I have a simple application deployed on a WebLogic (12) server. In Security Realms I've created a user with a password. Now I want to use those credentials to connect from the Java client code (inside my app) to some external server (like LDAP). Is this possible? To use a user defined in the realm without passing the password (because the password will be defined on WebLogic)?
What is the best practice for storing user credentials (for connecting to other systems)?
I'm trying to integrate my web app with an external system where the user will log in to the external system (which I do not have control of) using Single Sign-On with Oracle Access Manager 11g, then can access my web app without the need to log in again. Is it possible to validate the user token which comes from the Oracle Access Manager?
Your application must "plug in" to OAM using an OAM WebGate so that OAM can validate the token. This is typically done through the web server.
See here for an example: https://docs.oracle.com/cd/E40329_01/doc.1112/e49451/webgate_apache.htm#WGINS76147
I have a web application which is hosted on an Apache web server. And I have an external Java application which runs on Tomcat, integrated into this web application.
The Apache server is kerberized and I get the username of the person accessing it in the intranet. I want to use the same username and pass it on to Tomcat to check against LDAP and authorize the user.
I was looking into the JNDI realm, which supports an LDAP module. But the problem is I do not have access to the user's password. But I'm able to get the groups the user belongs to, and based on that I want to authenticate the user.
So my question is: will I be able to authenticate a user against the Tomcat server via LDAP with just the username and not the password?
PS: Sorry, there is no code or configuration that I can post at this point. The only resources I found implemented both username and password. I cannot kerberize the Tomcat server because I have other issues in the network.
"I was looking into JNDI realm which supports LDAP module. But the problem is I do not have access to the user's password. But I'm able to get the groups the user belongs to and based on that I want to authenticate the user."
Once I was asked to write some code to do the very same thing. I found a way to make it work. However, although it seemed to work well enough with Internet Explorer, which would automatically detect the Windows username (because my code was parsing some NTLM information that only Internet Explorer passes in as a header), in Firefox or any other browser the user would be presented with an authentication box and any username they typed in would be accepted! It's very insecure.
(Well, it's not really true that only IE passes the header in. Only IE passes it in automatically; but Firefox also passes it in after someone gets the authentication box and types in any name they want. That's the problem.)
What I would suggest is writing a C#.NET service to do the authentication for real on a web server that is IIS and has Integrated Authentication on. Then, redirect to the C# service when someone hits the Java site and the username session variable is null. Have the C# service save the info in a trusted/secure database, including IP address and browser, and redirect to the Java app, which reads the DB to validate the IP address and browser and that the record was just created.
Edit: I just noticed you said your Apache is kerberized and already gets the Windows username, which may render the problem above about the unreliability of parsing the NTLM header null and void. In this case, if you can get the AD groups via LDAP you can authenticate the user in your webapp with your own code, but probably not using the official Tomcat authentication scheme. What is described above is just because my Tomcat is not paired with an Apache server but with an IIS server. So basically, it's the same thing, except you won't need C#.
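The "own code" route the answer points at, as an added example that is not from the poster or the answerer: a servlet filter that takes the user name only from the container principal (populated from Apache's REMOTE_USER when Tomcat sits behind the kerberized Apache over AJP with tomcatAuthentication="false"), never from a client-supplied header, and then authorizes by LDAP group membership using a read-only lookup account, so the user's password is never needed. The LDAP URL, bind DN, base DN and group DN are assumed placeholder values, and the lookup account's password is assumed to be in the LDAP_LOOKUP_PASSWORD environment variable.

```java
import java.io.IOException;
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;
import javax.servlet.*;
import javax.servlet.http.*;
// Hypothetical filter: the user name comes only from the container principal, never a client header.
public class GroupAuthzFilter implements Filter {
    // Assumed placeholder directory settings; replace with your own.
    static final String LDAP_URL = "ldaps://ldap.example.test:636";
    static final String BIND_DN = "CN=svc-lookup,OU=Service,DC=example,DC=test";
    static final String BIND_PW = System.getenv("LDAP_LOOKUP_PASSWORD"); // assumed set; not hard-coded
    static final String BASE_DN = "DC=example,DC=test";
    static final String REQUIRED_GROUP = "CN=WebAppUsers,OU=Groups,DC=example,DC=test";
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        String user = ((HttpServletRequest) req).getRemoteUser(); // set from Apache's REMOTE_USER
        if (user != null && user.indexOf('@') > 0) user = user.substring(0, user.indexOf('@')); // drop Kerberos @REALM
        if (user == null || !isMember(user, REQUIRED_GROUP)) {
            ((HttpServletResponse) resp).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, resp);
    }
    static boolean isMember(String user, String groupDn) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, BIND_DN);   // read-only service account, not the user
        env.put(Context.SECURITY_CREDENTIALS, BIND_PW);
        try {
            DirContext ctx = new InitialDirContext(env);
            try {
                SearchControls sc = new SearchControls();
                sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
                sc.setReturningAttributes(new String[] {"memberOf"});
                // {0} is bound as a filter argument, so the user name cannot rewrite the filter.
                NamingEnumeration<SearchResult> r = ctx.search(BASE_DN, "(sAMAccountName={0})", new Object[] {user}, sc);
                if (!r.hasMore()) return false;
                Attribute groups = r.next().getAttributes().get("memberOf");
                return groups != null && groups.contains(groupDn);
            } finally { ctx.close(); }
        } catch (NamingException e) {
            return false; // fail closed on directory errors
        }
    }
    public void init(FilterConfig c) {}
    public void destroy() {}
}
```

The filter only works as a trust boundary if Tomcat's AJP port is reachable solely from the kerberized Apache; if clients can reach Tomcat directly, the principal can be spoofed exactly like the NTLM header described above.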
Reading the Java EE security docs, where they define a security realm to be:
An access channel for the application server to storage containing user's authentication and grouping information.
What do they mean by "access channel"? Is this a port number, or some sort of networking term? And what do they mean by "authentication/grouping information"? Permissions?
I'm just looking for some concrete (non-vague) examples here! Thanks in advance!
A realm is a credential store that enables identity or role based access control.
http://docs.oracle.com/javaee/5/tutorial/doc/bnbxj.html#bnbxm
What is a realm?
For a web application, a realm is a complete database of users and groups that identify valid users of a web application (or a set of web applications) and are controlled by the same authentication policy.
The Java EE server authentication service can govern users in multiple realms. In this release of the Application Server, the file, admin-realm, and certificate realms come preconfigured for the Application Server.
In the file realm, the server stores user credentials locally in a file named keyfile. You can use the Admin Console to manage users in the file realm.
When using the file realm, the server authentication service verifies user identity by checking the file realm. This realm is used for the authentication of all clients except for web browser clients that use the HTTPS protocol and certificates.
In the certificate realm, the server stores user credentials in a certificate database. When using the certificate realm, the server uses certificates with the HTTPS protocol to authenticate web clients. To verify the identity of a user in the certificate realm, the authentication service verifies an X.509 certificate. For step-by-step instructions for creating this type of certificate, see Working with Digital Certificates. The common name field of the X.509 certificate is used as the principal name.
The admin-realm is also a FileRealm and stores administrator user credentials locally in a file named admin-keyfile. You can use the Admin Console to manage users in this realm in the same way you manage users in the file realm. For more information, see Managing Users and Groups on the Application Server.
I want to authenticate a user against our Active Directory database on a BlackBerry mobile app.
I've written J2EE apps that authenticate against AD using JNDI (javax.naming).
I've also written BlackBerry apps that do local data access and remote JSON interaction.
In this app, I need to limit access to the back-end servlet based on their AD access.
I do not have access to change the servlet, so I can't pass authentication credentials to it.
Thanks in advance for your input.
My Java desktop application includes a component for communicating with a web service.
We therefore need to include the access details for it within the application, but do not want it to be easily accessible in the event that the code is decompiled (we will be obfuscating).
What techniques can we use to secure these details?
Do not bother encrypting the password in your application. Whatever you do, a determined user will be able to decrypt it and get access to it. My recommendation is to have a username and password for every user. The application will ask the user to enter the credentials and store them (using MD5 for example). If you can't modify the web service to authenticate many users, create a proxy service that can do that. The proxy service, deployed on a secure environment, will be allowed to have access to the username and password of the secured service.
I'd suggest you try the Java Properties API.