I am using ActiveMQ to connect a number of application modules written in Java.
I eventually would have a web interface for the application, developed in either Grails, Struts2, or Rails.
My 2 main concerns are:
to have an external security module that is not bound to the Web Framework in use.
to have an independent security db
Any recommendations for this Architecture?
You should place all your components within a secured firewall. Then you wouldn't need to worry about any kind of security for ActiveMQ. If not a firewall, you should have a way to whitelist your components so only you can connect to them.
For the database, I recommend having one user that read data and one user that writes data. Separating this permissions will be a closer step to someone deleting you data.
You need to secure both parts of your application. For the first part go with Amir Raminfar's answer, and insure that your running on secure servers. Also make sure to use what ever security features are built into MQ to allow the components to communicate securely. For Web Security there is no good way I know of to have a framework agnostic security setup. An option for you may be Spring Security You should be able to integrate it with Struts and there is a Grails Plugin This should make it easier to do security in a relatively common way whether you use Struts or Grails but you will probably not be able to easily use Spring Security from Ruby.
Related
I've created my own JDBC realm (using WildFly 8.2) as described at paragraph 50.3 of the JavaEE 7 tutorial. My understanding is that JDBC realm authentication implies that user credentials are read and checked by the server, the application doesn't even know the coordinates for the auth-reserved DB.
For a "new user sign up", the only thing I can imagine is to implement a classic solution from the inside of my application: accessing auth DB, check if chosen username is already present, insert row in the table... but doesn't this violate the whole paradigm of "container managed authentication", and maybe insert security holes?
Is there some server-implemented mechanism that I ignore?
but doesn't this violates the whole paradigm of "container managed authentication", and maybe insert security holes?
Yes, more or less. The container managed security concept, where the application is totally unaware of the authentication mechanism and the identity store (location where the user data is actually stored) doesn't really take the use case into account where an application has its own user sign up/register functionality.
The idea seems to be more intended for integrating externally obtained applications (e.g. say a Sonar or JIRA instance) into an existing enterprise structure. There the users are created by an admin using a central system like LDAP, or in some situations even an admin UI of the application server.
Unfortunately many of your typical public web applications aren't of this variety. They are standalone apps (don't integrate with existing internal enterprise infrastructure) and they effectively manage their own users.
The classical concept is an ill fit there, and that's why the Java EE Security EG is currently exploring how to best address this.
You basically have three "solutions" in the mean time:
Just define your DB connection details twice, once at the server level, once at the app. It looks like you were indeed already doing this.
Use JASPIC, which is a container provided authentication API which has the option to let the application contain the auth module. It can use the exact same data source and possible JPA entity manager and such that the application is also using.
Do your security using an external security framework, e.g. DeltaSpike Security or Shiro, that's totally implemented in "user space".
From a Java EE perspective, none is really ideal. The first has the duplicate definition and indeed somewhat violates the principle, the second is by itself okay, but JASPIC is a tad low level, and the second is a rich solution but doesn't integrate well with existing Java EE security.
For a current application, the customer has given us the following requirements:
Use of Glassfish 4 Application Server
JEE7
PrimeFaces
Allowing for Authorization against both LDAP and JDBC database, which can be switched between after the application has been deployed
I am wondering if anyone has any ideas about how I could accomplish this as I have only worked with glassfish using the predefined realms, never having to create one. The flow of this is that after the application has been deployed, the admins can choose whether the users accessing the site authenticate against an LDAP or a local JDBC Database. This decision should not effect the flow of the front end, meaning that there should only be one login page, that goes to one function, that would then, based on the configuration, determine which realm to use to authenticate against.
Any help would be greatly appreciated.
i think you have three alternatives:
configure both glassfish realms and switch between them in web.xml:/web-app/login-config/auth-realm
pros: very simple, you can configure them with administration ui (server-config -> security -> realms) or asadmin
cons:
can only use one at a time
must be configured outside application
switch REQUIRES application reload (no redeploy, just reload)
deveop your own glassfish realm which encapsulates the jdbc realm and ldap realm
pros:
you can use both at the same time (no switch)
you can still configure them with ui or asadmin, but support is limited
cons:
requires knowledge and external development for realm and module classes
must be configured outside application
glassfish specific implementation (will not work on other containers)
some reference here and here
deveop a pluggable authentication architecture (JASPIC)
pros:
programmatic approach: maximum liberty & freedom
can be deployed within application (no external config and no reloads)
standard, can be reused in (almost) all JEE containers
cons:
VERY hard to develop, need knowledge about JASPIC and (optional, but suggested) JAAS
lacking JASPIC documentation
if you really want a pluggable auth, some references are here and the excellent article from Arjan Tijms
good luck!
I'm looking at exposing separate services inside an application server, and all services need to authenticate with the same API key.
Rather than each request authenticating with the DB individually, I was hoping I could write the authentication service and configuration once, do some caching of the available API keys, and expose that auth service to the other services on the app server (TC, Glassfish, etc). I don't think HTTP loopback is a good choice, so I was looking at Spring Integration, JavaEE, RMI, etc.
There's lots of info available, but it's still not clear to me if this is something that Spring Integration can support after reading through some documentation and projects. It looks like Spring makes the assumption you're in-app, or MQ based (external MQ or embedded MQ.) I'm also not sure if this is something inherently available in EJB implementations with Jboss or Glassfish...It seems like it might be though.
While MQ's seem possible, they seem like overkill for what my purpose is. I really just need to pass a bean to my authentication service on the same box, and respond with a bean/boolean on whether the key was approved or not.
Anyone have some guidance on accomplishing something like this? (or maybe why I'm making the wrong decision?)
You can do it via plain PCT/IP or RMI.
But I don't see problem to follow with Micro Service Architecture principles and use the Spring Integration REST ability
Any networks access you always can restrict via firewalls and HTTP-proxies.
I want to protect my JSF pages in a Java EE 6 app.
I want to store users and roles in the DB and have privileged users administer them via a web tool. The privileged users would add users to roles and set certain pages to require certain roles for access.
It seems to me that container managed security won't let me do that. Would JAAS be the way forward?
Any suggestions and links to examples would be appreciated.
The short answer is yes. JAAS will allow you manage security against a database use a LoginModule(many container implementations JBoss offer these pre-canned out of the box) and you can check out this article(http://weblogs.java.net/blog/2006/03/07/repost-using-jaas-jsf) or this book(http://www.java.net/external?url=http://purl.oclc.org/NET/jsfbook/) for more specifics how to authenticate Users and determine authorization parameters with JAAS and JSF.
For your second requirement, I can't see any reason why you can then create a separate tool that has access to those tables to modify credential information. Though this seems like a problem that has already been solved by using an LDAP provider with any one of a number of free and open source web interfaces.
Another nifty feature because of the clear separation of concerns is that you can later easily migrate to LDAP or third party services with little effort.
I recommend that you take a look at Spring Security.
Spring Security is a powerful and highly customizable authentication and access-control framework.
Here is an article that explains using Spring Security with JSF.
I've been tasked with creating a Security Proxy service. The idea is that if the backend security provider changes there is no impact on the main application. This ideally is what the backend security provider is for, but I have been tasked with creating a seperate service which will affectively be a proxy to the backend security provider.
I don't want to have to write a complete security module to do something that is already done by a dozen services. I want to be able to set up a service that can be updated if needs be.
I am wondering if anyone knows of a solution which can take care of this with minimal coding/configuration?
Any help would be useful, if you want more information please comment and I'll try and enrich as best I can.
[Front end is Tomcat Web Application written in Java (and GWT), Spring Security is preferable]
[Backend is SiteMinder (at the moment)] http://www.ca.com/us/internet-access-control.aspx
[I have been looking at CAS but wanted to ask a learned community before deciding how best to proceed]