acegi ntlm how to? - java

I have an application that uses LDAP with acegi-security-1.0.2.jar. I am able to authenticate the user with Active Directory. I wanted to add an NTLM auto-login feature to my application. May I know what extra Acegi library I need to do this? Is there any example of Acegi + NTLM for this?

Spring Security 2 supports NTLM; if you can't upgrade the library, try Jespa.
Some of the things that you can do with Jespa include:
Implement NTLM Single Sign-On (SSO) for HTTP servers
Check Windows group membership
Enable NTLM authentication with AD using a JAAS LoginModule
Add NTLM to the builtin HTTP stack or another HTTP client
Use NTLM with SASL clients and SASL servers
Add NTLM to the standard JNDI LDAP client
Easily authenticate and encrypt network communication
Create advanced and custom solutions using our intuitive "security provider" API

Here's another open source library, http://spnego.sourceforge.net, that can support Integrated Windows Authentication/SSO (no prompt).
The library is installed as a servlet filter.

Waffle is a drop-in solution that can be used with Spring Security/Acegi to achieve this: https://github.com/dblock/waffle
Drop-in meaning you don't have to do all those things in the above list - but you do have to add an SPN.

Related

How to connect to a REST service that needs Windows client authentication from Java?

I want to access a REST service from Java. The service runs under Windows and probably uses a "default" authentication mechanism. I was told it was Kerberos with a fallback to NTLM. I am able to access the service with a plain HTTPS GET request using Firefox (works with HttpRequester, too) - without specifying any credentials explicitly (obviously my Windows account is used).
How can I access the service from Java? A naive attempt to read using java.net.URL fails with status code 400.
Even the JDK (Oracle's JVM implementation) offers this; you may have a look at https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/lab/part6.html
This provides the high-level steps for the solution. You'll need Active Directory in order to leverage Kerberos with Windows. Then what you will do is use Java Spring Security for Kerberos in order to access the REST service from Java. Below are the more concrete steps.
The Java Spring Security for Kerberos library will do the heavy lifting for you; it provides a class to inject a Kerberos configuration into the HTTP client: org.springframework.security.kerberos.client.KerberosRestTemplate
You define some Kerberos properties within a client configuration .properties file. Here's the most important snippet from the file with respect to Kerberos:
KERBEROS.FLAG=Y
KERBEROS.DEBUG=true
SERVICE_ACCOUNT_PRINCIPAL = HTTP/some.hostname@YOUR.REALM
KEYTAB_LOCATION = file:///C:/path/to/filename.keytab
KDC = server.fqdn.name
KDC_DOMAIN = YOUR.REALM
KRB5 = file:///C:/path/to/krb5.conf
EDIT:
Kerberos keytabs are not required with a Java client on a Windows AD domain-joined machine. Since you want to use the credentials of the person who is running the Java program, you wouldn't use a keytab (since the keytab itself contains only one credential).
Refer to the official Spring Security Website
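As an added example (not code from the answer above or from the Spring project), here is a client built on KerberosRestTemplate that covers both cases the answer describes: the EDIT's case of reusing the logged-on Windows user's ticket with no keytab, and the properties snippet's case of a service account authenticating from a keytab. The service URL, the krb5.conf and keytab paths, the realm and the client principal name are assumptions. The class needs spring-security-kerberos-client and Apache HttpComponents on the classpath.

```java
import org.springframework.security.kerberos.client.KerberosRestTemplate;

/**
 * Added example: calling a Kerberos-protected REST endpoint from Java.
 * Paths, host names and principal names are assumptions, not values from the page.
 */
public class KerberosRestClient {

    // Assumed endpoint. Its host must have an SPN of the form HTTP/service.example.com
    // registered on the service account in Active Directory, or the KDC will not issue a ticket.
    private static final String SERVICE_URL = "https://service.example.com/api/resource";

    /** Point the JDK Kerberos stack at the krb5.conf that names the realm and KDC. */
    private static void configureKrb5() {
        System.setProperty("java.security.krb5.conf", "C:/path/to/krb5.conf"); // assumed path
        System.setProperty("sun.security.krb5.debug", "true");               // verbose while setting up
    }

    /** Case 1 (the EDIT above): reuse the logged-on user's TGT, no keytab involved. */
    public static String fetchAsCurrentUser() {
        configureKrb5();
        // The no-arg constructor logs in through Krb5LoginModule with useTicketCache=true,
        // so it picks up the ticket cache of the account running the JVM.
        KerberosRestTemplate template = new KerberosRestTemplate();
        return template.getForObject(SERVICE_URL, String.class);
    }

    /** Case 2 (the properties snippet): authenticate as a service account from its keytab. */
    public static String fetchAsServiceAccount() {
        configureKrb5();
        KerberosRestTemplate template = new KerberosRestTemplate(
                "C:/path/to/filename.keytab",    // assumed keytab path
                "svc-rest-client@YOUR.REALM");   // assumed client principal; realm is upper case
        return template.getForObject(SERVICE_URL, String.class);
    }

    public static void main(String[] args) {
        System.out.println(fetchAsCurrentUser());
    }
}
```

On Windows the JDK can read the LSA ticket cache only when the registry value HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\AllowTgtSessionKey is set to 1 (Oracle's Kerberos troubleshooting notes document this); if that is not possible, run kinit first or use the keytab variant. Keep the debug property on only while the handshake is being set up, since it logs ticket details.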

How to authenticate a windows user in java web service?

I recently did a quick mock up of a web service using C# on IIS. All users are using Windows so, in the web service, I was able to get the current user via NTLM.
Now I have to migrate this to a Java web service running on Tomcat or WebSphere.
What authentication options are open to me? I see that Apache HttpComponents has an NTLM feature, but I can only find instructions on how to use it on the client side. Can I use it in my web service to determine the current user? (Remember, all users will be Windows users.)
Just to clarify: this is for use in a company intranet and all users will be logged in to Windows. This is why NTLM seems to be the right way to go.
Try WAFFLE, the Windows Authentication Framework.
(http://waffle.codeplex.com/)
It is one of the third-party libraries suggested in the Tomcat documentation. (https://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html)
It comes with zero configuration, and all you have to do is modify your web.xml to use Waffle as in this tutorial (http://code.dblock.org/2010/05/20/single-sign-on-tomcat-negotiate-authenticator-kerberos-ntlm-w-waffle.html)
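As an added example for this answer and for the Waffle suggestion in the first question above (not code from either answer or from the Waffle project), here is the Waffle servlet filter registered programmatically with the same init-params the tutorial puts in web.xml, plus a servlet that reads the Windows identity the filter established. The URL path and the Windows group name are assumptions; the filter class and parameter names are Waffle's own.

```java
import java.io.IOException;
import java.util.EnumSet;

import javax.servlet.DispatcherType;
import javax.servlet.FilterRegistration;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example: wire Waffle's NegotiateSecurityFilter into a Tomcat web app
 * and consume the authenticated Windows identity in a servlet.
 * Group and URL names are assumptions.
 */
@WebListener
public class WaffleBootstrap implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();

        FilterRegistration.Dynamic filter = ctx.addFilter(
                "NegotiateSecurityFilter", "waffle.servlet.NegotiateSecurityFilter");
        // Only the Negotiate provider: Kerberos when the client has a ticket, NTLM as fallback.
        filter.setInitParameter("securityFilterProviders",
                "waffle.servlet.spi.NegotiateSecurityFilterProvider");
        filter.setInitParameter(
                "waffle.servlet.spi.NegotiateSecurityFilterProvider/protocols", "Negotiate NTLM");
        // A Guest logon must never count as an authenticated user.
        filter.setInitParameter("allowGuestLogin", "false");
        // Expose Windows groups as roles by name and SID; principal as DOMAIN\user.
        filter.setInitParameter("roleFormat", "both");
        filter.setInitParameter("principalFormat", "fqn");
        filter.addMappingForUrlPatterns(EnumSet.of(DispatcherType.REQUEST), false, "/*");

        ctx.addServlet("whoami", WhoAmIServlet.class).addMapping("/whoami");
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release here; the filter's own destroy() runs on shutdown
    }

    /** Consumes the identity the filter established. */
    public static class WhoAmIServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            // With the filter mapped to /*, an unauthenticated request never reaches this
            // point, but check anyway in case the mapping is narrowed later.
            if (req.getUserPrincipal() == null) {
                resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            resp.setContentType("text/plain");
            resp.getWriter().println("Authenticated as: " + req.getUserPrincipal().getName());
            // Authorization against a Windows group; EXAMPLE\Finance is an assumed group name.
            resp.getWriter().println("Finance member: " + req.isUserInRole("EXAMPLE\\Finance"));
        }
    }
}
```

Waffle calls the Windows SSPI through JNA, so this only works when Tomcat itself runs on Windows; on WebSphere or a Linux Tomcat the SPNEGO/Kerberos route with a keytab is the alternative. Browsers send the ticket silently only when the site is in the intranet or trusted zone and an SPN of the form HTTP/<hostname> exists for the account Tomcat runs as.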

Kerberos Authentication

Please explain the what, why and how of Kerberos authentication. I am using Spring 3+.
Also please elaborate on how to implement it in my Java Spring project.
There's an official Kerberos extension for Spring Security: http://projects.spring.io/spring-security-kerberos/
The first step is to configure Spring Security for your project. Try that with, for example, a temporary in-memory authentication configuration with some hardcoded users - just to check that the rest of the configuration is OK.
Then proceed with adding a Kerberos authentication provider, configuring SPNEGO, etc. (everything is described in the documentation).
Check out the example (uses Java-based configuration, but it's easy to translate that to XML config): https://github.com/spring-projects/spring-security-kerberos/blob/master/spring-security-kerberos-samples/
And the documentation: http://docs.spring.io/spring-security-kerberos/docs/1.0.0.RC2/reference/htmlsingle/
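As an added example of the steps in this answer (not code from the answer or from the Spring project, though it follows the Java-config shape of the project's own sample), here is a complete SPNEGO configuration: an entry point that challenges with Negotiate, a processing filter that reads the token, a provider that validates the service ticket against a keytab, and a UserDetailsService that turns the Kerberos principal into an application user. The service principal, keytab path and URL patterns are assumptions.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.FileSystemResource;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider;
import org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator;
import org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter;
import org.springframework.security.kerberos.web.authentication.SpnegoEntryPoint;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

/**
 * Added example: browser SSO with SPNEGO/Kerberos using spring-security-kerberos.
 * The service principal and keytab path are assumptions.
 */
@Configuration
@EnableWebSecurity
public class KerberosSsoConfig extends WebSecurityConfigurerAdapter {

    // Assumed SPN: the host name users type into the browser, registered on the service account.
    private static final String SERVICE_PRINCIPAL = "HTTP/app.example.com@EXAMPLE.COM";
    private static final String KEYTAB = "/etc/security/keytabs/app.keytab"; // assumed path

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/public/**").permitAll()
                .anyRequest().authenticated()
                .and()
            // Unauthenticated requests get 401 + "WWW-Authenticate: Negotiate",
            // which makes a domain-joined browser send its Kerberos service ticket.
            .exceptionHandling()
                .authenticationEntryPoint(spnegoEntryPoint())
                .and()
            .addFilterBefore(
                spnegoAuthenticationProcessingFilter(authenticationManagerBean()),
                BasicAuthenticationFilter.class);
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(kerberosServiceAuthenticationProvider());
    }

    @Bean
    public SpnegoEntryPoint spnegoEntryPoint() {
        return new SpnegoEntryPoint();
    }

    @Bean
    public SpnegoAuthenticationProcessingFilter spnegoAuthenticationProcessingFilter(
            AuthenticationManager authenticationManager) {
        // Extracts the "Authorization: Negotiate <token>" header and hands it to the provider.
        SpnegoAuthenticationProcessingFilter filter = new SpnegoAuthenticationProcessingFilter();
        filter.setAuthenticationManager(authenticationManager);
        return filter;
    }

    @Bean
    public KerberosServiceAuthenticationProvider kerberosServiceAuthenticationProvider() {
        KerberosServiceAuthenticationProvider provider = new KerberosServiceAuthenticationProvider();
        provider.setTicketValidator(sunJaasKerberosTicketValidator());
        provider.setUserDetailsService(kerberosUserDetailsService());
        return provider;
    }

    @Bean
    public SunJaasKerberosTicketValidator sunJaasKerberosTicketValidator() {
        // Decrypts the service ticket with the key from the keytab; a wrong SPN or a
        // stale keytab (key version changed in AD) shows up here as a GSSException.
        SunJaasKerberosTicketValidator validator = new SunJaasKerberosTicketValidator();
        validator.setServicePrincipal(SERVICE_PRINCIPAL);
        validator.setKeyTabLocation(new FileSystemResource(KEYTAB));
        validator.setDebug(true); // turn off once the handshake works
        return validator;
    }

    @Bean
    public UserDetailsService kerberosUserDetailsService() {
        // The validated ticket yields "user@EXAMPLE.COM"; map it to application roles here.
        // In production look the user up in AD/LDAP instead of granting a fixed role.
        return username -> new User(username, "N/A",
                AuthorityUtils.createAuthorityList("ROLE_USER"));
    }
}
```

The keytab is the server's long-term key, so it must be readable only by the account running the application; anyone who can copy it can decrypt every service ticket for that SPN and impersonate the service.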
I have tried to explain the what and how part of the Kerberos protocol in my blog at: Kerberos. Please feel free to checkout. A summary of the same is as follows:
Kerberos is a trusted third-party authentication protocol designed for TCP/IP networks and based on symmetric cryptography.
Kerberos provides encrypted transport and authentication using security tokens and secure session keys, in order to secure the communication between the client and the server.
The Kerberos model basically consists of a Kerberos server which authenticates the client and provides security tokens in order to interact with a ticket-granting service, or TGS. The TGS is then responsible for authenticating this client for access to the actual server.
I have tried to describe it in a pictorial and step by step way in my blog.

Is there a good Java open source OpenID Provider for LDAP?

What I am looking for is a Java servlet implementation of an OpenID provider for LDAP ... something I can plug into Tomcat, point at an LDAP directory server, and provide OpenID-style authentication from the user accounts in the directory server.
I have been using OpenID4Java for years and it works fine, but it is just an API, and does not provide the user interface required for a complete OpenID provider.
I want to be able to write a large number of small web-based utilities, and allow people SSO access to all of them using OpenID, but these people already have accounts in the directory server, and I do not want to make them create a new password. They should use the same old password they are used to.
I tried OpenID-LDAP, but it is based on PHP. I am looking for one I can install into Tomcat and manage consistently with other JSP-based applications. I looked at JOIDS, which seems to have the capability to register and manage users, but nothing to link to LDAP. This excellent wiki page lists other options, like Atlassian Crowd, but I need open source.
I am asking at this time to see if I have missed anything. If there is nothing, I will probably write one.
You may try using WSO2 Identity Server, which provides an OpenID provider that can be plugged into LDAP and provides a UI as well.

REST Authentication

I am looking for a Java-based REST server which supports the following authentication mechanisms. Also, please let me know the best resources for REST-based authentication:
Token
Certificate
Kerberos
OAuth
OpenID
I am an architect from WSO2... so my reply could be biased...
You can use the open source WSO2 Application Server to deploy your RESTful services, and WSO2 Identity Server has support for 2-legged OAuth...
Thanks...
Partial answer for method 2) Certificate:
If you're planning on using certificates for authentication, I must assume that the API will be consumed by a limited number of trusted client applications. I've recently developed and deployed a REST API for internal use within an organization, and we use server-client certificates for authentication. This solution delivers a really high level of security but is very impractical to use in an externally exposed API. This post gives some information: Java HTTPS client certificate authentication.
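As an added example for the certificate option (not code from the answer above), here is the client side of mutual TLS in plain JDK APIs: a PKCS12 keystore holding the client certificate and key, a separate truststore holding only the CA that issued the API's server certificate, and an HTTPS GET that presents the client certificate during the handshake. Keystore paths, passwords and the URL are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example: a Java client that authenticates to a REST API with a client
 * certificate (mutual TLS). Keystore paths, passwords and the URL are assumptions.
 */
public class MutualTlsRestClient {

    /**
     * Build an SSLContext that presents our client certificate and trusts only the
     * CA in our own truststore (not the JDK's default cacerts).
     */
    public static SSLContext buildContext(String clientKeystore, char[] clientPassword,
                                          String truststore, char[] trustPassword) throws Exception {
        KeyStore clientKeys = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(clientKeystore)) {
            clientKeys.load(in, clientPassword);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientKeys, clientPassword);

        KeyStore trustedCas = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(truststore)) {
            trustedCas.load(in, trustPassword);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustedCas);

        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Issue a GET; the server sees the client certificate during the TLS handshake. */
    public static int get(String url, SSLContext ctx) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Keep the default HostnameVerifier: an accept-all verifier would let any host
        // holding a certificate from the trusted CA impersonate the API.
        conn.setRequestMethod("GET");
        return conn.getResponseCode();
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = buildContext(
                "/etc/app/client.p12", "client-pass".toCharArray(),    // assumed paths and passwords;
                "/etc/app/truststore.p12", "trust-pass".toCharArray()); // load them from a secret store in practice
        System.out.println("HTTP " + get("https://api.internal.example.com/v1/health", ctx));
    }
}
```

On the server side the container has to request the certificate (in Tomcat, clientAuth="true" on the HTTPS connector), and the application should map the certificate's subject or a pinned fingerprint to an identity, since otherwise any certificate issued by the trusted CA is enough to get in.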
Any Java container should support these with either:
Apache / IIS as a reverse proxy deployed for SSO (Single Sign On)
Authentication plugins
