I'm fairly new to java development and I have found myself tasked with implementing a functionality authorization system for a desktop application written in java.
Currently the application requires user authentication at startup and users are authenticated against an active directory server via LDAP.
The application as it stands has no user privillage system in place, once a user is authenticated they have full access to the applications entire functionality.
What I need to do is define a number of user roles or groups which have access to different functionality i.e. user:Alice (of group:Admin) may see menuItem:EditCell in a popup menu for a JTable but user:Bob (of group:Peasant) may not.
It has been suggested that I look into Spring security and method/class annotation but I'm finding it a little difficult to get my head around the information I have found so far.
Is there anyone who has had a similar experience around who might be able to offer some assistance?
Cheers,
I would definitely recommend Shiro over Spring for your use case. Take a look at their website and go through the 10 minute quick guide. You'll be surprised at home much you can get done with simple, straightforward code.
For simple testing you can define roles within Shiro itself, but eventually you are going to want to put all the roles into your LDAP.
Related
I have a j2ee web application that is typically accessed over the intranet.
I have a requirement to have only a small set of webpages in the application exposed over the internet. There isn't a large set of users who need the internet access. I dont really want to expose the whole application as is over the internet, since it has some other sensitive data. I'd like to add an extra layer of access restriction/security on top (even though the application has role based access). What would be a good way to achieve that?
Some options that come to mind are below (not given too much thought to it yet)
Figure out something in Apache (our web server) to restrict access to only certain set of URLs in the application. Not sure if something like that is supported out of the box or with some modules.
Mark internet based request with some attribute in Apache, and in the application layer use Spring security to restrict access.
Use something like a citrix server to allow indirect access to the application through a virtual desktop. I wonder if this is easier said than done and if its really buying me anything.
Build another web application that acts as a proxy to my large application for those limited web pages. Initial thought, this sounds like too much work.
Your thoughts? Any Better options, different products?
I would recommend to use Spring MVC.
As you already have role based access in your application, it should be quite easy to develop controllers which will render jsp that are relevant to that logged in user.
Though Spring MVC being a proven and robust framework, compare the effort that you need put in for Spring MVC integration with other solutions.
Is there a security Framework available for Java Desktop Applications? When I searched on google I saw persons talking about Spring Security, however it seems to be chiefly web-based. I have been using ordinary java code(Login forms, jdbc) to implement User Level security but I am not comfortable programming this way. Thanks for your assistance
I have decided to use Apache Shiro Security Framework. It is very easy to use and the website host good documentation. Thanks all for the help.
you can still use rolebased access and some sort of directory service for desktop applications and you could do that with spring it's not necessarily only for web access. not that i'm pushing spring specifically.
regards
It's hard to really answer you without knowing what threat model you're thinking of.
Do you doubt that the signed in user has permission to open your application?
Does the application talk to a server and get data from there?
Are you concerned with the user tampering with code?
In the first case, this seems like something that is better handled with OS level permissions.
In the second case, handle your security on the server, you can't trust the client anyway.
In the third case, good luck.
I have been trying to implement SSO in an existing java web-application. I have spent lot of hours to understand this thing but couldn't get success so far. Can anyone tell me some guided way by which I can achieve it.
I am looking for
With what module/API should I start
What will be best way to implement SSO for a beginner
Any good books/blogs/websites.
PS : I know Servlet/JSP and have built very simple application using JSP/Servlet till now. (NO FRAMEWORK).
What exactly do you mean by single sign on, is your application distributed or single sign on on different applications?
You could write filters for authentication and authorisation; where you check for a valid session and if the user has logged in; depending on that dispatch the request to a resource or login page.
Another option is to use Java EE declarative security.
This is a very beginner question. I have tried to search for advice but am overwhelmed by the amount of information and would like some help with ideas on approaches to server design or what to search for!
What I would like to set up is a backend server that provides search capabilities and business logic and validation across some fairly basic data. It wont get too large.
I would then like to be able to plug in a website as a front end or a mobile app or a facebook app or even a desktop app..
My question is what is the best way for front ends to hook into the backend? I would like to have various user accounts with permission levels so authorisation would be important.
I generally only code as a hobby so whilst technically I have built a spring based website before the exact semantics of the client server relationship weren't clear to me. Now I want to separate the backend so that is is agnostic of how the data is displayed or entered completely and can run on a separate machine.
Thanks,
Rob
There is a ton on options. I had good expirience with apache CXF rest services (logic encapsulated in java beans, spring configuration) and pico web remoting ( more exotic,
but also rest service and plain java objects providing business logic)
if you ar already using spring, I would recommend to stick with CXF - it integtrates seamlesly ( and is spring configured itself )
I´m developing an web application in java that is called from a pre-existent portal.
I need to check if the user is authenticated in this portal to show my application.
I don´t have access to his database to check the user and pass again.
I don´t know what the portal can pass to me that garantees that the user is
authenticated.
Maybe a token, or i can check the domain. I´m not sure how to do this.
I´ve searched to use spring security, but i didn´t find a solution yet.
Some sites say to integrate it with cas, but i don´t have cas here.
Can anyone help me?
Web applications can use container based security.
You need to hook this mechanism up with the portal which may, or may not, be relatively easy. The portal must expose its security mechanism.
How to actually do this, depends on your actual container.
I think it is not possible to answer the question here. If other portal links to your application and requires you to identify other portal's user, it must specify how this could work. You all need to specify an interface between the two applications which describes how exactly user identification has to happen. "other portal" people should tell you what they support as well as what they recommend...