Java Tomcat LDAP authentication - java

Since I'm running Java with Tomcat6 as servlet container I found it appropriate to use the Tomcat JNDIRealm feature so that LDAP users can log into my site without any additional efforts. The LDAP server I'm using is OpenLDAP on Ubuntu.
On top of this I have the login page using form-based authentication over an https connection.
I found two very good examples of authenticating users via LDAP, here and here, that both achieve what I feel I almost achieved. Why almost achieved?
When I attempt to login with the wrong credentials I'm appropriately sent to the <form-error-page>, login-failed.html in my case.
When my credentials are good and I authenticate successfully I start getting a 403 for all urls in the site. And I cannot remove the 403 error (not even for the login page!) unless I restart Tomcat.
I suspect the reason is because I don't have roles in the realm or other config files set up correctly. For the sake of brevity I put the relevant config files excerpts on pastebin:
Realm in Tomcat server.xml
Relevant tomcat-users.xml part
Relevant web.xml part
Basic LDAP structure, dashes indicate tree structure
Note that Tomcat-based auth works perfectly since the role is easily attached to the user in the tomcat-users.xml. Therefore I believe it's a problem in getting the role for an authenticated user from LDAP once it has been successfully authenticated.
TL;DR
I have a config issue in connecting Tomcat to LDAP auth. User data fetched properly, but not the user's role. LDAP log messages available on request ;)
UPDATE: I pasted the LDAP data here.

That is correct. Your LDAP roles aren't being found by the JNDIRealm. You need to test your role search string outside Tomcat to ensure it yields what you think it should yield. As you haven't provided any LDAP details it isn't possible to comment further.
Putting a security-permission on the entire site with /* is a mistake. You need to exclude the login page and probably also the front page and the forgot-password page, maybe more, from requiring a role.
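The answer's first point, checking the role search outside Tomcat, can be done with the same JNDI calls that JNDIRealm itself uses. The following is an added example, not code from the question or from Tomcat: it replicates the realm's two-step lookup (find the user's DN under userBase with userSearch, then find roles under roleBase with roleSearch) and prints what Tomcat would see. The server URL, base DNs, filters and the sample username are assumptions; set them to the values in your server.xml. In roleSearch, {0} is replaced with the user's full DN and {1} with the bare username, so a group that lists members as memberUid values needs `(memberUid={1})` rather than `(member={0})`.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/**
 * Stand-alone check of a JNDIRealm-style user and role search, run outside Tomcat.
 * The constants mirror JNDIRealm attributes of the same name; values are assumptions.
 */
public class RoleSearchCheck {
    static final String CONNECTION_URL = "ldap://localhost:389";          // connectionURL
    static final String USER_BASE      = "ou=people,dc=example,dc=com";   // userBase
    static final String USER_SEARCH    = "(uid={0})";                     // userSearch, {0} = username
    static final String ROLE_BASE      = "ou=groups,dc=example,dc=com";   // roleBase
    static final String ROLE_SEARCH    = "(member={0})";                  // roleSearch, {0} = user DN, {1} = username
    static final String ROLE_NAME      = "cn";                            // roleName

    static DirContext connect() throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, CONNECTION_URL);
        // Anonymous bind here; add SECURITY_PRINCIPAL/SECURITY_CREDENTIALS if the
        // directory does not allow anonymous search (connectionName/connectionPassword in the realm).
        return new InitialDirContext(env);
    }

    /** Step 1: resolve the username to a DN, as the realm does with userSearch. */
    static String findUserDn(DirContext ctx, String username) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);               // userSubtree="true"
        // Passing the username as a filter argument lets JNDI escape it instead of splicing it in.
        NamingEnumeration<SearchResult> results =
                ctx.search(USER_BASE, USER_SEARCH, new Object[]{username}, sc);
        if (!results.hasMore()) {
            return null;
        }
        return results.next().getNameInNamespace();
    }

    /** Step 2: collect the roleName attribute of every entry matching roleSearch. */
    static List<String> findRoles(DirContext ctx, String userDn, String username) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);               // roleSubtree="true"
        sc.setReturningAttributes(new String[]{ROLE_NAME});
        List<String> roles = new ArrayList<>();
        NamingEnumeration<SearchResult> results =
                ctx.search(ROLE_BASE, ROLE_SEARCH, new Object[]{userDn, username}, sc);
        while (results.hasMore()) {
            Attribute attr = results.next().getAttributes().get(ROLE_NAME);
            if (attr != null) {
                roles.add((String) attr.get());
            }
        }
        return roles;
    }

    public static void main(String[] args) throws NamingException {
        String username = args.length > 0 ? args[0] : "jdoe";           // constructed sample username
        DirContext ctx = connect();
        try {
            String userDn = findUserDn(ctx, username);
            if (userDn == null) {
                System.out.println("user not found under " + USER_BASE + ": " + username);
                return;
            }
            System.out.println("user DN: " + userDn);
            List<String> roles = findRoles(ctx, userDn, username);
            System.out.println("roles:   " + roles);
            // An empty list here is exactly the 403 case: the constraint's role is never granted.
        } finally {
            ctx.close();
        }
    }
}
```

If the printed list is empty but the user exists, the mismatch is in roleBase, roleSearch or roleName; if the list contains the group but Tomcat still answers 403, compare the printed value with the role-name in web.xml's auth-constraint, which must match exactly.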

Related

Two-Factor Authentication for a tomcat java web application

I have implemented a simple Java web application with Tomcat realm authentication (custom FORM authentication). Now, I'm trying to add a second authentication page for the user (two-factor authentication; I'm using Google Authenticator). As far as I can tell from the Tomcat documentation, we can specify only one login-config.
I tried adding a filter and also tried managing whether the user has finished the Two-Factor authentication manually with session and tokens.
Is there a way to add the second authentication in web.xml or server.xml, so that Tomcat handles whether the user has finished both authentications?
Thanks in advance.
Tomcat only starts one login process. That process may decide to ask the user for more than one credential, but Tomcat is not aware of it.
So, you should create a filter and/or login servlet that handles authentication for the tomcat container. That filter/servlet (combination) must prompt for all desired credentials.
If you do not use a framework for your application that already has an authentication layer, you are essentially writing your own 2FA implementation.
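The filter approach the answer describes, as an added example that is not part of the original post or of Tomcat: the container's FORM login stays the first factor, and this servlet filter blocks every protected resource except the OTP page until the session carries a "second factor verified" flag. The paths `/otp` and `/otp/verify`, the session attribute name, and the `markVerified` helper (to be called by your own OTP-checking servlet) are assumptions for the example; the OTP page must itself sit inside the security-constraint so only password-authenticated users can reach it.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Second-factor gate. Tomcat's realm verifies the password (first factor);
 * this filter refuses everything but the OTP page until the session is marked verified.
 * Map it to /* in web.xml. Paths and attribute name are assumptions for this example.
 */
public class SecondFactorFilter implements Filter {
    static final String VERIFIED_ATTR = "secondFactorVerified";
    static final String OTP_PAGE   = "/otp";         // prompts for the code (assumed path)
    static final String OTP_SUBMIT = "/otp/verify";  // servlet that checks the code (assumed path)

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // No principal yet: the container has not finished FORM login, so let its
        // security-constraint redirect the user to the login page as usual.
        if (request.getUserPrincipal() == null) {
            chain.doFilter(req, res);
            return;
        }

        HttpSession session = request.getSession(false);
        boolean verified = session != null
                && Boolean.TRUE.equals(session.getAttribute(VERIFIED_ATTR));
        // Path relative to the context so the comparison does not depend on the deployment name.
        String path = request.getRequestURI().substring(request.getContextPath().length());

        if (verified || OTP_PAGE.equals(path) || OTP_SUBMIT.equals(path)) {
            chain.doFilter(req, res);
        } else {
            // First factor done, second not: always send to the OTP page, never to the resource.
            response.sendRedirect(request.getContextPath() + OTP_PAGE);
        }
    }

    /**
     * To be called by the OTP servlet only after the code has been validated.
     * changeSessionId() needs Servlet 3.1 (Tomcat 8 or later); it prevents a session id
     * captured before the step-up from being promoted to a fully verified one.
     */
    static void markVerified(HttpServletRequest request) {
        request.changeSessionId();
        request.getSession().setAttribute(VERIFIED_ATTR, Boolean.TRUE);
    }
}
```

The flag is never set by the filter itself, only by the servlet that validated the code, so a user who bookmarks a deep link still lands on the OTP page after the password step. The OTP servlet should also count failed attempts per session and invalidate the session after a small number of them, since a six-digit code is otherwise guessable.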

Is it possible to externally authenticate in Tomcat using OAuth?

In Tomcat, I can set up security constraints that require certain resources to only be accessed by authorized users. The users are authenticated using either BASIC or FORM authentication, where a username and password are provided.
However, I'd also like to allow users to authenticate externally using an OAuth provider. Is this possible?
Note that I can already pass all the information I need to acquire the access tokens for the user. From there I can get the username and other profile metadata.
But how do I then log the user into Tomcat? The only way I can think to make this work is to take this username and create a Tomcat account, maybe setting the access token as the password. Then I could do a Tomcat login on behalf of the user, so she is locally authenticated. On subsequent logins I'd just update the password to the new access token.
But this seems like a hack, and when it comes to users and security I'd prefer to avoid hacks.
It looks like JASPIC might offer a solution for this? Unfortunately, it looks like it became available in Tomcat starting at 8.5, but I'm stuck using 8.
Are there any other options?
Thanks!

Tomcat Authentication using LDAP with just username and without password

I have a web application which is hosted on an Apache web server. And I have an external Java application which runs on Tomcat, integrated into this web application.
Apache is kerberized and I get the username of the person accessing it in the intranet. I want to use the same username and pass it on to Tomcat to check against LDAP and authorize the user.
I was looking into the JNDI realm which supports the LDAP module. But the problem is I do not have access to the user's password. But I'm able to get the groups the user belongs to and based on that I want to authenticate the user.
So my question is: will I be able to authenticate a user against the Tomcat server via LDAP with just the username and not the password?
PS: Sorry, there is no code or configuration that I can post at this point. The only resources I found implemented both username and password. I cannot kerberize the Tomcat server because I have other issues in the network.
"I was looking into JNDI realm which supports LDAP module. But the problem is I do not have access to the user's password. But I'm able to get the groups the user belongs to and based on that I want to authenticate the user."
Once I was asked to write some code to do the very same thing. I found a way to make it work. However, although it seemed to work well enough with Internet Explorer, which would automatically detect the Windows username (because my code was parsing some NTLM information that only Internet Explorer passes in as a header), in Firefox or any other browser the user would be presented with an authentication box and any username they typed in would be accepted! It's very insecure.
(Well, it's not really true that only IE passes the header in. Only IE passes it in automatically; but Firefox also passes it in after someone gets the authentication box and types in any name they want. That's the problem.)
What I would suggest is writing a C#.NET service to do the authentication for real on a webserver that is IIS and has Integrated Authentication on. Then, redirect to the C# service when someone hits the Java site and the username session variable is null. Have the C# service save the info in a trusted/secure database including ip address and browser and redirect to the Java app which reads the db to validate IP address and browser and that the record was just created.
Edit: I just noticed you said your Apache is kerberized and already gets the Windows username, which may render the problem above about the unreliability of parsing the NTLM header null and void. In this case, if you can get the AD groups via LDAP you can authenticate the user in your webapp with your own code, but probably not using the official Tomcat authentication scheme. What is described above is just because my Tomcat is not paired with an Apache server but with an IIS server. So basically, it's the same thing, except you won't need C#.

Windows Authentication for Java Based web applications, How to?

I have a couple of Java-based web applications developed. Both the applications have separate Authentication logic based on some ActiveX directory implementation.
Now, I need to change this to Windows authentication so that whenever the user hits the URLs of my web applications, instead of redirecting him to login page I need to check his Windows credentials.
I do not want to store his windows credentials in URL.
Is there any good way to do this?
Depending on the level of integration you want your web application to have, Spring Security should have you covered in just about all aspects of what you are after.
If redirecting to a login page and authenticating the entered credentials against an Active Directory server via LDAP is acceptable, then the LDAP extension is the way to go.
If you want more of a Single Sign On (SSO) flow and your users are already authenticated against the authoritative Active Directory server in question (eg. they are logged in to the domain), then the Kerberos plugin for Spring Security may be more appealing, since your users will simply have to go to the web application and won't have to go through any other authentication steps. The systems will take care of it behind the scenes.
You can also combine / layer these approaches if you wish and try Kerberos-based authentication first and, if that falls through, fall back to a login form and LDAP-based authentication.
If you need to go beyond that, Spring Security is flexible enough to allow you to use OpenID or in-app authentication as well if needed.
I'd recommend using Active Directory to expose its Windows authentication layer over LDAP, which can then be hit by something like Spring Security.
This would effectively force anyone using your application to use their Windows login.
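The "login form plus LDAP against Active Directory" option from the answers above, written out as an added example; it is not code from either answer or from the Spring project. It assumes Spring Security 5.x in the WebSecurityConfigurerAdapter style (that adapter was deprecated in 5.7) and the spring-security-ldap module on the classpath; the domain name, controller URL and the public paths are placeholders to replace with your own.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;

/**
 * Form login whose credentials are verified by binding to Active Directory.
 * The user never stores a password in this application: AD answers the bind,
 * and the groups it returns become Spring Security authorities.
 */
@Configuration
@EnableWebSecurity
public class AdSecurityConfig extends WebSecurityConfigurerAdapter {

    // Placeholders: your AD DNS domain and a domain controller. LDAPS keeps the
    // user's password off the wire between this application and the controller.
    private static final String AD_DOMAIN = "corp.example";
    private static final String AD_URL    = "ldaps://dc1.corp.example:636";

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        // Binds as user@corp.example with the submitted password; AD does the check.
        ActiveDirectoryLdapAuthenticationProvider provider =
                new ActiveDirectoryLdapAuthenticationProvider(AD_DOMAIN, AD_URL);
        auth.authenticationProvider(provider);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // The login page and static assets must stay reachable without a session,
                // otherwise the redirect to the form itself gets blocked.
                .antMatchers("/login", "/css/**").permitAll()
                .anyRequest().authenticated()
            .and()
                .formLogin().loginPage("/login")
            .and()
                .logout();
    }
}
```

The Kerberos-first, form-second layering mentioned in the answer is a matter of adding the Spring Security Kerberos SPNEGO entry point and provider in front of this same provider; the form flow above is the fallback that remains when the browser does not present a ticket.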

How to restrict landing pages in tomcat?

I have a java web application running on tomcat, and will use single sign on (against an Active Directory) for authentication.
What I want to accomplish is, that only certain pages in the web app are allowed to be the first "landing page" in the site.
The use case is that one may point the browser to index.jsp, and then be authenticated behind the scenes, and then be forwarded to some_content.jsp.
However, if I point the browser directly to some_content.jsp, I want the request to be denied, somehow, and NOT authenticated behind the scenes.
To rephrase, if I go to some_content.jsp first, without already being authenticated, I do not want authentication to happen, even though I have SSO set up.
Is it a matter of some fairly simple security-constraint, or what could a solution be? I am looking for a solution that can be configured, rather than adding code.
Thanks a lot!
This won't work with container managed security. The only method to have a concrete login entry point with container-managed auth like in Tomcat is FORM auth. I use SPNEGO auth myself and Tomcat will perform it on any URL if it is denoted as protected. So a routing login page is not possible unless you write a custom authenticator.
