Our team has a REST server and a web application developed using Jersey. Currently we support only authentication in our application using OpenID [1]. We're planning to introduce authorization. In my research I found that role based authorization is one way we can implement this. This approach is to have our own tables like user, privileges and user_privileges and we assign users the required privileges (one to many mapping).
I have the following questions:
Since we have a web application and a REST server, should the authorization be implemented "inside" the REST server, or in the web application server?
I would like to understand the benefit of using Java security frameworks like JAAS, Apache Shiro, OACC, or Java security annotations [2] (@RolesAllowed) apart from code reusability and ease of implementation.
I would also like to receive recommendations on which of the above-mentioned frameworks (JAAS, Apache Shiro, OACC, Java security annotations) to choose, if one is suggested.
Thank you.
[1] https://en.wikipedia.org/wiki/OpenID
[2] https://docs.oracle.com/javaee/7/tutorial/security-javaee002.htm
As to your question: "Should the authorization be implemented “inside” the REST server, or in the Web Application Server": My recommendation is to implement it in neither! Instead, implement security inside the services that are called by your REST layer. In other words security is implemented in the very heart of your services, and is enforced regardless of how the service is called.
As for the security frameworks you mentioned, I am biased/partial to OACC. OACC provides a fully implemented API, uses an innovative design to seamlessly integrate with your application, supports a number of database back-ends to persist the security data, and is extensively tested with 1000+ integration tests.
This is a good article that discusses the OACC security model: https://dzone.com/articles/a-different-kind-of-java-security-framework
(Disclosure: I am the creator/chief architect of the OACC framework)
We intend to develop an authorization/authentication service based on the Spring Security OAuth2 implementation. One of the things we are concerned about is the ability to scale the service if needed: does anyone know of, or have good experience with, running multiple instances of a Spring Security OAuth2 service behind HAProxy or any other front-end proxy, for example?
Any issues related to concurrency ?
I need to make a simple CRUD application with user registration and authentication using Spring Boot, but I have some trouble figuring out how to do this right. I have created a user table in an RDBMS and set up Redis for storing user sessions as explained here.
The Spring Boot docs say that
If Spring Security is on the classpath then web applications will be
secure by default with ‘basic’ authentication on all HTTP endpoints.
But I defined several CrudRepository interfaces, and after starting my application I can GET its data using a browser without authentication. I thought that it should work out of the box without additional tuning and therefore checked whether Spring Security is on the classpath with the gradlew dependencies command, and it appears to be there:
Also default user password that should be displayed during application start up does not show up. So maybe I am missing something here?
Also, I am not sure whether that would be the best option for a mobile app, because it possibly uses short-lived tokens. There are several other options, among which are using a WebView and cookies (as was recommended by Google long ago), creating a custom authentication entry point, using the approach that was used in the Angular web app, and finally stateless authentication with OAuth 2.0. This is directly opposite to the author of the Angular web app tutorial, who claims
The main point to take on board here is that security is stateful. You
can’t have a secure, stateless application.
So how do we need to pass token? How long should it live? Do we need to make additional XSRF token or not? Should we use out of the box solution or implement own one? Can we make it stateless?
I was trying to learn JAAS, then I came across the terms SAML and Realm, and now I am confused.
In any of the basic tutorials of JAAS, we are pretty much configuring the same basics that a normal Realm configuration is. If I read the configuration of SAML, then it looks similar to JAAS. I have absolutely no idea why there are different names. Maybe SAML is built on Realm and JAAS on SAML; I am not sure. Can anybody please clearly state the difference?
A humble request: if you share any link, please describe a bit of it, so that it helps me when I am reading it.
I have successfully configured JAAS BASIC and FORM based authentication on both JBoss and GlassFish. It helped me to protect my JSPs and Servlets (web project). Where should I look if I want to protect an EJB as part of my application?
JAAS is a set of standard APIs for Java SE and EE which provide basic ways to achieve authentication and limited authorization. The typical use of JAAS for authentication is through LoginModules. An implementation of the LoginModule interface (javax.security.auth.spi.LoginModule) is able to authenticate a user based on credentials provided by the caller in a CallbackHandler. Most application servers allow you to plug in your own LoginModules. Other key concepts of JAAS are Subject (a collection of information about a user) and Principal (a single attribute of a user - an ID, a password). The capabilities of JAAS for authorization are rather limited and are rarely used directly.
The standard authentication mechanisms for Java web applications (like FORM, BASIC or DIGEST declared in your web.xml descriptor) typically delegate verification of the provided credentials to the configured JAAS LoginModules.
Realm is a concept used to denote separation of authentication and authorization policies for different applications/systems. E.g. if you want to authenticate users in application A using LDAP and application B uses a database table, you can put them into different security realms, so that their security requirements are isolated and correctly enforced. The typical system which uses this term is Tomcat, but you will find similarities in other containers/application servers too. In most cases (e.g. when deploying a single application) you don't need to worry about Realms too much.
Java EE provides standard mechanisms for securing EJBs using role based access control (RBAC). You first define which roles are applicable to your application, then define which users accessing your application belong to which roles. You can then use either declarative authorization (= annotate your methods with security annotations such as @RolesAllowed, @PermitAll, @DeclareRoles, or do the same using XML descriptors) or programmatic authorization (= test whether the user belongs to a role by calling isCallerInRole on EJBContext directly in your code). A basic tutorial can be found here: http://docs.oracle.com/javaee/6/tutorial/doc/bnbyl.html
SAML is a very different beast from the previous ones. In a very simplistic way you can see SAML WebSSO as an authentication method. Generally SAML is a standard which defines an XML-based protocol used to transfer information about users, their authentication events and security attributes between remote systems in a secure way. Apart from the protocol itself SAML standard defines typical use-cases for the protocol, the most common being Web Single Sign-On (a possibility to authenticate user externally from the application at an entity called Identity Provider and login to an application - Service Provider without revealing user's credentials to it). In these use-cases SAML is similar to OpenID or OAuth 2.0 authentication you can see provided by Facebook or Google to 3rd party developers.
Hope this helps,
Vladimir Schafer
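To make the LoginModule and CallbackHandler concepts from the answer above concrete, here is an added example (it is not code from the answer, the question, or any application server). It implements the full JAAS lifecycle (initialize, login, commit, abort, logout) against a constructed in-memory user table, and the main method drives it through LoginContext with a programmatic Configuration standing in for the container's login.config. The class name, the user names and passwords, and the "demo" entry name are all assumptions for illustration; it needs Java 16 or later for records and pattern-matching instanceof.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Hypothetical LoginModule for the example; a real one would consult LDAP, a database, etc.
public class InMemoryLoginModule implements LoginModule {
    // Constructed sample credentials (plain text only to keep the example short).
    private static final Map<String, char[]> USERS = Map.of(
            "alice", "alice-secret".toCharArray(),
            "bob", "bob-secret".toCharArray());

    private Subject subject;
    private CallbackHandler handler;
    private String pendingUser;      // set by login(), turned into a Principal by commit()
    private Principal committed;

    record UserPrincipal(String name) implements Principal {
        @Override public String getName() { return name; }
    }

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    // Phase 1: ask the caller's CallbackHandler for credentials and verify them.
    @Override
    public boolean login() throws LoginException {
        NameCallback nameCb = new NameCallback("username: ");
        PasswordCallback passCb = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[]{nameCb, passCb});
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot collect credentials: " + e.getMessage());
        }
        String name = nameCb.getName();
        char[] given = passCb.getPassword();
        passCb.clearPassword();
        char[] expected = name == null ? null : USERS.get(name);
        if (!constantTimeEquals(expected, given)) {
            throw new FailedLoginException("invalid credentials");   // same message for unknown user and bad password
        }
        pendingUser = name;
        return true;
    }

    // Phase 2: only after every module in the stack succeeded does the Subject gain a Principal.
    @Override
    public boolean commit() {
        if (pendingUser == null) return false;
        committed = new UserPrincipal(pendingUser);
        subject.getPrincipals().add(committed);
        return true;
    }

    @Override
    public boolean abort() { pendingUser = null; return true; }

    @Override
    public boolean logout() {
        if (committed != null) subject.getPrincipals().remove(committed);
        committed = null;
        return true;
    }

    // Length-independent comparison so timing does not reveal how much of the password matched.
    private static boolean constantTimeEquals(char[] a, char[] b) {
        if (a == null || b == null) return false;
        int diff = a.length ^ b.length;
        for (int i = 0; i < a.length && i < b.length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Stand-alone driver: the Configuration plays the role of the container's login.config,
    // and the CallbackHandler answers with constructed credentials instead of prompting.
    public static void main(String[] args) throws LoginException {
        Configuration config = new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[]{new AppConfigurationEntry(
                        InMemoryLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of())};
            }
        };
        CallbackHandler creds = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback n) n.setName("alice");
                else if (cb instanceof PasswordCallback p) p.setPassword("alice-secret".toCharArray());
                else throw new UnsupportedCallbackException(cb);
            }
        };
        LoginContext ctx = new LoginContext("demo", new Subject(), creds, config);
        ctx.login();                                   // runs login() then commit() on the module
        System.out.println("principals: " + ctx.getSubject().getPrincipals());
        ctx.logout();
    }
}
```

The two-phase login/commit split is the part worth noticing: a container stacks several modules, and a Principal must not be attached to the Subject until the whole stack has agreed, which is why login() only records the name and commit() does the mutation. When a container such as JBoss or GlassFish is in charge, it supplies the Configuration and CallbackHandler itself, and the module receives the credentials collected by FORM or BASIC authentication.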
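The recommendation earlier on this page to enforce security inside the services rather than in the REST layer, and the declarative and programmatic RBAC described in the answer above, can be shown together in one added example (it is not code from either answer, from the OACC project, or from any Java EE tutorial). Two files are shown in one listing, separated by comments; the service, the resource, the order records, and the role names "customer" and "admin" are all hypothetical, and the javax namespace matches the Java EE 7 link in the question.

```java
// --- OrderService.java ---
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.EJBContext;
import javax.ejb.Stateless;

// Hypothetical domain types for the example.
record Order(String owner, String item, int quantity) {}

// The service layer owns the rules: the container enforces the annotations on every
// invocation, whether the caller is a Jersey resource, a servlet, or another EJB.
@Stateless
@DeclareRoles({"customer", "admin"})   // roles are constructed for the example
public class OrderService {

    @Resource
    private EJBContext ctx;

    // Declarative RBAC: a caller outside these roles gets an EJBAccessException
    // from the container before the method body runs.
    @RolesAllowed({"customer", "admin"})
    public Order placeOrder(String item, int quantity) {
        // Programmatic RBAC for a rule an annotation cannot express:
        // orders above the bulk limit are reserved for administrators.
        if (quantity > 100 && !ctx.isCallerInRole("admin")) {
            throw new EJBAccessException("orders above 100 units require the admin role");
        }
        return new Order(ctx.getCallerPrincipal().getName(), item, quantity);
    }

    @RolesAllowed("admin")
    public void cancelAnyOrder(long orderId) {
        // cancellation logic omitted; only the role restriction matters here
    }

    // Explicitly open to everyone, so the intent is visible in the code.
    @PermitAll
    public String serviceVersion() {
        return "1.0";
    }
}

// --- OrderResource.java ---
import javax.ejb.EJB;
import javax.ws.rs.Consumes;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

record OrderRequest(String item, int quantity) {}

// The REST layer stays thin and carries no authorization logic of its own.
@Path("/orders")
public class OrderResource {

    @EJB
    private OrderService orders;

    @POST
    @Consumes(MediaType.APPLICATION_JSON)
    @Produces(MediaType.APPLICATION_JSON)
    public Response place(OrderRequest request) {
        // No role check here on purpose: a caller reaching OrderService by any other
        // path still meets exactly the same checks.
        Order order = orders.placeOrder(request.item(), request.quantity());
        return Response.ok(order).build();
    }
}
```

This needs an EJB container (GlassFish and JBoss, which the question mentions, both qualify), and the mapping of authenticated users or groups to the "customer" and "admin" roles is done in the container's vendor-specific descriptor rather than in code. The design choice to note is that the Jersey resource could be removed, replaced, or bypassed and the service would still refuse an unauthorized caller, which is what putting the check "in the very heart of your services" buys you.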
See if this helps you. A realm is an area where a specific configuration is in place. JAAS and SAML are both authentication modules that can be configured to handle authentication on that realm. SAML is an authentication scheme. http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language
To add to the other answers, I found the following explanation from this article to be helpful:
In reality, SAML and JAAS are two distinct security frameworks. SAML is an XML framework for exchanging authentication and authorization information. SAML provides a standard XML schema for specifying authentication, attribute, and authorization decision statements, and it additionally specifies a Web services-based request/reply protocol for exchanging these statements.
JAAS, on the other hand, through implementation-specific login modules receives information about the user, authenticates the user, and verifies that they are a valid subject.
So as I understand it, JAAS can be used to implement custom authentication and authorization for your app, and there are many possible ways to do this, some of which involve SAML. For example, you could use SAML to get the user's identity and role/group information; this would be stored in XML tokens that your JAAS module would need to parse.
I've been tasked with creating a Security Proxy service. The idea is that if the backend security provider changes there is no impact on the main application. This ideally is what the backend security provider is for, but I have been tasked with creating a separate service which will effectively be a proxy to the backend security provider.
I don't want to have to write a complete security module to do something that is already done by a dozen services. I want to be able to set up a service that can be updated if needs be.
I am wondering if anyone knows of a solution which can take care of this with minimal coding/configuration?
Any help would be useful, if you want more information please comment and I'll try and enrich as best I can.
[Front end is Tomcat Web Application written in Java (and GWT), Spring Security is preferable]
[Backend is SiteMinder (at the moment)] http://www.ca.com/us/internet-access-control.aspx
[I have been looking at CAS but wanted to ask a learned community before deciding how best to proceed]