I have 2 different web applications that use Spring and are running on the same Tomcat (maybe later to be separated into a different Tomcat for each).
My first webapp is a straightforward web application where users can log in, create an account, and do stuff.
The other webapp actually executes periodic HTTP requests (REST API) towards the first app.
My problem is I must ensure that these requests are actually legitimately being executed from webapp #2 and not from another hostile requestor.
1) How can I do that?
How can I make sure in webapp #1 that it serves only requests from webapp #2?
I don't want to rely on IP address alone.
2) Can Spring Security help me achieve this?
3) Is authenticating from webapp #2 against webapp #1 via the standard Spring Security authentication mechanism a viable solution? (a username/password that is known only to both webapps)
For a login you can use a service call from the most-facing web portal, and once authentication is successfully done then you can transfer to a Spring login-authenticated page, and it passes access for the user as well.
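One concrete way to bind requests to webapp #2 without relying on IP addresses is a shared secret that both webapps hold in their own configuration and that never travels on the wire: the caller signs each request with an HMAC over the method, path, a timestamp and the body, and webapp #1 recomputes the signature before serving. The following is an added example written for this thread, not code from either webapp or from Spring Security; the header names X-Timestamp and X-Signature, the 5-minute acceptance window and the demo key are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.time.Instant;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example (not from the original thread): webapp #2 signs each request
 * with an HMAC keyed by a secret only the two webapps know; webapp #1 verifies.
 * The caller sends the result in X-Signature together with X-Timestamp (assumed
 * header names) and the verifier rebuilds the same canonical string from the
 * request it actually received.
 */
public final class ServiceRequestSigner {
    private static final String HMAC_ALG = "HmacSHA256";
    private static final long MAX_SKEW_SECONDS = 300; // assumed replay window

    private final byte[] secret;

    public ServiceRequestSigner(byte[] secret) {
        if (secret.length < 32) throw new IllegalArgumentException("use at least 256 bits of random key material");
        this.secret = secret.clone();
    }

    /** Everything the verifier relies on must be inside the signed string, or it can be altered freely. */
    static String canonical(String method, String path, long ts, String body) {
        return method.toUpperCase() + "\n" + path + "\n" + ts + "\n" + sha256Hex(body);
    }

    /** Caller side (webapp #2): value to send in X-Signature alongside X-Timestamp = ts. */
    public String sign(String method, String path, long ts, String body) {
        return toHex(hmac(canonical(method, path, ts, body)));
    }

    /**
     * Server side (webapp #1): reject stale timestamps first (bounds replay), then
     * compare in constant time so a hostile caller learns nothing from timing.
     */
    public boolean verify(String method, String path, long ts, String body, String signatureHex, long now) {
        if (Math.abs(now - ts) > MAX_SKEW_SECONDS) return false;
        byte[] expected = hmac(canonical(method, path, ts, body));
        byte[] given = fromHex(signatureHex);
        return given != null && MessageDigest.isEqual(expected, given);
    }

    private byte[] hmac(String data) {
        try {
            Mac mac = Mac.getInstance(HMAC_ALG);
            mac.init(new SecretKeySpec(secret, HMAC_ALG));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    private static String sha256Hex(String s) {
        try {
            return toHex(MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8)));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    private static String toHex(byte[] b) {
        StringBuilder sb = new StringBuilder(b.length * 2);
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    private static byte[] fromHex(String hex) {
        if (hex == null || hex.length() % 2 != 0) return null;
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            int hi = Character.digit(hex.charAt(2 * i), 16);
            int lo = Character.digit(hex.charAt(2 * i + 1), 16);
            if (hi < 0 || lo < 0) return null;
            out[i] = (byte) (hi << 4 | lo);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed demo key; in deployment each webapp reads 32+ random bytes from its own config.
        byte[] key = "constructed-demo-key-replace-with-32-random-bytes!".getBytes(StandardCharsets.UTF_8);
        ServiceRequestSigner caller = new ServiceRequestSigner(key); // webapp #2
        ServiceRequestSigner server = new ServiceRequestSigner(key); // webapp #1
        long now = Instant.now().getEpochSecond();
        String body = "{\"job\":\"sync\"}";
        String sig = caller.sign("POST", "/api/sync", now, body);

        System.out.println("genuine request accepted: " + server.verify("POST", "/api/sync", now, body, sig, now));
        System.out.println("tampered body accepted:   " + server.verify("POST", "/api/sync", now, "{\"job\":\"drop\"}", sig, now));
        System.out.println("10-minute-old replay accepted: " + server.verify("POST", "/api/sync", now, body, sig, now + 600));
    }
}
```

In a Spring application the verify call sits in a servlet filter or a Spring Security filter in front of the REST endpoints, and a username/password known only to the two webapps (the thread's option 3) is the same idea with a weaker binding: a password authenticates the connection, whereas the HMAC ties the secret to each specific request body and path, so an intercepted request cannot be modified and resent.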
The scenario is this: I'm developing a Java EE application with an Angular 2 frontend. The client has an Apache server which is usually used to serve static resources and an Oracle WebLogic for the dynamic part. The problem is that by default the Angular 2 app and the WebLogic server will not be able to talk to each other due to the Same Origin Policy.
So far I have 3 possible deployment approaches in mind:
Set up a Reverse Proxy in Apache to point the REST endpoints to Weblogic
Package the Angular App in a WAR/EAR and deploy it to Weblogic. So I would end up with something like: myserver/myapp for the UI and myserver/myapp-rest for the Backend.
Package the Angular App in the same WAR as the Java backend. So I would end up with myserver/myapp for the UI and myserver/myapp/api for the REST endpoints.
There is a 4th option which would be setting up CORS, but I'm worried about the security using that approach.
Which is the right approach?
If you are allowed to make infra decisions, change the Apache web server to nginx; we switched to nginx and got a lot of added value in terms of concurrent processing.
In our project the Angular client is served by the nginx web server, which talks to the Java backend hosted on Tomcat 8.x (our app server); there are also a couple of tiers after the app server: a separate DB server and an Elasticsearch server.
Don't feel intimidated about setting up CORS; you will eventually need to allow some requests from origins which are not your own domain and port.
If your Java tech stack has Spring MVC, then setting up CORS is just a matter of adding a few lines of configuration. You can even hardcode your Angular URL to allow the backend server to serve requests only from your Angular URL.
In the normal Java EE world, CORS is just another filter or interceptor where you set response headers with all the allowed origins, HTTP methods etc. It's very simple; you can look it up.
For your given choices:
1) seems plausible, and a value addition that you get is you can delegate SSL encryption to the proxy server.
2) seems rather odd; you would want to separate the static content server from the dynamic content server. Your Angular JS bundles, assets etc. are mostly static; if you keep your static server separate then you can configure cookie-less domains down the line, which would make serving a lot faster.
3) same as 2.
I would strongly suggest the CORS option, from my past experience.
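The Spring MVC configuration the answer refers to, as an added example that is not from the original thread or from the project being discussed: a WebMvcConfigurer that opens the REST endpoints only to the Angular origin. The origin URL, the /api/** path and the header list are assumptions; adjust them to the real deployment.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

/**
 * Added example (not from the thread): CORS limited to the one origin the
 * Angular bundle is served from. With this in place a page on any other site
 * that scripts a request to the API gets no readable response from the browser.
 */
@Configuration
public class CorsConfig implements WebMvcConfigurer {

    // Assumed: the exact scheme + host + port the Angular app is served from.
    // CORS matching is literal, so "https://ui.example.com" and
    // "https://ui.example.com:443" are different origins to the browser.
    private static final String ANGULAR_ORIGIN = "https://ui.example.com";

    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/api/**")              // assumed REST path prefix
                // Weak setting to avoid: .allowedOrigins("*") opens the API to every
                // site; Spring also refuses "*" together with allowCredentials(true).
                .allowedOrigins(ANGULAR_ORIGIN)
                .allowedMethods("GET", "POST", "PUT", "DELETE", "OPTIONS")
                .allowedHeaders("Authorization", "Content-Type")
                .allowCredentials(true)              // needed if the browser must send the session cookie
                .maxAge(3600);                       // cache the preflight answer for an hour
    }
}
```

Spring answers the OPTIONS preflight itself and emits Access-Control-Allow-Origin with the single configured value, which is the point of the answer's "hardcode your Angular URL": the allow-list decides which pages' scripts the browser lets read the responses. It does not replace authentication on the endpoints, since a non-browser client never consults CORS at all; the server-side checks on the session or token still have to be there.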
I have an SSO environment configured through CAS. When I log into one application and try to access the other application's login, it will successfully authenticate without credentials. Or, if I make a REST call to the other application when logged in through any of the SSO-configured applications, I get the result while using an application like Postman. But the problem is when I am making a REST call from the Java back end. Instead of generating a token, CAS is redirecting me to the login page... Please let me know how to proceed.
For web application to backend communication, I would recommend using the proxy mechanism: https://wiki.jasig.org/display/CAS/Proxy+CAS+Walkthrough
The way to configure everything properly depends on the CAS client you use.
I have a very simple question for which I have not found an answer in SO or elsewhere (namely, the hundreds of pages of JBoss security documentation):
I want to implement a login function (specifically, database logging), at the point when authentication happens through JAAS, without the client having to make a separate REST call.
I'm not an expert, but my understanding is that the authentication happens through a database query off in the JBoss XML, without calling the server directly. Since JBoss is doing this and connecting the authentication with the server war, I'm hoping that there is a hook available to have it kick off a REST call, or call the Java code through another mechanism.
Couldn't find a duplicate but please point me to it if it answers this exact question.
Thanks
My experience is with webapps and not with client apps, so I do not fully understand your question, but it is clear you are suffering from a serious misunderstanding.
want to implement a login function (specifically, database logging), at the point when authentication happens through JAAS.
To do that you just need to implement a LoginModule class and register it with JBoss.
Let's make this clear. JAAS is executed at the server, as part of a resource security policy. When a resource needs authenticated access, the JBoss servlet executes the security policy related to it. The security policy includes:
a) how the container (the JBoss server) requests the authentication data. But that part is not specified by JAAS. JAAS only specifies how the container passes that data back to the login module.
b) the login module that the container runs to check that the authentication data is correct, and to fill/provide the principal that will be passed to the application in the server. The login module makes its checks as it wants (let it be SQL query, or LDAP queries, or calling a WS, or...).
The "without the client having to make a separate REST call" has no relationship with JAAS. It may be that the policy requires setting up a cookie for authentication. I am pretty sure (again, I am used to webapps) that if you use Basic HTTP authentication you do not need extra calls. Then again, JAAS is only related to checking the user/password and providing/filling the principal. How the data is obtained by the container (JBoss server) is not related to JAAS.
I'm not an expert, but my understanding is that the authentication happens through a database query off in the JBoss XML, without calling the server directly. Since JBoss is doing this and connecting the
The "JBoss XML" does nothing; it is just a description of the security policies. When you deploy an app, its descriptor tells which resources are to be protected by which security policies. Do not confuse the terms. What performs the SQL query (or LDAP query, or web service call, etc.) is the container (the "JBoss server") through the login module.
From the rest of your question, I cannot understand what you are trying to do. Do you want the JAAS module to call your webapp code directly?
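The answer's point is that the LoginModule is where the container hands over the credentials, so that is where a "record every login" hook belongs: it runs inside the server on each authentication, and the client makes no extra call. The following is an added example for this thread, not the JBoss login module or the asker's code. The in-memory user map stands in for the SQL query the answer describes, the audit logger is a placeholder for writing to the database, and wiring the class into a JBoss security domain is left to the server's own configuration.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Map;
import java.util.logging.Logger;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/**
 * Added example (not from the thread): a JAAS LoginModule that checks the
 * supplied credentials and records the attempt at the moment of authentication.
 * The container calls initialize/login/commit (or abort) in that order.
 */
public class AuditingLoginModule implements LoginModule {
    private static final Logger AUDIT = Logger.getLogger("login-audit"); // placeholder for the DB audit table

    // Constructed stand-in for the user table; a real module queries the
    // DataSource of the security domain and stores salted password hashes.
    private static final Map<String, char[]> USERS = Map.of("alice", "correct horse".toCharArray());

    private Subject subject;
    private CallbackHandler handler;
    private String username;
    private boolean authenticated;
    private Principal principal;

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler; // the container's handler: how it got the data (form, Basic, ...) is not JAAS's concern
    }

    @Override
    public boolean login() throws LoginException {
        NameCallback nameCb = new NameCallback("username: ");
        PasswordCallback pwCb = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nameCb, pwCb });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot obtain credentials: " + e.getMessage());
        }
        username = nameCb.getName();
        char[] supplied = pwCb.getPassword(); // a copy; clear both when done
        pwCb.clearPassword();
        boolean ok = checkCredentials(username, supplied);
        if (supplied != null) Arrays.fill(supplied, '\0');

        recordAttempt(username, ok); // the "login function" the question asks for: runs server-side on every attempt

        if (!ok) throw new FailedLoginException("invalid username or password"); // same message for unknown user and wrong password
        authenticated = true;
        return true;
    }

    @Override
    public boolean commit() {
        if (!authenticated) return false;
        principal = new SimplePrincipal(username);
        subject.getPrincipals().add(principal); // what the application later sees as the caller
        return true;
    }

    @Override
    public boolean abort() {
        cleanup();
        return true;
    }

    @Override
    public boolean logout() {
        if (principal != null) subject.getPrincipals().remove(principal);
        cleanup();
        return true;
    }

    private void cleanup() {
        username = null;
        authenticated = false;
        principal = null;
    }

    static boolean checkCredentials(String user, char[] pw) {
        char[] stored = user == null ? null : USERS.get(user);
        // Demo comparison only; production compares a salted hash of pw with the stored hash.
        return stored != null && pw != null && Arrays.equals(stored, pw);
    }

    static void recordAttempt(String user, boolean success) {
        AUDIT.info((success ? "LOGIN_OK " : "LOGIN_FAIL ") + user);
    }

    static final class SimplePrincipal implements Principal {
        private final String name;
        SimplePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return name; }
    }
}
```

Recording failures as well as successes is what makes the audit useful for detection (repeated LOGIN_FAIL for one user or from one source is the signal to alert on), and keeping the hook inside login() rather than in the application means a protected resource cannot be reached without the attempt being logged, since the container runs the module before the servlet ever sees the request.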
I have developed a web application (say webapp1) running on server (say server1 ).
I have another web application (say webapp2) running on different server(say server2).
Only registered users on webapp1 must be able to log in to webapp2 using username and password from webapp1 session.
webapp1 uses Active Directory to authenticate users. Some users of webapp1 can access webapp2 by internally going through Active Directory.
I want to access webapp1 from webapp2. How can I do that?
I think your question is something like this. You have two web apps, and when a request comes in, your first webapp (webapp1) does some processing and the other part is to be done by the second webapp.
This can be done by redirecting/forwarding the request to the second webapp, let the second webapp complete the remaining part of work and return it to user or to the first webapp again.
You'd want to create an API to do this.
See a similar question (for PHP but the basic concept still applies): create api using php
Build RESTful web services with Java technology:
http://www.ibm.com/developerworks/training/kp/j-kp-rest/index.html
If we are to separate our web server and app server, would we need Java on both machines? I've had one coworker say to install JBoss on both machines (seems to defeat the purpose if both machines have the app server installed) and another says just install JBoss on one and Apache on the other (app server/web server).
I have the web project set up already and it uses servlets and JSPs. The JSPs display the content while the servlets do the action. The servlets receive requests and forward responses to the JSP. My question is how do I do this if the web server only has Apache and therefore displays static content? I understand how to forward the requests from the web server to the app server, but what about maintaining session state: is that done on the web server, and if so how would it be done?
If the login page is html and the content after the login is html then how could I stop people from accessing the content if they haven't logged in?
The latter setup you describe, with Apache serving static content and forwarding requests for JSPs/servlets on to the app server, is the standard setup.
Session state is maintained as normal, your Java webapp on the app server sends the user back a cookie containing a JSESSIONID and when the user makes subsequent requests, Apache includes all request info (including cookies) in what it forwards to the app server.
The setup becomes a bit more complicated if you want to have Apache sit in front of and load balance requests to multiple JBoss instances, but it's still pretty easy to set up with mod_proxy_balancer.
Some links that might help you:
http://help.shadocms.com/blog/2009/how-to-setup-apache-with-jboss-on-a-shado-site.cfm
http://redlumxn.blogspot.com/2008/01/configure-apache2-and-jboss-422ga.html
There are many possibilities.
On the web machine install just Apache with mod_jk to redirect the requests to Tomcat/JBoss.
In this case you don't need Java on this machine.
You can also separate your JSP container (e.g. Tomcat/JBoss) and your app server; in this case you will need to install Java where you have your web container.
Generally where there is a need for higher security, people combine the above-mentioned possibilities: thin web layer (Apache + no Java) + web container (e.g. Tomcat) + app layer (JBoss/GlassFish).
The first solution is normally the standard one.
Your scenario reminds me of SiteMinder. It was used for access control into our application. It has built-in HTTP forwarding, so from the user's perspective the browser talks to SiteMinder and SiteMinder talks to the real application. They both use session cookies; SiteMinder's is called SMSESSION while the app's is called JSESSIONID, so there is no conflict.
A common deployment is to use Apache fronting servers to serve static content and forward requests for dynamic content to the JSP server. This is mainly for performance reasons, Apache being both faster at serving content and reducing the load on the JSP server.
I don't see any reason why you couldn't, for example, use IIS as the fronting server (removing Java from the equation), although with the wealth of Apache modules and accompanying information about the configuration, I think you might be making life difficult for yourself if you did.
Short answer - No.
Long answer -
It depends on the needs of your application. There are a few reasons why you would want to have the web server on a different physical machine:
You want to have the web server serve the static content, and leave the app server free to only process servlet/JSP content.
You wish to implement software-based load balancing. You would have the Apache server proxy requests to multiple backing app servers.
In your login example, the HTML page is served by Apache, and the action of the HTML form points to your servlet for processing, so JBoss/Java will still manage the session. Keep in mind that any static content you want Apache to serve will need to be present on the web server.
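The split the answers above describe (Apache serving the static login page, the app server owning the session) in Apache httpd 2.4 configuration, as an added example rather than anything from the thread: the hostname, paths, port and certificate locations are placeholders.

```apache
# Added example (not from the thread): Apache httpd 2.4 fronting one JBoss/Tomcat
# instance with mod_proxy. Assumed: static files under /var/www/site, the Java
# webapp deployed at context /myapp on 127.0.0.1:8080, no Java on this machine.
# Omit the LoadModule lines if your distribution already loads these modules.
LoadModule ssl_module        modules/mod_ssl.so
LoadModule headers_module    modules/mod_headers.so
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

<VirtualHost *:443>
    ServerName www.example.com                       # placeholder hostname
    DocumentRoot /var/www/site                       # login.html and other static assets

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.crt    # placeholder path
    SSLCertificateKeyFile /etc/ssl/private/example.key  # placeholder path

    # Forward only the dynamic part. Request headers, including the JSESSIONID
    # cookie, are passed through unchanged, so the app server keeps the session;
    # Apache stores no session state of its own.
    ProxyRequests Off              # never behave as an open forward proxy
    ProxyPreserveHost On           # app sees the public hostname for redirects
    RequestHeader set X-Forwarded-Proto "https"   # lets the app mark cookies Secure
    ProxyPass        /myapp http://127.0.0.1:8080/myapp
    ProxyPassReverse /myapp http://127.0.0.1:8080/myapp

    # Everything else is served straight from disk and never reaches Java.
    <Directory /var/www/site>
        Require all granted
        Options -Indexes
    </Directory>
</VirtualHost>
```

The form in login.html posts to /myapp/login (or whatever the servlet is mapped to), which this configuration forwards to JBoss. The caveat that answers the "how could I stop people from accessing the content" question: anything placed under DocumentRoot is served by Apache to anyone, with no knowledge of the JSESSIONID cookie, so every page that should require a login has to live under the proxied context and be covered by the webapp's own security constraint. Only truly public assets (the login page, stylesheets, scripts, images) belong on the web server's disk.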