I have a java web application running on tomcat, and will use single sign on (against an Active Directory) for authentication.
What I want to accomplish is, that only certain pages in the web app are allowed to be the first "landing page" in the site.
The use case is that one may point the browser to index.jsp, and then be authenticated behind the scenes, and then be forwarded to some_content.jsp.
However, if I point the browser directly to some_content.jsp, I want the request to be denied, somehow, and NOT authenticated behind the scenes.
To rephrase, if I go to some_content.jsp first, without already being authenticated, I do not want authentication to happen, eventhough I have SSO set up.
Is it a matter of some fairly simple security-constraint, or what could a solution be? I am looking for a solution that can be configured, rather than adding code.
Thanks a lot!
This won't work with container managed security. The only method to have a concrete login-entry-point with container-manager auth like in Tomcat is FORM auth. I use SPNEGO auth myself and Tomcat will perform it on any URL if it is denoted as protected. So a routing login page is not possible unless you write a custom authenticator.
Related
I wanted to get some more information on about form based authentication. I understand that the form based authentication mechanism is used when you want to protect certain server resources, like all jsps under a certain directory, and only make those URL's available to users with certain roles.
I am working on an application from scratch, just to get better at web development, and I have the form based authentication setup, and it is working fine. However, I would also like to build in the ability for users to login on the fly, using a 'Login' button, not just when they necessarily try to access a protected resource.
I know that when I tried to have the login button take the user to the login page that uses j_security_check as its action, the server yelled because I was directly accessing the login page, which makes sense because since I wasn't trying to access a protected resource, so I guess the server wouldn't know where to take me after I authenticate.
So, my question is, if I want to keep the form based authentication in place to protect some admin resources, but also have the ability for the user to just login on the fly using a login button, do I have to roll my own security, and have the form take me to a servlet(for example) that manually checks the username and password against the database, and set some attribute that says whether or not the user is logged in? How would that mesh with the server knowing whether or not I'm logged in? I know that there are some server side methods for getting the user, asking if they are in a certain role, etc, but isn't that all server managed, meaning I can't just say 'hey, I've authenticated the user myself, and this is who they are, it has to go through the form based authentication? I'm still learning web development. Thanks for the help.
The only way I can think of providing the behavior that you want is through a cookie that doesn't expire easy, which has its fair share of security concerns. It seems you want to have the ease of use that the "Login with Google", or "Login with Facebook" have. These tend to make heavy use of something called OAuth, and I don't think are applicable for your project.
Are you forced to login for a resource every single time you access it? You shouldn't be , as you seem to be using the servlet's form authenicator.
I have a live spring web app running on amazon and I have recently found login attacks from various IPs. So far nothing has been compromised as the login system is secure enough, with complex passowrds, and encoding with salt etc..
However, I would like to prevent this.
One thing that the logs revealed was that the attackers are somehow able to reach my service classes (only the authenticaltion manager) circumventing my login page. I dont have a special url for login, but how is it possible to call the authentication manager/service etc without going via the login jsp ? I can see logging from loadUserByUsername() method of my authentication service class (which implements UserDetailsService).
Any help will be much appreciated.
Why do you need login.jsp, you can simulate a person posting the login form just by performing HTTP post with all the parameters right?
If all the request coming from the same IP, you can configure your firewall to block it. Other mechanism is to put a delay after a number of failures (eg 30min delay after 5 subsequent failures).
If you want to go further, two form authentication will increase security, eg perform sms confirmation if user is logging in from unknown IP / computer
I have a couple of Java-based web applications developed. Both the applications have separate Authentication logic based on some ActiveX directory implementation.
Now, I need to change this to Windows authentication so that whenever the user hits the URLs of my web applications, instead of redirecting him to login page I need to check his Windows credentials.
I do not want to store his windows credentials in URL.
Is there any good way to do this ?
Depending on the level of integration you want your web application to have, Spring Security should have you covered in just about all aspects of what you are after.
If redirecting to a login page and authenticating the entered credentials against an Active Directory server via LDAP is acceptable, then the LDAP extension is the way to go.
If you want more of a Single Sign On (SSO) flow and your users are already authenticated against the authoritative Active Directory server in question (eg. they are logged in to the domain), then the Kerberos plugin for Spring Security may be more appealing, since your users will simply have to go to the web application and won't have to go through any other authentication steps. The systems will take care of it behind the scenes.
You can also combine / layer these approaches if you which and try Kerberos-based authentication first and if that falls through, fall back to a login form and LDAP-based authentication.
If you need to go beyond that, Spring Security is flexible enough to allow you to use OpenID or in-app authentication as well if needed.
I'd recommending using Active Directory to expose it's windows authentication layer over LDAP, which can then be hit by something like Spring Security.
This would effectively force anyone using your application to use their windows login.
We've configured Liferay to use CAS. However, it only works when you click the sign in link in the top right. The standard login portlet where you enter your username/password does not go against CAS. We would like to have this portlet use CAS, which I'm assuming would be via the proxy method.
Any ideas on how to accomplish this? I figured this would be an out-of-the-box sort of functionality once you enable CAS within Liferay, but it appears to not be.
Thanks!
One of the main advantages for using any SSO solution (like CAS) is that the single applications don't ever get access to your password - it's solely in the realm of the SSO solution to handle this.
My advice is to remove the standard login portlet from the page instead of changing it to go to CAS. You can add a link to the CAS login page if you want, but you don't need the login portlet for that.
Web Apllication shows login screen after logged in when i click back button in browser.
I am using spring framework. Is there any Solution for this?
Use sessions. If he has logged in, save his username, or id to a session variable. At your login page, make sure to check that session. If it exists, redirect him to another page. Else, login.
I don't recommend using self-implemented authentication tools unless there is a strong reason not to use existing libraries (very rare case, based on my experience).You might want to check out spring-security, a project which could deliver pretty much everything you might need in terms of securing your web application. You definitely can achieve this behavior using this library. Although, it didn't work properly in Mozilla Firefox, if I recall. I guess Mozilla just reads the webapp from cache and doesn't even communicate to the server in such cases. But I might be wrong here.