Please explain the what, why and how of Kerberos authentication. I am using Spring 3+.
Also please elaborate on how to implement it in my java spring project.
There's an official Kerberos extension for Spring Security: http://projects.spring.io/spring-security-kerberos/
First step is to configure Spring Security for your project. Try that with for example a temporary in-memory authentication configuration, with some hardcoded users - just to check that the rest of the configuration is O.K.
Then, proceed with adding a Kerberos authentication provider, configuring SPNEGO, etc. (everything is described in the documentation).
Check out the example (uses Java-based configuration, but it's easy to translate that to XML config): https://github.com/spring-projects/spring-security-kerberos/blob/master/spring-security-kerberos-samples/
And the documentation: http://docs.spring.io/spring-security-kerberos/docs/1.0.0.RC2/reference/htmlsingle/
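A Java-config version of the SPNEGO server side of those steps, added here as an example and not taken from the linked Spring sample: it assumes Spring Security 3.2+ Java config with spring-security-kerberos 1.0.x on Java 8, and the service principal, keytab path and principal-to-role mapping are placeholders for your own environment.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.FileSystemResource;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider;
import org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator;
import org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter;
import org.springframework.security.kerberos.web.authentication.SpnegoEntryPoint;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class SpnegoSecurityConfig extends WebSecurityConfigurerAdapter {
    // Assumed placeholders: the SPN registered for this web server (it must match the URL
    // hostname) and the keytab exported for it (readable only by the application user).
    private static final String SERVICE_PRINCIPAL = "HTTP/web.example.org@EXAMPLE.ORG";
    private static final String KEYTAB_PATH = "/etc/security/keytabs/web.keytab";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // SpnegoEntryPoint answers anonymous requests with 401 + "WWW-Authenticate: Negotiate";
        // the filter then extracts the SPNEGO token from "Authorization: Negotiate <base64>".
        SpnegoAuthenticationProcessingFilter spnego = new SpnegoAuthenticationProcessingFilter();
        spnego.setAuthenticationManager(authenticationManagerBean());
        http.authenticationProvider(kerberosServiceAuthenticationProvider())
            .authorizeRequests().anyRequest().authenticated()
            .and().exceptionHandling().authenticationEntryPoint(new SpnegoEntryPoint())
            .and().addFilterBefore(spnego, BasicAuthenticationFilter.class);
    }

    @Bean
    public SunJaasKerberosTicketValidator ticketValidator() {
        // Declared as a bean so Spring calls afterPropertiesSet(), which logs the service principal
        // in from the keytab; tickets are then verified locally, with no round trip to the KDC.
        SunJaasKerberosTicketValidator validator = new SunJaasKerberosTicketValidator();
        validator.setServicePrincipal(SERVICE_PRINCIPAL);
        validator.setKeyTabLocation(new FileSystemResource(KEYTAB_PATH));
        return validator;
    }

    @Bean
    public KerberosServiceAuthenticationProvider kerberosServiceAuthenticationProvider() {
        KerberosServiceAuthenticationProvider provider = new KerberosServiceAuthenticationProvider();
        provider.setTicketValidator(ticketValidator());
        // Stand-in lookup mapping the validated principal (e.g. alice@EXAMPLE.ORG) to roles;
        // replace it with your LDAP/AD lookup. The password field is not used with Kerberos.
        provider.setUserDetailsService(name -> new User(name, "unused", AuthorityUtils.createAuthorityList("ROLE_USER")));
        return provider;
    }
}
```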
I have tried to explain the what and how part of the Kerberos protocol in my blog at: Kerberos. Please feel free to check it out. A summary of the same is as follows:
Kerberos is a trusted third-party authentication protocol designed for TCP/IP networks, which is based on symmetric cryptography.
Kerberos provides encrypted transport and authentication using security tokens and secure session keys, in order to secure the communication between the client and the server.
The Kerberos model basically consists of a Kerberos server which authenticates the client and provides security tokens in order to interact with a ticket granting service, or the TGS. The TGS is then responsible for authenticating this client for access to the actual server.
I have tried to describe it in a pictorial and step by step way in my blog.
I have been asked to create an OAuth2 server to access multiple webapps of our company. And I am following this GitHub project.
I don't have any idea about creating an OAuth2 server, and am stuck while getting an access token via authorization code (followed the given process in the link).
When you speak about an OAuth2 server, do you mean the interface between user storage (e.g. LDAP) and the web applications?
The easiest way to have an OAuth2 server would be to install WSO2 IS and configure your LDAP as a secondary user store.
I have not coded the server side of OAuth2, but Apache OLTU is a project that has been very helpful for me. It includes libraries for the server part.
Spring Security OAuth2 provides some sample code, one of which is an Auth Server.
http://projects.spring.io/spring-security-oauth/docs/oauth2.html
By default, it supports a single user. But it could be modified to be a more fully-featured Auth Server. It does show how to use Spring Security inside the Auth Server as well as how to implement the OAuth server endpoints and return a JWT.
How can I configure the Identity Server to work as an LDAP server? How can I test the LDAP server with a connection (in Java) to create and authenticate users?
I read the documentation but it's not clear.
Thanks
First of all, Identity Server is not an LDAP server and it cannot work as an LDAP server. It can use LDAP (or Active Directory or relational databases) as its user stores. It comes with a pre-configured LDAP as its primary user store. The documentation at [1] describes how to change the primary user store and configure secondary user stores. If you want to use the built-in LDAP you don't have to bother about those configurations.
For user authentication you can use several protocols. First of all you need to configure a service provider as described in [2]. In the beginning you can focus only on the "Inbound authentication configuration" part. In this part you have to select a protocol for authentication such as SAML, OAuth, etc. For authentication with SAML, you can use the sample web application and the configurations done at [3].
[1] https://docs.wso2.com/display/IS510/Configuring+User+Stores
[2] https://docs.wso2.com/display/IS510/Configuring+a+Service+Provider
[3] https://docs.wso2.com/display/IS510/Configuring+Single+Sign-On
I was trying to learn JAAS, then I came across the terms SAML and Realm, and now I am confused.
In any of the basic tutorials of JAAS, we are pretty much configuring the basics of what a normal Realm configuration is. If I read the configuration of SAML then it looks similar to JAAS. I have absolutely no idea why there are different names. Maybe SAML is built on Realm and JAAS on SAML; not sure. Can anybody please clearly state the difference?
A humble request: if you share any link, please describe a bit of it, so that it helps me when I am reading it.
I have successfully configured JAAS's BASIC and FORM-based authentication on both JBoss and GlassFish. It helped me to protect my JSPs and Servlets (Web Project). Where should I look if I want to protect an EJB as part of my application?
JAAS is a set of standard APIs for Java SE and EE which provide basic ways to achieve authentication and limited authorization. The typical use of JAAS for authentication is through LoginModules. An implementation of the LoginModule interface (javax.security.auth.spi.LoginModule) is able to authenticate a user based on credentials provided by the caller in a CallbackHandler. Most application servers allow you to plug in your own LoginModules. Other key concepts of JAAS are Subject (a collection of information about a user) and Principal (a single attribute of a user - an ID, a password). The capabilities of JAAS for authorization are rather limited and are rarely used directly.
The standard authentication mechanisms for Java web applications (like FORM, BASIC or DIGEST declared in your web.xml descriptor) typically delegate verification of the provided credentials to the configured JAAS LoginModules.
Realm is a concept used to denote separation of authentication and authorization policies for different applications/systems. E.g. if you want to authenticate users in application A using LDAP and application B uses a database table, you can put them into different security realms, so that their security requirements are isolated and correctly enforced. The typical system which uses this term is Tomcat, but you will find similarities in other containers/application servers too. In most cases (e.g. when deploying a single application) you don't need to worry about Realms too much.
Java EE provides standard mechanisms for securing EJBs using role-based access control (RBAC). You first define which roles are applicable to your application, then define which users accessing your application belong to which roles. You can then use either declarative authorization (= annotate your methods with security annotations such as @RolesAllowed, @PermitAll, @DeclareRoles, or do the same using XML descriptors) or programmatic authorization (= test whether the user belongs to a role by calling isCallerInRole on EJBContext directly in your code). A basic tutorial can be found here: http://docs.oracle.com/javaee/6/tutorial/doc/bnbyl.html
SAML is a very different beast from the previous ones. In a very simplistic way you can see SAML WebSSO as an authentication method. Generally SAML is a standard which defines an XML-based protocol used to transfer information about users, their authentication events and security attributes between remote systems in a secure way. Apart from the protocol itself SAML standard defines typical use-cases for the protocol, the most common being Web Single Sign-On (a possibility to authenticate user externally from the application at an entity called Identity Provider and login to an application - Service Provider without revealing user's credentials to it). In these use-cases SAML is similar to OpenID or OAuth 2.0 authentication you can see provided by Facebook or Google to 3rd party developers.
Hope this helps,
Vladimir Schafer
See if this helps you. A realm is an area where a specific configuration is in place. JAAS and SAML are both authentication modules that can be configured to handle authentication on that realm. SAML is an authentication scheme. http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language
To add to the other answers, I found the following explanation from this article to be helpful:
In reality, SAML and JAAS are two distinct security frameworks. SAML is an XML framework for exchanging authentication and authorization information. SAML provides a standard XML schema for specifying authentication, attribute, and authorization decision statements, and it additionally specifies a Web services-based request/reply protocol for exchanging these statements.
JAAS, on the other hand, through implementation-specific login modules receives information about the user, authenticates the user, and verifies that they are a valid subject.
So as I understand it, JAAS can be used to implement custom authentication and authorization for your app, and there are many possible ways to do this, some of which involve SAML. For example, you could use SAML to get the user's identity and role/group information; this would be stored in XML tokens that your JAAS module would need to parse.
I am looking for a Java-based REST server which supports the following authentication mechanisms. Also please let me know the best resources for REST-based authentication.
Token
Certificate
Kerberos
Oauth
Open Id
I am an architect from WSO2... so my reply could be biased...
You can use the open source WSO2 Application Server to deploy your RESTful services and WSO2 Identity server has the support for 2-legged OAuth...
Thanks...
Partial answer for method 2) Certificate:
If you're planning on using certificates for authentication, I must assume that the API will be consumed by a limited number of trusted client applications. I've recently developed and deployed a REST API for internal use within an organization, and we use server-client certificates for authentication. This solution delivers a really high level of security, but is very impractical to use in an externally exposed API. This post gives some information: Java HTTPS client certificate authentication.
Any Java container should support these with either:
Apache / IIS as a reverse proxy deployed for SSO (Single Sign On)
Authentication plugins
I have an application that uses LDAP with acegi-security-1.0.2.jar. I am able to authenticate the user with Active Directory. I wanted to add an NTLM auto-login feature for my application. May I know what extra Acegi library I need to do this? Is there any example of Acegi + NTLM for this?
Spring Security 2 supports NTLM; if you can't upgrade the library, try Jespa.
Some of the things that you can do with Jespa include:
Implement NTLM Single Sign-On (SSO) for HTTP servers
Check Windows group membership
Enable NTLM authentication with AD using a JAAS LoginModule
Add NTLM to the built-in HTTP stack or another HTTP client
Use NTLM with SASL clients and SASL servers
Add NTLM to the standard JNDI LDAP client
Easily authenticate and encrypt network communication
Create advanced and custom solutions using our intuitive "security provider" API
Here's another open source library, http://spnego.sourceforge.net, that can support integrated windows authentication/sso (no prompt).
The library is installed as a servlet filter.
Waffle is a drop-in solution that can be used with Spring Security/Acegi to achieve this: https://github.com/dblock/waffle
Drop-in meaning you don't have to do all those things in the above list - but you do have to add an SPN.