A customer wants to reach a section (where a process with a wizard take place) of our app from their portal. It means, from their app (.Net) they want to have a link in order to reach a particular section of our app BUT! without having to go through the login process. Our app is a java app (GWT) and it uses FORM based authentication. I did an implementation with oAuth but they don't want login. I have not idea how to deal with this problem, I don't know if there is an alternative to get logged in by following the way they are looking for.
You probalbly need Single Sign On.
If you choose to go the SSO way, there are some libraries that might help like JCIFS (useful for auth using NTLM) , Jespa. There is also Waffle, but this one works just on Windows server.
This article explore many options for JBoss:
https://dzone.com/articles/choosing-sso-your-jboss
Related
I have a java (Spring boot) web service which does not have any UI.
I want to send a dynamic Email (created using Thymeleaf and injecting values from a database) using my web service on a daily Cron schedule, using Microsoft Graph and O365 APIs.
Right now I use SMTP to send emails, but I cannot use it anymore as that is no longer going to be supported by the O365 account that I am using.
I found the SendMail APIs on the Graph Documentation which looks pretty straightforward.
But, using the Graph AIPs requires you to create an Azure AD project first and use their Microsoft Identity platform - which I created.
Now, the problem is that most of the flows also require a user to manually login from a login window.
This is where things get complicated.
I do not have a place to show a Login window to any user from my web service, because it is just a backend service there is no UI. I intend to use a service account for sending the emails through the Application.
I found a Daemon support as well, but it seems to only support Python or .Net code.
Migrating my code from Java to either of those platforms just to be able to send emails
does not feel like a good solution.
And, I'm not even sure if they even offer similar capabilities of sending dynamic emails like Java+Thylemeaf do?
Is there a way to be able to continue doing this using my existing code in Java?
If not, then as the worst case scenario, are there any libraries in Python which can allow me to send dynamic emails like thymeleaf does in Java?
As you don't want to manually login from a login window, you can use the client credential flow.
Here is the guide regarding how to access graph api without user.
Reference:
msgraph-sdk-java-auth (You can choose to use Client credential provider)
I'm attempting to create an application for both PC (Java) and Android that utilizes Google Drive. I've been messing around with the examples to figure out how OAuth 2.0 works, and I can't find a good method of automatically returning the authorization code to my program once the user has allowed the application to access their data. The Google Drive Quickstart example uses a simple copy/paste mechanism that requires user input, but this is not convenient for the user.
It seems there are several suggested ways to retrieve the authorization code without bothering the user (running a local web server, monitoring the browser window launched for authentication, etc...), but Google doesn't strongly recommend any solution nor do they provide examples of how these solutions would work beyond basic descriptions. The following guide gives a few suggestions in Section 4 (Note: I tried to quote the section but SO wouldn't let me with the number of links/images present):
https://developers.google.com/youtube/v3/guides/authentication#installed-apps
Has anybody implemented something similar in the past, or are there best practices to do this? If possible I'd prefer a solution that would work on multiple platforms (i.e. not using any platform specific libraries).
I suppose it's not a huge deal if the user had to do this once (as I'll be storing a refresh token and using that from then on), but it'd be good to have a way around it.
In Oauth2 protocol, you have two ways of getting the authorization code : via a redirect to an url you have control over (could be pointing to a serve you own or localhost) or via copy pasting.
The first way is what you want, presumably with localhost as redirect uri, as you lauch the flow from you desktop app on the user's machine. You'll have no choice but to make your app spawn a little http server that can handle the code url parameter. However, you'll have to be hackish : how do you launch a web browser from your app, for any OS it can run on ? how do you the case where the user's machine is configured to refuse inbound http connection ?
IMO, best course of action is to go for the copy pasting : user knows what happen
I just implemented an oAuth2 solution for Google Drive. I ended up creating a service account via Google App Engine. Here is a good link to get started:
https://developers.google.com/drive/service-accounts
There is a Dr. Edit example that will work you through editing drive objects like spreadsheets.
GoogleCredential credential = new GoogleCredential.Builder()
.setTransport(httpTransport)
.setJsonFactory(jsonFactory)
.setServiceAccountId(SERVICE_ACCOUNT_EMAIL)
.setServiceAccountScopes(scopes)
.setServiceAccountPrivateKeyFromP12File(pk12)
.setServiceAccountUser(ACCESS_DOMAIN_IMPERSONATE) // <-- set user email here
.build();
There are a few things you need to do in your Google domain admin console/cpanel for your domain.
Check the following SO answer I posted a day or so ago:
OAuth Google API for Java unable to impersonate user
I have a web PHP web application that has a link to a java web application. The php application has a login page, and a link to the the java application, but not every user has permission to access the java web application. What I was trying to do is send user credentials from the php application to the java application, and then the java application checks the credentials and if correct logs in the user. I was thinking of using http headers to do this.
So my question is what is how to send user credentials from a PHP application to a java application?
If it helps I am using a Java web framework called Vaadin.
Do a normal POST request from the PHP application to the java application. This can be done as simply as having a normal HTML form in the PHP application, set the form's method to "POST" and action to the java application's URL. If you want to catch HTTP parameters in a Vaadin application, you can do it by using request handlers (https://vaadin.com/book/vaadin7/-/page/advanced.requesthandler.html).
Then a few words of advice or something to at least consider. If your login page is in the PHP application and your "admin" application is the Vaadin application, then I discourage you from doing the credential checking in the Vaadin application. This is because when you enter the Vaadin application, a new application instance is created. This means that your UI will be initialized and whatever else you do in the UI's init method. What you probably want to do, is to hinder the user from entering the Vaadin application unless she is logged in - which means that you need to do the credential checking somewhere else - for example, have a separate servlet whose only responsibility is to log in the user. If login is granted, then give access to the Vaadin application, if access is denied, forward the user to the PHP login screen. The next question is, how do you hinder the user from accessing the Vaadin application until she is logged in? Typically, this is done using servlet filters.
I highly encourage you to use a 3rd party framework for doing the authentication and authorization. Take a look at http://shiro.apache.org/, it's easy to install and seems to work nicely together with Vaadin. All you need to do is to configure it and implement a login screen, the framework will take care of the rest.
If I understood your question, you want to be able to provide an "auto-login-link" to some specific users that are logged in to the PHP application. This link should automatically login the user to the java application, right?
Without knowing any details about this case, like are both apps running on the same domain or do they use the same database (same user credentials in both apps), etc., I would propose the following solution:
Create an action (link) on the java application, which receives the necessary parameters (as GET) needed for creating the session (probably userId is sufficient), timestamp and a signature of all parameters. For example:
http://javaapp.example.com/autologin?userId=123&timeStamp=123456789&sign=hj23kh4j234jk324h
Where the signature is calculated with some strong encryption algorithm. Then you verify that the signature is correct at the receiving end (java app). If it is correct, you create the session. Signature calculation could be something like:
$signature = sha1($userId . $timeStamp . 'some salt' . $sharedSecretBetweenBothApps);
With the timeStamp you are able to check that an old link is not used. For example not allow older than 15 min old links and store used links in the java app to make sure they are never re-used. You do not have to keep history of links older than the expiration time.
Another idea, as discussed in the comments, is creating an API on the java side, which is able to provide a one-time link.
The sha1 algorithm is probably not strong enough, but shows the idea and is simple to implement.
Does this answer your question?
I have a web base email client that uses a java app to connect to IMAP and POP3 servers to download email. There is an issue that if a user usually logs in form the US that the java app will not have access to collect emails until that user logs in from the same county the java app is running.
I was told to overcome this to use google oAuth in order for the account user to give permission to my app to collect emails. Is this correct? Once this has been accomplished I would also like to the the API to import contacts, but for now authorization/authentication is sufficient.
The problem I am facing is that after trying to make heads a or tails of the google oAuth api documentation im really confused and did not yet manage to make a working example. Documentation often has links to a depreciated API and there is no example with a dowload link to both the API needed and exaple source code, as a result I think im using incorrect libraries for my examples.
Its also not clear to me what/how to accomplish what is needed do I use client authentication via javascript to create a popup whereby the user grants access?
Or do I use installed app client with a token and secret, this is what I tried but the 'command line' example I tried requires Java EE and this is a native app so I dont see why and I dont want to import all Java EE libraries to my small email downloader app.
Where can I find more intuitive documentation and working examples on this?
If you stay away from OpenID 2 and OAuth 1, I think the docs are pretty orderly these days. The best place to start is https://developers.google.com/accounts/docs/OAuth2
This question is more towards Design and Architecture and I want to know SO Readers think on my scenario.
I have a requirement where in my Application should provide other application interface when the user logs in to my application.
For example, lets say my application is www.gmail.com and other application is www.stackoverflow.com so what am trying to accomplish is that when the user log's in gmail account he should see his home page of stackoverflow and a particular questions.
From technology point of view, we have to use Java and so am not sure of what design and architecture consideration would go in to implement the requirement.
One Approach, am thinking on is that when the user logs in to gmail than I will populate the request object with all the login credential parameters for stackoverflow website and also question_id which would be passed in as parameter and then on Stackoverflow side, I would parse the request object and authenticate the user credentials and depending upon request parameter, I would render the question_id which I received from request.
I want to know what would be best approach and issues encountered in designing such an system.
Edit
After seeing all the answer, I would like to add little update to my question. What I am looking for is to get the feel of issues and challenges what I would have to face while trying to accomplish my task, also I am using Java and am not sure how can I accomplish my goal using Java as we do not have something like OLE which we have in Microsoft Technology stack to achieve the task.
Hope I am making some sense here.
I can think of three ways you could solve this.
Implement single sing-on. You log-in to all enterprise applications, and once logged all of them use the same authentication credentials (I think this is the best option. you don't need a full-fledge SSO, at least for these two application you could use the same credential validation mechanism)
You could also do what your are proposing creating the authentication credential for the user (i.e a cookie) and then do a redirect. Keep in mind that both application will need to be in the same sub-domain in order to work.
As mentioned before, you could also expose through your application the data/services you want to consume from the other application.
In my company we have what we call "Graphical Services", which are managed by a central server which also do credential validation, if the credentials are right it display a user interface for the user (generally in a Pop-up or an iframe).
Hope it helps.
You can't definitely do that at client side or java script as it will lead to cross site scripting issues. Or you can use iframes (which isdeprecated).
The other way of doing it would be to have your own interface/UI for the application and use only the service layer from your back end (java/j2ee in your case) which you may end up duplicating all the front end again (on the positive side, you will get your own branding of the site).
Regarding credentialing all most all the sites now used "OAuth" or similar and it should not be that difficult for authorizing
If both applications are web-based in-house applications, you could write a master login component, independent of either application, that will perform the user authentication, load any useful data it can at login time, and send the user's browser to the correct URL, making sure to pass any relevant information to the target app (as part of the forwarding request or behind the scenes in some distributed shared memory). Just a thought.