I want to authenticate a user against our Active Directory database on a BlackBerry mobile app.
I've written J2EE apps that authenticate against AD using JNDI (javax.naming).
I've also written BlackBerry apps that do local data access and remote JSON interaction.
In this app, I need to limit access to the back-end servlet based on their AD access.
I do not have access to change the servlet, so I can't pass authentication credentials to it.
Thanks in advance for your input.
Related
I'm trying to integrate my web app with an external system where the user will login in external system (which I do not have control of ) using Single Sign-On with Oracle Access Manager 11g then can access my web-app without the need to login again .. is it possible to validate the user token which comes from the Oracle Access Manager?
Your application must "plug in" to OAM using an OAM WebGate so that OAM can validate the token. This is typically done through the web server.
See here for an example: https://docs.oracle.com/cd/E40329_01/doc.1112/e49451/webgate_apache.htm#WGINS76147
I have developed a web application where we can sign into to once dropbox account and get their data.
The problem here is ,lets say user(X) accessed the web application through a browser and sign into his dropbox account in the network (lets say A) , now if we open the same web application in another network (lets say B) it also says that the user (X) has signed into the dropbox account.
Same happens between browsers also, Like if a user (X) opened the application in google chrome and signed into the dropbox account and when the user opens the application in Mozilla it says that user(X) has signed in.
The application is developed in Java using Spring MVC framework, used jsp pages for UI and jquery.
Im running this application on Apache Tomcat Server.
Question:
How do I make resources not shared among browsers and networks.
We need to implement sessions in the project and store the accesstoken given by Dropbox as part of Outh 2.0 protocol as a session variable.
Whenever the user tries to request the web-application, that particular session loads up and uses the value of accesstoken present in that session variable.
In this way we can differentiate between requests.
I have a java web application(hosted in Linux) which speaks to a document management system which is a .NET based system via rest services. By default SSO Kerberos authentication is used in document system and for the same we are passing SSO Token to identify the user who accesses our application via web browser. This works fine and the document system is able to identify the user and allows user to upload document.
However we have a problem when a user who belongs to a different domain/AD tries to access the application. This is due to the external trust level between the environment document service is hosted and user environment. The document mgmt system supports NTLM authentication to handle this scenario and we were told that we need to pass credential object in the request. It appears there are easy ways for .NET client to extract user credential using CredentialCache object but I am struggling to find equivalent in Java.
I am trying to find out a way to pull the users windows credential so that I can set in the credentials object before i send the request to document system. Our application is SSO enabled, hence we dont want the user to explicitly pass his windows credential.
I'm developing a web application that has a REST api. At the moment the Api are protected in the server side trough spring security with a form-login authentication. Recently I also added spring social to allow access with facebook and twitter and all this works. So a user has to be registered to access some endpoint.
Now I have to build a mobile application that has to access the REST api and I was wondering what strategy I should use.
I saw that facebook has a android/ios sdk to allow the authentication on mobile side. So once theuser is authenticaded on the mobile I should do the request to my server so how should I authenticate the user on the server side to access the resources?
If you think that is not a good solution can you give me an advice how I should solve this problem?
Two options:
Your mobile app can login to your API the same way your other client code does, via form-login or spring social. Simply send the same session ID cookie with your API calls after login.
You can allow your app to accept a username and password as HTTP headers via HTTP-Basic, to save yourself the initial login step. This might be more useful if you don't need to make a lot of API calls per session.
I am trying to secure my Flex application within my Java web application. Currently my Java web application, handles logging and managing user accounts and the like. I was wondering if there is a way to essentially share that user credentials with the Flash movie in a secure mechanism? For instance, if you log in, we want you to be able to save items in the Flex application for that user, only if that user is logged in of course. Any ideas? Any help is greatly appreciated.
Update:
I apologize for the vagueness. I'm running Tomcat 5.5, Java 6 doing portlet development inside a Vignette Portal. All data communication is via Blaze DS. In our environment, we have data services and the portal handles logins, user management and the like. Currently we are simply passing down the username to the flash movie, which I don't feel is very secure.
You can pass data to a flash movie using flashVars which can be generated in a JSP. The data can be a one-time key generated on the server and associated with a user id. The Flex application can then take the key and use it to log in via a webservice call. The server will then validate the key and allow access to the user's account.
It is a very general question and it's hard to provide a good answer without knowing what is your current architecture. The Flex application is using the same web server as your web application? What are you using in order to discuss with the backend (web services, sockets, rtmp sockets)? If you are sharing the same web server you can access the same HTTP session and you can check if the user is logged in or not.
If you need to be aware in your Flex application that the user has just logged off from the HTML application or the session has expired you have several options, again depending on your architecture. Assuming that the HTML application was already was notified you can call through ExternalInterface a method from the Flex application. If not (session expired while you are using the Flex application) you will know when trying to save your data.