Hello stackoverflow'ers
we are currently faced with the task to support Single Sign On in our Java based web service.
The setup is like this: Linux server running Apache as a proxy -> Jetty -> Java web service.
All of this in a Windows Domain with Windows workstations as clients accessing the web service through their browser (mainly IE, some Firefox).
The SSO will go through the Windows AD DC utilizing Kerberos through SPNEGO.
From what I have gathered it would be possible to implement the SSO either step of the way, in Apache, in Jetty or in the Java Code itself.
What I haven't been able to figure out so far is which approach makes the most sense in the given environment.
We obviously need to access the REMOTE_USER one way or another later on to perform further authorization in our application, but this is the only real requirement we have.
So what are the actual pros and cons of implementing the SSO / SPNEGO on the Apache level vs. the Jetty level vs. in our own software - if there are any?
Any help would be greatly appreciated!
Enjoy your day,
Tom
https://github.com/michael-o/mod_spnego/ for Apache Web Server and you are done.
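Whichever layer ends up handling SPNEGO (Apache, Jetty or the application), a useful first check is whether the browser actually sent a Kerberos-backed SPNEGO token in the `Authorization: Negotiate` header or fell back to a raw NTLM token, which Windows clients do when they cannot obtain a service ticket. The following is an added example and not part of the original posts; the class and method names are hypothetical and the sample tokens are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

// Added example: classify the token carried in an "Authorization: Negotiate ..." header.
public class NegotiateTokenCheck {
    enum Kind { NONE, NTLM, SPNEGO, KERBEROS, UNKNOWN }

    private static final byte[] NTLMSSP = "NTLMSSP\0".getBytes(StandardCharsets.US_ASCII);
    // DER-encoded mechanism OIDs: SPNEGO 1.3.6.1.5.5.2 and Kerberos V5 1.2.840.113554.1.2.2
    private static final byte[] OID_SPNEGO = {0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02};
    private static final byte[] OID_KRB5 =
        {0x06, 0x09, 0x2a, (byte) 0x86, 0x48, (byte) 0x86, (byte) 0xf7, 0x12, 0x01, 0x02, 0x02};

    static Kind classify(String authorizationHeader) {
        if (authorizationHeader == null) return Kind.NONE;
        String[] parts = authorizationHeader.trim().split("\\s+", 2);
        if (parts.length != 2 || !parts[0].equalsIgnoreCase("Negotiate")) return Kind.NONE;
        byte[] tok;
        try {
            tok = Base64.getDecoder().decode(parts[1].trim());
        } catch (IllegalArgumentException e) {
            return Kind.UNKNOWN; // not valid base64
        }
        // Raw NTLM messages start with the ASCII signature "NTLMSSP\0".
        if (startsWith(tok, 0, NTLMSSP)) return Kind.NTLM;
        // GSS-API initial token: tag 0x60, DER length, then the mechanism OID.
        if (tok.length < 2 || (tok[0] & 0xff) != 0x60) return Kind.UNKNOWN;
        int lenByte = tok[1] & 0xff;
        int oidAt = 2 + (lenByte < 0x80 ? 0 : (lenByte & 0x7f)); // skip long-form length bytes
        if (startsWith(tok, oidAt, OID_SPNEGO)) return Kind.SPNEGO;
        if (startsWith(tok, oidAt, OID_KRB5)) return Kind.KERBEROS;
        return Kind.UNKNOWN;
    }

    private static boolean startsWith(byte[] data, int off, byte[] prefix) {
        if (off < 0 || data.length - off < prefix.length) return false;
        return Arrays.equals(Arrays.copyOfRange(data, off, off + prefix.length), prefix);
    }

    public static void main(String[] args) {
        Base64.Encoder b64 = Base64.getEncoder();
        // Constructed samples: only the leading bytes of each token type, not real tickets.
        byte[] spnego = {0x60, (byte) 0x82, 0x05, 0x10, 0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02, (byte) 0xa0};
        byte[] ntlm = "NTLMSSP\0\1\0\0\0".getBytes(StandardCharsets.US_ASCII);
        System.out.println(classify("Negotiate " + b64.encodeToString(spnego)));
        System.out.println(classify("Negotiate " + b64.encodeToString(ntlm)));
        System.out.println(classify("Basic dXNlcjpwYXNz"));
    }
}
```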
Related
I have a Java application running on Windows, which I need to authenticate to a Java application (servlet container) running on Linux. I'm unfamiliar with this issue, so I tried googling and experimented with different technologies. Here are some things I found - all weren't right for me:
Waffle - waffle works only for Windows server. I thought redirecting the incoming requests to a Windows server for the login process, but that just adds new servers which I will need to support.
Spnego - It doesn't say if it works on Linux, but I think it is meant for Windows server. (I mean this OS implementation - http://spnego.sourceforge.net/)
I'm using Tomcat, but we are migrating to different servers, so I don't want a specific "Tomcat" solution, but rather one that I can use in pure Java, if possible (or a servlet filter solution, which can run on any standard servlet container).
There are lots of patterns available. You haven't mentioned how is the communication between your Java application and the server.
You can easily get ServletFilter model to work if the communication between your applications and server is over http.
If the communication is over RMI, you can intercept RMI requests on the server and perform authentication/authorisation before completing the request.
Take a look at Spring security : http://docs.spring.io/spring-security/site/docs/3.0.x/reference/springsecurity.html
I recently did a quick mock up of a web service using C# on IIS. All users are using Windows so, in the web service, I was able to get the current user via NTLM.
Now I have to migrate this to a Java web service running on Tomcat or WebSphere.
What authentication options are open to me? I see that Apache HttpComponents has an NTLM feature but I can only find instructions on how to use it on the client side. Can I use it in my web service to determine the current user? (Remember, all users will be Windows users)
Just to clarify: this is for use in a company intranet and all users will be logged in to Windows. This is why NTLM seems to be the right way to go.
Try WAFFLE windows authentication framework.
(http://waffle.codeplex.com/)
It is one of the third party libraries suggested in the tomcat documentation. (https://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html)
It comes with zero configurations and all you have to do is to modify your web.xml to use Waffle as in this tutorial (http://code.dblock.org/2010/05/20/single-sign-on-tomcat-negotiate-authenticator-kerberos-ntlm-w-waffle.html)
I am a beginner Java web developer. Now my question is, after I have developed my application, how do I make users see it on the web?
I used JSF, MySQL and GlassFish server in my development stage and now I want to publish it.
I got a domain name and a web hosting account on GoDaddy.com
In other words, what to do after I develop my web application?
What steps should I take in server creation and other stuff?
I have searched a lot but there is no specific way for it. I am trying to make this dynamic website based on JSF development--and it is already done--become alive and out there like any other web site?
Any guidelines and steps I should take in making these steps?
Either you will need a "Production" server to host the application yourself or use a hosting service of some kind that provides a Java EE container. If you're tied to Glassfish, you can Google for those providers like http://glassfishhosting.com/.
Other options that might be good fits for you are cloud services. Something like either Rackspace or Amazon EC2. Each has their own pricing tiers that scale based on usage. Good luck to you going Live!
Can host the code on GitHub and push it to Heroku.
http://devcenter.heroku.com/categories/java
I don't know the provider you chose but you need a java application server for your live environment. And optimally this should be the same server as your development server.
For our projects we buy a virtual server and install Glassfish on it. This costs around 15 € per month and we have the same environment for development and production.
I'm developing a Java servlet application, and testing it on Eclipse + Apache Tomcat (refer: http://www.vogella.de/articles/EclipseWTP/article.html#overview_wtp).
The application is now tested on the localhost and accessed by any clients on the same LAN.
Now, I need to deploy it onto the web server, where everyone from anywhere can access this servlet.
Could you guide me on what I have to do to achieve this task?
You need to have a computer accessible to everyone - i.e. placed on the internet and not behind a firewall - with the appropriate software installed (and hardened against hacker attacks).
If you do not have such a computer, you can have a look at the Google Application Engine which allows you to deploy Java web applications (with some additional restrictions) to the Google cloud. This is free for low-volume applications.
Yes, you can do it by deploying your application in a cloud instance. Since we are not able to keep our own server instance or computer running always (we may come across internet connection problems, power fluctuation, etc.), we have a lot of problems while making our instance public (from a security perspective too). So it is better to use cloud instances.
We have many cloud service providers such as AWS by Amazon, Google Cloud, Microsoft Cloud, etc.
Take a look at this List of Cloud Services Providers. (You have links for all top 10 providers)
I have a web service that is using:
Java (familiar)
SOAP (new to me)
JBOSS (new to me)
The web service is currently unsecure. My task is to make it secure using https (SSL or TLS).
I am new to web services and web things in general. In the last week I have gone through a ton of literature, much of which I think was not relevant to my project. I think that I need two things:
A pretty basic tutorial on web services (java specific)
A tutorial on making web services secured
Here are some of the tutorials I have gone through already:
SO Answer - In-process SOAP service server for Java
How to make a web service server.
Does not have instructions for the client.
Also does not specify what should happen so I am not certain that I got the proper result when navigating to the URL.
An Introductory Tutorial on Web Services, Java and XML
Pretty good description of lots of XML things and how messages are passed. Not certain but this seems more low level than what I need.
Three Minutes to a Web Service
Good tutorial but in the second step one of the commands did not work.
I think that this may be because the tutorial is really old and maybe my JDK is different or something like that.
You can check out these frameworks
Apache axis
Apache cxf
The web service is currently unsecure. My task is to make it secure using https (SSL or TLS).
If it's just about (one-way) SSL, then this question doesn't have much to do with web services actually. It's more a web server or app server configuration issue. For JBoss, see SSLSetup or, if you are using Apache for the SSL encryption, see Apache SSL/TLS Encryption.
I would guess that you need to look at JBoss's documentation for how they handle security. Maybe this would help:
Chapter 8. Security on JBoss