We currently have a simple portal kind of functionality built based on ASP.NET Forms-based authentication. All the existing apps that make use of this authentication mechanism are ASP.NET based (and run on the same domain). So, all works fine. We have a new requirement to get some new Java-based web applications make use of the same authentication as well. All our apps are accessible over HTTPS.
Can someone advise here please?
Thanks
We opted to use the ASP.NET Application Services for a proof of concept and the output looks promising.
Thanks all
It's hard to understand the specifics of your question, however in general I would guess that Java has the equivalent of Forms/cookie based authentication mechanism in its' web layer, you could then point that API to the same data source as the one your Forms Authentication uses today.
Related
Is there a security Framework available for Java Desktop Applications? When I searched on google I saw persons talking about Spring Security, however it seems to be chiefly web-based. I have been using ordinary java code(Login forms, jdbc) to implement User Level security but I am not comfortable programming this way. Thanks for your assistance
I have decided to use Apache Shiro Security Framework. It is very easy to use and the website host good documentation. Thanks all for the help.
you can still use rolebased access and some sort of directory service for desktop applications and you could do that with spring it's not necessarily only for web access. not that i'm pushing spring specifically.
regards
It's hard to really answer you without knowing what threat model you're thinking of.
Do you doubt that the signed in user has permission to open your application?
Does the application talk to a server and get data from there?
Are you concerned with the user tampering with code?
In the first case, this seems like something that is better handled with OS level permissions.
In the second case, handle your security on the server, you can't trust the client anyway.
In the third case, good luck.
We have legacy applications written in asp and asp.net on IIS using form based authentication against the Database (Not AD). We are writing a new Java app sitting on glassfish and we want a single sign-on solution to authenticate users so they can move seamlessly between the two without having to sign on again.
Are there any secure solutions to this problem?
I think the best approach in the long term is to decide on a SSO technology / implementation, and then change the legacy applications to use it. I know that changing legacy apps can be painful, but provided it is practical you should do it.
UPDATE
You don't necessarily have to do a complete rewrite of your legacy apps. If you can identify an SSO tech which supports the legacy language too, you can maybe just get away with rewriting the login page and (maybe) access control and/or local account management.
Take a look at spring security (if you're not opposed to using spring for your java app). They support dozens of solutions, probably whatever you're using for your ASP app. http://static.springsource.org/spring-security/site/
Alternatively you could use apache shiro http://shiro.apache.org/ which also supports just about anything out there for security.
I'd advise looking to see if one of these supports what you are using already on your legacy app, it would probably be easier to make the java app support your existing security mechanism rather than trying to backport a new security layer into ASP.
If I started a new project to execute on the Java EE platform and I wanted to be able to do user-friendly login (say pop up a modal dialog for credentials when needed, or have login option available all the time like twitter or SO), what would be the best approach and tools to implement that?
I've found it quite difficult to retrofit an existing project that uses security constraints, so I'm wondering how I can make my life easier in future!
By default, I'd be looking to use Dojo as my JavaScript framework and deploy to a Java EE appserver like WebSphere.
Best approach and tools?
Go for JSF libraries like PrimeFaces!
Check this example
IMO, this is fastest and easiest way to make a rich web application
See the second answer here: Automatic login to JSF application on revisits, after once logged in
If you're using Spring Security or Apache Shiro, both of them support
this with the proper filter. On the backend Spring Security works by
having a persistent store of remember me tokens, and Shiro I think
signs a hash value.
Here's the spring guide:
http://static.springsource.org/spring-security/site/docs/3.0.x/reference/remember-me.html
Here's the shiro guide:
http://shiro.apache.org/java-authentication-guide.html
If you're using Java EE Security (please tell me it ain't so), you're
limited to what your container can support, unless you want to design
a customer login filter. An customer filter could sign a cookie with a
MAC code and validate it against a database. I don't believe tomcat 7
has this built in, you'd probably need to check out GlassFish (which
supports SSO, I don't think it supports remember me).
Some years ago I made a Swing application that uses a MySQL database. Now I must change this app to work through Internet.
I can connect directly to a MySQL server through Internet, but I think that it's insecure, so I'm thinking about using webservices.
I know I must change lots of code in my current application, and I don't worry about that. But my problem is that I have never used webservices nor server side technologies in Java, and I don't know where to start.
Do you know any good "webservices for dummies" tutorial? I need authentication (and ACL or similar) and database access.
Thank you!
Easiest adaptation: have a look at apache axis2, it has everything you need for webservices. That would offer to extend you current applicatino by webservices functionality.
If you need to re-engineer everything, either spring or Java EE should be your friend.
Adding web services won't make it any more secure. The best you can do is to enable SSL with JDBC.
Take a look at the core servlets site. There is an EJB tutorial and an AXIS tutorial. As mentioned by Andreas_D, spring and Java EE are both options. I suspect you want a simple REST implementation, in which case, spring is a good option.
This is a very beginner question. I have tried to search for advice but am overwhelmed by the amount of information and would like some help with ideas on approaches to server design or what to search for!
What I would like to set up is a backend server that provides search capabilities and business logic and validation across some fairly basic data. It wont get too large.
I would then like to be able to plug in a website as a front end or a mobile app or a facebook app or even a desktop app..
My question is what is the best way for front ends to hook into the backend? I would like to have various user accounts with permission levels so authorisation would be important.
I generally only code as a hobby so whilst technically I have built a spring based website before the exact semantics of the client server relationship weren't clear to me. Now I want to separate the backend so that is is agnostic of how the data is displayed or entered completely and can run on a separate machine.
Thanks,
Rob
There is a ton on options. I had good expirience with apache CXF rest services (logic encapsulated in java beans, spring configuration) and pico web remoting ( more exotic,
but also rest service and plain java objects providing business logic)
if you ar already using spring, I would recommend to stick with CXF - it integtrates seamlesly ( and is spring configured itself )