I come from an ASP.NET background. In ASP.NET, there is built-in support for users and roles. My question is, does JSP have anything similar or is everything built from scratch? I have not been able to find a good resource to answer this application structure type of question.
The Servlet API supports user/role based authentication and security. Tomcat (among others) includes built in support for authenticating using a variety of sources: xml file, database, LDAP, etc.
You could also consider using Spring MVC as a fairly lightweight web framework over JSP. Spring has a very capable authentication & authorization model (right down to method level on objects) using Spring Security (was Acegi) interceptors which can use the sorts of sources that Asaph talks about. You don't need to use Spring MVC in order to use Spring Security if you don't want to.
If you're going to be running your JSPs in a full J2EE server like JBoss, WebLogic or WebSphere there are a whole load of security options that come with such containers incl. integration with AD users and groups.
Related
Our team has a REST server and a web application developed using Jersey. Currently we support only authentication in our application using OpenID [1]. We're planning to introduce authorization. In my research I found that role based authorization is one way we can implement this. This approach is to have our own tables like user, privileges and user_privileges and we assign users the required privileges (one to many mapping).
I have the following questions:
Since we have a web application and a REST server. Should the authorization be implemented “inside” the REST server, or in the Web Application Server.
Would like to understand the benefit of using Java's security frameworks like JAAS, Apache Shiro, OACC, Java security annotations [2] (#RolesAllowed) apart from code reuse ability, easy implementation.
Would also like to receive recommendations on which framework to choose from the above mentioned (JAAS, Apache Shiro, OACC, Java security annotations) if suggested.
Thank you.
[1] https://en.wikipedia.org/wiki/OpenID
[2] https://docs.oracle.com/javaee/7/tutorial/security-javaee002.htm
As to your question: "Should the authorization be implemented “inside” the REST server, or in the Web Application Server": My recommendation is to implement it in neither! Instead, implement security inside the services that are called by your REST layer. In other words security is implemented in the very heart of your services, and is enforced regardless of how the service is called.
As for the security frameworks you mentioned, I am biased/partial to OACC. OACC provides a fully implemented API, uses an innovative design to seamlessly integrate with your application, supports a number of database back-ends to persist the security data, and is extensively tested with 1000+ integration tests.
This is a good article that discusses the OACC security model: https://dzone.com/articles/a-different-kind-of-java-security-framework
(Disclosure: I am the creator/chief architect of the OACC framework)
Given these techonologies: Java, JAX-RS (either RESTEasy og Jersey), Javascript and jQuery. The servlet server is either Tomcat or Jetty. The GUI will be made as an "application" using jQuery and Javascript. MVC or MVP patterns will be used to separate view from model. The plan is to load the application after login. I need some recommendation on how to make a secure login and manage access (roles). So far I know about SSL, encryption, Security Annotations (to guard methods) - but still, I need some overview and tips. So far my plan is to start reading the Java SE documentation at:
http://www.oracle.com/technetwork/java/javase/tech/index-jsp-136007.html#overview
Some input would be appreciated.
Apache Shiro for JAAS - http://shiro.apache.org/
I'd recommend taking a look at the Spring Security library. It is highly customizable, documented well, and often used and discussed on the web. You may have heard of it before under its old name, Acegi.
Was just wondering at the current point in time, what is a good combination of tools/frameworks/libraries for implementing a REST API on top of J2EE that integrates to a backend RDB and using OpenID for authentication.
What I am looking to implement is a server component that provides a set of services, all of which will utilise OpenID authentication, and the services will retrieve or update information to/from a backend relational database environment.
What I'm interested in are:
* application server options available (e.g. Tomcat, Glassfish etc.)
* IDE's (e.g. Eclipse, Netbeans, IntelliJ etc.)
* additional components useful for implementing REST (and JSON payloads)
* what is best practice/good technique/options available for database integration from the services (hibernate via spring, hibernate directly, raw jdbc connections ... )
* for integrating authentication via OpenID - what is an appropriate integration point for any custom authentication mechanism within the J2EE environment - are there any commonly used solutions/plug-ins available for OpenId etc.
Also any pointers to good, current tutorials, books etc.
Edit:
Unfortunately I haven't had as much time to research the results to this question as I'd have liked.
At this stage I've found that installing/setting up REST with Jersey was very quick and I believe I can use a ContainerRequestFilter to provide the OpenID support as per the article here: http://plaincode.blogspot.com/2011/07/openid-authentication-example-in-jersey.html
I intend on using OpenId4Java for the OpenId support, with the PAPE extensions to get users email address returned. I don't need OAuth as I don't need to access any of the users other OpenID details or info on their OpenID site from my server app.
I've had a look at the latest Spring, it looks very good and if I were needing to build a web client with my solution, or had more time to look at both, I could easily have ended up leaning that way.
Thanks for the good answers and replies, hard to pick a single correct answer. I've accepted yves answer because it is correct and the way I'm going at the moment with minimal time to research properly, but awarded the bounty to cfontes answer, as it is also correct, and he's replied with additional information and justification.
Make it simple and modern (Spring is neither one nor the other for RESTful web-services):
Jersey – the JAX-RS reference – defines resources and supports OAuth; its code is compact, easy to use & to plug to libraries (backends, etc...).
Take a look at this project on GitHub, it produces JSON from static data. Its web.xml and ProductResource are good places to start.
Every server will do the job, Jetty is my favorite, Tomcat, the standard
The choice of an IDE is up to you, the 3 you're giving are great, well integrated with Maven and source control tools. I use Eclipse from habit
I would go for
Spring 3: this can be useful to wire things up with Dependency
injection and other things.
Spring MVC: Restful support and Request mapping, a request based
framework that integrates very well with Spring
Apache Tiles: to make the HTML templates easier to make.
Spring Security: it's a JAAS implementation and for me it's better and
easier than Standard JAAS.( doesn't need a full web server, tomcat will do fine)
This can help you decide which Persistence provider you want : Persistence Provider comparison I would go for Hibernate, because it have a lot of great features like Criteria API, hibernate Search and it's widely used.
Of course your app should be using JPA 2 for the sake of interchangeability instead of using a Persistence provider directly ( it's not easy to chance from one to another but with JPA2 it's possible, also should be giving you a lot of trouble but it's possible)
I would go with NetBeans 7.0.1 and GlassFish as explained here
From the linked tutorial:
The IDE supports rapid development of RESTful web services using JSR 311 - Java API for RESTful Web Services (JAX-RS) and Jersey, the reference implementation for JAX-RS.
For authentication, I would use the GlassFish JDBC Realm (have a look at this tutorial) but I have never worked with OpenID, so I don't know if this approach can be used together with OpenID.
Preferably something that integrates well with a Flex front end. Yes the Spring Security guys say this is possible, but all examples seem to use legacy jsp tag libraries making them half useless as examples. I don't want to spend a month setting up and learning how to use a security tool. I would like a tool which supports using annotations (#RolesAllowed etc), MINIMAL XML, and 'remember-me' features (not cookie based).
Apache Shiro seems to support Flex/Silverlight/Swing as well but I'd like to know if there are any other alternatives that are NOT container specific.
Turns out Apache Shiro is actually a simpler and easier to learn solution than Spring security. And no stupid xml configuration is nice.
Spring Security is by far the best tool out there.
BlazeDS is no magic. It is ultimately just a call to the server over HTTP. The Blaze application is just a war file, and has traditional urls. So, to protect the services, you have to protect the urls in your web.xml / spring configuration files.
Essentially, read the documentation of Spring Security/JAAS, and substitute the jsps with the urls of your blaze services.
Spring Security also has support for Roles and authorization. It also has a remember-me functionality, but that absolutely uses cookies. You cannot have a remember-me functionality without cookies.
Regarding authentication, it is possible to pass the authentication token as a request parameter instead of a cookie. But cookies are recommended, and are a lot easier to get right.
And finally, security is pointless without using https. You absolutely must use https throughout your application if you care about security.
I don't see why Flex should authenticate anything, after all that is the client side. Whats stopping someone from decompiling your flash/flex?
For most people Apache Shiro is overkill and they just roll their own. Which isn't the best idea to be honest. I have seen a lot of horrible authentication systems over the years. Cookies are meant to keep track of the session for the client, why use anything else?
Edit:
Use spring secuirty for authentication.
We are currently implementing a portal to our web based services. The portal and services are written with Seam and we are using OpenLDAP to store the security data such as users, groups and permissions. So far we have looked at writing our own code to access LDAP but are there any existing APIs that we could use?
If you're a Spring user, I'd look into the Spring LDAP modules. They're beautifully done; they follow the idiom laid down by their JDBC implementation. Very clean, very nice.
We did this for our web application a while ago and investigated the following:
http://developers.sun.com/sw/docs/examples/appserver/ldap.html
However, we ended up just using the LDAP support built in to Tomcat, since basic authentication was enough for us.
Here is an example on how we set up out authentication in tomcat:
http://blog.mc-thias.org/?c=1&more=1&pb=1&tb=1&title=tomcat_ldap_authentication
JLDAP
The LDAP Class Libraries for Java (JLDAP) allow you to write applications to access, manage, update, and search for information stored in directories accessible using LDAPv3.