We are currently implementing a portal to our web based services. The portal and services are written with Seam and we are using OpenLDAP to store the security data such as users, groups and permissions. So far we have looked at writing our own code to access LDAP but are there any existing APIs that we could use?
If you're a Spring user, I'd look into the Spring LDAP modules. They're beautifully done; they follow the idiom laid down by their JDBC implementation. Very clean, very nice.
We did this for our web application a while ago and investigated the following:
http://developers.sun.com/sw/docs/examples/appserver/ldap.html
However, we ended up just using the LDAP support built in to Tomcat, since basic authentication was enough for us.
Here is an example on how we set up out authentication in tomcat:
http://blog.mc-thias.org/?c=1&more=1&pb=1&tb=1&title=tomcat_ldap_authentication
JLDAP
The LDAP Class Libraries for Java (JLDAP) allow you to write applications to access, manage, update, and search for information stored in directories accessible using LDAPv3.
Related
I am working on a java application having Database authentication using spring-security.
It is very usual that, this application is used with other applications on similar domain.
Requirement: The need is that all such partner apps should be able to share common authentication with my application.
Also it is required to continue supporting DB authentication as well.
One way I found is to embed LDAP server like ApacheDS in my application so that other partner apps can use it to get authenticated.
In this case, I need to load ApacheDS with related Database records and keep it in sync programmatically.
But disadvantage on this is to have redundant copy of authentication data - one at DB and another at ApacheDS LDAP.
Question: Is there any way to avoid such duplication. By googling, I found option of having virtual directory server Penrose or Oracle Virtual Directory. But unfortunately they cannot be embedded in application. Is there any way to provide embedded LDAP support on top of existing Database authentication?
Disclaimer: I know very little about Spring Framework and even less of Spring Security
Having said that. I did face a similar situation, in my case, it was Apache DS as my app authentication source and client AD as the other.
My deployment environment was Tomcat and I used Tomcat Combined realm, which nests more than one realm for authentication. My app realm was configured to be one and client's AD was configured to be another.
Users could authenticate from any one of the realm, it worked. However, I did have to replicate client's AD users every night (including AD tombstones to mark them inactive), for authentication is one thing but other client information was also required, e.g. email, roles etc. and inclusion of new users.
I am kind of sure that Spring Security will also have the concept of Combined Realm.
I understand that this answer is not really an answer and more of design approach and many years too late at that; however, I wished to share my experience.
I am using Websphere Application Server, that has administrative and application security enabled, which uses LDAP to interface an Active Directory for authentication.
The web application that is deployed to the server is required to be able to retrieve information from this AD, as well as modify information in this AD (such as adding a new user to the AD). I could use JNDI to achieve this, however I need the application to use the settings configured in Websphere to do the connection so that I don't have to maintain multiple sets of LDAP information (one in the application and one in Websphere).
I have searched around but couldn't find anything concrete. The closest I saw was I can configure it as a federated user repository instead of standalone LDAP registry, after which I can retrieve some attribute values, but it does not explain if I am able to modify them.
Any help would be appreciated. Thanks!
If you will use federated repository, then you can use VMM API. It is quite complex comparing to JNDI or ldap related libraries, but should provide you with features you need.
Start by looking at this page - Developing with virtual member manager - and subpages, you will find some code examples there also.
Was just wondering at the current point in time, what is a good combination of tools/frameworks/libraries for implementing a REST API on top of J2EE that integrates to a backend RDB and using OpenID for authentication.
What I am looking to implement is a server component that provides a set of services, all of which will utilise OpenID authentication, and the services will retrieve or update information to/from a backend relational database environment.
What I'm interested in are:
* application server options available (e.g. Tomcat, Glassfish etc.)
* IDE's (e.g. Eclipse, Netbeans, IntelliJ etc.)
* additional components useful for implementing REST (and JSON payloads)
* what is best practice/good technique/options available for database integration from the services (hibernate via spring, hibernate directly, raw jdbc connections ... )
* for integrating authentication via OpenID - what is an appropriate integration point for any custom authentication mechanism within the J2EE environment - are there any commonly used solutions/plug-ins available for OpenId etc.
Also any pointers to good, current tutorials, books etc.
Edit:
Unfortunately I haven't had as much time to research the results to this question as I'd have liked.
At this stage I've found that installing/setting up REST with Jersey was very quick and I believe I can use a ContainerRequestFilter to provide the OpenID support as per the article here: http://plaincode.blogspot.com/2011/07/openid-authentication-example-in-jersey.html
I intend on using OpenId4Java for the OpenId support, with the PAPE extensions to get users email address returned. I don't need OAuth as I don't need to access any of the users other OpenID details or info on their OpenID site from my server app.
I've had a look at the latest Spring, it looks very good and if I were needing to build a web client with my solution, or had more time to look at both, I could easily have ended up leaning that way.
Thanks for the good answers and replies, hard to pick a single correct answer. I've accepted yves answer because it is correct and the way I'm going at the moment with minimal time to research properly, but awarded the bounty to cfontes answer, as it is also correct, and he's replied with additional information and justification.
Make it simple and modern (Spring is neither one nor the other for RESTful web-services):
Jersey – the JAX-RS reference – defines resources and supports OAuth; its code is compact, easy to use & to plug to libraries (backends, etc...).
Take a look at this project on GitHub, it produces JSON from static data. Its web.xml and ProductResource are good places to start.
Every server will do the job, Jetty is my favorite, Tomcat, the standard
The choice of an IDE is up to you, the 3 you're giving are great, well integrated with Maven and source control tools. I use Eclipse from habit
I would go for
Spring 3: this can be useful to wire things up with Dependency
injection and other things.
Spring MVC: Restful support and Request mapping, a request based
framework that integrates very well with Spring
Apache Tiles: to make the HTML templates easier to make.
Spring Security: it's a JAAS implementation and for me it's better and
easier than Standard JAAS.( doesn't need a full web server, tomcat will do fine)
This can help you decide which Persistence provider you want : Persistence Provider comparison I would go for Hibernate, because it have a lot of great features like Criteria API, hibernate Search and it's widely used.
Of course your app should be using JPA 2 for the sake of interchangeability instead of using a Persistence provider directly ( it's not easy to chance from one to another but with JPA2 it's possible, also should be giving you a lot of trouble but it's possible)
I would go with NetBeans 7.0.1 and GlassFish as explained here
From the linked tutorial:
The IDE supports rapid development of RESTful web services using JSR 311 - Java API for RESTful Web Services (JAX-RS) and Jersey, the reference implementation for JAX-RS.
For authentication, I would use the GlassFish JDBC Realm (have a look at this tutorial) but I have never worked with OpenID, so I don't know if this approach can be used together with OpenID.
I want to protect my JSF pages in a Java EE 6 app.
I want to store users and roles in the DB and have privileged users administer them via a web tool. The privileged users would add users to roles and set certain pages to require certain roles for access.
It seems to me that container managed security won't let me do that. Would JAAS be the way forward?
Any suggestions and links to examples would be appreciated.
The short answer is yes. JAAS will allow you manage security against a database use a LoginModule(many container implementations JBoss offer these pre-canned out of the box) and you can check out this article(http://weblogs.java.net/blog/2006/03/07/repost-using-jaas-jsf) or this book(http://www.java.net/external?url=http://purl.oclc.org/NET/jsfbook/) for more specifics how to authenticate Users and determine authorization parameters with JAAS and JSF.
For your second requirement, I can't see any reason why you can then create a separate tool that has access to those tables to modify credential information. Though this seems like a problem that has already been solved by using an LDAP provider with any one of a number of free and open source web interfaces.
Another nifty feature because of the clear separation of concerns is that you can later easily migrate to LDAP or third party services with little effort.
I recommend that you take a look at Spring Security.
Spring Security is a powerful and highly customizable authentication and access-control framework.
Here is an article that explains using Spring Security with JSF.
I come from an ASP.NET background. In ASP.NET, there is built-in support for users and roles. My question is, does JSP have anything similar or is everything built from scratch? I have not been able to find a good resource to answer this application structure type of question.
The Servlet API supports user/role based authentication and security. Tomcat (among others) includes built in support for authenticating using a variety of sources: xml file, database, LDAP, etc.
You could also consider using Spring MVC as a fairly lightweight web framework over JSP. Spring has a very capable authentication & authorization model (right down to method level on objects) using Spring Security (was Acegi) interceptors which can use the sorts of sources that Asaph talks about. You don't need to use Spring MVC in order to use Spring Security if you don't want to.
If you're going to be running your JSPs in a full J2EE server like JBoss, WebLogic or WebSphere there are a whole load of security options that come with such containers incl. integration with AD users and groups.