I have a Java web application (running on JBoss), which needs to authorize users by their domain objects, without asking for any usernames and passwords.
Users are running Windows; authorization is against an LDAP server.
The web application is based on Spring, so I hope this functionality is already implemented, but I didn't find it.
Is it possible to authorize a user without asking for a username and password?
Some links on samples would be great :)
Found some solutions. Links below:
http://rgagnon.com/javadetails/java-0441.html - old sample through JSP
http://blog.springsource.org/2009/09/28/spring-security-kerberos - a bit harder, but a more current sample of the Spring Kerberos/SPNEGO extension (that's what I was looking for).
A customer wants to reach a section (where a process with a wizard takes place) of our app from their portal. It means, from their app (.Net) they want to have a link in order to reach a particular section of our app BUT! without having to go through the login process. Our app is a Java app (GWT) and it uses FORM based authentication. I did an implementation with oAuth but they don't want login. I have no idea how to deal with this problem; I don't know if there is an alternative to get logged in by following the way they are looking for.
You probably need Single Sign On.
If you choose to go the SSO way, there are some libraries that might help, like JCIFS (useful for auth using NTLM) and Jespa. There is also Waffle, but this one works only on Windows servers.
This article explores many options for JBoss:
https://dzone.com/articles/choosing-sso-your-jboss
I have two Java webapps, potentially on different domains/servers, using Spring Security for authentication. The first handles authentication locally, storing users in the application database. For the second, I would like to authenticate users using the same user accounts as the first webapp, with single sign on (if a user is authenticated in the first webapp, they shouldn't have to enter their info again in the second).
I identified three potential ways to do this but it doesn't seem very straightforward:
Shared cookies: Using a shared session cookie and the same database for the two applications. It seems relatively easy to do, but the two webapps need to be on the same domain, which isn't necessarily the case for my applications.
Directory service: Using a central directory service (LDAP) which would be used by the two webapps to handle authentication. It seems pretty heavy to implement, and the users can't be stored in the first webapp's database anymore. The existing user accounts would need to be migrated into the LDAP, and it would not be possible to create new users using the first webapp.
OAuth: It seems to be possible to make the first webapp handle external authentication requests by providing an OAuth API (like Google sign-on kind of service). That would allow the second webapp to use this API to authenticate the users, but I'm not sure that the sign-in process would be totally transparent enough to handle single sign on. It doesn't seem very easy to implement either, as it would necessitate the development of a complete OAuth API in the first webapp.
I also looked at this service https://auth0.com, which seems to provide an authentication API that can be interfaced with an external database, but I'm not sure that it can be interfaced with Spring Security, and it also mandates the use of an online solution, which isn't ideal. I'm not sure that it would handle single sign on either, only shared accounts.
Is there any other way to handle this use case that would be more straightforward?
CAS is indeed a good candidate as an SSO system for your need, and it has several CAS clients for Spring Security. You can try a CAS server v4.0 for free at CAS in the cloud: http://www.casinthecloud.com...
As you mentioned, a shared cookie won't work across domains.
LDAP would give you shared credentials (a single name/pw works for both systems), but not single sign on, and as you noticed, you'll have provisioning issues.
Not knowing anything about Spring Security, odds are high you won't find a painless solution to this. Integrating SSO is fraught with workflow issues (user provisioning, password recovery, user profile maintenance, etc.).
We had a classic DB-managed authentication scheme. Later, when we added LDAP support, we added the capability for "auto-provisioning". This basically consisted of having the application pull down the relevant demographics from the LDAP store during login, and simply updating fields each time the user logged in. If the user didn't exist, we'd create one on the fly.
This worked well, because the rest of the application had no awareness of LDAP. It simply worked with the user profile we managed already and if it needed something from the DB, the data was there.
Later, when we integrated SSO, we just leveraged the existing LDAP logic to pull from the SSO server and do the same thing.
This workflow helped a lot with provisioning and management. We could maintain the authoritative source (LDAP, SSO), and the app just kept up. What it hindered was local editing of the user profile, so we simply disabled that. Let them view the profile, but they could go to the other system's portal for management. Inelegant, but it's a rare use case anyway, so we just muddled through it. We eventually worked out two-way pushing and replication, etc., but it's a real pain if you don't need it.
You can look here if you want an overview of how to do cross domain SSO: Cross Domain Login - How to login a user automatically when transferred from one domain to another
For our SSO, we use SAML v2 Web Profile, but we ended up writing most of our own code to pull it off.
But, bottom line, no matter what the web sites say, integrating this is non-trivial. The edge cases and workflow/help desk issues that surround it are legion. And it can be a bear to debug.
I have a couple of Java-based web applications developed. Both the applications have separate Authentication logic based on some ActiveX directory implementation.
Now, I need to change this to Windows authentication so that whenever the user hits the URLs of my web applications, instead of redirecting him to login page I need to check his Windows credentials.
I do not want to store his windows credentials in URL.
Is there any good way to do this?
Depending on the level of integration you want your web application to have, Spring Security should have you covered in just about all aspects of what you are after.
If redirecting to a login page and authenticating the entered credentials against an Active Directory server via LDAP is acceptable, then the LDAP extension is the way to go.
If you want more of a Single Sign On (SSO) flow and your users are already authenticated against the authoritative Active Directory server in question (e.g. they are logged in to the domain), then the Kerberos plugin for Spring Security may be more appealing, since your users will simply have to go to the web application and won't have to go through any other authentication steps. The systems will take care of it behind the scenes.
You can also combine / layer these approaches if you wish: try Kerberos-based authentication first and, if that falls through, fall back to a login form and LDAP-based authentication.
If you need to go beyond that, Spring Security is flexible enough to allow you to use OpenID or in-app authentication as well if needed.
I'd recommend using Active Directory to expose its Windows authentication layer over LDAP, which can then be hit by something like Spring Security.
This would effectively force anyone using your application to use their Windows login.
I need to create a webapp that has a login system.
The user should authenticate against a database.
I want to save the user role in the session - or are there other (better) ways?
Furthermore there are areas for user access.
Guest area,
user area,
admin area.
The question now is:
How can I easily implement the authorization with jsf2.0?
I don't want to test on each site whether the user is permitted to access the site or not.
Is there a configuration in web.xml or faces-config.xml that tests the cases?
Can someone show me a tutorial or sample code?
Thanks and best regards
veote
You can also look at these options (frameworks):
Spring Security
Apache Shiro
Java EE Security Tutorial
As already suggested Application Server provided Authentication/Authorization.
Implement a Filter (Custom home grown logic for Authentication/Authorization)
Blogs covering AnA in JSF
User session filter
Access Control in JSF using a PhaseListener
Hope this helps
I am not familiar with WebSphere, but since it is a Java EE 6 compliant application server, you can create a JDBCRealm for this purpose. See this chapter of the Java EE 6 tutorial.
You can try this approach; it uses a PhaseListener to check if the user has rights to access the current site during the RESTORE_VIEW phase. It is quite easy to implement and it's portable between different servers (as opposed to realms).
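As an added example (not code from the answer above), here is what the PhaseListener approach looks like for the guest/user/admin areas from the question, assuming views live under /guest/, /user/ and /admin/, the login page is /login.xhtml, and login stores the role string in the session under the key "role":

```java
// Added example, not from the original answer: a JSF 2.0 PhaseListener that
// enforces the guest/user/admin areas after RESTORE_VIEW. Assumed layout:
// views under /guest/, /user/, /admin/; login page /login.xhtml; role in session.
import java.io.IOException;
import java.util.Map;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.faces.event.PhaseEvent;
import javax.faces.event.PhaseId;
import javax.faces.event.PhaseListener;

public class AuthorizationPhaseListener implements PhaseListener {

    @Override
    public PhaseId getPhaseId() {
        return PhaseId.RESTORE_VIEW; // first phase in which the view id is known
    }

    @Override
    public void beforePhase(PhaseEvent event) { } // view not restored yet

    @Override
    public void afterPhase(PhaseEvent event) {
        FacesContext ctx = event.getFacesContext();
        String viewId = ctx.getViewRoot() == null ? null : ctx.getViewRoot().getViewId();
        if (viewId == null || viewId.startsWith("/guest/") || viewId.equals("/login.xhtml")) {
            return; // public area, no check needed
        }
        Map<String, Object> session = ctx.getExternalContext().getSessionMap();
        if (isAllowed(viewId, (String) session.get("role"))) {
            return;
        }
        try {
            ExternalContext ext = ctx.getExternalContext();
            ext.redirect(ext.getRequestContextPath() + "/login.xhtml");
        } catch (IOException e) {
            throw new IllegalStateException("redirect to login failed", e);
        }
        ctx.responseComplete(); // stop the lifecycle so the protected view never renders
    }

    /** Fail closed: a view that is not explicitly mapped to a role is denied. */
    static boolean isAllowed(String viewId, String role) {
        if (role == null) return false;
        if (viewId.startsWith("/admin/")) return "admin".equals(role);
        if (viewId.startsWith("/user/")) return "user".equals(role) || "admin".equals(role);
        return false;
    }
}
```

The listener is registered once in faces-config.xml under `<lifecycle><phase-listener>`, so no per-page check is needed.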
I'm working on a server written in Java, and a client (a desktop application written in .Net) that runs on Windows machines on the same network. I would like to have some basic authentication so that the server can determine the username of the user running the client, without needing the user to re-enter their Windows password in the client.
Is this possible, and what's the simplest way to accomplish it?
I had a look at some of the available APIs, and it looks as though the org.ietf.jgss package in Java and the NegotiateStream class in .NET should probably be able to talk to one another to achieve this - but I keep hitting frustrating error messages I don't understand. I thought I'd check if this is the right approach; if so I'll post a separate question with more detail about the errors in question :)
The approach is the right one. Notice a number of things, though:
this will have nothing to do with "Basic Authentication" (in HTTP)
.NET will try to use the SPNEGO GSS mechanism. See the Sun documentation for proper support of this mechanism.
your service will need to incarnate a service principal. So you need to create an Active Directory account not only for the user, but also for the service, and you need to put the service's password into the Java keytab.
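As an added example (not code from the answer above), this is the acceptor side of the org.ietf.jgss exchange the answer describes, running under the service principal from a keytab. It assumes a JAAS entry named "ServerKrb" (Krb5LoginModule with useKeyTab, storeKey and the service principal) loaded via -Djava.security.auth.login.config, and that both sides frame each token as a 4-byte big-endian length plus the token bytes, which the .NET client must match:

```java
// Added example, not from the original answer: server side of a Kerberos/SPNEGO
// handshake with org.ietf.jgss. Assumed JAAS entry "ServerKrb" (keytab login) and
// an assumed transport framing of 4-byte big-endian length + token bytes.
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

public class SpnegoAcceptor {
    private static final int MAX_TOKEN = 64 * 1024; // reject absurd token sizes

    /** Logs the service in from its keytab and returns the authenticated client principal. */
    public static String authenticate(DataInputStream in, DataOutputStream out) throws Exception {
        LoginContext lc = new LoginContext("ServerKrb"); // keytab login, no prompt
        lc.login();
        try {
            return Subject.doAs(lc.getSubject(),
                    (PrivilegedExceptionAction<String>) () -> accept(in, out));
        } finally {
            lc.logout();
        }
    }

    private static String accept(DataInputStream in, DataOutputStream out) throws Exception {
        GSSManager manager = GSSManager.getInstance();
        GSSCredential serverCred = manager.createCredential(null, // principal from the Subject
                GSSCredential.INDEFINITE_LIFETIME, new Oid("1.3.6.1.5.5.2"), // SPNEGO
                GSSCredential.ACCEPT_ONLY);
        GSSContext ctx = manager.createContext(serverCred);
        try {
            while (!ctx.isEstablished()) {
                int len = in.readInt();
                if (len <= 0 || len > MAX_TOKEN) throw new SecurityException("bad token length");
                byte[] inTok = new byte[len];
                in.readFully(inTok);
                byte[] outTok = ctx.acceptSecContext(inTok, 0, inTok.length);
                if (outTok != null) { out.writeInt(outTok.length); out.write(outTok); out.flush(); }
            }
            return ctx.getSrcName().toString(); // trust the name only once established
        } finally {
            ctx.dispose();
        }
    }
}
```

The returned name is the client's Kerberos principal (user@REALM); anything read from the stream before isEstablished() is true must not be treated as authenticated.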
If you're using Active Directory, I think the Spring LDAP module can offer you a nice way to access credentials.
Not being familiar with the GSS mechanism, I would suggest a shared key mechanism like the one used in passwordless ssh.
This open source library http://spnego.sourceforge.net has exactly what you are looking for. It implements an HTTP Servlet Filter on the server so that your web-app can call request.getRemoteUser() to find out the username.