I have a very basic login form which accepts username and password. When the data is submitted a controller class essentially authenticates the username and password, if the credentials are correct a user is then forwarded to a membersOnly.jsp which is located in the WEB-INF of the java EE project. Since content in the WEB-INF is only accessible by forwarding and not redirect I assume the only way someone can access this information is through the server-side forward.
My question is, how secure is this approach and should I use some other form of security?
You're using some sort of custom-based authentication, but the Java EE Standards defines several authentication mechanisms:
HTTP Basic authentication
Form Based authentication
HTTPS Client authentication
With Form-Based authentication you can still use your custom-made form, and delegate password validation to your Java EE Container. Almost every vendor offers credential validation against LDAP servers, database tables and other repositories.
Most containers will handle authentication for you.
With Glassfish, for example, you can simply tell the container which database table contains users and passwords.
It will do the rest for you.
You can also let the container control access to different pages.
Hope this helps.
Related
Background: Our current technology architecture includes Tomcat Servlets that do backend activities and Codeigniter PHP which handles the presentation layer. So when a particular page is loaded, the Codeigniter View invokes the Controller which constructs the servlet URL with necessary input parameters and invokes the URL and gets the response and passes it back to the View so that the page is rendered.
Issue: User information and login credentials are stored in database and is validated by PHP front end. There is no authentication for the Tomcat servlets and in cases where we need user information in the backend, the user id is passed as a parameter to the backend.
Currently Tomcat and PHP resides on the same server and we have used firewall port based restrictions to ensure that servlets can be invoked only from within the server to secure the servlets.
Help required : We are looking to implement token based authentication and authorization mechanism for the servlets. If we can get some sort of existing library that we can easily plug-in to our servlets, that would be ideal. Otherwise please guide what would be the best solution to implement without too much code changes but would effectively secure the backend servlets.
Cássio Mazzochi Molin have a nice articel about the topic : Token-based authentication with JAX-RS 2.0
I have 4 single page applications with same technologies: Spring MVC, Spring Security, Angulajs.
Each application has own ldap authentication and authorization. We want to build a single sign architecture and make a central authentication application. And make the other 4 application use this central application.
When user login into one of the apps, he should not need to login the others.
What is the easy way to implent this in server side and client side?
What you want is Single Sign-On (SSO). There are two options:
Use some existed SSO server like CAS.
Do it yourself using subdomain cookie technique.
First option is exactly what you want implement. When you open URL of app1 you will be redirected to SSO server and prompted for login/password. After successful authentication you will be redirected to app1 URL. Now if you open app2 URL you will be signed in automatically. One of advantages is that user password is stored only in SSO server.
Second option is more lightweight IMHO, because instead of using existed SSO server for sharing authentication information between your apps you use HTTP cookies. From the other side you need to write some minimal authentication code which may be less secure.
Subdomain cookie technique:
Use subdomains for all your apps (app1.domain.com, app2.domain.com)
When user connects to app1, generate some token (your session id), store it in some shared DB and as a cookie for domain.com
When user opens app2, check if token is present (as a cookie for domain.com), verify that it is valid (use shared DB) and allow access.
It is very simple algorithm that do not take into account all possible security vulnerabilities (like session fixation for example). So if you do not have enough time to solve them it may be better to go with first option.
I've tested the Spring Security SAML Extension for integration in my project and it looks good for me.
But I have one problem with this implementation:
How can I change the authentication to a form based login?
I have an application with a login form. And the requirement is that the authentication goes against an Active Directory Federation Services.
But up to now I found no way in the SAML Extension.
Sorry about this question, but my experience in Spring Security are not very good. I hope the someone here can help me in a simple way.
Best Regards
Thomas
The main point of federation protocols (like SAML) is that user's credentials are only used at the Identity Provider (= ADFS), and are not revealed to the Service Providers. In other words when using SAML you can't have a form login on your SP page.
If you want to combine multiple authentication methods - e.g. SAML + form login against local database, it is of course possible.
We are having a application which returns logged in username (Windows NTLM) and we normally pass to all other applications to check authentication part.
I would like to know is it possible to pass username from application which returns username
and pass to our new web application which is developed using Spring 3? So that we could leverage the use of Spring Security features
If it is possible, how could I use this?
As we already have a application which returns Windows user, management discourages the usage of Kerberos and other SSO methods.
Any help or insight is highly helpful and beneficial.
Thanks
The simplest way to solve your problem is the following:
1) Install Apache Web Server and configure to use NTLM authentication using modntlm
http://modntlm.sourceforge.net/
(Similar you can use Kerberos authentication using mod_auth_kerb using http://modauthkerb.sourceforge.net/)
2) Configure mod_jk to your Selvlet container (JBoss or Tomcat)
http://tomcat.apache.org/connectors-doc/generic_howto/proxy.html
After the successful authentication Apache sends the REMOTE_USER header to the servlet container.
The header (according the name) contains a user name of the authenticated user
Ensure you configure tomcatAuthentication="false" to allow Apache to allow apache to send the REMOTE_USER header
3) Implement and configure in Spring Security your own PreAuthenticatedProcessingFilter:
http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#d0e6167
It should be very similar to the Request-Header Authentication filter:
http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#d0e6295
In addition, you should omit a domain name from the user name.
The user name is sent in the REMOTE_USER header after NTLM or Kerberos authentication.
You cab bind your username with application URL like "localhost:port/somename/j_spring_check?j_username=your username".
Has anyone had any experience creating a JAAS LoginModule that uses SAML to authenticate and authorize a user? As I understand JAAS, this would likely require a custom CallbackHandler that understand and can parse a SAML message.
In my case, the authorization is defined as a set of roles in a database, but like your typical Database Login Module. There are, however, no passwords stored in this system. Instead users are authenticated on another site and a SAML exchange is used to pass that authentication event to our system.
My hope is to enable our application code to not have to deal with SAML directly and to be able to leverage standards JAAS techniques for managing permissions/roles/etc.
An example would be most welcome, but any links you may have found would also be wonderful.
The main issue you'll run in to is that there is no standard way to send the user's credentials to the IdP. In the SAML Web SSO flow you have the browser so the IdP can just put up a page asking for the credentials. In the ECP flow, which does not assume browser, does not provide a standard way for delivering the credentials. HTTP BASIC auth? WS-Security? Something else?
So, before you go further you'll need to know which SAML profiles the IdPs support and, if ECP is supported, which mechanisms are available for accepting the user's credentials.