I am developing an application using Spring, JSP and an Apache 7.0 server. Now suppose I have registered a domain such as "www.example.com", and in my application the user fills in a registration form in which he is asked to enter the name he wants for his URL, such as "123". As soon as he submits the form after filling in the details, I want to redirect him to the newly created URL, in our case "123.example.com".
Now at this moment I have to create the subdomain in my code itself before he gets redirected.
I have gone through Google but did not find much.
Any help?
Thanks in advance.
You need to enable wildcard subdomains. That will allow your app to respond to requests from anything.yourdomain.com. Next, your app needs to define a route which converts the subdomain to a variable so that you can use it to scope your database requests to their account. Once the user has their custom subdomain set up, they should register their domain under their account (so that you can look up the account by domain instead of subdomain) then create a CNAME DNS record which points to their subdomain. These principles apply regardless of the language/framework.
You could use a wildcard CNAME (i.e. *.example.com), then use a Spring interceptor (https://dzone.com/articles/using-spring-interceptors-your) to determine which subdomain the user requested.
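The interceptor approach from the two answers above, as an added example that is not code from either answer. It takes the tenant name from the Host header, which is attacker-controlled, so it only accepts a single well-formed DNS label under the base domain and refuses to serve unknown names rather than falling back to a default tenant. The base domain "example.com", the Tenant type and the TenantRepository lookup are assumptions of this example.

```java
import java.util.Optional;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

/**
 * Resolves the tenant from the subdomain of the Host header and exposes it to
 * controllers as a request attribute. Unknown or malformed subdomains are rejected
 * instead of silently falling through to another tenant's data.
 */
public class SubdomainTenantInterceptor extends HandlerInterceptorAdapter {

    public static final String TENANT_ATTR = "tenant";
    private static final String BASE_DOMAIN = "example.com"; // assumed base domain

    // One DNS label: lowercase letters, digits, hyphens, at most 63 chars. The Host header
    // comes from the client, so nothing else is accepted as a tenant name.
    private static final Pattern LABEL =
            Pattern.compile("^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$");

    private final TenantRepository tenants;

    public SubdomainTenantInterceptor(TenantRepository tenants) {
        this.tenants = tenants;
    }

    /** Returns the subdomain label of a Host header, or empty for the main site or a bad host. */
    static Optional<String> subdomainOf(String hostHeader) {
        if (hostHeader == null) {
            return Optional.empty();
        }
        String host = hostHeader.trim().toLowerCase();
        int colon = host.indexOf(':');
        if (colon >= 0) {
            host = host.substring(0, colon); // drop an explicit port
        }
        String suffix = "." + BASE_DOMAIN;
        if (!host.endsWith(suffix)) {
            return Optional.empty(); // not one of our wildcard hosts at all
        }
        String label = host.substring(0, host.length() - suffix.length());
        if (label.equals("www") || !LABEL.matcher(label).matches()) {
            return Optional.empty(); // "www" is the main site; "a.b" or odd characters are rejected
        }
        return Optional.of(label);
    }

    @Override
    public boolean preHandle(HttpServletRequest req, HttpServletResponse res, Object handler)
            throws Exception {
        Optional<String> label = subdomainOf(req.getHeader("Host"));
        if (!label.isPresent()) {
            return true; // main site: no tenant scoping
        }
        Optional<Tenant> tenant = tenants.findBySubdomain(label.get());
        if (!tenant.isPresent()) {
            res.sendError(HttpServletResponse.SC_NOT_FOUND);
            return false; // well-formed but unknown name: serve nothing
        }
        req.setAttribute(TENANT_ATTR, tenant.get());
        return true;
    }
}

/** Hypothetical tenant type and lookup used by the interceptor. */
class Tenant {
    final String subdomain;
    Tenant(String subdomain) { this.subdomain = subdomain; }
}

interface TenantRepository {
    Optional<Tenant> findBySubdomain(String subdomain);
}
```

Register it from a WebMvcConfigurerAdapter via addInterceptors, and have controllers read the Tenant from the request attribute so every database query is scoped to it. Because the interceptor decides from the Host header alone, the web server in front of Tomcat must also route all *.example.com names to this application, otherwise a request for a valid tenant name lands on a different virtual host.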
Related
I'm using Spring Security's SAML 2.0 to connect my service provider to multiple identity providers.
Everything in Spring's SAML 2.0 documentation makes sense. I have read many helpful tutorials including this one, which are similar to my existing code.
However, I am missing where and how to select an identity provider for a given user.
I understand SAMLDiscovery can be used to delegate the identity provider selection to a third party service. I also understand how to configure multiple identity providers. But I'm looking for a way to run my own code (i.e. check a database) and then trigger a SAML request for the chosen identity provider (not a third party service). I would expect this around the time SAMLEntryPoint is hit. I have seen mention of specifying EntityID in the initial request. Is this related?
I am attempting to perform SP-initiated SAML 2.0 SSO. Can someone please point me toward where I can manually specify an IdP based on the current user?
As far as I know, SAML doesn't offer any mechanism for what you want.
SAML discovery is used to find out which IdP exist for your application.
Your problem is that you don't know who the user is before he tries to log in, and when he does, it means that he already knows which IdP he wants to use.
So you have these options:
1. Most common. Use a landing page that lets the user select which IdP to use. For example, Epic Games lets you select the IdP from a list of 8. Once the user selects it, then you are good to go, by directing his request to the correct IdP.
2. If you know in advance which user belongs to which IdP, then you can have a page that lets the user enter his username only. Once he does this, you can check in your DB which IdP this user belongs to and send a redirect back to the browser. While this works, it will not allow the user to select which IdP he wants to use, putting this job on the shoulders of the backend.
3. Do step 2 once and save a cookie in the user's browser. Then, when the user tries to log in again in another session from the same machine, you can automatically redirect him to the right IdP. Using this option, everything is done automatically except for the first time.
One thing to consider. From a security standpoint, giving a hacker any info is bad practice, and so options 2 and 3 do reveal to a hacker which IdP belongs to which user. IMO this is not such a big breach and can be implemented.
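Options 2 and 3 from the answer above, as an added example that is not the answer's code. A controller takes the username, looks up the IdP in the database, remembers the choice in a cookie and redirects into the SAML login. It assumes the Spring SAML extension's entry point at /saml/login accepting an idp request parameter carrying the IdP entityId, a hypothetical UserIdpRepository, and a map from a short alias to the entityId of each configured IdP; the alias is what goes into the cookie, so a tampered cookie can never name an IdP that is not in the SP's configuration.

```java
import java.util.Map;
import java.util.Optional;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.CookieValue;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.util.UriComponentsBuilder;

@Controller
public class IdpSelectionController {

    static final String IDP_COOKIE = "preferred_idp";
    static final String SAML_ENTRY_POINT = "/saml/login"; // assumed: Spring SAML extension entry point

    private final UserIdpRepository users;
    // alias -> entityId for every IdP in the SP metadata. Only aliases present here are honoured.
    private final Map<String, String> idpByAlias;

    public IdpSelectionController(UserIdpRepository users, Map<String, String> idpByAlias) {
        this.users = users;
        this.idpByAlias = idpByAlias;
    }

    /** Option 3: a browser carrying a valid alias cookie goes straight to its IdP. */
    @RequestMapping(value = "/login", method = RequestMethod.GET)
    public String login(@CookieValue(value = IDP_COOKIE, required = false) String remembered) {
        if (remembered != null && idpByAlias.containsKey(remembered)) {
            return "redirect:" + entryPointFor(idpByAlias.get(remembered));
        }
        return "username"; // view with a single username field that POSTs back to /login
    }

    /** Option 2: resolve the IdP from the username, remember it, redirect. */
    @RequestMapping(value = "/login", method = RequestMethod.POST)
    public String selectIdp(@RequestParam String username, HttpServletResponse response) {
        Optional<String> alias = users.idpAliasFor(username.trim().toLowerCase());
        if (!alias.isPresent() || !idpByAlias.containsKey(alias.get())) {
            return "redirect:/login?error"; // unknown user or stale mapping: back to the form
        }
        Cookie cookie = new Cookie(IDP_COOKIE, alias.get());
        cookie.setHttpOnly(true);
        cookie.setSecure(true);
        cookie.setPath("/login");           // only the login page ever needs it
        cookie.setMaxAge(30 * 24 * 3600);   // 30 days
        response.addCookie(cookie);
        return "redirect:" + entryPointFor(idpByAlias.get(alias.get()));
    }

    /** Builds /saml/login?idp=<entityId>, encoding characters not allowed in a query value. */
    static String entryPointFor(String entityId) {
        return UriComponentsBuilder.fromPath(SAML_ENTRY_POINT)
                .queryParam("idp", entityId)
                .build().encode().toUriString();
    }
}

/** Hypothetical lookup of the IdP alias recorded for a username. */
interface UserIdpRepository {
    Optional<String> idpAliasFor(String username);
}
```

The cookie stores an alias rather than the entityId both because entityIds are usually URLs, which are awkward as cookie values, and because the alias keeps the set of reachable IdPs under the SP's control. The trade-off the answer mentions still applies: the POST handler tells an attacker which IdP a given username maps to.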
This is not really a SAML question, since any solution would happen outside of standards and involve identifying the user before asking them to authenticate.
GENERAL PATTERN
App redirects to Service Provider using Technology A, eg SAML, OpenID Connect
For this app, the Service Provider is configured to run an action, eg present a screen, to identify the user - you may have seen this in systems such as Office365
Service Provider then uses some kind of data lookup to identify the IDPs for the next step
If there is more than one then the user is prompted to select one, otherwise the default option is invoked automatically
The Service Provider then redirects to the IDP using Technology B - could be SAML / OIDC / Other
EXTENSIBILITY
Hopefully my comments above show that an IAM system is a toolbox and should be extensible. I work at Curity where we use a concept of authenticators and actions which can be combined - eg for MFA, but a common option is as follows:
Capture the user name
Run some custom logic - eg JavaScript that invokes a data lookup to set the next authenticator
Here is a recent article to show how this works - the Username Authenticator is the interesting part.
PROVIDERS
Unfortunately Spring may not provide the options you would like. This should clarify your requirements a little though.
I'm creating a Spring MVC (Spring 4) application with Spring Security 3.2. I have a login page which works fine, with a custom UserDetailsService. I want to add a new functionality to the website: adding some demands. When someone adds a demand, he will receive an email with a button through which he can manage this demand, including the creation of a session for the website. I want to create him an account and give him authentication from this button's URL, which will be handled by a controller. How should I do that? Create an account with some hardcoded password? And what about the authentication provider? A user with a demand couldn't log in through the normal login page.
In the database that type of account will have a different status than the normal accounts. Hope you understand what I need...
You can try creating a common user for all such use cases (called guest or similar). If you have validated a user using the trusted URL which they have provided, you can query the database using the hard-coded username (guest), and get the authentication details like password, roles etc. Then you can programmatically authenticate the user. In such a way, the user only has to provide you a URL, and your code can fetch a real authentication detail from the DB.
For the authentication part, you may refer to the below link.
stackoverflow.com/a/15119876/3981536
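The programmatic-authentication step from the answer above, as an added example that is neither the answer's nor the linked post's code. It validates the token carried by the emailed button URL, loads the account recorded for that demand through the application's existing UserDetailsService, and then places an authenticated token in the security context. The URL shape /demands/manage?token=..., the DemandLink record (a SHA-256 hash of the token plus expiry and single-use flag) and the DemandLinkRepository are assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.time.Instant;
import java.util.Optional;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;

@Controller
public class DemandLinkController {

    private final DemandLinkRepository links;
    private final UserDetailsService users;

    public DemandLinkController(DemandLinkRepository links, UserDetailsService users) {
        this.links = links;
        this.users = users;
    }

    /** Handles the button URL from the e-mail: /demands/manage?token=<random string>. */
    @RequestMapping(value = "/demands/manage", method = RequestMethod.GET)
    public String manage(@RequestParam String token, HttpServletRequest request) {
        // Only the hash is stored, so a leaked table does not hand out working links.
        Optional<DemandLink> link = links.findByTokenHash(sha256Hex(token));
        if (!link.isPresent() || link.get().used || link.get().expiresAt.isBefore(Instant.now())) {
            return "redirect:/demands/link-invalid";
        }
        links.markUsed(link.get()); // single use: e-mails get forwarded and URLs get logged

        // The account's own roles apply, loaded through the same service the login page uses.
        UserDetails user = users.loadUserByUsername(link.get().username);
        Authentication auth =
                new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());

        // Logging in outside the filter chain skips its session-fixation protection,
        // so drop the pre-login session and store the context in a fresh one explicitly.
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        SecurityContextHolder.getContext().setAuthentication(auth);
        request.getSession(true).setAttribute(
                HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY,
                SecurityContextHolder.getContext());

        return "redirect:/demands/" + link.get().demandId;
    }

    static String sha256Hex(String value) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(value.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is present in every JRE
        }
    }
}

/** Hypothetical record of one e-mailed link. */
class DemandLink {
    String username;   // the account created for this demand
    long demandId;
    String tokenHash;  // sha256Hex of the token that was mailed out
    Instant expiresAt;
    boolean used;
}

interface DemandLinkRepository {
    Optional<DemandLink> findByTokenHash(String tokenHash);
    void markUsed(DemandLink link);
}
```

The token in the mail is the only credential, so it must come from SecureRandom with enough entropy to be unguessable, and the account it maps to should carry only the role needed to manage that one demand; the normal login page can then reject accounts with the "demand" status as the question intends.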
I have configured an IdP and SP on my desktop. To test SSO, I have a single HTML page deployed in Tomcat. I have given the URL http://machinename:portno(here tomcat's port)/webApp/index.html as the default URL of the SP configuration. When I try to hit the SP SSO URL (http://machine_name:portno/sp/startSSO/ping), it redirects to the IdP and prompts for authentication. Once the user is authenticated, the user is redirected to the Tomcat web page.
But when I try to access the Tomcat page directly, I am able to access it without any authentication. Is there any configuration on the SP side? If so, how do I do it? When I access the web page, I should be prompted for authentication.
This configuration question really has nothing to do with PingFederate. This is more about how you have chosen to integrate your Tomcat application with the PingFederate SP Adapter. Chances are you are using the SP OpenToken or SP ReferenceID Adapter for a Java app in Tomcat - these Adapters merely provide the user's identity attributes to your application after the SAML Response is validated by PingFederate SP. It is up to your application to validate the specific token type (using the proper steps required by the SP Adapter you have chosen), and then your application is also responsible for enforcing access and maintaining a session based upon the user's identity that is passed in the token.
If you are expecting Access Control/Session management, I'd recommend looking at integrating PingFederate with PingAccess.
Bottom line: Ping's solutions are hugely flexible, so there are a number of ways to accomplish this based upon your application infrastructure and use case requirements. I suggest that you work with your Ping Identity RSA to help you work through these questions in order to have the best possible outcome.
I am developing a Java application with a front end in HTML5 and Dojo. I am using SOAP as well as REST services to make service calls to get data from a downstream system. What I found is a potential threat in the application. Users are able to access the URL of the application and they are able to edit the URL, e.g. if the user is viewing his profile and he knows the name of some other user, then he can edit the URL to change the user name from his name to some other name, change some other fields and hit the URL. Likewise a user can edit some sensitive data and get access to confidential information.
My question is: how can I prevent the user from editing the parameters in the application URL?
What URL a user chooses to access is client side and can't necessarily be controlled. Anybody can easily open a new tab and type in whatever URL they want to.
I would instead suggest protecting your REST endpoints with some sort of server side security framework instead. If you're using Java on your server side, you could look into something like http://shiro.apache.org/ for security which would not allow any user to access data that they shouldn't have access to.
Another solution would be to just have a single REST endpoint that can access whatever profile the user's session currently refers to.
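The two fixes from the answer above, as an added example that is not the answer's code: the profile endpoint written the way the question describes (target user taken from the URL) next to a version that resolves the subject from the authenticated session, and a version that keeps the URL parameter but authorizes it server-side. Spring MVC with Spring Security method security enabled, the Profile type and the ProfileRepository are assumptions of this example.

```java
import java.security.Principal;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class ProfileController {

    private final ProfileRepository profiles;

    public ProfileController(ProfileRepository profiles) {
        this.profiles = profiles;
    }

    // VULNERABLE, as in the question: any logged-in user picks the victim by editing {username}.
    // Being authenticated is not the same as being authorized for this record.
    @RequestMapping(value = "/profile/{username}", method = RequestMethod.PUT)
    public ResponseEntity<Profile> updateAnyProfile(@PathVariable String username,
                                                    @RequestBody Profile changes) {
        return ResponseEntity.ok(profiles.save(username, changes));
    }

    // FIXED (the answer's single-endpoint suggestion): the subject is the session's principal,
    // which the client cannot edit; the URL carries no user name at all.
    @RequestMapping(value = "/me/profile", method = RequestMethod.PUT)
    public ResponseEntity<Profile> updateOwnProfile(Principal principal,
                                                    @RequestBody Profile changes) {
        return ResponseEntity.ok(profiles.save(principal.getName(), changes));
    }

    // FIXED (server-side security framework): other users' profiles stay addressable, e.g. for
    // administrators, but the server checks the caller against the requested record first.
    @PreAuthorize("#username == authentication.name or hasRole('ADMIN')")
    @RequestMapping(value = "/profile/{username}", method = RequestMethod.GET)
    public ResponseEntity<Profile> viewProfile(@PathVariable String username) {
        Profile profile = profiles.find(username);
        if (profile == null) {
            return ResponseEntity.notFound().build();
        }
        return ResponseEntity.ok(profile);
    }
}

/** Hypothetical profile data and store. */
class Profile {
    public String displayName;
    public String email;
}

interface ProfileRepository {
    Profile find(String username);
    Profile save(String username, Profile changes);
}
```

The @PreAuthorize check needs @EnableGlobalMethodSecurity(prePostEnabled = true) and the #username reference needs parameter names retained at compile time (-parameters or debug info). Whichever shape is chosen, the rule is the same: the identity and the authorization decision live on the server, and the URL is treated as untrusted input that names a resource the caller may or may not be allowed to touch.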