SecurityContext across multiple containers - Java

I have two apps. app1 is running using multiple jars inside a war and uses Spring Security (digest) for authentication. app1 runs in Tomcat, and I have another app, app2, running in another web container (GlassFish). app2 uses form-based authentication. Both apps use the same username and password. I need to authenticate app1 from app2 and have the authentication results in a SecurityContext. I have searched, but couldn't find much info. Has anyone come across a similar scenario? Any information will be highly appreciated.

Sounds like you need a single sign on solution. Apache Shiro has some basic SSO capabilities, but for a more robust tool you should check out JOSSO.

Spring also supports integration with Central Authentication Service (CAS).
There is an extension for SAML.
And another extension for OAuth.
Any of them could give you authentication across multiple apps.

Related

Providing LDAP support on top of existing Database authentication

I am working on a Java application that has database authentication using Spring Security.
It is very common that this application is used with other applications in a similar domain.
Requirement: all such partner apps should be able to share common authentication with my application.
It is also required to continue supporting DB authentication as well.
One way I found is to embed an LDAP server like ApacheDS in my application so that other partner apps can use it to get authenticated.
In this case, I need to load ApacheDS with the related database records and keep it in sync programmatically.
But the disadvantage of this is having a redundant copy of authentication data: one in the DB and another in the ApacheDS LDAP.
Question: Is there any way to avoid such duplication? By googling, I found the option of having a virtual directory server, Penrose or Oracle Virtual Directory. But unfortunately they cannot be embedded in an application. Is there any way to provide embedded LDAP support on top of existing database authentication?
Disclaimer: I know very little about the Spring Framework and even less about Spring Security.
Having said that, I did face a similar situation. In my case, it was Apache DS as my app's authentication source and the client's AD as the other.
My deployment environment was Tomcat and I used the Tomcat Combined realm, which nests more than one realm for authentication. My app realm was configured to be one and the client's AD was configured to be another.
Users could authenticate from any one of the realms; it worked. However, I did have to replicate the client's AD users every night (including AD tombstones to mark them inactive), for authentication is one thing but other client information was also required, e.g. email, roles etc., and the inclusion of new users.
I am fairly sure that Spring Security will also have the concept of a Combined Realm.
I understand that this answer is not really an answer and more of a design approach, and many years too late at that; however, I wished to share my experience.

Google Apps domain integration

We have a Java web application (using Struts and Hibernate) and want the users to automatically log into their Google Apps domain accounts.
We have set up the Google Apps for Education domain accounts and created the users in it, and we have the same users in our Java web application as well.
The requirement is that when the users log into our application portal, there is a link to go to Google Apps; once they click on this link, it should log them in without asking for a password.
We are using Tomcat 7 as our server for the web application. Which SSO tool should we use for doing this? Oracle's SSO is paid, and Shibboleth doesn't work with Tomcat 7.
Any help is highly appreciated. Is SSO the only option, or is there another way to do this?
Thanks
Any SSO solution that supports the SAML2 protocol should work. Apart from the expensive solutions that Oracle, IBM, CA and others provide, you can find the following solutions that definitely work well with Tomcat 7 and are open source:
Apereo (ex Jasig) CAS: used quite a lot in the education community. Simple to set up, but specific configurations (like an advanced authentication module) might require some programming effort. It supports Google Apps authentication, but no other SAML2 service. If you really only want to log in to Google Apps, that's a great and simple solution.
ForgeRock OpenAM: formerly Sun OpenSSO, this is used in education and industry. Many more features, supports most of the SAML2 service providers out there including Google Apps, but more complex.
Note that if you already have a portal solution, you should check whether that portal already supports SAML2 federation and could act as the SSO server.
Note also that you will need to link the portal authentication and the SSO server authentication, to make sure that your users do not authenticate twice. This can be done in two ways:
Tell the SSO server to delegate the authentication to your portal solution. This might require some light custom coding depending on your portal.
The opposite: tell the portal to use the SSO as an authentication solution. Most portals support some kind of authentication delegation, so it should only be configuration.
Lastly, if your authentication is set up on Tomcat itself (that is, if your portal already delegates the authentication to the Tomcat container), then you can do the same for the SSO server.

How to implement single sign on across multiple JVM based applications using Spring Security

I am currently trying to implement a single sign-on solution across multiple JVM-based (Grails, Servlets) web applications, currently all deployed in the same servlet container (currently Tomcat, but I don't want to limit my solution to just Tomcat). All web applications share a common database.
I've looked at various options, from using CAS or other third-party libraries to creating a new web service to handle single sign-on, but none seem to really satisfy the business. My current implementation involves creating a new jar library which has a common implementation of AuthenticationProviders and Pre-Authentication Filters based on Spring Security.
In this approach I have multiple AuthenticationProviders (currently Active Directory and Database) for the application to authenticate against. Upon successful authentication a row would be inserted in a session table that contains the user, an expiration time, and a token. The token would also be stored as a cookie on the user's machine, and that would be used to validate that they have a current session in the Pre-Authentication Filters.
Having never done this before, I want to make sure I'm not creating a huge security problem, and I'd also like to know what I would need to create the token. At this point a simple GUID seems to be sufficient?
Currently we are working on Spring Security 3.0.x, and haven't upgraded to 3.1 yet.
Thanks in advance.
I ended up solving this problem by doing the following:
I created an AuthenticationSuccessHandler which would add a cookie to the user's session which had identifying information as well as the hostname, to try to secure it as much as possible. (The application was running internally at most customer sites, so the risks here were determined to be minimal, but be careful about cookie jacking.)
Then on each application that needed to have SSO I implemented an AbstractPreAuthenticatedProcessingFilter and placed it before the authentication filter, which would pull the cookie out and create an Authentication object. Lastly I created an AuthenticationProvider which validated the information from the cookie.
Hopefully that helps someone else in the future with this type of request.
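The cookie-based pre-authentication design from the answer above, and the token question from the original post, as an added example that is not the poster's code. It assumes a hypothetical SsoSessionDao over the shared session table, that the filter is wired with setAuthenticationManager and placed before the login filter, and goes beyond the post in two ways: the table stores only a SHA-256 of the token, and the token comes from SecureRandom rather than a GUID.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Date;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

// Hypothetical DAO over the shared session table (user, expiration, token hash).
// Storing only the hash means a leaked table does not yield usable cookies.
interface SsoSessionDao { SsoSession findByTokenHash(String tokenHash); }  // null when no row matches
class SsoSession { String username; Date expiresAt; }

// Pre-authentication filter: pulls the SSO cookie out of the request. Returning null
// means "no pre-authenticated principal", so the normal login flow takes over.
public class CookieSsoFilter extends AbstractPreAuthenticatedProcessingFilter {
    static final String COOKIE_NAME = "SSO_TOKEN";  // assumed name; success handler sets it HttpOnly + Secure
    @Override protected Object getPreAuthenticatedPrincipal(HttpServletRequest req) {
        Cookie[] cookies = req.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) if (COOKIE_NAME.equals(c.getName())) return c.getValue();
        return null;
    }
    @Override protected Object getPreAuthenticatedCredentials(HttpServletRequest req) { return "N/A"; }
}

// Provider that validates the cookie token against the session table and enforces expiry.
class SsoTokenProvider implements AuthenticationProvider {
    private final SsoSessionDao dao;
    SsoTokenProvider(SsoSessionDao dao) { this.dao = dao; }
    public Authentication authenticate(Authentication auth) throws AuthenticationException {
        SsoSession s = dao.findByTokenHash(sha256Hex(String.valueOf(auth.getPrincipal())));
        if (s == null || s.expiresAt.before(new Date()))
            throw new BadCredentialsException("no current SSO session for token");
        return new PreAuthenticatedAuthenticationToken(s.username, "N/A",
                AuthorityUtils.createAuthorityList("ROLE_USER"));  // real roles would be loaded from the DB
    }
    public boolean supports(Class<?> c) { return PreAuthenticatedAuthenticationToken.class.isAssignableFrom(c); }
    // 256-bit token from SecureRandom: a GUID is an identifier, not a secret, and may be partly predictable.
    static String newToken() { byte[] b = new byte[32]; new SecureRandom().nextBytes(b); return hex(b); }
    static String sha256Hex(String t) {
        try { return hex(MessageDigest.getInstance("SHA-256").digest(t.getBytes("UTF-8"))); }
        catch (Exception e) { throw new BadCredentialsException("hash failure", e); }
    }
    static String hex(byte[] b) { StringBuilder sb = new StringBuilder(); for (byte x : b) sb.append(String.format("%02x", x)); return sb.toString(); }
}
```

On successful login the success handler calls newToken(), stores sha256Hex(token) with the expiry in the session table, and writes the raw token into the cookie.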
There are extensions available for Kerberos, OAuth and SAML on the Spring Security Extensions website. Here is the blog entry which provides an example: SpringSource Blog
If you are using NTLM as your SSO provider, take a look at the jespa-spring project.
Or you might want to look at the Java Open Single Sign-On project.

How to share a session across two web applications deployed in two different Tomcat instances

I have two different web applications running on two different instances of Tomcat. I need to have a common page with links to both applications. But I should be able to log in only once and then access links in the other application without being asked to log in again.
Is there a way to do it?
Check out JOSSO, which you can use to create a single sign-on solution across your applications.
You can use a token parameter, where the token could be the username/some credentials, encrypted. You can verify that the credentials are correct in the two apps.
An alternative, if your applications are under the same domain, would be to set cookies and recreate the session from them.
Thanks for the replies. We finally decided to use the pre-authentication filter provided by Spring Security to fulfill this requirement, along with an authentication token for validation.
The easiest way is to provide Central Authentication Service (CAS): Single Sign-On. It provides centralized access control and authentication for your applications. And Spring Security has a CAS module that integrates with CAS seamlessly. For that you need to set up a CAS server.
For more info on how CAS works and its implementation, see the documentation.
Spring Security Documentation
CAS architecture
Another way of doing this is to create a Tomcat cluster and maintain session replication between the two nodes in the cluster.
Please refer to the Tomcat manual on how to create the Tomcat cluster and enable session replication.
You can use Spring RMI to update each other node's app context with the session info etc.

GlassFish security realms based on URL

I'm working on a RESTful API that needs to authenticate users on different realms based on the URL called. For example, if you call /service1 you need to be authenticated on a JDBCRealm, but if you call /service2, you need to be authenticated on an LDAPRealm.
Furthermore, I'd like to be able to configure (database or config file) which URL uses which realm. This configuration shouldn't require a redeployment of my war, if possible.
Do you have any idea how I can achieve this?
I'm using GlassFish 3.1.2 with Jersey and Spring 3.0.5.
Thank you, have a nice day!
--
Samuel Dionne
You can add a separate layer for it so that it forwards the request to the proper device for authentication. Actually, this is a good use case for the IBM DataPower device if you are a big enterprise; if not, a simple proxy server can do the job for you.