Currently I have a requirement from a client where the user may belong to an LDAP server for authentication, or they may belong in an authentication database table.
I want to implement authorisation on my web-service methods with a two-step process whereby (a) the user is first checked against the LDAP server, and if the user is not in the LDAP server then (b) the database table is checked for the user.
In other words it is a cascading two-step process. Can this be done in any application server such as Glassfish? I've heard that JBoss can do this.
I don't think it depends on the server, it has to do with whatever security mechanism you choose (like Spring Security etc). I was able to achieve this on Tomcat with Spring Security.
EDIT: you might wanna read this: How to use both database and LDAP authentication in Spring security?
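An added example (not code from the answer above) of the LDAP-then-database cascade using Spring Security's ProviderManager. It assumes Spring Security 5.x with the spring-security-ldap module; the LDAP URL, the DN pattern and the UserDetailsService passed in are placeholders.

```java
import java.util.Arrays;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
import org.springframework.security.ldap.authentication.BindAuthenticator;
import org.springframework.security.ldap.authentication.LdapAuthenticationProvider;

public class CascadingAuthConfig {

    // Step (a): authenticate by binding to the LDAP server as the user.
    static AuthenticationProvider ldapProvider(String url, String userDnPattern) {
        DefaultSpringSecurityContextSource ctx = new DefaultSpringSecurityContextSource(url);
        try {
            ctx.afterPropertiesSet();          // needed when not created as a Spring bean
        } catch (Exception e) {
            throw new IllegalStateException("LDAP context source init failed", e);
        }
        BindAuthenticator bind = new BindAuthenticator(ctx);
        bind.setUserDnPatterns(new String[] { userDnPattern });   // e.g. uid={0},ou=people
        return new LdapAuthenticationProvider(bind);
    }

    // Step (b): authenticate against the user table via a UserDetailsService.
    static AuthenticationProvider databaseProvider(UserDetailsService users) {
        DaoAuthenticationProvider dao = new DaoAuthenticationProvider();
        dao.setUserDetailsService(users);
        dao.setPasswordEncoder(new BCryptPasswordEncoder());   // table stores bcrypt hashes
        return dao;
    }

    public static AuthenticationManager cascading(UserDetailsService dbUsers) {
        // ProviderManager tries providers in list order. A BadCredentialsException
        // (what a failed LDAP bind or an unknown LDAP user produces) is not fatal:
        // the manager moves on to the next provider, so the database is consulted
        // only when LDAP did not accept the credentials. Caveat: a wrong password for
        // a user that does exist in LDAP is therefore also retried against the table.
        return new ProviderManager(Arrays.asList(
                ldapProvider("ldap://ldap.example.com:389/dc=example,dc=com", "uid={0},ou=people"),
                databaseProvider(dbUsers)));
    }
}
```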
How can I configure the Identity Server to work as an LDAP server? How can I test the LDAP server with a connection (in Java) to create and authenticate users?
I read the documentation but it's not clear.
Thanks
First of all, Identity Server is not an LDAP server and it cannot work as an LDAP server. It can use LDAP (or Active Directory or relational databases) as its user stores. It comes with a pre-configured LDAP as its primary user store. The documentation at [1] describes how to change the primary user store and configure secondary user stores. If you want to use the built-in LDAP you don't have to bother about those configurations.
For user authentication you can use several protocols. First of all you need to configure a service provider as described in [2]. In the beginning you can focus only on the "Inbound authentication configuration". In this part you have to select a protocol for authentication such as SAML, OAuth, etc. For authentication with SAML, you can use the sample web application and configurations described at [3].
[1] https://docs.wso2.com/display/IS510/Configuring+User+Stores
[2] https://docs.wso2.com/display/IS510/Configuring+a+Service+Provider
[3] https://docs.wso2.com/display/IS510/Configuring+Single+Sign-On
I am working on a Java application that has database authentication using Spring Security.
It is very usual that this application is used with other applications on a similar domain.
Requirement: The need is that all such partner apps should be able to share common authentication with my application.
Also it is required to continue supporting DB authentication as well.
One way I found is to embed an LDAP server like ApacheDS in my application so that other partner apps can use it to get authenticated.
In this case, I need to load ApacheDS with the related database records and keep it in sync programmatically.
But the disadvantage of this is having a redundant copy of the authentication data: one in the DB and another in the ApacheDS LDAP.
Question: Is there any way to avoid such duplication? By googling, I found the option of having a virtual directory server such as Penrose or Oracle Virtual Directory. But unfortunately they cannot be embedded in an application. Is there any way to provide embedded LDAP support on top of existing database authentication?
Disclaimer: I know very little about Spring Framework and even less of Spring Security
Having said that, I did face a similar situation; in my case, it was Apache DS as my app's authentication source and the client's AD as the other.
My deployment environment was Tomcat and I used the Tomcat Combined Realm, which nests more than one realm for authentication. My app realm was configured to be one and the client's AD was configured to be another.
Users could authenticate from any one of the realms; it worked. However, I did have to replicate the client's AD users every night (including AD tombstones to mark them inactive), for authentication is one thing but other client information was also required, e.g. email, roles, etc., and the inclusion of new users.
I am kind of sure that Spring Security will also have the concept of Combined Realm.
I understand that this answer is not really an answer and more of design approach and many years too late at that; however, I wished to share my experience.
I have a very simple question for which I have not found an answer in SO or elsewhere (namely, the hundreds of pages of JBoss security documentation):
I want to implement a login function (specifically, database logging), at the point when authentication happens through JAAS, without the client having to make a separate REST call.
I'm not an expert, but my understanding is that the authentication happens through a database query off in the JBoss XML, without calling the server directly. Since JBoss is doing this and connecting the authentication with the server war, I'm hoping that there is a hook available to have it kick off a REST call, or call the Java code through another mechanism.
Couldn't find a duplicate but please point me to it if it answers this exact question.
Thanks
My experience is with webapps and not with client apps, so I do not fully understand your question, but it is clear you are suffering a serious misunderstanding.
"want to implement a login function (specifically, database logging), at the point when authentication happens through JAAS."
To do that you just need to implement a LoginModule class and register it with JBoss.
Let's make this clear. JAAS is executed at the server, as part of a resource security policy. When a resource needs authenticated access, the JBoss servlet executes the security policy related to it. The security policy includes:
a) how the container (the JBoss server) requests the authentication data. But that part is not specified by JAAS. JAAS only specifies how the container passes that data back to the login module.
b) the login module that the container runs to check that the authentication data is correct, and to fill/provide the principal that will be passed to the application in the server. The login module makes its checks as it wants (let it be SQL query, or LDAP queries, or calling a WS, or...).
The "without the client having to make a separate REST call" has no relationship with JAAS. It may be that the policy requires setting up a cookie for authentication. I am pretty sure (again, I am used to webapps) that if you use Basic HTTP authentication you do not need extra calls. Then again, JAAS is only related to checking the user/password and providing/filling the principal. How the data is obtained by the container (JBoss server) is not related to JAAS.
"I'm not an expert, but my understanding is that the authentication happens through a database query off in the JBoss XML, without calling the server directly. Since JBoss is doing this and connecting the"
The "JBoss XML" does nothing; it is just a description of the security policies. When you deploy an app, its descriptor tells which resources are to be protected by which security policies. Do not confuse the terms. What performs the SQL query (or LDAP query, or web service call, etc.) is the container (the "JBoss server") through the login module.
From the rest of your question, I cannot understand what you are trying to do. Do you want the JAAS module to call your webapp code directly?
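As an added illustration (not the answerer's code) of the LoginModule hook described above: a JAAS module that only records who attempted to log in and whether the whole login stack succeeded. It is meant to be stacked after the real (e.g. database) login module with the `optional` flag, and the `record` method is a hypothetical placeholder for the audit-table insert.

```java
import java.io.IOException;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Audit-only module: records who tried to log in and whether the stack succeeded. */
public class LoginAuditModule implements LoginModule {
    private CallbackHandler handler;
    private String username;

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.handler = handler;
    }

    @Override
    public boolean login() throws LoginException {
        NameCallback name = new NameCallback("username: ");
        try {
            handler.handle(new Callback[] { name });   // the container supplies the name
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot read username: " + e.getMessage());
        }
        username = name.getName();
        // Return true so commit()/abort() are invoked; we add no principals, so the
        // outcome is still decided by the real login module in the stack.
        return true;
    }

    @Override public boolean commit() { record(username, true);  return true; }  // whole stack succeeded
    @Override public boolean abort()  { record(username, false); return true; }  // a required module failed
    @Override public boolean logout() { username = null; return true; }

    // Hypothetical placeholder for the audit-table insert (JDBC into your database).
    static void record(String user, boolean ok) {
        System.out.println("login " + (ok ? "OK" : "FAILED") + " for " + user);
    }
}
```

The module is then listed in the same security domain (application policy) as the existing database login module, after it, so the container runs both on every authentication attempt.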
I am currently trying to implement a single sign on solution across multiple JVM based (Grails, Servlets) web applications currently all deployed in the same servlet container (currently Tomcat, but don't want to limit my solution to just Tomcat). All web applications share a common database.
I've looked at various options from using CAS or other third party libraries to creating a new web service to handle Single Sign On, but none seem to really satisfy the business. My current implementation involves creating a new jar library which has a common implementation of AuthenticationProviders, and Pre-Authentication Filters based on Spring Security.
In this approach I have multiple AuthenticationProviders (currently Active Directory, and Database) for the application to authenticate against. Upon successful authentication a row would be inserted in a session table that contains the user, an expiration time, and a token. The token would be also stored as a cookie on the user's machine and that would be used to validate they have a current session in the Pre-Authentication Filters.
Having never done this before I want to make sure I'm not creating a huge security problem, and I'd also like to know what I would need to create the token? At this point a simple GUID seems to be sufficient?
Currently we are working on Spring Security 3.0.x, and haven't upgraded to 3.1 yet.
Thanks in advance.
I ended up solving this problem by doing the following:
I created an AuthenticationSuccessHandler which would add a cookie to the user's session which had identifying information as well as the hostname to try to secure it as much as possible. (The application was running internally at most customer sites so the risks here were determined to be minimal, but be careful about cookie jacking.)
Then on each application that needed to have SSO I implemented an AbstractPreAuthenticatedProcessingFilter, and placed it before the authentication filter; it would pull the cookie out and create an Authentication object. Lastly I created an AuthenticationProvider which validated the information from the cookie.
Hopefully that helps someone else in the future for this type of request.
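An added example (not the answerer's code) of the session-table half of that design in plain Java: the token is generated from a CSPRNG, only its SHA-256 hash is stored server-side, and validation checks expiry and the issuing host. The in-memory map stands in for the session table, the class and method names are assumptions, and the record syntax needs Java 16 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;
public class SsoTokenStore {
    // Stand-in for the shared session table (key = hash of token). Storing only the
    // hash means a copied table does not yield cookie values that can be replayed.
    record Row(String user, String host, Instant expires) {}
    private final Map<String, Row> sessions = new ConcurrentHashMap<>();
    private final SecureRandom rng = new SecureRandom();
    // AuthenticationSuccessHandler side: mint the token and return the value to put
    // in the cookie (set it HttpOnly and Secure; never log it).
    public String issue(String user, String host, Duration ttl) {
        byte[] raw = new byte[32];                       // 256 bits from a CSPRNG
        rng.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(hash(token), new Row(user, host, Instant.now().plus(ttl)));
        return token;
    }
    // Pre-authentication filter side: resolve the cookie value to a user, or empty.
    public Optional<String> validate(String token, String host) {
        String key = hash(token);
        Row row = sessions.get(key);
        if (row == null) return Optional.empty();
        if (Instant.now().isAfter(row.expires())) {
            sessions.remove(key);                        // purge expired rows lazily
            return Optional.empty();
        }
        // Host binding from the answer: a token presented to a different host is rejected.
        return row.host().equals(host) ? Optional.of(row.user()) : Optional.empty();
    }
    // Logout: drop the row so the cookie stops working immediately.
    public void revoke(String token) { sessions.remove(hash(token)); }
    private static String hash(String token) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(token.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(d);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);          // SHA-256 is mandatory in every JRE
        }
    }
}
```

A 32-byte random token carries more entropy than a version-4 GUID (122 bits) and, unlike a GUID, is not assumed to be unguessable by anything else that might print it.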
There are extensions for Kerberos, OAuth and SAML available on the Spring Security Extensions website. Here is the blog entry which provides an example: SpringSource Blog
If you are using NTLM as your SSO Provider, take a look at the jespa-spring project.
Or you might want to look at the Java Open Single Sign-On Project
I have two different web applications running on two different instances of Tomcat. I need to have a common page with links to both applications. But I should be able to log in only once and be able to access links in the other application without being asked to log in again.
Is there a way to do it?
Check out JOSSO, which you can use to create a single sign-on solution across your applications.
You can use a token parameter, where the token could be the username/some credentials encrypted. You can verify the credentials are correct in the 2 apps.
An alternative, if your applications are under the same domain, would be to set cookies and recreate the session from them.
Thanks for the replies. We finally decided to use the pre-authentication filter provided by Spring Security to fulfil this requirement, along with an authentication token for validation.
The easiest way is to use a Central Authentication Service (CAS) for single sign-on. It provides centralized access control and authentication for your applications, and Spring Security has a CAS module that integrates with CAS seamlessly. For that you need to set up a CAS server.
For more info on how CAS works and its implementation, see the documentation:
Spring-Security Documentation
CAS architecture
Another way of doing this is to create a Tomcat cluster and maintain session replication between the 2 nodes in the cluster.
Please refer to the Tomcat manual on how to create the Tomcat cluster and enable session replication.
You can use Spring RMI to update each other node's app context about the session info, etc.