I'm developing a web application in Java that is called from a pre-existent portal.
I need to check if the user is authenticated in this portal to show my application.
I don't have access to its database to check the user and pass again.
I don't know what the portal can pass to me that guarantees that the user is
authenticated.
Maybe a token, or I can check the domain. I'm not sure how to do this.
I've searched to use Spring Security, but I didn't find a solution yet.
Some sites say to integrate it with CAS, but I don't have CAS here.
Can anyone help me?
Web applications can use container based security.
You need to hook this mechanism up with the portal which may, or may not, be relatively easy. The portal must expose its security mechanism.
How to actually do this, depends on your actual container.
I think it is not possible to answer the question here. If other portal links to your application and requires you to identify other portal's user, it must specify how this could work. You all need to specify an interface between the two applications which describes how exactly user identification has to happen. "other portal" people should tell you what they support as well as what they recommend...
Related
I have a j2ee web application that is typically accessed over the intranet.
I have a requirement to have only a small set of webpages in the application exposed over the internet. There isn't a large set of users who need the internet access. I don't really want to expose the whole application as is over the internet, since it has some other sensitive data. I'd like to add an extra layer of access restriction/security on top (even though the application has role based access). What would be a good way to achieve that?
Some options that come to mind are below (not given too much thought to it yet)
Figure out something in Apache (our web server) to restrict access to only certain set of URLs in the application. Not sure if something like that is supported out of the box or with some modules.
Mark internet based request with some attribute in Apache, and in the application layer use Spring security to restrict access.
Use something like a Citrix server to allow indirect access to the application through a virtual desktop. I wonder if this is easier said than done and if it's really buying me anything.
Build another web application that acts as a proxy to my large application for those limited web pages. Initial thought, this sounds like too much work.
Your thoughts? Any better options, different products?
I would recommend to use Spring MVC.
As you already have role based access in your application, it should be quite easy to develop controllers which will render jsp that are relevant to that logged in user.
Though Spring MVC is a proven and robust framework, compare the effort that you need to put in for Spring MVC integration with other solutions.
Is there a security framework available for Java desktop applications? When I searched on Google I saw persons talking about Spring Security, however it seems to be chiefly web-based. I have been using ordinary Java code (login forms, JDBC) to implement user level security but I am not comfortable programming this way. Thanks for your assistance.
I have decided to use Apache Shiro Security Framework. It is very easy to use and the website hosts good documentation. Thanks all for the help.
You can still use role-based access and some sort of directory service for desktop applications, and you could do that with Spring; it's not necessarily only for web access. Not that I'm pushing Spring specifically.
regards
It's hard to really answer you without knowing what threat model you're thinking of.
Do you doubt that the signed in user has permission to open your application?
Does the application talk to a server and get data from there?
Are you concerned with the user tampering with code?
In the first case, this seems like something that is better handled with OS level permissions.
In the second case, handle your security on the server, you can't trust the client anyway.
In the third case, good luck.
I have been trying to implement SSO in an existing Java web application. I have spent a lot of hours trying to understand this thing but haven't had success so far. Can anyone tell me some guided way by which I can achieve it?
I am looking for
With what module/API should I start
What will be best way to implement SSO for a beginner
Any good books/blogs/websites.
PS : I know Servlet/JSP and have built very simple application using JSP/Servlet till now. (NO FRAMEWORK).
What exactly do you mean by single sign on, is your application distributed or single sign on on different applications?
You could write filters for authentication and authorisation; where you check for a valid session and if the user has logged in; depending on that dispatch the request to a resource or login page.
Another option is to use Java EE declarative security.
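A sketch of the filter approach from the answer above, added here as an illustration and not code from the original poster. The class name, the `user` and `isAdmin` session attributes, the `/admin` prefix and the login paths are assumptions; the filter is expected to be mapped to `/*` in `web.xml`.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter: authentication first, then authorisation, for every request.
public class AuthFilter implements Filter {
    // Resources reachable without a login (assumed names).
    private static final Set<String> PUBLIC =
            new HashSet<>(Arrays.asList("/login.jsp", "/login"));

    @Override
    public void init(FilterConfig cfg) { }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        // getServletPath() is decoded and stripped of ";jsessionid=..." by the
        // container, so compare against it rather than the raw request URI.
        String path = req.getServletPath();
        if (PUBLIC.contains(path)) {
            chain.doFilter(rq, rs);
            return;
        }
        // getSession(false): look up the session, never create one for an anonymous caller.
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute("user") == null) {
            res.sendRedirect(req.getContextPath() + "/login.jsp");
            return;
        }
        // Authorisation: "isAdmin" is assumed to be set by the login servlet only.
        if (path.startsWith("/admin")
                && !Boolean.TRUE.equals(session.getAttribute("isAdmin"))) {
            res.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Keep protected pages out of browser and proxy caches.
        res.setHeader("Cache-Control", "no-store");
        chain.doFilter(rq, rs);
    }

    @Override
    public void destroy() { }
}
```

The login servlet that sets `user` should also discard the pre-login session and create a new one, so that a session id known before authentication is not reused afterwards.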
Currently we are developing a Java app that runs on Tomcat and uses PostgreSQL.
And we have an introductory website (Joomla 2.5 based) that explains the app, and also has a register module, that runs on Apache PHP, on a different server.
Our goal is that the clients go directly to our Joomla website, register there and then they can go directly to the web app.
Very much like www.tiendanube.com or Shopify.
The Java app has a login, as does the Joomla website. We need to unify those processes; we cannot find a way to achieve this.
The problem is also that Joomla cannot run on the same server as the web app.
Is there any way to interconnect both the web page and the app (which run on different servers) to make them look as one?
So we thought that when the user registers in Joomla, it also has to be saved in the same PostgreSQL of the Java app. Since the Java app is running on a different server, we cannot access the PostgreSQL of the Java app.
That can be a solution, still we are pretty sure there has to be an easy solution or a more powerful and better solution for this.
Also, with the 2 services being on different servers, it seems that we are not able to maintain the same domain for both.
We will really appreciate some help
Thanks very much
Facundo
You have at least two ways to do it.
Use LDAP, Gmail authentication or equivalent. Easy, Joomla already has it.
Do it in a manual way with "Single Sign On across multiple domains". You will have to understand how session cookies work and avoid some problems.
Please read my recent answer on implementing SSO across subdomains in Joomla.
I'm fairly new to Java development and I have found myself tasked with implementing a functionality authorization system for a desktop application written in Java.
Currently the application requires user authentication at startup and users are authenticated against an active directory server via LDAP.
The application as it stands has no user privilege system in place; once a user is authenticated they have full access to the application's entire functionality.
What I need to do is define a number of user roles or groups which have access to different functionality i.e. user:Alice (of group:Admin) may see menuItem:EditCell in a popup menu for a JTable but user:Bob (of group:Peasant) may not.
It has been suggested that I look into Spring security and method/class annotation but I'm finding it a little difficult to get my head around the information I have found so far.
Is there anyone who has had a similar experience around who might be able to offer some assistance?
Cheers,
I would definitely recommend Shiro over Spring for your use case. Take a look at their website and go through the 10 minute quick guide. You'll be surprised at how much you can get done with simple, straightforward code.
For simple testing you can define roles within Shiro itself, but eventually you are going to want to put all the roles into your LDAP.
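What the answer above describes, roles defined within Shiro itself for testing and used to decide whether a popup menu entry is shown, written out as an added example (not the answerer's code). The accounts, passwords and the `cell:edit` / `cell:view` permission strings are constructed for illustration; it checks a permission rather than a role name so the menu code does not change when the roles later move into LDAP.

```java
import javax.swing.JMenuItem;
import javax.swing.JPopupMenu;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.Subject;

public class RoleMenuDemo {
    // In-memory realm for testing only; constructed accounts, plain-text passwords.
    static void initShiro() {
        Ini ini = new Ini();
        Ini.Section users = ini.addSection("users");   // name = password, role
        users.put("alice", "alice-pw, Admin");
        users.put("bob", "bob-pw, Peasant");
        Ini.Section roles = ini.addSection("roles");   // role = permissions
        roles.put("Admin", "cell:edit, cell:view");
        roles.put("Peasant", "cell:view");
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new IniRealm(ini)));
    }

    // Builds the JTable popup menu for the current user.
    static JPopupMenu buildCellMenu(Subject user) {
        JPopupMenu menu = new JPopupMenu();
        menu.add(new JMenuItem("View Cell"));
        if (user.isPermitted("cell:edit")) {
            JMenuItem edit = new JMenuItem("Edit Cell");
            // Re-check when the action runs: hiding the item is only presentation.
            edit.addActionListener(e -> user.checkPermission("cell:edit"));
            menu.add(edit);
        }
        return menu;
    }

    public static void main(String[] args) {
        initShiro();
        Subject user = SecurityUtils.getSubject();
        // login() throws AuthenticationException on a wrong name or password.
        user.login(new UsernamePasswordToken("bob", "bob-pw"));
        System.out.println("bob sees " + buildCellMenu(user).getComponentCount() + " item(s)");
        user.logout();
        user.login(new UsernamePasswordToken("alice", "alice-pw"));
        System.out.println("alice sees " + buildCellMenu(user).getComponentCount() + " item(s)");
    }
}
```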