I have a java web application(hosted in Linux) which speaks to a document management system which is a .NET based system via rest services. By default SSO Kerberos authentication is used in document system and for the same we are passing SSO Token to identify the user who accesses our application via web browser. This works fine and the document system is able to identify the user and allows user to upload document.
However we have a problem when a user who belongs to a different domain/AD tries to access the application. This is due to the external trust level between the environment document service is hosted and user environment. The document mgmt system supports NTLM authentication to handle this scenario and we were told that we need to pass credential object in the request. It appears there are easy ways for .NET client to extract user credential using CredentialCache object but I am struggling to find equivalent in Java.
I am trying to find out a way to pull the users windows credential so that I can set in the credentials object before i send the request to document system. Our application is SSO enabled, hence we dont want the user to explicitly pass his windows credential.
Related
I'm trying to integrate my web app with an external system where the user will login in external system (which I do not have control of ) using Single Sign-On with Oracle Access Manager 11g then can access my web-app without the need to login again .. is it possible to validate the user token which comes from the Oracle Access Manager?
Your application must "plug in" to OAM using an OAM WebGate so that OAM can validate the token. This is typically done through the web server.
See here for an example: https://docs.oracle.com/cd/E40329_01/doc.1112/e49451/webgate_apache.htm#WGINS76147
We are implementing Single Sign On [SSO] across multiple applications, which are hosted on different domains and different servers.
Now as shown in the picture, We are introducing a Authenticate Server which actually interacts with LDAP and authenticate the users. The applications, which will be used/talk to Authenticate Server are hosted across different Servers and domains.
for SSO, I can't use session variables, as there are different servers and different applications, different domains, a domain level cookie/session variable is not helpful.
I am looking a better solution which can be used for SSO across them. Any demonstrated implementation is existing? If so, please post it or point me in the right direction for this.
You can achieve this by having all your log-ins happen on the auth server. The other applications can communicate to the auth server through a back channel. The general principle is like this:
User accesses application 1.
Application 1 needs the user to sign on, so it sends a token to the auth server through the back channel. Application 1 then redirects the user to the log in page on the auth server with the token as a parameter on the request.
User logs in to auth server. Auth server sets a cookie, flags the token as authenticated and associates the user details with it. Auth server then redirects user back to application 1.
Application 1 gets request from user and calls auth server over back channel to check if the token is OK. Auth server response with user details.
Application 1 now knows that the user is authorised and has some basic user details.
Now this is where the SSO bit comes in:
User accesses application 2.
Application 2 needs the user to sign on, so it sends a token to the auth server through the back channel. Application 2 then redirects the user to the login page on the auth server with the token as a parameter on the request.
Auth server sees that there is a valid log in cookie, so it can tell that the user is already authenticated, and knows who they are. Auth server flags the token as authenticated and associates the user details with it. Auth server then redirects user back to application 2.
Application 2 gets request from user and calls auth server over back channel to check if the token is OK. Auth server response with user details.
Application 2 now knows that the user is authorised and has some basic user details.
There are some existing implementations of this method, for example CAS (Central Authentication Service). Note that CAS is supported out of the box in Spring Security. I would advise you look at using an existing implementation, as writing your own will be hard. I have simplified things in my answer and there is a lot of potential for introducing security holes if you're new to this.
I will recommend you check out OAuth. It is a good Authenticaiton and Authorization protocol used by several large organizations including facebook, google, windows live and others. It may have an initial learning curve, but it is a production grade solution.
It also has libraries for Java, Ruby, PHP and a range of other programming languages.
For example, the following server side implementations are available for Java.
Apache Amber (draft 22)
Spring Security for OAuth
Apis Authorization Server (v2-31)
Restlet Framework (draft 30)
Apache CXF
Following client side Java libraries are also available:
Apache Amber (draft 22)
Spring Social
Spring Security for OAuth
Restlet Framework (draft 30)
Please refer here for more details:
http://oauth.net/2/
http://oauth.net/documentation/
The bigger question is how you are implementing single sign on. Many open source and even proprietary (IBM Tivoli) offerings worth their salt offer cross domain single sign on capability. This would be the easiest and best way to implement cross domain sso. You can configure the LDAP server you use in the sso server you choose.
Taking for instance open sso, here is an article to configure cross domain single sign on
http://docs.oracle.com/cd/E19681-01/820-5816/aeabl/index.html
To configure LDAP in open sso,
http://docs.oracle.com/cd/E19316-01/820-3886/ghtmw/index.html
Reference on the issue is presented in a neat diagram here
http://docs.oracle.com/cd/E19575-01/820-3746/gipjl/index.html
Depending on which offering you use, you can configure cross domain single sign on.
With this, your diagram will look like this, with the auth server being your utility to interact with sso server of your choice.
Having an auth server that communicates with sso is a sound architecture principle. I would suggest making calls to authenticate as REst end points which could be called via http from different applications.
You cannot use Rest Service .
You could use what i call a Refferer Url Authentication
Say you have a Authentication application running on www.AAAA.com
In the applications , where you want to authenticate , you could have a filter which looks for a authenticated cookie in its domain else redirect to www.AAAA.com for authentication
On Successfull authentication , you could pass the user profile information as encrypted GET / POST data back to the application
Since I have built a Java application, I have been looking for an SSO solution for it. I found a free Java SAML Connector using which you can achieve SSO in java based applications built using any java framework.
Here's the link to it - https://plugins.miniorange.com/java-single-sign-on-sso-connector
I have a web application which is hosted on apache web server. And i have external java application which runs on tomcat integrated in this web application.
The apache is kerberized and I get the username of the person accessing it in the intranet. I want to use the same username and pass it on tomcat to check against ldap and authorize the user.
I was looking into JNDI realm which supports LDAP module. But the problem is I do not have access to the user's password. But I'm able to get the groups the user belongs to and based on that I want to authenticate the user.
So my question is will i be able to authenticate a user against Tomcat server via LDAP with just the username and not the password?
PS: Sorry there is no code or configuration that I can post at this point. The only resources i found implemented both username and password. I cannot kerberize the tomcat server because I have other issues in the network.
"I was looking into JNDI realm which supports LDAP module. But the problem is I do not have
access to the user's password. But I'm able to get the groups the user belongs to and based
on that I want to authenticate the user."
Once I was asked to write some code to do the very same thing. I found a way to make it work. However, although it seemed to work well enough with Internet Explorer which would automatically detect the Windows username (because my code was parsing some NTLM information that only Internet Explorer passes in as a header), in Firefox or any other browser the user would be presented with an authentication box and any username they typed in would be accepted! Its very insecure.
(Well, its not really true that only IE passes the header in. Only IE passes it in automatically; but Firefox also passes it in after someone gets the authentication box and types in any name they want. That's the problem.)
What I would suggest is writing a C#.NET service to do the authentication for real on a webserver that is IIS and has Integrated Authentication on. Then, redirect to the C# service when someone hits the Java site and the username session variable is null. Have the C# service save the info in a trusted/secure database including ip address and browser and redirect to the Java app which reads the db to validate IP address and browser and that the record was just created.
Edit: I just noticed you said your Apache is kerberized and already gets the Windows username, which may render the problem above about the unreliability of parsing the NTLM header null and void. In this case, if you can get the AD groups via LDAP you can authenticate the user in your webapp with your own code, but probably not using the official Tomcat authentication scheme. What is described above is just because my Tomcat is not paired with an Apache server but with a IIS server. So basically, its the same thing, except you won't need C#.
We have a Java desktop application that makes SOA Web Service requests to some backend services that require SMSESSION value passed into the SOAP Headers. In our Web Application we get Single-Sign-On once SMSESSION is established in a browser Cookie, so passing SMSESSION is seamless.
For our Desktop application we don't know how to get SMSESSION from the desktop. Is there an SiteMinder Java API that would allow for us to grab SMSESSION from a cookie on the desktop or any other solution?
The Class SmAuthenticationContext contains methods which:
lets you retrieve an AppSpecificContext object
includes credentials information from the user directory where user context was established
sets the user text response for this authentication request
Here are a few references which may help:
CA SiteMinder API Reference Guide for Java
Persistence Service
NTLM SSO
Simplify enterprise Java authentication with single sign-on
I've worked through the examples for performing OOB OAuth2 connections and it works fine from my laptop.
The challenge I'm having is that it fires up a browser, asking me to verify if I want to grant access for my app to the documents in question. From then on it stores my credential set in a local file and continues to work just fine.
The use case I have is that I have a number of departments in my company that want to leverage Google Docs spreadsheets for reporting. I then want to be able to run a program on a server (from a cron job) that can scrape this data and build an aggregated report for all departments.
I had intended on creating a "reporting user" that is granted read access to all of the documents in question, then run the report process using that identity.
I tried running it on my laptop, then copying the stored credentials to my server for it to use. But it seems those credentials are tied to the machine and so it forces a new verification flow via browser.
Any suggestions on how to work with the auth flow for Google Drive to allow me to do what I need?
TIA
Rather than needing to grant some user read-only access to all docs, I'd suggest using a service account which has been granted read-only access to all of your Google Apps domain user's docs:
https://developers.google.com/drive/delegation
use:
https://www.googleapis.com/auth/drive.readonly
as the OAuth scope that you grant the service account access to in the Control Panel. That way if the server is compromised you've limited access to read-only.
Create GoogleCredential with p12 file from API console (API Access > Create Another Client ID > Service Account etc):
GoogleCredential.Builder#setServiceAccountPrivateKeyFromP12File(File)
more info on Service Accounts
The other answers are better than this, but you can always get a set of credentials and save them in a file for reuse. Getting the credentials could be done with a web browser, but only once, and then your server could use them forever (as long as you request offline access and get a refresh token).