I want to have authorization in my Java EE application.
Online it describes how you should define the roles in sun-web.xml. However I would like to have all my roles, and groups defined in a database table.
That means, when I access a method for my application, the request needs to be intercepted to see if the user is allowed in the role.
Do I need to
create some kind of interceptor class that checks auth as user makes call to my web service method
create a custom Login Module that fishes out the group and role data from the database when a user first logs on
Any pointers would be really helpful.
First of all: I would strongly suggest using standard authorization mechanisms.
But for your use-case these standard mechanisms won't work, see this post: dynamic roles on a Java EE server
Roles have to be declared in the web.xml or sun-web.xml.
Frameworks
The next thing I would look into are frameworks, that could help you with that. The link will provide you with two suggested frameworks.
Building your own
If you don't need it for productive purposes, I would suggest the following:
use Filters to check for authorization and authentication: Filters a fairly easy to use ,very powerful and often used for security purposes: See http://docs.oracle.com/javaee/6/tutorial/doc/bnagb.html for more information about filter.
For the login, you could probably just stick with the standard form-based login.
Related
I'm new to web applications and security and I have a basic question.
Imagine a single java web application with a single database but multiple accounts. Let's think about a to-do list for simplicity where people can access only their own 'items' at /item/item-id. EG:
User1 creates items 1 and 2;
User2 creates items 3 and 4;
How do I prevent User2 from accessing /item/1 for instance?
This seems to go beyond Authentication (who is this?) and Authorization (what role does he/she have?) to me.
Should I keep a persisted map of user-items and check every time before returning a response?
Are there any Spring (or other) tricks/helpers for this problem?
Authorization isn't "What role do you have?". It's "Are you allowed to do this?". The role will play a part in deciding if the subject is allowed.
What you are describing is exactly the purpose of authorization.
User2 is trying to access (think of CRUD in HTTP GET,POST,DELETE,PUT) the resource at /item/1. Are they allowed? No. So deny them access.
Should I keep a persisted map of user-items and check every time before returning a response?
How you perform authorization is up to you. Spring security definitely offers some good tools to do it from a database while separating that logic from your application logic (if need be).
I'd also like to recommend another security framework: Apache Shiro. I think it's a little easier to configure than Spring security and I find its authentication/authorization logic more straightforward .
In addition to Spring Security and Apache Shiro, you want to consider XACML-based authorization frameworks e.g. SunXACML, WSO2, Axiomatics (disclaimer: I work for Axiomatics).
XACML is the eXtensible Access Control Markup Language. It's the de-facto standard for fine-grained authorization. Much like SAML is great at identity federation / SSO, XACML helps you achieve authorization.
XACML gives you an architecture (see picture below) as well as an authorization language which you can use to express specific authorization scenarios e.g.
doctors can view medical records of patients they are assigned to
nurses can view medical records of patients that belong to the same clinic
patients can view their own records and that of patients for whom they are the guardian
You can have as many rules as you like. There is no limit.
I'm trying to get Spring Security to handle authorization via GET variables. All the examples I've been able to find focus pretty much entirely on role-based authorization, which doesn't really work for my application. The way the authentication/authorization process needs to work is as follows:
User authenticates through external system, gets a session ID.
User passes two GET parameters to my application, sessionId and objectId.
Application verifies that session is valid (already figured this part out)
Application verifies that the object is visible to the user (need help here)
Application returns object information to the user
All the examples I've seen have been demonstrating how powerfully Spring Security can check a granted authority on a URL pattern or a Java method. But I need to implement a custom check on step 4 to make sure that the user has the correct permissions in the backend (users can be granted object-specific rights, so a role approach won't work here).
I am new to Spring Security, so it could be that my thought process is just all sorts of wrong. If I am, feel free to correct me!
You need to use ACL feature or you can emulate the same thing via some custom code (for example via custom web security expression). See this post for details.
I think you need to look at the Pre-Authentication Scenarios section in the documentation. In particular, you will probably need to implement a AbstractPreAuthenticatedProcessingFilter to pre-authenticate the user based on the GET parameters.
I want to implement a token-based authentication mechanism for a scenario which is similar to the following:
In Google Calendar, you can invite guests to your event, who in turn can respond to these events right from the email invitation. The invitation to such an event contains the respective links to respond (Yes, No, Maybe) with authentication tokens encoded in the URL. These authentication tokens are restricted to the specific event and user.
What's the best practice to generate these kinds of "one-time" tokens that can only perform limited actions and have only access to limited resources (and potentially are only valid for a limited amount of time)? And how do I implement this in Glassfish? I want to expose this through the RESTful API of my application (using Jersey). Currently, all URL paths in my app are secured with an authentication constraint, which I configured in the web.xml.
My approach to this would be as follows:
Provide a URL where no authentication constraint is applied (e.g. /token_auth) and use this for token authentication.
In the web service method, manually check the security tokens and do the required actions. The tokens are saved in the DB along with information such as username, expiration date, authorized resources, etc.
I was wondering whether there is a more elegant solution using any frameworks or built-in container capabilities that can avoid all the manual work. And whether this solution might have some security drawbacks.
A similar question has been asked on SO before: Newbie at JAAS authentication; Sign in using a token in the URL Bar
Have you looked into UUIDs?
At work we use the Safehaus UUID.
You approach looks fine. I am not aware of a framework to do this kind of thing for you. Spring Security may have something you can use but not the whole thing.
I'm looking for a java package/spring user management package that is similar to django's auth application, which provides the database models such as User and Group out-of-the-box.
I have a standard spring/hibernate application (based on Spring ROO), and I would like to use an existing User/Group/Role implementation instead of reinventing it (the actual authentication can use spring's mechanism, but I'd like to save the time implementing the user management part).
Thanks for the help
The Emmet project may be of interest to you. Emmet includes a custom SpringSecurity UserDetailsStore and a webapp for user account management. Out of the box functionality includes basic user account details, roles, support for multiple identities, support password aging, self registration and password reset. You can use it in conjunction with SpringSecurity based authentication and access control, or (at a pinch) with other "stacks".
(Emmet also provides some custom SpringSecurity authentication components, and potted wirings, but you can ignore that aspect if you like.)
Disclaimer: I'm the lead developer for Emmet.
Spring Security is a full-featured and widely-used Java auth module. While it doesn't have data models right out of the box, there is documentation provided that gives you the DDL to create the most basic tables you'd need:
Spring Security Database Schema
in this period I've created a new Open Source project related the RBAC and a generic solution for the user management:
microservice-rbac-user-management
You can find an RBAC apis and model here ready to use and with all the documentation. Ready to be used also with Docker.
I hope this will help you.
Is there any way to extend the authentication operation which connects a client application to an EJB, using standard JAAS/container-based security? I'm looking for a way to use more than just a username to authenticate the user (in this case a domain name is also needed). Ideally I'd like to be able to use the SessionContext.getCallerPrincipal() to get access to both the username and the domain name in the EJB.
I'm using Glassfish, if that influences the answer at all. Do I need to create a custom login module/custom realm and what should it do?
Adding authentication mechanisms to an EJB Container is usually a vendor specific task. I don't believe there is a standard way to do it. For Glassfish though, I believe this article will help you set up a SAM (Serve Auth Module) that can handle the authentication in any way you need. http://blogs.oracle.com/enterprisetechtips/entry/adding_authentication_mechanisms_to_the
Keep in mind this is Glassfish specific.