I want to protect my JSF pages in a Java EE 6 app.
I want to store users and roles in the DB and have privileged users administer them via a web tool. The privileged users would add users to roles and set certain pages to require certain roles for access.
It seems to me that container managed security won't let me do that. Would JAAS be the way forward?
Any suggestions and links to examples would be appreciated.
The short answer is yes. JAAS will allow you manage security against a database use a LoginModule(many container implementations JBoss offer these pre-canned out of the box) and you can check out this article(http://weblogs.java.net/blog/2006/03/07/repost-using-jaas-jsf) or this book(http://www.java.net/external?url=http://purl.oclc.org/NET/jsfbook/) for more specifics how to authenticate Users and determine authorization parameters with JAAS and JSF.
For your second requirement, I can't see any reason why you can then create a separate tool that has access to those tables to modify credential information. Though this seems like a problem that has already been solved by using an LDAP provider with any one of a number of free and open source web interfaces.
Another nifty feature because of the clear separation of concerns is that you can later easily migrate to LDAP or third party services with little effort.
I recommend that you take a look at Spring Security.
Spring Security is a powerful and highly customizable authentication and access-control framework.
Here is an article that explains using Spring Security with JSF.
Related
We are developing a Java based product. We need to make the authentication part to fit for major authentication services, like LDAP, OpenID, Oauth2, SAML. The idea is, when we deploying the product for a company who is having LDAP, our product should be able to cater it. If the company has OAuth2, then our product should be able to cater that as well.
I want to know, what are the better approaches and tools. I'm looking for a open source solution which support all these protocols in one place. Please share the knowledge.
I'd suggest Spring Security. It is completely independent to the Spring Core framework and with some simple configuration and some additional libraries (also developed by the same team), you can get a simple solution for most of the popular authentication methods.
With a couple of annotations, you can configure which methods or endpoints you want secured either.
You can create spring profiles, who decide which authentication method to be used.
Simple approach is to use an IAM (identity and access management) solution. Kecloak is a good open source one (and is written in java but you shouldn't mind).
By the way, your question is off-topic (recommending software or tools). Post it here
You need to separate out Identity repositories and Identity protocols.
LDAP and AD are repositories.
OpenID, OAuth2, SAML are protocols.
You need an IAM system that handles all the protocols and sits on top of the repositories.
For your product to talk to your IAM, you need a protocol stack in your product e.g. for SAML.
You then federate your IAM with other vendors e.g. if a vendor comes along and wants to authenticate with their AD, they would install ADFS and then ADFS federates with your IAM system.
So the logical flow goes:
User --> authenticate on their IAM --> trusted by your IAM --> access to your application granted.
You could also look at Identity as a Service e.g. Azure AD, Auth0, Okta etc.
Our project consists of Java back end(spring web application) and iOS and Android client applications. Now we need to add an authentication for client applications to Java back end. The idea is to register user for the first time using an external web service. At this step user provides full credentials(login and "big" password) and chooses some PIN for further authorization. After that primary step is complete successfully, user should be able to authenticate using his login and PIN(which he chose previously himself). Those login and pin should be stored in our DB. We should also be able to destroy that "session" and PIN whenever is necessary. We expect web application to have up to 10 000 registered users with up to 1000 users being online simultaneously.
We also don't plan to use any separate Authentication server, we plan to embed security into web application(back end) itself.
I've been investigating 2 different approaches. First is usual spring #EnableWebSecurity approach. This seems pretty straight forward, but some people say it will create "sessions", which are bad for the server. Session will consume lots of memory, and overall impact on performance will be bad. Is it true?
The other approach is to use Spring Oauth2 implementation. I didn't have time to study it properly, this seems to be a little bit of an overkill to me. Is it worth to study for our needs? (we are running out of time btw).
I also need to have some proper DB sctructure for the security needs.
So the question is, what is the best approach for our situation? Are there any open source projects, solving similar issue? I would appreciate any help.
Thank you.
Whatever technology you use for authentication, you will require sessions to maintain the state of authenticated user. You can use Spring security alone or with Oauth2 .
I'll suggest for simplicity you can go with Spring Security with Token functionality.
However you can find an good blog over Spring Security and Oauth.
Securing REST Services with Spring Security and OAuth2
For more clarification you can also visit here
Sessions should only take up allot of memory if you were to store large amounts of data in the session. So long as you don't do that there won't be any problem. You will need to make your own authentication decision based on your acceptable levels for security and user experience, there is no one 'right' answer. Spring security and sessions have already been talked about here How can I use Spring Security without sessions?.
I've created my own JDBC realm (using WildFly 8.2) as described at paragraph 50.3 of the JavaEE 7 tutorial. My understanding is that JDBC realm authentication implies that user credentials are read and checked by the server, the application doesn't even know the coordinates for the auth-reserved DB.
For a "new user sign up", the only thing I can imagine is to implement a classic solution from the inside of my application: accessing auth DB, check if chosen username is already present, insert row in the table... but doesn't this violate the whole paradigm of "container managed authentication", and maybe insert security holes?
Is there some server-implemented mechanism that I ignore?
but doesn't this violates the whole paradigm of "container managed authentication", and maybe insert security holes?
Yes, more or less. The container managed security concept, where the application is totally unaware of the authentication mechanism and the identity store (location where the user data is actually stored) doesn't really take the use case into account where an application has its own user sign up/register functionality.
The idea seems to be more intended for integrating externally obtained applications (e.g. say a Sonar or JIRA instance) into an existing enterprise structure. There the users are created by an admin using a central system like LDAP, or in some situations even an admin UI of the application server.
Unfortunately many of your typical public web applications aren't of this variety. They are standalone apps (don't integrate with existing internal enterprise infrastructure) and they effectively manage their own users.
The classical concept is an ill fit there, and that's why the Java EE Security EG is currently exploring how to best address this.
You basically have three "solutions" in the mean time:
Just define your DB connection details twice, once at the server level, once at the app. It looks like you were indeed already doing this.
Use JASPIC, which is a container provided authentication API which has the option to let the application contain the auth module. It can use the exact same data source and possible JPA entity manager and such that the application is also using.
Do your security using an external security framework, e.g. DeltaSpike Security or Shiro, that's totally implemented in "user space".
From a Java EE perspective, none is really ideal. The first has the duplicate definition and indeed somewhat violates the principle, the second is by itself okay, but JASPIC is a tad low level, and the second is a rich solution but doesn't integrate well with existing Java EE security.
Here is my specific question:
There is a project which contains a lot of pages which uses Spring Framework on Java.
There is some kind of Admin users and department users.
The problem is that an admin user should see all kind of users(all information).
Sometimes an admin might delete some users: This method should be accomplished.
My project leader told me to look at the session properties access and search if there is a framework for that which should work with Spring.
How could I manage that?
Is there a framework for that? If not what is the best way ?
You can by using Acegi security framework, it integrates with Spring framework. To solve your issue, you have to set current user into Http Session (Spring-Acegi has a specified class for this) and read current user whenever needed.
Spring + Acegi has more features like :
Multiple level security by multiple level filters
Concurrent session support, which limits the number of simultaneous logins permitted by a principal.
Support ACL (Access Control List) and Object Domain Security.
Support authentication&Authorization.
and a lot more
It has a lot of useful utilities and structures.
You can see more information at the following links:
http://en.wikipedia.org/wiki/Spring_Security
http://www.tfo-eservices.eu/wb_tutorials/media/SpringAcegiTutorial/HTML/SpringAcegiTutorial-1_1-html.html
To add Spring Security to existing Spring app follow next example:
http://www.mkyong.com/spring-security/spring-security-hello-world-example/
And I recommend you to read their documentation. Spring have really good documentation.
Another example
I am using ActiveMQ to connect a number of application modules written in Java.
I eventually would have a web interface for the application, developed in either Grails, Struts2, or Rails.
My 2 main concerns are:
to have an external security module that is not bound to the Web Framework in use.
to have an independent security db
Any recommendations for this Architecture?
You should place all your components within a secured firewall. Then you wouldn't need to worry about any kind of security for ActiveMQ. If not a firewall, you should have a way to whitelist your components so only you can connect to them.
For the database, I recommend having one user that read data and one user that writes data. Separating this permissions will be a closer step to someone deleting you data.
You need to secure both parts of your application. For the first part go with Amir Raminfar's answer, and insure that your running on secure servers. Also make sure to use what ever security features are built into MQ to allow the components to communicate securely. For Web Security there is no good way I know of to have a framework agnostic security setup. An option for you may be Spring Security You should be able to integrate it with Struts and there is a Grails Plugin This should make it easier to do security in a relatively common way whether you use Struts or Grails but you will probably not be able to easily use Spring Security from Ruby.