I'm working on a web application under Tomcat on a Linux server and all clients are under a windows domain. I need to get the user account from the request to assign it the right role on my application. So to summarize I just need to retrieve the user account becasue the authentication is not required.
What could be the more easy framework or solution to do that? Jaas could be the solution?
Could you help me, please?
thanks,
Andrea
Have you checked out Spring-Security?
http://static.springsource.org/spring-security/site/
Spring Security supports Single Sign On options using Kerberos, JNDI/LDAP, Active Directory, OAuth, OpenID, etc.
Integrate Single Sign On using Spring Security
Try the Apache Shiro project, former JSecurity.
Related
I'm using Spring-Boot and annotation based Spring-Security and I would like to use another site as one of my authentication providers.
I search on google but not getting any proper example or related solutions.
Let me know how can I implement Single sign on for 2 different application.
Please Guide.
Thank You.
You could use Jasig CAS to implement SSO and it is supported by Spring Security: https://docs.spring.io/spring-security/site/docs/3.0.x/reference/cas.html
You can use #EnableOAuth2Sso on your spring-boot application set some properties: client id, client secret, token endpoint for your oauth2 server, etc.
This tutorial is for an angularJS client on spring-boot but the server side is similar: https://spring.io/blog/2015/02/03/sso-with-oauth2-angular-js-and-spring-security-part-v
I am currently trying to implement a single sign on solution across multiple JVM based (Grails, Servlets) web applications currently all deployed in the same servlet container (currently Tomcat, but don't want to limit my solution to just Tomcat). All web applications share a common database.
I've looked at various options from using CAS or other third party libraries to creating a new web service to handle Single Sign On, but none seem to really satisfy the business. My current implementation involves creating a new jar library which has a common implementation of AuthenticationProviders, and Pre-Authentication Filters based on Spring Security.
In this approach I have multiple AuthenticationProviders (currently Active Directory, and Database) for the application to authenticate against. Upon successful authentication a row would be inserted in a session table that contains the user, an expiration time, and a token. The token would be also stored as a cookie on the user's machine and that would be used to validate they have a current session in the Pre-Authentication Filters.
Having never done this before I want to make sure I'm not creating a huge security problem, and I'd also like to know what I would need to create the token? At this point a simple GUID seems to be sufficent?
Currently we are working on Spring Security 3.0.x, and haven't upgraded to 3.1 yet.
Thanks in advance.
I ended up solving this problem by doing the following:
I created a AuthenticationSuccessHandler which would add a cookie to the user's session which had identifying information as well as the hostname to try to secure it as much as possible. (The application was running internally at most customer sites so the risks here were determined to be minimal, but be careful about cookie jacking.)
Then on each application that needed to have SSO I implemented a AbstractPreAuthenticatedProcessingFilter, and placed in before the authentication filter which would pull the cookie out and create an Authentication object. Lastly I created an AuthenticationProvider which validated the information from the cookie.
Hopefully that helps someone else in the future for this type of request.
There are extensions available for KERBEROS, OAuth and SAML available on the Spring Security Extensions website. Here is the blog entry which provides an example: SpringSource Blog
If you are using NTLM as your SSO Provider, take a look at the jespa-spring project.
Or you might want to look at the Java Open Single Sign-On Project
I have two different web applications running on two different instances of tomcat. I need to be having a common page with links to both the applications. But I should be able to log in only once and should be able to access links in the other application without being asked to login again.
Is there a way to do it ?
Check out josso which you can use to create a single sign on solution across your applications
You can use a token parameter, where the token could be the username/some credentials encrypted. You can verify the credentials are correct in the 2 apps.
An alternative, if your applications are under the same domain would be set cookies and recreate the session from them.
Thanks for the replies. We finally decided to use Pre authentication Filter provided by Spring security to fulfill this requirement along with authentication token for validation
The easiest way is to provide Central Authentication Service (CAS) : Single Sign On. It provides centralized access control and authentication for your applications. And Spring Security has a CAS module that integrates with CAS seamlessly. For that you need to setup a CAS server.
More Info on how CAS works and implementation see the documentation.
Spring-Security Documentation
CAS architecture
Another way of doing is to create a Tomcat cluster and maintain the session replication between the 2 nodes under the cluster.
Please refer the Tomcat manual how to create the Tomcat cluster and enable the session replication.
You can use Spring RMI to update the each other nodes App context about the session info etc...
I'm working on an RESTFul API that need to authenticate users on different realms based on the URL called. For example, if you call /service1 you need to be authenticated on a JDBCRealm, but if you call /service2, you need to be authenticated on a LDAPRealm.
Furthermore, I'd like to be able to configure (database or config file) which url uses which realm. This configuration wouldn't require a redeployment of my war if possible.
Do you have any idea how I can achieve this?
I'm using Glassfish 3.1.2 with Jersey and Spring 3.0.5
Thank you, have a nice day!
--
Samuel Dionne
You can add a separate layer for it so that it forwards the request to the proper device per authentication. Actually this is a good use case for the IBM DataPower device if you are a big enterprise, if not a simple proxy server can do the job for you.
I have two apps, app1 is running using multiple jars inside a war and uses spring security(digest) for authentication. app1 runs in tomcat, and i have another app running in another web container (glassfish) app2. app2 uses form based authentication. Both the apps use same username and password, i need to authenticate app1 from app2 and have the authentication results in a securitycontext. I have searched, but couln't find much info. Have some across similar scenario?? Any information will be highly appreciable.
Sounds like you need a single sign on solution. Apache Shiro has some basic SSO capabilities, but for a more robust tool you should check out JOSSO.
Spring also support integration with Central Authentication Service (CAS).
There is an extension for SAML.
And another extension for OAuth.
Any of them could give you autentication across multiple apps.