I have web-app on Tomcat. I need to limit access to all its resources only for authenticated users. User logins and credentials are located in some DB table with according columns. What's the easiest way to implement this in the case database schema is not to be modified.
I found some options:
Extend tomcat JDBCRealm. It requires additional table for roles (that's why extending instead of using standard), but i have simplified case of just one role.
Implement JAAS LoginModule based on DB. If there is existing opensource solutions with license for usage in proprietary software let me know about it.
After successful login put an user in session attribute. Then implement servlet filter that checks for presence of that attribute in the session.
Probably there are simpler options. So it will be interesting to see them.
Related
Good day community:
I am currently developing projects with MyBatis, Spring Security and JSF 2.2.
I've done with these frameworks, 3 projects. These projects have three different database developed in SQL Server 2008.
Then, users of each database are the same, but they are in a Users table each, ie there is a table users per database.
What we have asked is that there can be only one single sign, and thus a user only has a single username and password.
How could make for these three systems are unified into single login?
My current solution in which also I have problems is:
Create a view in SQL Server 2008 users to bring me a central database and from there access is obtained.
Create an authentication module, which at login, can see only those systems where the user has access; in this case, clicking on one of these systems, automatically enter without again login. I was thinking to login to web services.
I hope I can help with ideas or ways of solutions.
All users are retrieved from a database and systems can continue to increase, but henceforth depend on the database.
Greetings and thanks.
Have you come across the Spring SAML module before? This is Spring's implementation of SAML 2.0 authentication, designed specifically with single sign-on in mind.
One of your servers can act as the identity provider, which you can think of as the main system that the users access. They will enter their username and password into this system. The other two systems will need to be setup as service providers - when a user tries to access one of them, they do not enter their username and password. Instead, a request gets sent to your identity provider (main system), which receives and validates the request, and will then allow access if the user is signed in to the identity provider already. If they are not signed in already, it will re-direct them to the login page for the identity provider from which they can login, and will then be re-directed to the system they were attempting to access.
Sorry if that is confusing at all. Head over to here for more information about the Spring SAML module. I implemented SSO for one of my clients using this, and I can highly recommend it for ease of configuration and implementation.
when using a JDBC realm for authorization I usally have this tables:
User table
Role table
Group table
When I now login with username, password the security module makes a lookup in the table: give me all roles for user: username.
Can I somehow hook into the process and add another attribute? E.g.
give me all roles for user: username where UserTable.X = Y ?
Note: I must use pure Java EE
There are some possibilities to achieve the desired behavior.
The easiest solution would not be to customize the login process, but to use a manual lookup using perhaps a #WebFilter or some similar approach.
If you need or want to customize the login process itself have a look at JASPIC (relatively new). In the version 1.1 it is quite usable, but its support depends on the application server you are using. The idea is to write an own login process and pass a custom Principal back to Java EE. Here is a nice collection of links: Zeef
An older approach to customize the login process is to create an application server specific security realm. In other words you are writing or extending the JDBC Realm that is currently used by your application server. You can then also pass a custom security principal back to Java EE.
I need to create an application with authentication and authorization using Java EE 6 (Glassfish Server). I read a lot about Java EE 6 security and just wanted to ask if my concept is correct:
Every user in the company has an account according to "X123456". I want to use this for LDAP Authentication:
Application ---> LDAP
So, I can use the company's infrastructure to authorize the user.
However I want to be in control of the roles in my application. So, I want to define my own roles using JACC. Therefore I will create a database with a user-to-role mapping,
Example: "X123456 -> ADMIN".
The benefits would be:
I don't need to store any password
I can create a kind of admin panel in my application where I can set the existing roles to users dynamically
Do you think this would be technically possible and good practice?
Alternative: Would it be possible to define the roles (Admin, User) in Active Directory and query it via LDAP? So I could outsource my user-to-role mapping into active directory.
Update:
For authentication I currently use a LDAP-Realm (user, password).
For authorization I want to use a database (rolename, user). However I don't know how to tell my application to use the database for authorization. If I would use a JDBC-Realm, I could specify the Group/Role table and column. Is there a way to tell my application to just use the JDBC-Realm for authorization?
Questions:
Is there a concept of user & role that is general to Servlet Containers?
If so, is there a container agnostic way to access those users and roles?
If not, is there a way to access Tomcat Realm users & roles?
Background:
I would like to either get all users and their roles from the Java webapp context (Servlet Container) or, better yet, query the users and their roles directly.
I see that there are projects like Apache Directory which let you do this for LDAP if you know the connection string. However, I want to be agnostic to the technology serving up the users and roles.
Specifically, I'm on Tomcat and in the simplest scenario want to access the users & roles in a) tomcat-users.xml b) any other configured Realm in the context. However, I am really looking for a solution which isn't specific to Tomcat and it's Realms.
In tomcat(or any other conytainer) (using std. Servlet API), directly accessing of user roles is not possible (without using tomcat/third party specific mechanisms). the getUserPrincipal & isUSerInRole are the two methods, access to the role list is not directly possible.
Since the API does not provision for such an access, I guess you will have to rely on other mechanisms which is container or technology specific.
As you pointed out, if the realm configured is a JNDI realm and the realm store is implemented over an LDAP, it is possible to write a servlet filter and get the roles from the LDAP and set them on session or on a thread local.
I'm working on an existing j2ee app and am required to remove some vendor specific method calls from the code.
The daos behind a session facade make calls into the ejb container to get the user's id and password - in order to connect to the database. The user id and password part of the initialContext used to connect to the server.
I am able to get the userid using sessionContext.getCallerPrincipal()
Is there anyway to get to the SECURITY_CREDENTIALS used on the server connection or, is there a way to pass information from the server connection into the ejbs (they are all stateless session beans).
This is a large app with both a rich-client and web front end, and in a perfect world I'd be happy to go back and re-architect the entire solution to use J2EE security etc - but unfortunately, that is not realistic.
I can't give you a generic solution, but this is what has worked for us. We have the app server connect to LDAP as a specific user that has the ability to request credentials for other users. Then we have some generic security code that we can use to request a users credentials from inside the session beans, based on the users identity from their initial login (just as you are doing it via getCallerPrincipal()).
We also place the users identity in a thread local variable, so that classes down the call chain from the EJB do not have to be "container aware". They simply access the identity from the thread local and use the security classes to look up user profile information. This also makes it easy to change the implementation for testing, or even something other than LDAP lookups.
Other conveniences we created were a JDBCServiceLocator that retrieves connections with user/password for the current user. So the developer does not have to explicitly code the security lookups at all.
Normally the Java EE security model will not allow the retrieval of the user password, for security reasons. But it depends on the implementation. Some vendors provide methods to retrieve this kind of information, but if you rely on such implementations, be aware that the portability of the application will be compromised.
One common approach is to write a servlet filter to intercept the login request and save a copy of the credentials, to be used later. If your application doesn't use the Java EE security infrastructure, this could be easily implemented. That's because some vendors prevent you from filtering an authentication servlet.
Robin,
Sounds like what I was planning. I figured I'd make a call right after a successful server connection to load the credentials into a threadLocal variable on my connection class. I was hoping there was an easier way - but I guess not.