Reading the Java EE security docs, where they define a security realm to be:
An access channel for the application server to storage containing user's authentication and grouping information.
What do they mean by "access channel"? Is this a port number, or some sort of networking term? And what do they mean by "authentication/grouping information"? Permissions?
I'm just looking for some concrete (non-vague) examples here! Thanks in advance!
A realm is a credential store that enables identity or role based access control.
http://docs.oracle.com/javaee/5/tutorial/doc/bnbxj.html#bnbxm
What is a realm?
For a web application, a realm is a complete database of users and groups that identify valid users of a web application (or a set of web applications) and are controlled by the same authentication policy.
The Java EE server authentication service can govern users in multiple realms. In this release of the Application Server, the file, admin-realm, and certificate realms come preconfigured for the Application Server.
In the file realm, the server stores user credentials locally in a file named keyfile. You can use the Admin Console to manage users in the file realm.
When using the file realm, the server authentication service verifies user identity by checking the file realm. This realm is used for the authentication of all clients except for web browser clients that use the HTTPS protocol and certificates.
In the certificate realm, the server stores user credentials in a certificate database. When using the certificate realm, the server uses certificates with the HTTPS protocol to authenticate web clients. To verify the identity of a user in the certificate realm, the authentication service verifies an X.509 certificate. For step-by-step instructions for creating this type of certificate, see Working with Digital Certificates. The common name field of the X.509 certificate is used as the principal name.
The admin-realm is also a FileRealm and stores administrator user credentials locally in a file named admin-keyfile. You can use the Admin Console to manage users in this realm in the same way you manage users in the file realm. For more information, see Managing Users and Groups on the Application Server.
Related
We have a Springboot application (with embedded tomcat) which exposes certain API's. There are two major access points for these API's. (1) Users (2) Machines
The users needs to access these API's using basic authentication (username & password) on TLS while the Machines need to access these API's using Client Certificates (two-way SSL mutual authentication). I have added the following settings in application.properties
server.ssl.key-alias=server
server.ssl.key-store=classpath:server.jks
server.ssl.key-store-password=mypass
server.ssl.key-store-provider=SUN
server.ssl.key-store-type=JKS
server.ssl.client-auth=want
But this is still not allowing access through basic credentials. How do I solve this?
I have a Java Spring Boot web application deployed on an Azure App Service (not embedded Tomcat, but using App Service Tomcat PaaS). This application needs to make a call to a REST API, that is secured by mandating mutual authentication, i.e. with a client certificate.
I have the PFX file, and I don't have access to the environment to add the certificate to the keystore, truststore, etc.
Is there any way to call the REST API in Java, with just the client certificate, which possibly is part of the web application resources (or retrieved from KeyVault)?
I have the PFX file, and I don't have access to the environment to add the certificate to the keystore, truststore, etc.
Per my understanding, for using SSL certificate in Azure App Service, you could try to follow the steps below:
1) Click "SETTINGS > SSL settings" of your web app, then click Upload Certificate for uploading your certs.
2) Add a seting named WEBSITE_LOAD_CERTIFICATES with the value equals to the thumbprint of your certificates which would be accessed by your application code. Also, you could just load certificate as a file in your code. Details you could follow Use an SSL certificate in your application code in Azure App Service.
Moreover, if the above approach could not meet your requirement, you may use Azure Key Vault as your cert store. For a simple way, you could add your certificates via Azure Portal, details you could follow here. For retrieving your certificate in your code, you could follow Authentication samples for Azure Key Vault using the Azure Java SDK for authenticating to your key vault and retrieve your certificate.
I have an Apache server that handles authentication and authorization before forwarding requests to a second server.
Users accessing the server from a browser are authenticating with LDAP and the authorization checks to see that username is present within a defined file.
I also have a Java application that can access the server (at a different endpoint), which currently hardcodes a username and a password into a request URL and leverages Basic Authentication over SSL.
Rather than use Basic Authentication, is it possible to configure Apache to accept a keystore/truststore from the Java application and authenticate/authorize on the certificate's CN and a password? If so, can anyone cite an example?
You can configure Apache to request client certificate authentication and use +FakeBasicAuth SSLOption in order to preserve compatibility with your current setup.
If the Java application can be restrained to certain URLs then you can require certificate authentication, otherwise make it optional as you do not want your other clients to have to authenticate with certificates.
There are good examples of this in the SSL/TLS - How-To in the Apache documentation.
I have a web application running on Tomcat 7 and it is configured with a custom JNDIRealm and my login-config auth-method in my web.xml is set to "FORM".
I am trying to find a way to add the ability to authenticate users through the same LDAP with a smart card, if presented.
I have changed my server.xml to have clientAuth=want, but want to know if there is a way to authenticate the user when a certificate is presented via the LDAP and then re-direct them past the login form. Is this possible?
EDIT: Michael-O below was marked as the right answer because I was able to achieve this by creating a custom class that extends FormAuthenticator and then registering that in Tomcat's authenticator.properties. This allowed me to check for a x509cert from the client in the request. If the cert is present and valid, authenticate and forward the user to the secured resources page. If not present or invalid, forward the user to the form login.
You obviously do not now what you want or what technologies you are actually using. Smartcard authentication is mutual SSL authentication. So you first need to configure Tomcat to accept SSL-based authentication. Your realm will receive the X509 certs and will try find your DN in your data store. The store can be anything, database, files, directory, etc.
I have simple application deployed on weblogic (12) server. On Security realms I've created user with password. Now I want to use those credentials to connect from the java client code (inside my app) to some external server (like LDAP). Is this possible? To use user defined in realms without passing password (cause password will be defined on weblogic)?
What is the best practice for storing user credentials (for connecting to other systems)?