I'm currently looking into securing jax-rs web services.
The following URL is very interesting: https://docs.oracle.com/cd/E24329_01/web.1211/e24983/secure.htm#RESTF256.
I am especially looking at the annotations-based security of web services. Defining per method the roles that are allowed looks very straightforward.
I have however 4 questions related to this topic:
defining and mapping roles
I'm wondering: where does one define the roles of users and how does one make the mapping of users to roles when using annotation-based security?
If someone could point me to an example with code, that would be great, I'm not having a lot of luck finding one.
Libraries/frameworks
Are there any libraries/frameworks that you know of that could be used for securing jax-rs services? I don't have the impression e.g. that Apache Shiro is really suited for web services? I would prefer not using Spring security, it's a bit too heavy for what I'm doing.
Database design
Also, for an authentication/authorization scheme using RBAC, with users having roles and roles having assigned permissions, how do you design this on a database level?
Permissions
When looking at the RBAC principle, you have permissions assigned to roles. However, using annotation based security, you only define "access" to methods on a role level. How do you check if a user has permissions? Or do you just use roles and ignore permissions altogether when using an RBAC principle?
Thanks for any input you can provide!
UPDATE1: Am I correct in assuming that, if you define your users and what roles they have yourself in a database instead of e.g. in web.xml, that it is probably easier/better to use SecurityContext for checking if users are in roles, instead of web.xml or annotations?
This would allow you to use your own securitycontext object which can make calls to a database for validating role membership?
Related
In this picture I have tree structure and I want to give permission to any role above nodes.
Who can give me tips about this?
I believe what you are searching is "authorization" instead of "authentication". If you are using Spring, Spring Security is here to help you with your security needs. You can have roles and authorities to help you define what the user can access or do.
Using spring security, you can secure the endpoints using annotations like
#PreAuthorize(“hasAuthority('READ_AUTHORITY')")
or
#PreAuthorize(“hasRole('ADMIN')")
We are maintaining two versions of our application from security perspective
1. SAML based spring security
2. Spring and JDBC based application security.
As some of our customers already have SAML IDP (like ADFS and GLUU) which they want us to integrate for SSO and some customer doesn't have SAML IDP.
Is there a way that both configurations can coexist and based on the customer using the application, security is imposed on the user.
For ex: if the request is coming for customer a.myserverhost.com SAML based security configurations are imposed. and if the request is form b.myserverhost.com the other webSeciurityConfig is imposed
Yes, all of this is possible. What I would suggest is implementing your own AuthenticationManager which manages multiple AuthenticationProviders (e.g. SAML, JDBC).
That's where you can insert your conditional logic for choosing the correct provider based on certain criteria.
For inspiration, look at the default implementation ProviderManager.
Out of the box the ProviderManager will iterate over all of your AuthenticationProviders and attempt to authenticate the User. If it doesn't find the User it moves on to the next one. If that's all you need then you don't need any custom implementations.
I am creating a web application using Servlets and JPA. I have a user table that stores usernames,passwords and roles. I would like to create Login and user registration functionality for these users so that some of my content is accessible to certain users.
As I ready through the Servlet specification and also Tomcat, which is the container I use, I have come across two ways of defining users and roles of the system.
The Tomcat specification suggests I can use Realms to tie into another database so that I can choose to use SSO if I wish.
Servlets have their own way of defining users and roles using the web.xml, such as basic authentication for example, so does the Servlet container, using Realms.
But to create users and roles in the Servlet and the Container seems to be something that the system administrator would do. What I am looking for is a self-registration.
This question above highlights my confusion with these approaches, I don’t know if the way I want to proceed is correct or secure?
Can someone explain the differences between these methods of authentication?
Why choose one over the other?
Is my plan to use the self registration a bad idea or insecure for J2E Model?
If you store your user ids and passwords and roles in your database and validate user input against that, you are on your own thereafter. What that means is that later when you may want to restrict access to a particular content for a specific set of user roles, you will have to look up the role stored in your db table against the user and write code that allows/restrict the user.
However if you 'push' the user to the underlying container, then the container can do most of the stuff the application's behalf (that is where the stuff about realms and roles etc come in). A good starting point to understand this is to read a tutorial on JAAS
I think you are confused between users and roles. In your web.xml you have to associate roles to resources, for example "all the requests to /admin should have role Administrator", and then, you create users under your administration tool and asign to that users the proper roles.
I got hand-written security, simple servlet-filter which redirect not-authorized user to their login pages. Login controller redirect them to the requested URL after successfull authentication or their main page. This approach work fine, the only disadvantage, that I have to pass User object which is stored in the HttpSession through stacktrace to EJB beans.
Now I rewrote some code and use Spring-security as http based authentication. It is integrated automatically with Glassfish JAAS.
I don't need to pass User through stacktrace anymore, invocation sessionContext.getCallerPrincipal() is enough. But the principal object return me only userName, not userId, so i have to perform addition select if i need userId for example.
1) Is there anyway to extend Principal object, so it can store more properties ?
2) Why i should use JAAS or Spring Security or another security framework, why not just hand writen servlet filter ?
2) Using a standard security mechanism like JAAS has many advantages:
You can easily change the way user authenticates solely by configuring your server - without need to change anything inside your code.
You can be sure your security is up-to-date, supporting strongest algorithms, storing Principal in a secure manner and so on. Again just by staying up-to-date with your server, framework etc. Having a hand-written security module is prone to errors and to be outdated soon.
You can leverage framework security - eg. web.xml security tags, EJB security annotations. Because JAAS is a standard way to authenticate, you can be sure adopting future technologies will be easier, because all serious technologies will support JAAS (Spring security etc.). If your software is planned to grow, you will definitely need a standard.
It will save you time and effort. JAAS provides both authentication and authorization, neatly packed and configurable within minutes.
I recommend futher reading on J2EE security or you can find more resources in OWASP guides.
1) I don't know if you can extend the class Principal. But note, in your LoginModule, before you finish the authentication calling the commit() (probably in your login() method), it is possible to add credentials in the Subject. For this, just add the object to one of the lists: Subject.getPrivateCredentials() or Subject.getPublicCredentials() (with no arguments). You can add many objects like your own class, a String, or whatever you want.
To retrieve the objects in your application, use the procedure detailed in my other answer.
import javax.security.jacc.PolicyContext;
Subject subject = (Subject) PolicyContext.getContext("javax.security.auth.Subject.container");
We're building a GWT+hibernate+spring web app that's deployed to tomcat and postgres. Looking at http://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecurityFAQ and http://www.owasp.org/index.php/Hashing_Java#Complete_Java_Sample, We have a User table and a Role table(4-5 roles, to start with).
Various layers of the app need access to the currently logged in user's info(like loginId, locale, etc), so I'm thinking of adding a AuthenticationFilter which will authenticate each Http request and create a ThreadLocal RequestContext which will hold various user attributes.
I'm also thinking of having a AuthCache which will store a ConcurrentHashMap of sessionIds and loginIds. AuthenticationFilter will use the AuthCache for Authentication.
I understand Spring security and Apache Shiro(http://incubator.apache.org/projects/shiro.html) are probably better ways but I have very little time to get this done so skipping for now.
Just wanted to know if there are better ways to do this ? Is there existing code which does this right so my implementation doesn't have many holes ?
Just wanted to know if there are better ways to do this ? Is there existing code which does this right so my implementation doesn't have many holes?
This is probably not the expected answer but, what about Spring Security? Spring Security requires some efforts but
it just works
it is widely used
it is very likely more secure than a custom development
And I'm not convinced that a custom development will take less time than integrating Spring Security.
Just in case you'd like to reconsider this option, here is little tutorial. Worth the read IMO.
Spring Security - Tutorial: Adding Security to Spring Petclinic