I'm trying to setup a guacamole instance to manage my servers accounts. It's working well when I'm using my MySQL database to manage connection user ID and user password.
But I would like to get my password from my keepass like container through REST API, the idea is to store my password in one and secure location !
I have several ideas to do it, but to be honnest this is not very "beautiful"
Hack the JDBC extension to replace my password when guacamole try to access it. So I store in my password field something like "MY_KEEPASS:password_id" and I will do a request to my API, get the value and replace MY_KEEPASS:password_id by the password
Use the token extension to execute my api call when password will find the token ${PASS}. But I'm not sure this is possible without hack the token extension...
Do someone have a better idea to do that ?
Thanks
You can create an authentication extension for Guacamole, this is a regular way to provide more authentication mechanism to the Guacamole. The extension is essentially a .jar that can be registered to the Guacamole as an authenticator.
In your case, it would be probably sufficient to extend some of the JDBC authentication plugins and add your specific auth method.
You can find some documentation about this on the Guacamole site: http://guacamole.apache.org/doc/gug/custom-auth.html. There are also examples in the examples directory of the guacamole-client.
Related
I have been trying to use the java jdk to Couchbase. sdk v 3.2.3
However I find it strange that the examples provided never supply any password while connecting. Also I created a read-only user, and I see that the there is nowhere to provide the user-name while opening a bucket from a cluster, you only provide the password. I tried using the password for the admin and for the read-only user that I created. But it would fail with couchbase.client.java.error.InvalidPasswordException: Passwords for bucket "myBucket" do not match. It is the same password that I use when I login to the admin console, yet this password doesnot work. Only the empty password works.
I am confused and don't get the hang of it?
Anybody knows about this?
My aim was to create a read-only user and use this user credentials to only read data from couchbase for a specific module which is only supposed to read data.
At this moment, there is no read only data access to a bucket in Couchbase. Stay tuned as there will be lots of security changes in the coming versions of Couchbase.
I need to develop a web application for the Intranet users. I don't want them to enter the login credentials each time they visit the site. It should be automatically loaded from the System Username and Password.
I have successfully implemented functionality which prompt user name and password registered with active directory and validate against LDAP. I need some tips to login directly from intranet website without prompt username & password.
Here is my queries, please let me know your suggestion.
Is it compulsory to set SPN?
Do we need to create separate keytab file for each client? In my organization, there is around 800 people are working so should I need to add all client principal in keytab file & copy to client machine to perform autologin.
I have tried many API's like JESSO, Waffle, Spring Kerberos, SPNGO but failed to implement auto login.
If you want to use Kerberos/SPNEGO (which would be my recommendation) you do have to set up SPN. And you only need one keytab for AD domain. Are you running your Java program on some app server, like Weblogic, or as a standalone program? Servers do have security framework that you could use, while for standalone program you'd have to do a bunch of stuff manually.
I've found that the easiest way to do this is to use Atlassian's Crowd (https://www.atlassian.com/software/crowd/overview) instead of implementing it yourself. It's a commercial product, but last time I checked, it was dirt cheap, and it just works.
I have to create a java application wich makes a connection to a DB.
Everything is easy until this point. But I need to include a configuration option with the porpouse of allow the end user enter their own parameters (server host, user, pass, database, port, etc.) in order to connect to the DB. Another easy task. Now every time the user starts the application I need to read these presets given by the end user, in other way remember the user's connection preferences.
I found an easy way to do this using the Properties library in the Java's API. But I have a security issue. The user's preferences are exposed to be access easily (username and password mainly).
Is there a way to save this parameters encrypted?
I need a good and simpliest solution for this security issue.
I doubt it. In FileZilla Client 3.6.0.2, I found my login data easily without encrypted. If it was possible to save this parameters encrypted, FileZilla would do it.
Problem Description
I am writing application which must connect to the server and download some data from the server. The URL of the file witch must be downloaded is formatted as follow:
http://www.myserver.com/file.xml?username=xxx&password=xxx
Question
URL and password are not provided by the user, I simply keep them in the code and add to the URL where I need. My question is how can I keep securely password and username on the Android device.
I would advise against keeping any kind of credential (username) and authenticator (password) stored on your device, as well as transmitting them around; this is often considered a security flaw, since middle-man attacks can intercept the HTTP traffic and easily identify both.
I would recommend instead the creation a token engine that would associate temporary identifiers to users and devices. For example:
User ID 100 receives a temporary token, code A1S2D3F4 (randomly generated.)
The code is associated with the device ID AND200.
Whenever device AND200 tries to access the server, it would generate the following URL:
http://www.myserver.com/file.xml?t=A1S2D3F4
Notice that there is no content identifying the user, nor its credentials or passwords. You may check if the device generating the URL is the one the token was originally associated with. Adittional controls may be implemented to detect tokens being used out of their lifespan, and help identify malicious users.
In Android you can use Md5 encoding method for password encoding and if you need to save those user details then it store in the shared preference
Did you see if you can use Google OAuth2: http://developer.android.com/training/id-auth/authenticate.html
If not, do not send user name and password in the URL but in a HTTPS POST and the correct way is using SOAP web services.
Just as a hint there is a good talk on google io conference about security of android apps.
Link
They don't cover secure server communication explicitly but give some hints about it and provide an encryption library to simplify any encryption tasks.
A user is accessing a restricted web application with JAAS (on Glassfish 2.1). LDAPRealm is used, and authentication is successfully performed from LDAP. A password policy should be installed for the users, so that they are forced to change passwords, have passwords of certain complexity/length, password failures and last N passwords should be checked. Password policy of LDAP server used (OpenDS) supports all this, but it is not obvious at all how to receive this kind of information in JAAS FORM login we are using, so that the information (i.e. "Please change you password") can be displayed to the user.
Do you have any ideas how to go about implementing this? Using database only is not an option, users need to be in LDAP. What is not obvious is whether to use LDAP password policies at all, or have it all programmed in our web application. I would like to avoid this and use LDAP's native password policies.
Thank you for answers and best regards,
Bozo
Unfortunately, what you can do using JAAS is kind of constrained to a small set of operations that any login system can support. While LDAP supports a password policy, other login systems (eg keystores) may not, so JAAS cannot have code that requires this.
Hence, you'll have to talk to the LDAP server directly using either JNDI or possibly this library from Novell.
Got it. Have to use a SAM, since you cannot receive LoginException (with reason of login failure) in the existing auth mechanisms in Glassfish.
Answer is here: How to override j_security_check in glassfish?