We are having a application which returns logged in username (Windows NTLM) and we normally pass to all other applications to check authentication part.
I would like to know is it possible to pass username from application which returns username
and pass to our new web application which is developed using Spring 3? So that we could leverage the use of Spring Security features
If it is possible, how could I use this?
As we already have a application which returns Windows user, management discourages the usage of Kerberos and other SSO methods.
Any help or insight is highly helpful and beneficial.
Thanks
The simplest way to solve your problem is the following:
1) Install Apache Web Server and configure to use NTLM authentication using modntlm
http://modntlm.sourceforge.net/
(Similar you can use Kerberos authentication using mod_auth_kerb using http://modauthkerb.sourceforge.net/)
2) Configure mod_jk to your Selvlet container (JBoss or Tomcat)
http://tomcat.apache.org/connectors-doc/generic_howto/proxy.html
After the successful authentication Apache sends the REMOTE_USER header to the servlet container.
The header (according the name) contains a user name of the authenticated user
Ensure you configure tomcatAuthentication="false" to allow Apache to allow apache to send the REMOTE_USER header
3) Implement and configure in Spring Security your own PreAuthenticatedProcessingFilter:
http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#d0e6167
It should be very similar to the Request-Header Authentication filter:
http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#d0e6295
In addition, you should omit a domain name from the user name.
The user name is sent in the REMOTE_USER header after NTLM or Kerberos authentication.
You cab bind your username with application URL like "localhost:port/somename/j_spring_check?j_username=your username".
Related
I've a Java Spring Web application (no Spring Boot) with a "standard" authentication mechanism using database user credentials (It uses Spring Security lib).
Now I need to know if is it possible to include a second auth method with an external Identity Provider and a SSO login.
For example: A user with a specific e-mail domain ex: userX#domain1.com, login with his DB credentials but another type of user (ex: userY#domain2.com) need to be able to login against an external IDP.
I've already developed a bunch of application with Spring Security SAML lib with ADFS or OpenAM but that was the only login method for all the users.
If is it possibile, how I need to setup the Spring Security Configuration in order to achive this? Maybe I should use a multi-provider config?
Thanks.
Supporting multiple authentication mechanisms can be achieved by checking the user domain and redirecting to your own service that supports UserNamePassword based DB authentication or redirecting to the SSO service.
And for configuring Spring Security, you can create separate implementations extending
org.springframework.security.authentication.AuthenticationProvider
Checkout this link that guides on how to implement multiple authentication mechansism
For SSO specificly, you have to configure a redirectURL with the SSO provider, that internally calls your API with the SAML response.
SSO with spring security
I have implemented a simple java web application with tomcat realm authentication(Custom FORM authentication). Now, I'm trying to add a second authentication page for the user(two-factor authentication, I'm using Google authenticator). As far as I have referred the Tomcat documentation, we can specify only one login-config.
I tried adding a filter and also tried managing whether the user has finished the Two-Factor authentication manually with session and tokens.
Is there a way to add the second authentication in the web.xml or the server.xml. So, tomcat should handle whether the user has finished both the authentication.
Thanks in advance.
Tomcat only starts one login process. That process may decide to ask the user for more than one credential but tomcat is not aware of it.
So, you should create a filter and/or login servlet that handles authentication for the tomcat container. That filter/servlet (combination) must prompt for all desired credentials.
If you do not use a framework for your application that already has an authentication layer, you are essentially writing your own 2FA implementation.
I have an Apache server that handles authentication and authorization before forwarding requests to a second server.
Users accessing the server from a browser are authenticating with LDAP and the authorization checks to see that username is present within a defined file.
I also have a Java application that can access the server (at a different endpoint), which currently hardcodes a username and a password into a request URL and leverages Basic Authentication over SSL.
Rather than use Basic Authentication, is it possible to configure Apache to accept a keystore/truststore from the Java application and authenticate/authorize on the certificate's CN and a password? If so, can anyone cite an example?
You can configure Apache to request client certificate authentication and use +FakeBasicAuth SSLOption in order to preserve compatibility with your current setup.
If the Java application can be restrained to certain URLs then you can require certificate authentication, otherwise make it optional as you do not want your other clients to have to authenticate with certificates.
There are good examples of this in the SSL/TLS - How-To in the Apache documentation.
I'm trying to monitor Tomcat in Java program but I don't how I should pass the username and password to JMXProxyServlet. Does any one have any idea how to do this?
So your monitoring software will be written in Java. You can configure your manager webapp to use HTTP BASIC authentication and a MemoryRealmDatabase (which is how it's set up by default). Then,
Enable a user in tomcat-users.xml with the manager-jmx role.
Verify that HTTP BASIC authentication is working using a regular web browser.
Set an 'Authorization' HTTP header along with your HTTP request to JMXProxyServlet. The value of that header should be base64(username + ":" + password).
Various HTTP helper libraries (like Apache httpclient) have specialized methods to help you do this, or you can use HttpURLConnection directly.
I have a very basic login form which accepts username and password. When the data is submitted a controller class essentially authenticates the username and password, if the credentials are correct a user is then forwarded to a membersOnly.jsp which is located in the WEB-INF of the java EE project. Since content in the WEB-INF is only accessible by forwarding and not redirect I assume the only way someone can access this information is through the server-side forward.
My question is, how secure is this approach and should I use some other form of security?
You're using some sort of custom-based authentication, but the Java EE Standards defines several authentication mechanisms:
HTTP Basic authentication
Form Based authentication
HTTPS Client authentication
With Form-Based authentication you can still use your custom-made form, and delegate password validation to your Java EE Container. Almost every vendor offers credential validation against LDAP servers, database tables and other repositories.
Most containers will handle authentication for you.
With Glassfish, for example, you can simply tell the container which database table contains users and passwords.
It will do the rest for you.
You can also let the container control access to different pages.
Hope this helps.