i have a two web applications running in java wih weblogic server, both the applications have same user name and password, so i decided to use single sign on machanism for sharing the session.
Apart from openSSO configuration, policy agent installation, i have to write java code for redirect the particular page from one application to another application.
if anyone already implemented the single sign on with java, please send me java the part to control the user authentication.
If OpenSSO is setup properly for both the weblogic instances, you can just redirect from one application to the other, you don't have to do anything else.
Related
So I have a Java Program that just runs in the windows console at the moment. When the program first starts, I want to have it go through a login prompt with a username & password. I’ve previously used a MySQL database to check if a username + password combo exists, and then allow that user to login. I know how to encrypt passwords and such when I compare them to the database info. However, when I did this, the MySQL login details were left in the code so that the program could connect to the database. This leaves a huge problem in that someone could decompile the program and find those login details, then use them to access the database.
So my question is, is there a way to access these logins using the program, WITHOUT exposing my database details to a snooping person. Is there a library out there that could accomplish this?
Yeah you can do it, But you need to re-architect your application.
You should separate you application into two different application.(In short: you have long way to go)
1- Client Application: Where your Java Application is interacting with the end user.
2- Server Application: Where your Application is interacting with your DataBase. This Application can talk to your Client through your network.
Note: keep in mind that, any application at client, can be decompiled. All traffic even any communication between client-server can be monitored.
There are many methods out there, to make the communication between the server and clients. The choice is yours, you can make your own one (Socket communication) or follow some standards like REST or SOAP.
If you want to use REST or SOAP, there are many ready framework and libraries available where Spring is one of them. Since you need to have Server Application(Ex: Rest Server), you need to run your server application in a container, where in this case, Tomcat is the most famous one in JAVA world.
But there is better way to Start ; you can make an Spring Boot Application for your Server app. Most of the libraries even your container is already embedded, and you only need to focus in your Application Logic. Once it's done, you just need to run a single jar file and your client can start talk to the server app, through network. The drawback is that you need to follow the spring boot standard.
You can also Secure your Rest API by Spring Security framework (Which is totally separate topic), but you can simplify it to, token exchange between your server-client for each REST call.
So in this scenario, let say someone decompile your client application, he would
see nothing but, some rest API links, which can not work without login and token.
Also keep in mid that you also need to Secure the communication between Server and Client Throw the Network by TLS.(Which is totally separate topic)
If you're giving out db access then deal with the side effects of that choice. I think mysql offers some kind of row level security option. Check the docs.
If you want some level of backend obfuscation then put it between your users and backend via REST or some other scheme.
I've got a Liferay Portal (6.2 CE) with some Portlets (let's say Portlet A and Portlet B)
I'll be called from outside the portal (a third party from the internet) with some params (http://myUrl/myPath?param=X&email=myUser#email.address&info=moreUserPersonalData), and depending of the value of one of those params I need to display one or another portlet. Following the example, if param=A, go to portal page with Portlet A; if param=B, go to portal page with Portlet B.
Some of the params will be sensitive data and I need them to reach the final portlet A or B.
So, I've got different doubts...
Wherever I'll be called, I can decide its technology. I've managed:
A servlet. The main problem is that I cannot share the session between the Servlet and the Portlet, so I can't set there the params. I don't want to send it by GET (it's personal information) and any way to avoid that (like ciphering the data or saving temporarily in a database) looks too much complicated for such a simple task.
A landing portlet. I need to make the redirect with no user action needed, so the lifecycle of a portlet doesn't help me. The render phase (the one called when I land there) doesn't have the redirect method (looks like it goes against liferay's portlets politics) and I don't want to make a javascript autosubmit to reach the action phase.
So, in summary, I need to:
Be called from a third party
Manage some of the data sent by that third party
Redirect to a portlet, sending sensitive data not seen at the url
Decide the better technology to do that
Can you give me any suggestion?
Thanks in advance.
Secure IPC in Liferay
This is mostly a placeholder until you clarify your requirements and functional specifications. I am going to present some security essentials related to the Liferay platform and associated technologies. I will make the advice as general as possible however full disclosure the bulk of my experience is 6.2 EE.
Proposed solution
I think the most obvious way to do this is to have one, or many, web services exposed to clients outside the portal. I would suggest you stay away from trying to accept all the data into a single web service and then routing it accordingly. Instead I suggest you create a web service for every particular end point (wherever you are routing data to) and call that point directly. Your client should be configured to send the data to the appropriate place. However, if for whatever reason you absolutely need to have a single end point to call, then I would suggest you create that end point by registering a jsonws through service builder and then using Liferays internal Spring AMQP bus to route the message accordingly.
To register a JSON WS simply create a service builder entry as follows:
<entity name="Entity" remote-service="true" local-service="true">
In your JSR-286 Portlet that will create the following modifiable files
EntityLocalServiceImpl.java
EntityServiceImpl.java
EntityImp.java
Your EntityServiceImpl file will generate code in EntityService (which will be the service you invoke externally). I generally suggest in EntityServiceImpl you write code that has to do with Liferay's permission checking / resource framework, and once that is successful you then call a method by the same name in the EntityLocalServiceImpl method. The local service method alone should be where you write to the message queue or database.
To invoke your web service you can reference the million Liferay documents online related to JSONWS. Is is just a brief architectural overview, but I have general hardening steps for the entire stack below.
Liferya Tech Stack Hardening
Let's talk about how you currently have your portal configured. I am going to assume you are running one or many Tomcat application containers behind an Apache web server. However, if you are not running these specific technologies, the advice I am giving is interchangeable.
1. Portal Version
Make sure you are at least running the Enterprise Edition at 6.2 or DXP. Verify that your portal is at the most recent batch level for that release branch. I would suggest you go even further and make sure that you have every single hotfix as well (you can be at the highest patched version but still missing a hotfix).
2. Portal Installation and OS
I would suggest your harden your Tomcat server / portal installation by doing the following things.
Install inside a chroot jail.
Owner and group should be a non root user
Run your Tomcat instance with Java security manager, develop a java policy file specific to the needs of that Tomcat instance.
Enable, correctly configure, AND ENFORCE SSL at the Tomcat layer
Override all the default error pages (404, etc). Create a new page to display for any page that returns a java.lang.Exception
Protect your shutdown port
Make sure tomcat doesn't server index pages when welcome page's arent specific.
Changer permission bits on your portal_home/conf folder to 400/read only.
Remove server version in HTTP response headers
Strip and repackage ServerInfo.properties in the catalina jar.
Set secure flag for cookies
Add HTTPOnly for cookies
Make sure that you have iptables or some other firewall that closes all ports from the outside. SSH only from the inside. Only enable port 80 from outside (if its public facing) and drop the rest.
Deactivate the JSP deployment engine
3. Web Server layer
The web server layer will have general security measures similar to your Tomcat instance. It may be much more difficult to run your web server in a chroot jail or with a non privileged account though. It would be nice to have a real, enterprise IPS sitting in front of your web server (or load balancer if one exists).
Enable and properly configure SSL (for best security do this at the app container and web server layer). Disable ssl v2, v3, etc. This topic is way to big for a single bullet point
Remove information gathering abilities by removing/disabling ETag, directory listing pages, server name response headers,
Run your web server from an apache user with apache group (or whatever account you choose). You can attempt to make this a non privileged account but again it might be difficult.
Change the permission bits on the configuration folder to 750
Limit what type of Request methods you want to allow here (you can disable request methods like put, post, etc here). What do you obviously will determine how you configure this
Disable http 1.0
Disable trace requests
Set set your httponly and secure flag for cookies at this layer as well
Enable protection against click jacking, xss, etc.
4. Liferay properties hardening
There are several properties that you can toggle to harden your Liferay platform. Some very obvious ones (and their descriptions):
Always keep the following two enabled
auth.token.check.enabled=true
json.service.auth.token.enabled=true
This relates to the p_auth get parameter you will see in the portal. The client is responsible for generating this token. If your client is outside the portal environment.
If your client is outside the portal environment you can ignore tokens for particular origins
auth.token.ignore.origins=.....
Basically this will allow you to ignore the auth token requirements for particular origins. This is much better than ignoring for all.
I would definitely suggest you forcing HSTS and again filtering based on request methods
jsonws.web.service.strict.http.method=true
jsonws.web.service.invalid.http.methods=DELETE,POST,PUT
# Not necessarily filtering the above methods just an example
To secure the webservice I would likely require basic authentication
basic.auth.password.required=true
With basic authentication you also need to make the specific web service endpoint public
jsonws.web.service.public.methods=.....
Then a this point you need to configure basic authentication and user account on your tomcat/web server.
I would further restrict access to the jsonws page, servlet, and services by using
son.servlet.hosts.allowed=....
json.servlet.https.required=true
jsonws.servlet.hosts.allowed=....
jsonws.servlet.https.required=true
You might also want to check out the AccessControlled annotation
For basic authentication done right you need to look at the authentication pipeline examples.
4. Additional Liferay hardening
In addition to securing the web service I would probably secure your portal by:
Disabling the default administrator account using the default.admin.*properties,
Block the following pages
/c/
/api/
/usr/
/group/
Disable all the default portlets by filtering based on p_p_id
Seriously consider restricting WebDAV Servlet, Spring Remoting Servlet, Liferay Tunneling servlet, Axis Servlet.
Disabling unwanted/unused struts actions
Use JNDI of JDBC
I realize this is basically just a big dump of information without much context but when talking this broadly about security its all applicable. I didn't even touch the data layer because you didnt mention persistence. StackOverflow is more helpful when you do the preliminary research, try to implement a solution, and run into a very particular problem. Hopefully this will put you in the right direction to a more pointed question
Create a website made with SSL/TLS security encryption.
I have the following problem. The customer have a Java EE web application running in EAServer 5.5.0 with a custom loggin. The loggin is very simple, when the application validates the credentials entered by the user through a web page, stores the user name and profile in a session variable. That way the application knows if the session is still alive. Now, the customer have another Java EE web application running in jboss server 7.1 and wants when the user log in the web application running on EAServer, at same time login in the application running in Jboss Server whitout any further steps.
My first idea was send the credentials via ajax call from EAServer to Jboss web application and stored the credentials in session, same way as the EAServer do. That seems to works fine on Internet Explorer, but in chrome or firefox the ajax call is done and the session variables are created in jboss, but when the user tries to see any view on the Jboss Application the session variables just gone.
Can somebody please tell me what is the best way or practice to do this? or what kind of problem I'm facing whit chrome and firefox that doesn't keep the session variables after ajax call?
One way you can do is the single sign-on that Leonardo Luiz suggested in the comment.
But I have another suggestion. Just install Redis and use it as a session store. This is very standard nowadays and it's broadly used in Ruby on Rails, NodeJs and Java as well.
Some libraries that might get you going:
Spring Session
Tomcat Redis Session Manager (I know you are using different servlet server, but still you can take a look to get the idea)
Or you might opt to use memcached. In that case you might use:
memcached-session-manager
The feature you need is called Single sign-on. I believe it's better to integrate an existing solution on your environment than create a custom one.
I already used two solutions for that:
http://picketlink.org/federation/ (Deprecated)
https://www.apereo.org/projects/cas
It will not be a ease task and requires some knowledge of security concerns.
If you really wanna to create a custom solution there is some information here: http://merbist.com/2012/04/04/building-and-implementing-a-single-sign-on-solution/
We have already created 2 JAVA web applications A & B and hosted it on 2 different
servers using TOMCAT on both these servers. These applications have already been moved
to production and we cannot make any major changes or move it to a single server as it is not in our control.
The authentication is being done through a common LDAP server which is being used by many other applications also.
Now, the client wants us to create a new application C and once logged in, the end users should be able to access the above 2 Applications A & B(through links) without having to
re-login again(SSO).
Pls advise on how to implement the same.
CAS seems the right solution for this but I don't see how you could do to avoid touching anything.
You will at least have to touch some config files.
Look at:
- Spring Security and CAS Integration
Regards
I have a Java web application designed to be deployed on the internet. It needs a database connection. Depending upon hosting environments it may not be possible for the deployers of the web application to configure appropriate data sources so the application needs to store it's database connection information somewhere to be reloaded if the application is restarted.
I also need to give one user administrator privilileges. If this is just the first user account created there is the small possibility that the admin account could be hijacked in between the time that the application is deployed and the time that the installer logs in.
I need to do both of these tasks securely and in a way that is lowest common denominator for a web application.
Clarification: Upon first use I want the application to set up an admin user. That admin user will have all security access in the system. Somehow I need to determine what that user is called and what their password will be. If the application gets deployed on a shared web host the application will be live from the moment it is deployed. If I allow the site to be configured through a web interface there is the small possibility that an unauthorised person will do the web configuration before the site owner effectively hijacking the site. I am looking for an elegant way to avoid this.
Ok, to answer your revised question...
There isn't really that much you can do. If you don't want the admin to configure their account during installation on the server, then there will always be a small window where someone else might create it via the web before they do.
All the solutions involve modifying something on the server (as this is how they prove they are the real admin). Yes, that can mean a config file...
Upon first connect, give the user a
token. Basically a hash of some
salt+theirIP+theirUserAgent, etc.
Then ask them to log into the server
and feed this token to your app,
probably in a config file. If the
generated token next time matches the
one in the config, allow them to
proceed.
A simpler solution is to let them put
their IP address in the config from
the start, and just allow this IP. (Assumes they know what their IP address is)
Alternatively, allow account
creation, but refuse to do anything
else until some file is removed from
the server. Many PHP apps do this
with an install.php, but the file
could be anything you test for.
The most common way to do this is through a static configuration file, in some simple text format.
The file resides on the same system as the application, and should be just as secure as the code (eg. if someone has access to modify the configuration who shouldn't be able to, couldn't they just as easily modify the code?)
For one of our Java web apps, we're using Spring dependency injection to configure most of the app. If you create a "Configuration" class with all of the configurable properties exposed, you can wire up a bean in Java that is configured via Spring XML context file. You can then create different versions of the XML file for your different environments, and have them automatically built into specific packages, which can be deployed all-at-once. If you want to go all-out, you can basically configure every single class in your application using Spring, which is really useful.
There's a little bit of overhead to get Spring setup, but it's actually not too hard, there are plenty of tutorials out there.