Let's suppose that I have authentication infrastructure that provides multi-factor authentication. I want to create a service which will authenticate users for some clients. Clients have different web servers like Apache, JBoss, Tomcat, WebLogic, IIS 7.0, and some others.
I need to insert an existing Java front-end into my infrastructure, based on some authentication protocol, to interact with my clients' servers. The requirements are: existing solutions for clients' servers that will need minimal changes and settings on the client side.
Upd1: Interaction between the front-end and clients' servers should be secure, based on a shared secret.
Upd2: The client's user shouldn't know anything about my service.
Please ask for more details...
Sounds like you do indeed need a SAML IdP which enforces multi-factor authentication. SAML is supported across platforms (Java, Spring Security, PHP and .NET come to mind). If you're looking for a hosted solution, check out our Cloudseal platform. If you want an open source solution you may want to look at CAS, although you will have to code your own integration with a multi-factor authentication system.
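The question's Upd1 asks for the hand-off between the authenticating front-end and each client's web server to rest on a shared secret. The following is an added example (not code from the thread, nor from CAS or Cloudseal) of the minimum such a hand-off needs: the front-end mints a short-lived token after MFA succeeds, signs it with a per-client HMAC key, and the client server verifies the signature in constant time, checks that the token was issued for it (audience), rejects expired tokens, and refuses replays by remembering nonces until they expire. The client identifiers, secrets and the token layout are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Constructed per-client secrets: each client server gets its own key out of band,
# so a key leaked from one client cannot be used to forge logins at another.
CLIENT_SECRETS = {
    "client-apache-01": b"constructed-secret-for-client-01",
    "client-iis-02": b"constructed-secret-for-client-02",
}

# The token is a one-shot hand-off, not a session, so its lifetime stays short.
TOKEN_TTL_SECONDS = 60


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(secret: bytes, payload: dict) -> str:
    """Encode the payload and append an HMAC-SHA256 over the encoded form."""
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def issue_token(client_id: str, user: str, now: Optional[float] = None) -> str:
    """Front-end side: after MFA succeeds, mint a signed hand-off token for one client."""
    now = time.time() if now is None else now
    payload = {
        "sub": user,
        "aud": client_id,                 # binds the token to the one client that may accept it
        "iat": int(now),
        "exp": int(now) + TOKEN_TTL_SECONDS,
        "nonce": secrets.token_hex(16),   # lets the receiver detect a replayed token
    }
    return _sign(CLIENT_SECRETS[client_id], payload)


class ClientVerifier:
    """Client-server side: accepts tokens from the front-end using the shared secret."""

    def __init__(self, client_id: str, secret: bytes):
        self.client_id = client_id
        self.secret = secret
        self.seen_nonces: dict = {}  # nonce -> exp; pruned once the token would be expired anyway

    def verify(self, token: str, now: Optional[float] = None) -> Tuple[bool, str]:
        """Return (True, username) on success or (False, reason) on rejection."""
        now = time.time() if now is None else now
        self.seen_nonces = {n: e for n, e in self.seen_nonces.items() if e > now}

        try:
            body, sig_b64 = token.split(".")
            sig = _unb64(sig_b64)
        except ValueError:
            return False, "malformed"

        # Authenticate the bytes before interpreting them, and compare in constant time.
        expected = hmac.new(self.secret, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return False, "bad signature"

        try:
            payload = json.loads(_unb64(body))
        except ValueError:
            return False, "malformed"
        if payload.get("aud") != self.client_id:
            return False, "wrong audience"
        if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
            return False, "expired"
        nonce = payload.get("nonce")
        if not isinstance(nonce, str) or nonce in self.seen_nonces:
            return False, "replay"
        self.seen_nonces[nonce] = payload["exp"]
        return True, str(payload.get("sub", ""))


if __name__ == "__main__":
    verifier = ClientVerifier("client-apache-01", CLIENT_SECRETS["client-apache-01"])
    token = issue_token("client-apache-01", "alice")
    print(verifier.verify(token))   # accepted once
    print(verifier.verify(token))   # same token again is a replay
```

The audience check matters even though each client has its own key: it is what stops a client whose key is reused by mistake from accepting tokens minted for a different client. Because the verifier is a plain class with no framework dependency, the same logic drops into a servlet filter, an IIS module or a reverse-proxy hook on each client platform, which is the "minimal changes at the client side" the question asks for.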
Using the webapp, which uses corda-webserver, how do I implement an authentication mechanism for the RPC users?
The RPC users are mentioned in the configuration file.
And perform role-based actions (only accessible flows).
I could only find details about authenticating RPC users through ClientRPCOps, but couldn't find anything about web-based authentication.
Web authentication is not directly related to Corda. Connecting to a node via RPC requires authentication. Anything past that is not Corda's problem.
If you want to set up web authentication, then you should look into how frameworks like Spring or Ktor handle these scenarios. Corda is not web-based by default and requires integration into a "web server" application to be web-enabled.
I am wondering if there is a solution to my problem. As a summary, I need a non-intrusive web response cache for users that authenticate via a client certificate and are authorised to see URLs based on that.
I have a JEE application and I would like to cache responses to web requests. I am trying to do it as transparently as possible (i.e. without messing with the code), so I found Squid.
My problem is that users might authenticate themselves via a client certificate (or the absence of it), getting authorisation based on this, and this is what makes things "difficult". Is there a way to configure Squid, or any other software, to cache the results after the communication has been established by Tomcat? Something like a cache that is triggered by my application right after the TLS handshake is over and Shiro has been called (because user permissions depend on their certificate). The fact that users have to be authorised by my app makes me think that the only way is to create Java code for this, not using Squid or similar software transparently.
I am sure this is a problem that has happened before.
We are developing a Java-based product. We need to make the authentication part fit the major authentication services, like LDAP, OpenID, OAuth2, SAML. The idea is, when we deploy the product for a company that has LDAP, our product should be able to cater to it. If the company has OAuth2, then our product should be able to cater to that as well.
I want to know what the better approaches and tools are. I'm looking for an open source solution which supports all these protocols in one place. Please share the knowledge.
I'd suggest Spring Security. It is completely independent of the Spring Core framework, and with some simple configuration and some additional libraries (also developed by the same team), you can get a simple solution for most of the popular authentication methods.
With a couple of annotations, you can configure which methods or endpoints you want secured.
You can create Spring profiles, which decide which authentication method is to be used.
A simple approach is to use an IAM (identity and access management) solution. Keycloak is a good open source one (and is written in Java, but you shouldn't mind).
By the way, your question is off-topic (recommending software or tools). Post it here
You need to separate out Identity repositories and Identity protocols.
LDAP and AD are repositories.
OpenID, OAuth2, SAML are protocols.
You need an IAM system that handles all the protocols and sits on top of the repositories.
For your product to talk to your IAM, you need a protocol stack in your product e.g. for SAML.
You then federate your IAM with other vendors e.g. if a vendor comes along and wants to authenticate with their AD, they would install ADFS and then ADFS federates with your IAM system.
So the logical flow goes:
User --> authenticate on their IAM --> trusted by your IAM --> access to your application granted.
You could also look at Identity as a Service e.g. Azure AD, Auth0, Okta etc.
We have a Java web application (using Struts and Hibernate) and want the users to automatically log into their Google Apps domain accounts.
We have set up the Google Apps for Education domain accounts and created the users in it, and we have the same users in our Java web application also.
The requirement is that when the users log into our application portal, there is a link to go to Google Apps; once they click on this link, it should log them in without asking for a password.
We are using Tomcat 7 as our server for the web application. Which SSO tool should we use for doing this? Oracle's SSO is paid, Shibboleth doesn't work with Tomcat 7.
Any help highly appreciated. Is SSO the only option, or is there another way to do this?
Thanks
Any SSO solution that supports the SAML2 protocol should work. Apart from the expensive solutions that Oracle, IBM, CA and others provide, you can find the following solutions that definitely work well with Tomcat 7 and are open source:
Apereo (ex-Jasig) CAS: Used quite a lot in the education community. Simple to set up, but specific configurations (like an advanced authentication module) might require some programming effort. It supports Google Apps authentication, but no other SAML2 service. If you really want to only log in to Google Apps, that's a great and simple solution.
ForgeRock OpenAM: Formerly Sun OpenSSO, this is used in education and industry. Many more features, supports most of the SAML2 service providers out there including Google Apps, but more complex.
Note that if you already have a portal solution, you should check whether that portal already supports SAML2 federation and could act as the SSO server.
Note also that you will need to link the portal authentication and the SSO server authentication, to make sure that your users do not authenticate twice. This can be done in two ways:
Tell the SSO server to delegate the authentication to your portal solution. This might require some light custom coding depending on your portal.
The opposite: tell the portal to use the SSO as an authentication solution. Most portals support some kind of authentication delegation, so it should only be configuration?
Lastly, if your authentication is set up on Tomcat itself (that is, if your portal already delegates the authentication to the Tomcat container), then you can do the same for the SSO server.
Found this article on Java-based SSO systems and was wondering if it is in any way at all applicable to secure web services.
With secure web services, you need:
A secure transport
Authentication
Digital signatures
Encrypted payloads
Usually this can be accomplished with some OASIS-compliant security framework (CXF, WSS4J, XWSS, etc.) over SSL for the transport.
I'm not familiar at all with Kerberos, JAAS or GSS, but it seems to me that if they can be used to keep secure connections between a client and multiple Java EE apps, why couldn't they be used in tandem with one of those frameworks (like WSS4J) to provide WSS?
Instead of SSL, I could use Kerberos, then let WSS4J handle all the WS-specific stuff.
This way, I could make reusable Kerberos components that could be used both in SSO and for transport layer security in web services.
Am I completely off my rocker here?
Eugie,
The requirements stated are typical. But the details vary to a large degree.
Hence it is not practical to conclude on a single approach or solution.
The requirements need to be further broken down and analysed separately.
For example: SSO broadly has two requirements: a) Authentication, b) Authorization.
You could use a single solution for both or multiple solutions for each. An elaborate system could be using multiple authentications at the same time, like form-based, certificate-based, token-based, remote-auth.
In the case of authorization we could have a centralized solution using LDAP/Active Directory/Domino
or a decentralized one with all of the above co-ordinating.
Each of these solutions has limitations; for example, Kerberos is not effective against password guessing attacks.
The choice of security solutions depends on many parameters like
perceived threat, cost, performance etc.
The WS-Security project tries to address many such architectural concerns.
To answer your question -- No, you cannot use Kerberos for both SSO and transport layer encryption.
--Kiran.Kumar