I am looking for a Java-based REST server which supports the following authentication mechanisms. Also, please let me know the best resources for REST-based authentication:
Token
Certificate
Kerberos
OAuth
OpenID
I am an architect from WSO2... so my reply could be biased...
You can use the open source WSO2 Application Server to deploy your RESTful services, and WSO2 Identity Server has support for 2-legged OAuth...
Thanks...
Partial answer for method 2) Certificate:
If you're planning on using certificates for authentication, I must assume that the API will be consumed by a limited number of trusted client applications. I've recently developed and deployed a REST API for internal use within an organization, and we use server-client certificates for authentication. This solution delivers a really high level of security, but is very impractical to use in an externally exposed API. This post gives some information: Java HTTPS client certificate authentication.
Any Java container should support these with either:
Apache / IIS as a reverse proxy deployed for SSO (Single Sign On)
Authentication plugins
Related
I'm working on a very simple REST API using the Quarkus framework. I'd like to use client authentication, but after a few tries I eventually found that what I'm trying to achieve doesn't seem possible out of the box.
The API is dockerized and published on an Azure App Service Environment. Unfortunately, I can't get the Azure load balancer to talk to my app via SSL. Azure App Service passes the client certificate as a base64 payload in a header field dubbed X-ARR-ClientCert.
Maybe I'm missing some very important piece of knowledge here. Is there any way to leverage the TrustStore and Trust / accept the client certificate straight from the header field?
Should I implement my own Security Identity Provider to do so, by:
extracting the certificate from the header
creating a Security Identity instance
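As an added example (not from the question or from Quarkus), this is the validation step such a provider would perform on the forwarded header: decode the base64 DER value, check the validity period, and build the chain against a truststore of client-issuing CAs. It assumes the header value is standard base64 DER as described in the question and that a JKS/PKCS12 truststore path and password are available.

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Validates the base64 DER certificate forwarded in X-ARR-ClientCert against a truststore (illustrative). */
public class HeaderCertValidator {
    private final X509TrustManager trustManager;

    public HeaderCertValidator(String trustStorePath, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            ts.load(in, password);                 // CA(s) allowed to issue client certificates
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { found = (X509TrustManager) tm; break; }
        }
        if (found == null) throw new IllegalStateException("no X509TrustManager available");
        this.trustManager = found;
    }

    /** Returns the validated certificate, or throws if the header is absent, malformed, expired or untrusted. */
    public X509Certificate validate(String headerValue) throws Exception {
        if (headerValue == null || headerValue.trim().isEmpty()) {
            throw new SecurityException("missing X-ARR-ClientCert header");
        }
        byte[] der = Base64.getDecoder().decode(headerValue.trim());   // assumed: plain base64 of DER
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
        cert.checkValidity();                      // notBefore / notAfter
        // Builds and verifies the chain up to a CA in the truststore (no revocation check by default).
        trustManager.checkClientTrusted(new X509Certificate[] { cert }, cert.getPublicKey().getAlgorithm());
        return cert;                               // subject DN / SAN can now seed the SecurityIdentity
    }
}
```

The header is only as trustworthy as the path it arrived on: if the container is reachable without going through the Azure front end, a caller can set X-ARR-ClientCert itself, so inbound traffic must be restricted to the front end before this check means anything.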
I have been asked to create an OAuth2 server to access multiple web apps of our company, and I am following this GitHub project.
I don't have any idea about creating an OAuth2 server, and I am stuck while getting an access token via authorization code (I followed the process given in the link).
When you speak about an OAuth2 server, do you mean the interface between user storage (e.g. LDAP) and the web applications?
The easiest way to have an OAuth2 server would be to install WSO2 IS and configure your LDAP as a secondary user store.
I have not coded the server side of OAuth2, but Apache Oltu is a project that has been very helpful for me. It includes libraries for the server part.
Spring Security OAuth2 provides some sample code, one of which is an Auth Server.
http://projects.spring.io/spring-security-oauth/docs/oauth2.html
By default, it supports a single user, but it could be modified to be a more fully-featured Auth Server. It does show how to use Spring Security inside the Auth Server, as well as how to implement the OAuth server endpoints and return JWTs.
I want to host REST APIs over HTTPS. The REST web services will be written in Java, probably using the Spring framework.
These web services will be accessed by Java clients (not web browsers), probably using the org.apache.http lib.
I am not getting a clear picture of working with SSL certificates.
My questions are -
What configurations will be required to host REST web services over "https"?
What configurations will be required at client side for accessing these "https" URIs?
Do I need to buy a trusted SSL certificate for the REST server, or will open Java keygen do?
Do I need the same/different certificate copy on the REST client too?
No particular configuration, you just need https activated.
No particular configuration, you just need to take care to use libs that check the certificate.
If you write the client, you can use a self-signed one and customize the client to check that it's your certificate. If anybody can write a client, it's better to have a publicly trusted certificate. WARNING: the free Let's Encrypt certificates are NOT trusted by Java!
Why do you want a certificate on your client?
Side note: if your API is publicly accessible, I strongly advise that you do NOT redirect HTTP to HTTPS but instead make HTTP systematically answer with an error. If you don't do so, a developer who uses HTTP by mistake will NOT see the error, and that will create security risks.
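An added example (not from the answer above) of the client-side customization the answer describes: a JDK-only HTTPS client whose truststore contains exactly the server's self-signed certificate, so the JVM's default CA list is never consulted, and which refuses plain http URIs outright instead of relying on a redirect. It assumes Java 11+ and that the server certificate was exported to a PEM or DER file.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** HTTPS client that trusts one self-signed server certificate and nothing else (illustrative). */
public class PinnedRestClient {
    private final SSLContext sslContext;

    public PinnedRestClient(String serverCertPath) throws Exception {
        // In-memory truststore holding only the expected certificate; default CAs are NOT loaded.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        try (InputStream in = new FileInputStream(serverCertPath)) {
            trustStore.setCertificateEntry("rest-server",
                CertificateFactory.getInstance("X.509").generateCertificate(in));
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, tmf.getTrustManagers(), null);
    }

    /** GETs an https URI and returns the body; a non-https URI is refused rather than silently allowed. */
    public String get(String uri) throws Exception {
        URL url = new URL(uri);
        if (!"https".equals(url.getProtocol())) {
            throw new IllegalArgumentException("refusing non-TLS URI: " + uri);
        }
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(sslContext.getSocketFactory());
        // The default hostname verifier stays in place: the certificate's SAN must match the host.
        conn.setInstanceFollowRedirects(false);    // never hop to another scheme or host
        try (InputStream body = conn.getInputStream()) {
            return new String(body.readAllBytes(), StandardCharsets.UTF_8);
        }
    }
}
```

Because the certificate itself is the trust anchor, rotating the server certificate means shipping the new file to every client; for a small set of internal clients that is manageable, for an open API it is the reason the answer recommends a publicly trusted certificate.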
Please explain the what, why and how of Kerberos authentication. I am using Spring 3+.
Also, please elaborate on how to implement it in my Java Spring project.
There's an official Kerberos extension for Spring Security: http://projects.spring.io/spring-security-kerberos/
The first step is to configure Spring Security for your project. Try that with, for example, a temporary in-memory authentication configuration with some hardcoded users, just to check that the rest of the configuration is OK.
Then proceed with adding a Kerberos authentication provider, configuring the SPNEGO configuration, etc. (everything is described in the documentation).
Check out the example (uses Java-based configuration, but it's easy to translate that to XML config): https://github.com/spring-projects/spring-security-kerberos/blob/master/spring-security-kerberos-samples/
And the documentation: http://docs.spring.io/spring-security-kerberos/docs/1.0.0.RC2/reference/htmlsingle/
I have tried to explain the what and how part of the Kerberos protocol in my blog at: Kerberos. Please feel free to check it out. A summary of the same is as follows:
Kerberos is a trusted third-party authentication protocol designed for TCP/IP networks which is based on symmetric cryptography.
Kerberos provides encrypted transport and authentication using security tokens and secure session keys, in order to secure the communication between the client and the server.
The Kerberos model basically consists of a Kerberos server which authenticates the client and provides security tokens in order to interact with a ticket-granting service, or TGS. The TGS is then responsible for authenticating this client for access to the actual server.
I have tried to describe it in a pictorial and step by step way in my blog.
I have a Java EE web application; from the web app I have to consume a SharePoint web service which expects Kerberos/NTLM authentication. How can I achieve this? I am using CXF for consuming the web service, and the web application itself uses Windows Integrated Authentication.
Take a look at the SPNEGO protocol; this is what SharePoint (technically IIS) uses for Single Sign On authentication. I am not familiar with CXF, but generally most web services platforms allow you to supply additional headers with your request. Basically what you need is:
1. Get the authentication token for SharePoint from the user session
2. Use JAAS to generate tokens.
Look here http://appliedcrypto.com/spnego/spnego_jaasclient.html and here http://docs.oracle.com/javase/6/docs/technotes/guides/security/jgss/lab/part6.html for more details.
For the case when you want to authenticate browser users to SharePoint, you have to implement the SPNEGO protocol in your web app; for example, you can use this package to do it for you. Most modern app servers support the SPNEGO protocol [JBoss, WebSphere]. After you have implemented the SPNEGO protocol, you can grab the Kerberos token from the 'Authorization' header.
Then you have two options:
In case you run your web app with the same identity as the SharePoint front end, you can just resend the same token to SharePoint.
In case you are running as a different identity, you have to use the user's token to go to Active Directory and request a ticket for the SharePoint service on behalf of your user. The account that your web app runs under has to be trusted for delegation in Active Directory.
Also, I am not sure that SharePoint accepts Kerberos tokens within SOAP headers; I believe you have to authenticate using HTTP headers.
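To make the two halves of this answer (and the Kerberos summary in the earlier answer) concrete, here is an added JGSS example that is not part of either answer: the acceptor side validates the browser's Negotiate token taken from the Authorization header, and the initiator side uses the credential the browser delegated to build a Negotiate header for the SharePoint SPN, which is the "on behalf of your user" case. It assumes the web app already runs inside a JAAS login for its service principal (Subject.doAs with a keytab) and that the SharePoint SPN is passed in host-based form such as HTTP@sharepoint-host.

```java
import java.util.Base64;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/** SPNEGO with JGSS: accept the browser's token, then authenticate to SharePoint with the delegated credential. */
public class SpnegoBridge {
    private static final Oid SPNEGO_OID;
    static {
        try { SPNEGO_OID = new Oid("1.3.6.1.5.5.2"); }
        catch (GSSException e) { throw new ExceptionInInitializerError(e); }
    }
    private final GSSManager manager = GSSManager.getInstance();

    /** Server side: validates "Authorization: Negotiate <token>". Must run inside the web app's
     *  service-principal JAAS login (Subject.doAs), which supplies the acceptor credential (assumption). */
    public GSSContext accept(String authorizationHeader) throws GSSException {
        if (authorizationHeader == null || !authorizationHeader.startsWith("Negotiate ")) {
            throw new SecurityException("expected Negotiate authorization header");
        }
        byte[] inToken = Base64.getDecoder().decode(authorizationHeader.substring(10).trim());
        GSSContext ctx = manager.createContext((GSSCredential) null);   // mechanism read from the token
        byte[] outToken = ctx.acceptSecContext(inToken, 0, inToken.length);
        if (!ctx.isEstablished()) {
            throw new SecurityException("SPNEGO context not established");
        }
        // A non-null outToken goes back to the browser in "WWW-Authenticate: Negotiate ..." (mutual auth).
        // ctx.getSrcName() is the authenticated user principal.
        return ctx;
    }

    /** Client side: builds the Negotiate header for SharePoint on behalf of the accepted user. Works only
     *  when the browser delegated and the web app's account is trusted for delegation in AD. */
    public String negotiateHeaderFor(GSSContext accepted, String sharepointSpn) throws GSSException {
        if (!accepted.getCredDelegState()) {
            throw new SecurityException("no delegated credential for " + accepted.getSrcName());
        }
        GSSCredential delegated = accepted.getDelegCred();
        GSSName target = manager.createName(sharepointSpn, GSSName.NT_HOSTBASED_SERVICE);  // e.g. HTTP@host
        GSSContext out = manager.createContext(target, SPNEGO_OID, delegated, GSSContext.DEFAULT_LIFETIME);
        out.requestMutualAuth(true);
        byte[] token = out.initSecContext(new byte[0], 0, 0);
        return "Negotiate " + Base64.getEncoder().encodeToString(token);
    }
}
```

Delegated credentials are bearer material for the user; keep them scoped to the request and prefer constrained delegation on the service account so the web app can only obtain tickets for the SharePoint service, not for arbitrary SPNs.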
This question might help you.
If you want to use the single sign-on feature, meaning using the current user identity, take a look
here