How to perform custom client authentication using certificate on Jetty-9? - java

I have a SAAS which services multiple customers and I want to be able to use client certificates to authenticate the different customers (different certificate for different customers). My services run on Jetty 9 (not embedded). How do I do that?
If I use <auth-method>CLIENT-CERT</auth-method> I am also required to provide the LoginService in the Jetty configuration, but that doesn't make sense to me because I need to be able to write the authentication code based on the certificate.
I want to stress that I need to do the client authentication per customers, so this needs to be on the application level and not the Jetty level using the SSL setup.

According to the documentation, it looks like the LoginService is what you should use on the application level for the authorisation step.
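One way to do the per-customer decision at the application level, as an added example that is not from the question or the answer above: a servlet Filter (hypothetical name CustomerCertFilter) reads the chain that Jetty exposes through the standard javax.servlet.request.X509Certificate request attribute and looks the leaf certificate's SHA-256 fingerprint up in a constructed customer table. It assumes Jetty's SslContextFactory has already been given a trust store and needClientAuth or wantClientAuth, so chain validation happens in the TLS handshake and the filter only decides which customer a validated certificate belongs to; the fingerprint in the table is a placeholder.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: maps an already-validated TLS client certificate to a customer id.
public class CustomerCertFilter implements Filter {
    // Constructed sample table: SHA-256 fingerprint (hex) of a customer's certificate -> customer id.
    private static final Map<String, String> CUSTOMERS_BY_FINGERPRINT = new HashMap<>();
    static { CUSTOMERS_BY_FINGERPRINT.put("<sha256-hex-of-customer-a-cert>", "customer-a"); }
    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) res;
        // Jetty sets this attribute only after the TLS handshake validated the chain against
        // its trust store (needClientAuth/wantClientAuth on SslContextFactory); index 0 is the leaf.
        X509Certificate[] certs =
                (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
        if (certs == null || certs.length == 0) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }
        String customer = CUSTOMERS_BY_FINGERPRINT.get(fingerprint(certs[0]));
        if (customer == null) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "certificate not registered to a customer");
            return;
        }
        req.setAttribute("customerId", customer); // downstream code takes the tenant from here
        chain.doFilter(req, res);
    }
    // Pin the whole DER-encoded certificate, not just the subject DN: a re-issued certificate
    // with the same DN must be registered explicitly before it is accepted.
    static String fingerprint(X509Certificate cert) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            StringBuilder hex = new StringBuilder();
            for (byte b : digest) hex.append(String.format("%02x", b));
            return hex.toString();
        } catch (NoSuchAlgorithmException | CertificateEncodingException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

Register the filter in web.xml (or with @WebFilter) in front of the customer-facing paths; because the container has already rejected any certificate that does not chain to the trust store, the filter's only job is the tenant mapping, and a certificate rotation shows up as a 403 until the new fingerprint is added.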

Related

How to connect to a REST service that needs Windows client authentication from Java?

I want to access a REST service from Java. The service runs under Windows and uses probably a "default" authentication mechanism. I was told it was Kerberos with a fallback to NTLM. I am able to access the service by a plain HTTPS GET request using Firefox (works with HttpRequester, too) - without specifying any credentials explicitly (obviously my Windows account is used).
How can I access the service from Java? A naive attempt to read using java.net.URL fails with status code 400.
Even the JDK (Oracle's JVM implementation) offers this; you may have a look at https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/lab/part6.html
This provides the high-level steps for the solution. You'll need Active Directory in order to leverage Kerberos with Windows. Then what you will do is use Java Spring Security for Kerberos in order to access the REST service from Java. Below are the more concrete steps.
The Java Spring Security for Kerberos library will do the heavy lifting for you; it provides a class to inject a Kerberos configuration into the HTTP client: org.springframework.security.kerberos.client.KerberosRestTemplate
You define some Kerberos properties within a client configuration .properties file. Here's the most important snippet from the file with respect to Kerberos:
KERBEROS.FLAG=Y
KERBEROS.DEBUG=true
SERVICE_ACCOUNT_PRINCIPAL = HTTP/some.hostname#YOUR.REALM
KEYTAB_LOCATION = file:///C:/path/to/filename.keytab
KDC = server.fqdn.name
KDC_DOMAIN = YOUR.REALM
KRB5 = file:///C:/path/to/krb5.conf
EDIT:
Kerberos keytabs are not required with a Java client on a Windows AD domain-joined machine. Since you want to use the credentials of the person who is running the Java program, you wouldn't use a keytab (since the keytab itself contains only one credential).
Refer to the official Spring Security Website

Unable to create a java client to WSO2 Identity Server 5.1.0 using AuthenticationAdmin API Authentication

I want to create a java client (on eclipse) to connect to WSO2 Identity Server 5.1.0 using the API to authenticate, create, save and manage users.
So my idea is to configure the identity server as LDAP and to test it with an example of a client in java that can authenticate and manage users with the API...
I tried to use the example in https://docs.wso2.com/display/IS510/Managing+Users+and+Roles+with+APIs, but I think that the new version of the server does not support this example.
Apparently you are mixing several things (and the WSO2 documentation is misleading in that point too):
I want to create a java client (on eclipse) to connect to WSO2 Identity Server 5.1.0 using the API to authenticate, create, save and manage users
The web page you refer to provides 2 ways to call the admin services:
admin web services - you may create or generate a web service client and use the web service to connect to the WSO2 IS remotely. How to get the WSDL files is described in this post. That should work with all (even older) versions of the WSO2 IS. I would suggest using this approach.
The code snippet you have provided should work (I haven't tried it myself though). I use the default admin web services.
If you are unable to create a client or connect, you should provide more details where / with what you have the problem.
So my idea is to configure the identity server as LDAP...
WSO2 Identity Server is not an LDAP server. It may have an LDAP configured as a user store (it has an embedded OpenLDAP instance by default). But you can use the web services or the OAuth2 endpoint to authenticate users against configured user stores.

webservice authentication - do I need SSL?

I have a question about whether I really need SSL or not. The scenario is as follows:
I have two applications at the moment; they are both Java webapps. One of them is getting data from the other via a RESTful web service secured by Spring Security, but my problem is that it sends the username and password in the URL so the other app can authenticate and authorize it using LDAP. In the end both apps will be running on a JBoss AS 7 server, so even though one of them is a client and the other one is a server they will be running on one server, and that confuses me a little bit (even if they will use multiple instances of JBoss they will still both be in the same network). Also, signing a certificate by a third party seems unnecessary here because I don't really care if anyone will trust my server app, and again I found that I can implement my own Certificate Authority but it really seems to me like overkill.
So to summarize it: if I only care about request (or just its parts - username and password) being encrypted do I need to enable SSL and provide all it needs or is there any easier way to achieve it?

REST Authentication

I am looking for a Java based REST server which supports the following authentication mechanisms. Also please let me know the best resources for REST-based authentication
Token
Certificate
Kerberos
OAuth
OpenID
I am an architect from WSO2... so my reply could be biased...
You can use the open source WSO2 Application Server to deploy your RESTful services and WSO2 Identity server has the support for 2-legged OAuth...
Thanks...
Partial answer for method 2) Certificate:
If you're planning on using certificates for authentication, I must assume that the API will be consumed by a limited number of trusted client applications. I've recently developed and deployed a REST API for internal use within an organization, and we use server-client certificates for authentication. This solution delivers a really high level of security, but is very impractical to use in an externally exposed API. This post gives some information: Java HTTPS client certificate authentication.
Any Java container should support these with either:
Apache / IIS as a reverse proxy deployed for SSO (Single Sign On)
Authentication plugins

Spread authentication protocol that supports multi-factor authentication

Let's suppose that I have authentication infrastructure that provides multi-factor authentication. I want to create a service which will authenticate users for some clients. Clients have different web servers like Apache, JBoss, Tomcat, WebLogic, IIS 7.0, and some others.
I need to insert an existing java front-end into my infrastructure based on some authentication protocol to interact with my clients' servers. The requirements are: existing solutions for clients' servers that will need minimal changes and settings at the client side.
Upd1 : Interaction between front-end and clients' servers should be secure, based on a shared secret.
Upd2 : The client's user shouldn't know anything about my service.
Please ask for more details...
Sounds like you do indeed need a SAML IDP which enforces multi-factor authentication. SAML is supported across platforms (Java, Spring Security, PHP and .NET come to mind). If you're looking for a hosted solution check out our Cloudseal platform. If you want an open source solution you may want to look at CAS, although you will have to code your own integration with a multi-factor authentication system.
