when using a JDBC realm for authorization I usally have this tables:
User table
Role table
Group table
When I now login with username, password the security module makes a lookup in the table: give me all roles for user: username.
Can I somehow hook into the process and add another attribute? E.g.
give me all roles for user: username where UserTable.X = Y ?
Note: I must use pure Java EE
There are some possibilities to achieve the desired behavior.
The easiest solution would not be to customize the login process, but to use a manual lookup using perhaps a #WebFilter or some similar approach.
If you need or want to customize the login process itself have a look at JASPIC (relatively new). In the version 1.1 it is quite usable, but its support depends on the application server you are using. The idea is to write an own login process and pass a custom Principal back to Java EE. Here is a nice collection of links: Zeef
An older approach to customize the login process is to create an application server specific security realm. In other words you are writing or extending the JDBC Realm that is currently used by your application server. You can then also pass a custom security principal back to Java EE.
Related
Good day community:
I am currently developing projects with MyBatis, Spring Security and JSF 2.2.
I've done with these frameworks, 3 projects. These projects have three different database developed in SQL Server 2008.
Then, users of each database are the same, but they are in a Users table each, ie there is a table users per database.
What we have asked is that there can be only one single sign, and thus a user only has a single username and password.
How could make for these three systems are unified into single login?
My current solution in which also I have problems is:
Create a view in SQL Server 2008 users to bring me a central database and from there access is obtained.
Create an authentication module, which at login, can see only those systems where the user has access; in this case, clicking on one of these systems, automatically enter without again login. I was thinking to login to web services.
I hope I can help with ideas or ways of solutions.
All users are retrieved from a database and systems can continue to increase, but henceforth depend on the database.
Greetings and thanks.
Have you come across the Spring SAML module before? This is Spring's implementation of SAML 2.0 authentication, designed specifically with single sign-on in mind.
One of your servers can act as the identity provider, which you can think of as the main system that the users access. They will enter their username and password into this system. The other two systems will need to be setup as service providers - when a user tries to access one of them, they do not enter their username and password. Instead, a request gets sent to your identity provider (main system), which receives and validates the request, and will then allow access if the user is signed in to the identity provider already. If they are not signed in already, it will re-direct them to the login page for the identity provider from which they can login, and will then be re-directed to the system they were attempting to access.
Sorry if that is confusing at all. Head over to here for more information about the Spring SAML module. I implemented SSO for one of my clients using this, and I can highly recommend it for ease of configuration and implementation.
I need to create an application with authentication and authorization using Java EE 6 (Glassfish Server). I read a lot about Java EE 6 security and just wanted to ask if my concept is correct:
Every user in the company has an account according to "X123456". I want to use this for LDAP Authentication:
Application ---> LDAP
So, I can use the company's infrastructure to authorize the user.
However I want to be in control of the roles in my application. So, I want to define my own roles using JACC. Therefore I will create a database with a user-to-role mapping,
Example: "X123456 -> ADMIN".
The benefits would be:
I don't need to store any password
I can create a kind of admin panel in my application where I can set the existing roles to users dynamically
Do you think this would be technically possible and good practice?
Alternative: Would it be possible to define the roles (Admin, User) in Active Directory and query it via LDAP? So I could outsource my user-to-role mapping into active directory.
Update:
For authentication I currently use a LDAP-Realm (user, password).
For authorization I want to use a database (rolename, user). However I don't know how to tell my application to use the database for authorization. If I would use a JDBC-Realm, I could specify the Group/Role table and column. Is there a way to tell my application to just use the JDBC-Realm for authorization?
I want to have authorization in my Java EE application.
Online it describes how you should define the roles in sun-web.xml. However I would like to have all my roles, and groups defined in a database table.
That means, when I access a method for my application, the request needs to be intercepted to see if the user is allowed in the role.
Do I need to
create some kind of interceptor class that checks auth as user makes call to my web service method
create a custom Login Module that fishes out the group and role data from the database when a user first logs on
Any pointers would be really helpful.
First of all: I would strongly suggest using standard authorization mechanisms.
But for your use-case these standard mechanisms won't work, see this post: dynamic roles on a Java EE server
Roles have to be declared in the web.xml or sun-web.xml.
Frameworks
The next thing I would look into are frameworks, that could help you with that. The link will provide you with two suggested frameworks.
Building your own
If you don't need it for productive purposes, I would suggest the following:
use Filters to check for authorization and authentication: Filters a fairly easy to use ,very powerful and often used for security purposes: See http://docs.oracle.com/javaee/6/tutorial/doc/bnagb.html for more information about filter.
For the login, you could probably just stick with the standard form-based login.
I'm looking for a java package/spring user management package that is similar to django's auth application, which provides the database models such as User and Group out-of-the-box.
I have a standard spring/hibernate application (based on Spring ROO), and I would like to use an existing User/Group/Role implementation instead of reinventing it (the actual authentication can use spring's mechanism, but I'd like to save the time implementing the user management part).
Thanks for the help
The Emmet project may be of interest to you. Emmet includes a custom SpringSecurity UserDetailsStore and a webapp for user account management. Out of the box functionality includes basic user account details, roles, support for multiple identities, support password aging, self registration and password reset. You can use it in conjunction with SpringSecurity based authentication and access control, or (at a pinch) with other "stacks".
(Emmet also provides some custom SpringSecurity authentication components, and potted wirings, but you can ignore that aspect if you like.)
Disclaimer: I'm the lead developer for Emmet.
Spring Security is a full-featured and widely-used Java auth module. While it doesn't have data models right out of the box, there is documentation provided that gives you the DDL to create the most basic tables you'd need:
Spring Security Database Schema
in this period I've created a new Open Source project related the RBAC and a generic solution for the user management:
microservice-rbac-user-management
You can find an RBAC apis and model here ready to use and with all the documentation. Ready to be used also with Docker.
I hope this will help you.
Is there any way to extend the authentication operation which connects a client application to an EJB, using standard JAAS/container-based security? I'm looking for a way to use more than just a username to authenticate the user (in this case a domain name is also needed). Ideally I'd like to be able to use the SessionContext.getCallerPrincipal() to get access to both the username and the domain name in the EJB.
I'm using Glassfish, if that influences the answer at all. Do I need to create a custom login module/custom realm and what should it do?
Adding authentication mechanisms to an EJB Container is usually a vendor specific task. I don't believe there is a standard way to do it. For Glassfish though, I believe this article will help you set up a SAM (Serve Auth Module) that can handle the authentication in any way you need. http://blogs.oracle.com/enterprisetechtips/entry/adding_authentication_mechanisms_to_the
Keep in mind this is Glassfish specific.