Get CAS cookie on Java - java

I'm trying to authenticate my Java application with a CAS-auth-based web. What I understand so far is that I need to handle cookies. I have retrieved the cookies from the login-form HTML page, and it sends me a JSESSION cookie. The value of this cookie is retrieved with a POST submit.
My problem is that after that submit, I got a "Successful login" HTML as response, but I don't know how to get the CASTGT cookie. I need it to access the services on the web (Intranet, being specific).
Additionally, in the browser, after the login I see the two cookies (JSESSION and CASTGT) from the domain that provides the login form, and another JSESSION cookie from the domain which provides the intranet.

You don't need to deal with cookies directly at all. So long as you have declared the AuthenticationFilter and ValidationFilter instances in the web.xml file of your web application, you will be able to interact with your CAS Server instance through the CAS Java client API.
See Configuring the JA-SIG CAS Client for Java in the web.xml for more information.

Related

How to authenticate and authorize Java application with KeyCloak

I have a Java servlet that accepts HTTP requests, "protected" by KeyCloak. I can manually send a GET request, which redirects me to the KeyCloak login page, and I can log in and see the correct webpage from the servlet. Now I would like to make it such that my other Java application can also authenticate itself and access the webpage.
In my current setup I have the Java servlet running in Wildfly and the keycloak standalone. I have a KeyCloak realm with a user "testuser" with the role "testrole" and client "testclient". To be fair I don't really know what the client does, since it has no role or other attributes set. Should it represent the servlet application or the requesting Java application? What attributes should I set here?
The documentation mentions JWT Tokens, but I don't know how I can obtain one. The actual request should be to "localhost:8080/testservlet", do I have to query for a token at the KeyCloak server first, or should I go through the redirect process as when it is "manual"?

Continuing sessions using JSESSIONID

I have a web application which requires username and password authentication to enter.
What I am doing is authenticating a user from a standalone Java app, which would do so by making an HTTP request to the server using username and password. Then I would retrieve the JSESSIONID cookie from the response of the server.
Now what I want is to use this JSESSIONID to continue the session in the browser, i.e. to let the user navigate pages of my web app, which would be opened by my standalone Java app which I use for authentication.
Is this possible? Or is there any other way to do so.
The cookie can be changed using the methods mentioned below.
Cookie cookie = new Cookie("JSESSIONID", NEWSESSIONID);
response.addCookie(cookie);
From your application you can send JSESSIONID as a parameter while opening the browser the first time and reset your cookie using the above method either in a filter or a servlet. This will reset your cookie on the client side once you send the response back. From the next request onwards you will be able to access the session created previously.
It's possible but it's not that simple.
Since web applications don't share sessions, what you're looking for is a Single Sign On (SSO) solution, which involves an "Identity Provider" (IdM) that authenticates users for one or more "Service Providers" (SP). In this case, your servlet is the IdM and your web app is an SP.
Depending on your deployment, the following are third-party, open-source SSO libraries that you may be able to use:
Kerberos
PicketLink (for JBOSS)
OpenAM (for Tomcat)
If you don't want to use a third-party library, you may also be able to modify your servlet to be the IdM. Either way, I suggest reading a little about Security Assertion Markup Language (SAML) before deciding on a solution. SAML is a popular method that the above libraries implement.

Pre-login session id?

I have a simple webapp on Tomcat with form authentication, and notice that there is a "pre-login" JSESSIONID that's being set whenever a user just goes to the login page, before any login attempt even occurs.
Is this default behavior in Tomcat? Why does Tomcat generate a JSESSIONID just for loading a login page? Shouldn't it generate any session id's only after an actual login? (Not because someone just loads the login page!)
Note: I should mention that my entire webapp (login page and all) is hosted over https; no part of it is exposed via http. Also I am not using JSP. After login, Tomcat generates a second JSESSIONID, different from the first. And that's the one the user uses for the remainder of their session.
But why does it set a "pre-login" JSESSIONID in the first place?
If you use Tomcat's means of form auth, it has to store the initial request somewhere to perform the stateless redirect for the auth. After that, it will re-evaluate the request. The SavedRequest is saved in the session. You should disable the changeSessionIdOnAuthentication flag.

Spring Security and CAS logout redirecting problem

I need to implement Single Sign Out in Java using Spring Security. What CAS needs from my application is to access
https://www.home.com/cas/logout.cfm?service=myService&redirect=http://encoded.url.of.my.site
I put this URL to LogoutFilter's constructor parameter (as logoutSuccessUrl), so when I click the logout URL on my site, Spring Security clears the session and redirects me to that URL, which is over HTTPS. It does what it is supposed to do and then tries to redirect me back to my website's welcome address. However, this address is on the HTTP protocol, not on HTTPS. So either because of sending some info in parameters when accessing that secure page, or because of redirecting back to non-secure, Firefox gives me a message:
"Although this page is encrypted, the information you have entered is to be sent over an unencrypted connection and could easily be read by a third party."
OK, this is clear, but... How does logging using SSO work then? It essentially does the same thing. My website redirects to SSO's login page over https, which on success redirects back to my site, which is over plain http. How can I get rid of that message?
OK, after some research I got the answer. Firefox throws this message only if there is some post data in the redirect, which occurs from HTTPS to HTTP. This message can't be disabled; there is a corresponding comment in Firefox's source code. The data that is posted (in the form of XML) should allow the session to be invalidated. This also gives CAS the ability to invalidate the session without any action from the user of the application (CAS posts data to that URL and the application invalidates the user's session).
Logging in didn't throw any messages because it was a simple redirect, without any data.

GWT RPC Cookie authentication

I'm using gwt on my glassfish server, and I'm attempting to make some of my RPC calls authenticated via cookies. Is this possible? Are there any examples out there of how to code it?
Depending only on the cookie for authentication will make your website/services vulnerable to Cross-Site Request Forging/XSRF/CSRF attacks - read more on that in Security for GWT Applications.
The best way would be to double check the value you get from the cookie and with the one that's been transported to the server by some other means - as part of the request (header, a custom field, etc).
Other than that, there are many tutorials covering the subject - just search for Java (servlet) authentication - it doesn't have to be GWT-specific. The Google Web Toolkit Group also has many threads about the subject.
I assume that you use GWT's RPC servlet for handling requests made by the client.
One option that comes to my mind is to write and configure a ServletFilter which can examine the cookie, before the request reaches GWT's servlet.
You might rethink using cookies as it is a potential security hole.
Why not put your communication to HTTPS?
Can you not just use the standard 'session' scope, i.e.
request.getSession()
A pattern I use in GWT apps is to have a separate 'old fashioned' login form which sets up the session. The GWT app's host page is then displayed after they have successfully logged in.
If the necessary values aren't in the session, then the user isn't logged in. Your service should return an exception, maybe, which instructs the GWT app to redirect to the login page, or display an error.
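
The two suggestions in the answers above (compare the cookie value with a copy sent by some other means, and do the check in a servlet filter in front of GWT's RPC servlet) can be combined as follows. This is an added example, not code from any of the posts; the cookie name `XSRF-TOKEN`, the header name `X-XSRF-TOKEN`, the class name and the use of the `javax.servlet` API (Servlet 3.x/4.x) are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter: map it in web.xml to the URL pattern of the GWT RPC servlet. */
public class CookieHeaderMatchFilter implements Filter {
    // Assumed names: a token cookie issued at login that client script can read,
    // and a custom header into which the GWT client copies that value on each RPC call.
    static final String COOKIE_NAME = "XSRF-TOKEN";
    static final String HEADER_NAME = "X-XSRF-TOKEN";

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String fromCookie = null;
        Cookie[] cookies = request.getCookies();   // null when the request carries no cookies
        if (cookies != null) {
            for (Cookie c : cookies) {
                if (COOKIE_NAME.equals(c.getName())) fromCookie = c.getValue();
            }
        }
        // A cross-site request carries the cookie automatically but cannot set the header.
        if (!matches(fromCookie, request.getHeader(HEADER_NAME))) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;                                 // the request never reaches the RPC servlet
        }
        chain.doFilter(req, res);
    }

    /** True only when both values are present, non-empty and equal (constant-time compare). */
    static boolean matches(String cookieValue, String headerValue) {
        if (cookieValue == null || headerValue == null || cookieValue.isEmpty()) return false;
        return MessageDigest.isEqual(cookieValue.getBytes(StandardCharsets.UTF_8),
                                     headerValue.getBytes(StandardCharsets.UTF_8));
    }
}
```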
