hardcodes a username and a password into a request URL and leverages Basic Authentication over SSL.
Rather than use Basic Authentication, is it possible to configure Apache to accept a keystore/truststore from the Java application and authenticate/authorize on the certificate's CN and a password? If so, can anyone cite an example?

You can configure Apache to request client certificate authentication and use +FakeBasicAuth SSLOption in order to preserve compatibility with your current setup.
If the Java application can be restricted to certain URLs then you can require certificate authentication there; otherwise make it optional, as you do not want your other clients to have to authenticate with certificates.
There are good examples of this in the SSL/TLS - How-To in the Apache documentation.
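An added configuration example (not from the answer above or the Apache documentation) of what the answer describes: client certificates are required only on the endpoint the Java application calls, and +FakeBasicAuth maps the certificate's subject DN onto Apache's existing Basic-auth user file. The paths, the /api/ location and the sample DN are assumptions.

```apache
# Assumed: this vhost already terminates TLS with these server cert/key files.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key

    # CA that issued the Java application's client certificate (assumed path).
    SSLCACertificateFile  /etc/ssl/certs/client-ca.crt

    # Default for browser users: no client certificate is requested, so the
    # existing LDAP login keeps working unchanged.
    SSLVerifyClient none

    # Endpoint used only by the Java application (assumed path). Putting the
    # requirement here means Apache renegotiates for a certificate only once
    # it knows the request path (TLS 1.2 and earlier).
    <Location /api/>
        # Demand a client certificate that chains to client-ca.crt.
        SSLVerifyClient require
        SSLVerifyDepth  2

        # Present the certificate's one-line subject DN as the Basic-auth user.
        # The password is always the literal "password" (crypt: xxj31ZMTZzkVA),
        # so the user file, not the password, is what authorizes a certificate.
        SSLOptions +FakeBasicAuth
        AuthType Basic
        AuthName "Java client"
        AuthBasicProvider file
        AuthUserFile /etc/apache2/client-certs.passwd
        Require valid-user
    </Location>
</VirtualHost>
```

The user file then holds one line per allowed client certificate, in subject-DN form with the fixed crypt hash, for example (constructed) `/C=US/O=Example Corp/CN=java-client:xxj31ZMTZzkVA`; a certificate whose DN is not listed is refused even though it chains to the CA.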

Related

Need to use two way SSL Mutual Authentication and password authentication alternatively

We have a Spring Boot application (with embedded Tomcat) which exposes certain APIs. There are two major access points for these APIs: (1) Users (2) Machines.
The users need to access these APIs using basic authentication (username & password) over TLS, while the machines need to access these APIs using client certificates (two-way SSL mutual authentication). I have added the following settings in application.properties:
server.ssl.key-alias=server
server.ssl.key-store=classpath:server.jks
server.ssl.key-store-password=mypass
server.ssl.key-store-provider=SUN
server.ssl.key-store-type=JKS
server.ssl.client-auth=want
But this is still not allowing access through basic credentials. How do I solve this?

CAS clients over HTTP

I have installed CAS server and on the login screen I could see the below message when the client application is on HTTPS:
HTTPS and IMAPS: This service definition authorized all application URLs that support HTTPS and IMAPS protocols.
But I need to enable HTTP client application. For this, when I change the client to HTTP, the login screen is showing the below error message:
Application Not Authorized to Use CAS: The application you attempted to authenticate to is not authorized to use CAS.
Do you know how to enable CAS clients over HTTP?
It mostly depends on the CAS version and configuration. In the deployerConfigContext.xml file or in the JSON files (in src/main/resources/services directory), you should be able to set the serviceId to some regular expressions allowing HTTP, like "serviceId" : "^https?://.*".
Each application allowed to login with CAS should have its own appropriate definition (in XML or JSON).

Authenticate user with Smart Card and LDAP in Tomcat 7

I have a web application running on Tomcat 7 and it is configured with a custom JNDIRealm and my login-config auth-method in my web.xml is set to "FORM".
I am trying to find a way to add the ability to authenticate users through the same LDAP with a smart card, if presented.
I have changed my server.xml to have clientAuth=want, but want to know if there is a way to authenticate the user when a certificate is presented via the LDAP and then re-direct them past the login form. Is this possible?
EDIT: Michael-O below was marked as the right answer because I was able to achieve this by creating a custom class that extends FormAuthenticator and then registering that in Tomcat's authenticator.properties. This allowed me to check for a x509cert from the client in the request. If the cert is present and valid, authenticate and forward the user to the secured resources page. If not present or invalid, forward the user to the form login.
You obviously do not know what you want or what technologies you are actually using. Smartcard authentication is mutual SSL authentication. So you first need to configure Tomcat to accept SSL-based authentication. Your realm will receive the X509 certs and will try to find your DN in your data store. The store can be anything: database, files, directory, etc.

Pass username to Spring Security

We have an application which returns the logged-in username (Windows NTLM), and we normally pass it to all other applications to check the authentication part.
I would like to know whether it is possible to pass the username from the application which returns it to our new web application, which is developed using Spring 3, so that we could leverage the Spring Security features.
If it is possible, how could I use this?
As we already have an application which returns the Windows user, management discourages the usage of Kerberos and other SSO methods.
Any help or insight is highly helpful and beneficial.
Thanks
The simplest way to solve your problem is the following:
1) Install Apache Web Server and configure it to use NTLM authentication using mod_ntlm:
http://modntlm.sourceforge.net/
(Similarly, you can use Kerberos authentication using mod_auth_kerb: http://modauthkerb.sourceforge.net/)
2) Configure mod_jk to your Servlet container (JBoss or Tomcat):
http://tomcat.apache.org/connectors-doc/generic_howto/proxy.html
After successful authentication Apache sends the REMOTE_USER header to the servlet container.
The header (according to its name) contains the user name of the authenticated user.
Ensure you configure tomcatAuthentication="false" to allow Apache to send the REMOTE_USER header.
3) Implement and configure in Spring Security your own PreAuthenticatedProcessingFilter:
http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#d0e6167
It should be very similar to the Request-Header Authentication filter:
http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#d0e6295
In addition, you should omit the domain name from the user name.
The user name is sent in the REMOTE_USER header after NTLM or Kerberos authentication.
You can bind your username with the application URL like "localhost:port/somename/j_spring_check?j_username=your username".

Java EE Security Realms

Reading the Java EE security docs, where they define a security realm to be:
An access channel for the application server to storage containing user's authentication and grouping information.
What do they mean by "access channel"? Is this a port number, or some sort of networking term? And what do they mean by "authentication/grouping information"? Permissions?
I'm just looking for some concrete (non-vague) examples here! Thanks in advance!
A realm is a credential store that enables identity- or role-based access control.
http://docs.oracle.com/javaee/5/tutorial/doc/bnbxj.html#bnbxm
What is a realm?
For a web application, a realm is a complete database of users and groups that identify valid users of a web application (or a set of web applications) and are controlled by the same authentication policy.
The Java EE server authentication service can govern users in multiple realms. In this release of the Application Server, the file, admin-realm, and certificate realms come preconfigured for the Application Server.
In the file realm, the server stores user credentials locally in a file named keyfile. You can use the Admin Console to manage users in the file realm.
When using the file realm, the server authentication service verifies user identity by checking the file realm. This realm is used for the authentication of all clients except for web browser clients that use the HTTPS protocol and certificates.
In the certificate realm, the server stores user credentials in a certificate database. When using the certificate realm, the server uses certificates with the HTTPS protocol to authenticate web clients. To verify the identity of a user in the certificate realm, the authentication service verifies an X.509 certificate. For step-by-step instructions for creating this type of certificate, see Working with Digital Certificates. The common name field of the X.509 certificate is used as the principal name.
The admin-realm is also a FileRealm and stores administrator user credentials locally in a file named admin-keyfile. You can use the Admin Console to manage users in this realm in the same way you manage users in the file realm. For more information, see Managing Users and Groups on the Application Server.