Given these technologies: Java, JAX-RS (either RESTEasy or Jersey), JavaScript and jQuery. The servlet server is either Tomcat or Jetty. The GUI will be made as an "application" using jQuery and JavaScript. MVC or MVP patterns will be used to separate view from model. The plan is to load the application after login. I need some recommendation on how to make a secure login and manage access (roles). So far I know about SSL, encryption, Security Annotations (to guard methods) - but still, I need some overview and tips. So far my plan is to start reading the Java SE documentation at:
http://www.oracle.com/technetwork/java/javase/tech/index-jsp-136007.html#overview
Some input would be appreciated.
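For the "Security Annotations (to guard methods)" part of the question, the following is an added example, not code from any poster or from RESTEasy or Jersey: a JAX-RS filter that enforces `@RolesAllowed`, `@PermitAll` and `@DenyAll` and keeps unannotated methods closed. It assumes the JAX-RS 2.0 API (`javax.ws.rs`) and a `SecurityContext` already populated by the container or by an earlier authentication filter; the class name `RoleCheckFilter` is hypothetical.

```java
import java.lang.reflect.Method;
import javax.annotation.Priority;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.Response.Status;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

// Added example (assumes JAX-RS 2.0): deny-by-default role check for resource methods.
@Provider
@Priority(Priorities.AUTHORIZATION) // runs after any filter registered at AUTHENTICATION priority
public class RoleCheckFilter implements ContainerRequestFilter {

    @Context
    private ResourceInfo resourceInfo; // resource class and method matched for this request

    @Override
    public void filter(ContainerRequestContext ctx) {
        Method method = resourceInfo.getResourceMethod();
        Class<?> type = resourceInfo.getResourceClass();
        if (method == null || method.isAnnotationPresent(DenyAll.class)) {
            reject(ctx, Status.FORBIDDEN);
            return;
        }
        // A method-level annotation overrides the class-level one.
        if (method.isAnnotationPresent(PermitAll.class)) { return; } // e.g. the login resource
        RolesAllowed allowed = method.getAnnotation(RolesAllowed.class);
        if (allowed == null) {
            allowed = type.getAnnotation(RolesAllowed.class);
            if (allowed == null && type.isAnnotationPresent(PermitAll.class)) { return; }
        }
        SecurityContext sc = ctx.getSecurityContext();
        if (sc.getUserPrincipal() == null) { reject(ctx, Status.UNAUTHORIZED); return; }
        if (allowed != null) {
            for (String role : allowed.value()) {
                if (sc.isUserInRole(role)) { return; }
            }
        }
        // Wrong role, or no annotation at all: unannotated methods stay closed.
        reject(ctx, Status.FORBIDDEN);
    }

    private static void reject(ContainerRequestContext ctx, Status status) {
        ctx.abortWith(Response.status(status).build());
    }
}
```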
Apache Shiro for JAAS - http://shiro.apache.org/
I'd recommend taking a look at the Spring Security library. It is highly customizable, documented well, and often used and discussed on the web. You may have heard of it before under its old name, Acegi.
Related
We are currently evaluating building a new web-application which consists of the following technology:
Back-end:
ee6 jax-rs restful web service
Front-end:
html5 UI using backbone.js (and various other libraries)
The question is, what is the best way to implement a secure session? Limitations are we cannot use oAuth (due to legacy login service we will be consuming). We need a financial industry level of security.
We are thinking about using HTTPS basic authentication with the rest server (back-end), and use backbone.js's session to elegantly handle the front end.
What are the security implications of adopting this strategy?
When you approach security issues, you must remember that your security is as strong as your weakest link. I hope you fully realize you need to secure all your communication, and not just the login.
Also, what key length are you going to use? 128bit?
I would recommend that you check out SPNEGO. I think this might assist you.
Was just wondering at the current point in time, what is a good combination of tools/frameworks/libraries for implementing a REST API on top of J2EE that integrates to a backend RDB and using OpenID for authentication.
What I am looking to implement is a server component that provides a set of services, all of which will utilise OpenID authentication, and the services will retrieve or update information to/from a backend relational database environment.
What I'm interested in are:
* application server options available (e.g. Tomcat, Glassfish etc.)
* IDEs (e.g. Eclipse, Netbeans, IntelliJ etc.)
* additional components useful for implementing REST (and JSON payloads)
* what is best practice/good technique/options available for database integration from the services (hibernate via spring, hibernate directly, raw jdbc connections ... )
* for integrating authentication via OpenID - what is an appropriate integration point for any custom authentication mechanism within the J2EE environment - are there any commonly used solutions/plug-ins available for OpenId etc.
Also any pointers to good, current tutorials, books etc.
Edit:
Unfortunately I haven't had as much time to research the results to this question as I'd have liked.
At this stage I've found that installing/setting up REST with Jersey was very quick and I believe I can use a ContainerRequestFilter to provide the OpenID support as per the article here: http://plaincode.blogspot.com/2011/07/openid-authentication-example-in-jersey.html
I intend on using OpenId4Java for the OpenId support, with the PAPE extensions to get the user's email address returned. I don't need OAuth as I don't need to access any of the user's other OpenID details or info on their OpenID site from my server app.
I've had a look at the latest Spring, it looks very good and if I were needing to build a web client with my solution, or had more time to look at both, I could easily have ended up leaning that way.
Thanks for the good answers and replies, hard to pick a single correct answer. I've accepted yves' answer because it is correct and the way I'm going at the moment with minimal time to research properly, but awarded the bounty to cfontes' answer, as it is also correct, and he's replied with additional information and justification.
Make it simple and modern (Spring is neither one nor the other for RESTful web-services):
Jersey – the JAX-RS reference – defines resources and supports OAuth; its code is compact, easy to use & to plug to libraries (backends, etc...).
Take a look at this project on GitHub, it produces JSON from static data. Its web.xml and ProductResource are good places to start.
Every server will do the job; Jetty is my favorite, Tomcat the standard.
The choice of an IDE is up to you; the 3 you're giving are great, well integrated with Maven and source control tools. I use Eclipse from habit.
I would go for:
* Spring 3: this can be useful to wire things up with Dependency injection and other things.
* Spring MVC: Restful support and Request mapping, a request based framework that integrates very well with Spring.
* Apache Tiles: to make the HTML templates easier to make.
* Spring Security: it's a JAAS implementation and for me it's better and easier than Standard JAAS (doesn't need a full web server, Tomcat will do fine).
This can help you decide which persistence provider you want: Persistence Provider comparison. I would go for Hibernate, because it has a lot of great features like the Criteria API and Hibernate Search, and it's widely used.
Of course your app should be using JPA 2 for the sake of interchangeability instead of using a persistence provider directly (it's not easy to change from one to another, but with JPA 2 it's possible; it should also be giving you a lot of trouble, but it's possible).
I would go with NetBeans 7.0.1 and GlassFish as explained here
From the linked tutorial:
The IDE supports rapid development of RESTful web services using JSR 311 - Java API for RESTful Web Services (JAX-RS) and Jersey, the reference implementation for JAX-RS.
For authentication, I would use the GlassFish JDBC Realm (have a look at this tutorial) but I have never worked with OpenID, so I don't know if this approach can be used together with OpenID.
I am developing a server/client Java application where I need to authenticate the client before sending data, also I need to encrypt the sent data after authentication and to ensure its freshness
I am wondering what is the best library that I could use to do that?
Take a look at the security module in the Spring framework. It pretty much covers all the common authentication and authorisation services.
Java Authentication and Authorization Service is a part of Java spec since SE 1.4. The API is fairly well-defined, but as it has been written with goal of covering every possible auth backend (including LDAP, smart card and similar stuff) it may bring too much functionality overhead.
Apache Shiro is one of the libraries/frameworks that I am aware of that build upon JAAS, abstracting its concepts and making them generally easier to use. The second one is jGuard, but as of Dec 2013 it seems to no longer be maintained.
You could integrate with an existing LDAP (or Active Directory) registry using OpenLDAP ( http://www.openldap.org/jldap/ ).
You could use Public Key Encryption and do client authentication based on certificates.
Check out JSSE of SUN on secure sockets
If you are not using Spring and you are using some off-the-shelf server framework, look there - most include authorization modules.
Preferably something that integrates well with a Flex front end. Yes, the Spring Security guys say this is possible, but all examples seem to use legacy JSP tag libraries, making them half useless as examples. I don't want to spend a month setting up and learning how to use a security tool. I would like a tool which supports using annotations (@RolesAllowed etc.), MINIMAL XML, and 'remember-me' features (not cookie based).
Apache Shiro seems to support Flex/Silverlight/Swing as well but I'd like to know if there are any other alternatives that are NOT container specific.
Turns out Apache Shiro is actually a simpler and easier to learn solution than Spring Security. And no stupid XML configuration is nice.
Spring Security is by far the best tool out there.
BlazeDS is no magic. It is ultimately just a call to the server over HTTP. The Blaze application is just a war file, and has traditional urls. So, to protect the services, you have to protect the urls in your web.xml / spring configuration files.
Essentially, read the documentation of Spring Security/JAAS, and substitute the jsps with the urls of your blaze services.
Spring Security also has support for Roles and authorization. It also has a remember-me functionality, but that absolutely uses cookies. You cannot have a remember-me functionality without cookies.
Regarding authentication, it is possible to pass the authentication token as a request parameter instead of a cookie. But cookies are recommended, and are a lot easier to get right.
And finally, security is pointless without using https. You absolutely must use https throughout your application if you care about security.
I don't see why Flex should authenticate anything; after all, that is the client side. What's stopping someone from decompiling your Flash/Flex?
For most people Apache Shiro is overkill and they just roll their own. Which isn't the best idea to be honest. I have seen a lot of horrible authentication systems over the years. Cookies are meant to keep track of the session for the client, why use anything else?
Edit:
Use Spring Security for authentication.
I come from an ASP.NET background. In ASP.NET, there is built-in support for users and roles. My question is, does JSP have anything similar or is everything built from scratch? I have not been able to find a good resource to answer this application structure type of question.
The Servlet API supports user/role based authentication and security. Tomcat (among others) includes built in support for authenticating using a variety of sources: xml file, database, LDAP, etc.
You could also consider using Spring MVC as a fairly lightweight web framework over JSP. Spring has a very capable authentication & authorization model (right down to method level on objects) using Spring Security (was Acegi) interceptors which can use the sorts of sources that Asaph talks about. You don't need to use Spring MVC in order to use Spring Security if you don't want to.
If you're going to be running your JSPs in a full J2EE server like JBoss, WebLogic or WebSphere there are a whole load of security options that come with such containers incl. integration with AD users and groups.
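What the built-in Servlet API user/role support mentioned in these answers looks like in code, as an added example that is not from any of the posters. It assumes Servlet 3.0 (`javax.servlet`), a login method and user realm configured in the container (for Tomcat, one of the sources listed above), and hypothetical role names `user` and `admin` and class name `ReportServlet`.

```java
import java.io.IOException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: the container authenticates the caller and checks roles before
// any method below runs; CONFIDENTIAL makes it require HTTPS for these URLs.
@WebServlet("/reports/*")
@ServletSecurity(
    value = @HttpConstraint(
        rolesAllowed = {"user", "admin"},                        // hypothetical role names
        transportGuarantee = TransportGuarantee.CONFIDENTIAL),
    httpMethodConstraints = @HttpMethodConstraint(
        value = "DELETE",
        rolesAllowed = "admin",                                  // stricter rule for DELETE only
        transportGuarantee = TransportGuarantee.CONFIDENTIAL))
public class ReportServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.setContentType("text/plain;charset=UTF-8");
        // getRemoteUser() is the login name the container authenticated.
        resp.getWriter().println("Reports for " + req.getRemoteUser());
        // Programmatic check for finer-grained decisions inside an allowed request.
        if (req.isUserInRole("admin")) {
            resp.getWriter().println("Admin view: all departments");
        }
    }

    @Override
    protected void doDelete(HttpServletRequest req, HttpServletResponse resp) {
        // Only reached by callers in the "admin" role (enforced by the container).
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

The same servlet can forward to a JSP, where `request.isUserInRole(...)` and `request.getRemoteUser()` are available in the same way.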