We have over a dozen legacy web applications (each with their own app contexts) that use Tomcat's container managed security for simple form-based authentication. We currently use Tomcat's single sign on valve to allow authenticated users to jump between web apps without the need of re-authenticating. We are also developing new web applications using the Spring Security framework.
Is it possible to get users who are authenticated via the new Spring Security apps to also be able to jump to the older legacy (non-Spring) apps without the need of re-authenticating? Is their a way to bridge Spring Security with the Tomcat SSO valve?
I prefer to avoid making any changes to the legacy web apps, but understand if it doesn't seem possible.
You will be able to do it using J2eePreAuthenticatedProcessingFilter:
http://static.springsource.org/spring-security/site/docs/3.2.x/reference/htmlsingle/#d4e2766
Please note:
When Tomcat SSO is configured it provides Java EE authentication for a web application.
It means that for an application is transparent if it was authenticated by form authentication or for Tomcat SSO. Finally it is Java EE authentication.
So, you need to use J2eePreAuthenticatedProcessingFilter to be able to use Java EE authentication provided by Tomcat.
Related
What is the best way to implement SSL in Spring Boot & Angular application (frontend with backend)?
Should I configure SSL in both applications separately?
Or should I configure SSL in Nginx web server and not taking care about securing applications?
Should I configure SSL in both applications separately?
If you've built out a microservice architecture and both your spring boot application and your Angular application are served off different domains, then yes you should configure SSL on both applications.
Or should I configure SSL in Nginx web server and not taking care about securing applications?
If you are using NGINX to serve your Angular application, then yes you should setup SSL on it.
I'll add that SSL is not the only step required to secure an application. Many applications will require some user management with role based permissions and control access to screens in your app or REST APIs based on user permissions.
In my Spring Boot based web application there should be two authentication options. On the one hand, single sign-on should be used, which is the default way. On the other hand, a form-based authentication should also be offered. This is commonly known as Mixed Authentication.
If the form-based authentication is used, server-side known user accounts are checked. Single sign-on uses the Windows logon.
I could already successfully integrate WAFFLE as a single sign-on component into the server application and used the example of mgoldgeier as a template.
There are examples of Mixed Authentication with WAFFLE related to Tomcat (here and here), but unfortunately I couldn't find any code related to Spring Boot or Spring Security.
I'd love it if someone could give me an example!
I have a web based Java application made using Spring Framework. I have a spring security file that authenticates users. I need to enable SSO on my application using Azure Active Directory so that I can integrate it with myapps.microsoft.com. Can someone provide me any pointers or direction.
Thanks.
SSO with with protocol? SAML or OAUTH?
In any case you have to register your app in the Active Directory as SSO Application. In this configuration you also define the OAUTH or SAML Options.
https://learn.microsoft.com/en-us/azure/active-directory/active-directory-saas-custom-apps
I have a question about integrating authentication into my web application.
First let me give the relevant technology background of my web application -
Application/Web Server - Tomcat 8.5
Underlying OS - CentOS 7.x 64-bit
Programming technology - Java Servlets 3.1
JDK version - 1.8
UI technology - Browser based; Developed using Angular2/Javascript/HTML/CSS
Web application users - Targeted at enterprise users
As of now, there isn't an authentication system built into the web application. However as I build this web application, I need to include an authentication module.
My main points to consider as I decide on authentication system/technology are -
I preferably do not want my application to deal with the storage and protection (on disk) of the user credentials
I preferably do not want my application to deal with enforcing password complexity, history, expiration policies etc.
My application will have to provide for -
A login page to allow the user to login
A change password page
A create user page
Based on the above, I am currently thinking of deploying a Windows Server 2016 instance as the Active Directory(AD) server that will hold the credentials for the application users. Note that at this point, this Windows server is not planned to be shared with any other application to support a single sign-on experience across applications.
I am planning to configure my Tomcat server with a JNDI realm to authenticate users (against the AD) and then use some kind of Java AD library that will allow me to create an user and change a user's password in AD via my application's create user and change password page.
My application will support its own custom roles and authorization constraints so i am not looking to use AD's group membership for authorization within the web application.
My questions are -
With the above setup, are there any reference authentication systems/libraries/modules that might be better suited (than AD) to integrate within my web application?
If I go with the above Windows AD server approach then are there any Java (inbuilt or community developed) AD libraries that allow for creating an user in AD, changing user password in AD etc. I have used the JNDI realm before so I am sure that it can be used to authenticate the incoming user against AD
I am not an expert in Spring Security and my web application does not currently use Spring Security but I am open to using it if Spring Security includes a solution to my problem described above.
I am also not worried about supporting single sign-on as such and its totally fine in my scenario if the application users have a separate login for my application.
Since my web application is targeted at enterprise users, I don't want to leverage Facebook authentication. As much as possible I want to ensure that the credentials are maintained in a server within the deployment infrastructure rather than the credentials being hosted and maintained by a 3rd party service
Thank you for your help and suggestions
I come from an ASP.NET background. In ASP.NET, there is built-in support for users and roles. My question is, does JSP have anything similar or is everything built from scratch? I have not been able to find a good resource to answer this application structure type of question.
The Servlet API supports user/role based authentication and security. Tomcat (among others) includes built in support for authenticating using a variety of sources: xml file, database, LDAP, etc.
You could also consider using Spring MVC as a fairly lightweight web framework over JSP. Spring has a very capable authentication & authorization model (right down to method level on objects) using Spring Security (was Acegi) interceptors which can use the sorts of sources that Asaph talks about. You don't need to use Spring MVC in order to use Spring Security if you don't want to.
If you're going to be running your JSPs in a full J2EE server like JBoss, WebLogic or WebSphere there are a whole load of security options that come with such containers incl. integration with AD users and groups.