i am stumped on this.
I wish to ask how do i really know that an authentic client is connecting to my web service.
I have successfully set up an HTTPs protocol on my web service and also my apache tomcat server.
However , how do i really authenticate a client dynamically without him giving me a username and password. Example, google authenticates its clients by giving them an api key , with that key they are allowed to use its web services.
I wish to do something similar to that, how do i do it?
Hope you guys can help me out on this.
Thanks in advance!
Probably you should look into The Apache Santuario project which is aimed at providing implementation of the primary security standards for XML.
-> This library includes a mature Digital Signature and Encryption implementation. It also includes the standard JSR 105 (Java XML Digital Signature) API. Applications can use the standard JSR 105 API or the Apache Santuario API to create and validate XML Signatures.
You can find more info at the following url
http://santuario.apache.org/index.html
You can also find an example here :
https://svn.apache.org/repos/asf/santuario/xml-security-java/trunk/samples/org/apache/xml/security/samples/signature/
specifically look into the KeyResolver feature
The Apache Santuario project is recommended project by Apache Axis.
http://axis.apache.org/axis/java/security.html#Authenticating_the_caller
What we tried in this situation is to go really Service Oriented .
i.e. We have an Authentication Service which takes input as User Credentials and return a session id . For all other Service calls the session id is added in the soapheader block.
soapHeader.addAttribute()
Using this approach
We avoided user credentials details to be used every time in service calls.
Also the signature of the service is devoid of any authentication data.
In this approach the client application has to authenticate first and use the output , session id for other service calls.
Request : We still haven't completely analyzed the security threat for this approach. Any suggestions / criticisms would be highly appreciated
Related
I have already set up a running application having:
an authentication server
several resource servers
a javascript-frontend
For the authentication I am using the oauth2-stack of Spring-Security to hand out JWT-tokens to successfully authenticated user's. The login-information is collected in the javascript-fronted which then asks the authentication-server for an auth-token and stores it. This all works well for my application.
What I want to do now is integrate third-party-login-services like Google or Facebook. Currently I am at a point where the process can be started from the javascript-frontend, then the authentication-server does it's magic and communication with the third-party-login-provider. I've gotten so far that the login process is successful and I get the needed information which actually is only the e-mail-address.
But now I'm stuck. I have the authentication information on the server but now I need to construct one of my own authentication-JWT-tokens and hand it to my javascript-frontend. Can anybody give me a hint on how to achieve that?
The JWT Login Sample in Spring Security Samples demonstrates how to create JWT tokens for your own purposes. The key is to ensure that authentication has already occurred, prior to provisioning said token (which in your example is already the case).
Note that the sample uses the com.nimbusds:nimbus-jose-jwt dependency as Spring Security already depends on this library internally. You may also consider using io.jsonwebtoken:jjwt-api or another library instead. jwt.io has a useful list of libraries that support creation of JWTs, and you can filter by Java and click through to the repository to get more information about any of them.
In any case, the sample should be easily adapted to your choice of library, and the out-of-the-box support for verifying JWTs in Spring Security should work.
I've got 2 backends that need to share information between them using SOAP services across the Internet. Theses services are designed to be only used between these 2 backends so I need to secure them.
I've been reading about securing SOAP APIs but in this instance wouldn't a 'password' param in each method of the API be enough? The password would be hardcoded in each backend and verified at each call against the hardcoded one.
There are 3 methods total so implementation would be easy enough. Also, both points are server sided (client calls one point of the backend, not the SOAP API) so I guess hardcoding the password isn't that terrible.
Does this implementation pose any security risks? Would it be worth it to do it any other way?
Server backend is Spring + CXF.
Thanks!
A way to implement this is using Public key cryptography. This allows you to share a public key with the other side to encrypt the messages send. The message can then be decrypted with the private key. more in the wiki entry above.
java doc
Tutorial
All these links on the subject where done with a quick google search so you should be easly be able to find more examples on this subject by googling:
java public key encryption tutorial
I'm charged with building an app health monitoring system, and one of the requirements is to check both if our various java services are up and if our reverse proxy is up. The reverse proxy is a .NET application that gets a user's AD Groups and passes them along to our apps via a header for monitoring/security reasons.
Obviously the rinky dink input and output stream http request isn't enough, but I haven't found information or guides about client-side NTLM authentication for Java.
I'm guessing there's a library (probably Oracle or Apache) that provides a handler that can do this, but I have come up empty trying to find it. Please help.
Great code and context can be found here, for client side.
http://davenport.sourceforge.net/ntlm.html#appendixD
We have mobile application backend running in AWS. Backend build using Java spring front end supported for native iOS, native Android and angular js based website, it has own authentication using email id and password. Now we are planning to integrate our app authentication with our organisation Active directory which available in Azure AD.
We have outline idea about Azure portal application creation, use ADAL library to get token from azure. But we are not clear about how we can validate token at web service side. Could you please enlighten us about integration process
Unfortunately, Azure AD doesn't have great guidance on securing a web API in Java at this time. However, taking the open-source approach isn't terribly difficult in this case.
Azure AD's access tokens are JWTs, which are essentially just base64 encoded JSON strings with a signature. jwt.io has compiled a nice list of open-source libraries that can be used to validate JWTs (some libraries for generating them too, fyi). The best reference material available at this time is:
The claims listed in this token reference article where necessary (ignore the comment about id_tokens only, that's incorrect).
The OpenID Connect spec also has some good tidbits on how to validate tokens. You should also make sure to validate the scope claim, which won't be mentioned there.
This code sample shows how to take this approach, but it's in .NET. You can follow its patterns for Java.
The hardest part will be robustly fetching, caching, and refreshing the Azure AD public signing keys, making sure your app can handle key rollover. Microsoft's .NET open source library, for instance, refreshes the keys every 24 hours and refreshes them immediately any time signature validation fails. Most JWT libraries won't do that for you. The signing keys are available via Azure AD's OpenID Connect metadata endpoint,
https://login.microsoftonline.com/<tenant-or-common>/.well-known/openid-configuration
The OpenID Connect spec also has information on the format of the data available there.
I have a customer who wants to implement SSO using SAML2 assertion based approach. The customer will be the Identity Provider (IDP) and my application will effectively be the Service Provider (SP).
In the past I've implemented SSO solutions where the IDP was Oracle Access Manager and therefore we were provided with the idp.xml file which allowed us to configure our SP environment using the supplied Fedlet. This conveniently created a relevant WAR file which, when deployed, allowed me to distribute the sp.xml file to the customer who imported it into their IDP. This all worked fine and I understand the concepts i.e. We receive the initial request, the fedlet handles this and takes the user to the IDP where they authenticate, then they're passed back to our SP with a SAML response which the Fedlet allows us to parse and extract some data identifying the user. I then do what's required to sign them into our application.
However the current requirement is not using any backend framework to provide the IDP, they've stated that it's custom built one. They've given me the IDP URL and a cert file and are asking for our "AssertionConsumerServiceURL" and "AudienceURI".
The application which I'm enabling SSO for is largely Java based. My investigation so far has led me to Forgerock's OpenAM solution as well as Shibboleth's OpenSAML. However I'm struggling with the first step, essentially where do what I start building a custom SP application connecting to a third party IDP using OpenAM/Shibboleth/AnotherFramework.
Any pointers would be very useful.
Thanks,
Lee
Depends on what what you requirements are. OpenAM feldlet or Shibboleth i probably the best approach since you don't have to do so much coding on your own.
OpenSAML is a very low level toolkit for handling SAML messages. I would not recommend it if, not really needed.
As for the things they are asking for, the AssertionConsumerServiceURL is the service endpoint where you recieve your SSO SAML messages.
Defenition of AudienceURI is quite gray. Basically you send them an identifier, they include this in their messages and you validate that identifier is the same you gave them. I my self do not understand the difference between this and Destination...
I'm a bit surprised that they ask you for this. The standard way to do this first exchange of information is by SAML metadata documents.
As you may know OpenAM also provides the FedLet, which is a lightweight SAML2.0 SP implementation. If you want to do it all yourself you have to build an SAML2.0 SP yourself.
If you want to mess around with Spring you could also use Spring Security SAML2 extension ..'http://static.springsource.org/spring-security/site/extensions/saml/index.html'
Why roll out those heavy SAML solutions? Have you taken a look at PingOne APS (Application Provider Services) or PingFederate from Ping Identity? You can implement APS in less than a day and you first customer config is free. Includes dashboard reporting, IDP self service functionality for config and a dead simple REST API integration for your application. [Note: I work for Ping.]
You can setup the Spring Security SAML Extension. The extension creates an AssertionConsumerServiceURL and if they want to access your metadata just as you are accessing theirs, they would just need to go to www.yourwebsite.com/saml/metadata and your SP metadata will be downloaded by them.