We have a custom REST web app (Java based) that uses username/password to login. Call this application 'Admin'. The users of Admin also use a couple of commercial cloud based applications, call these App1 and App2.
What I've been asked to do is investigate how we can use single sign on between Admin, App1 and App2. App1 and App2 can be configured to use SAML and I have full access to the code of the Admin application. I've done some preliminary reading and understand the principles involved.
I want to prototype some code but I'm not sure where to start! For example how should I proceed with the identity provider? What interface should it implement, is there an abstract class that should be extended? Similarly for the service provider. Given that App1 and App2 can be configured to use SAML what changes/extensions are needed on the Admin app?
Many Thanks
M
Disclaimer: I'm the creator of pac4j.
If you have Java apps and want to secure them using SAML, you should definitely take a look at pac4j which is a security engine available for many Java frameworks: J2E, Spring MVC / Boot, Play and so many more.
For SAML support: http://www.pac4j.org/1.9.x/docs/clients/saml.html
Shibboleth provides both IdP and SP (implemented with OpenSAML v3) for you to test with:
https://wiki.shibboleth.net/confluence/display/IDP30/Installation
https://wiki.shibboleth.net/confluence/display/SHIB2/Installation
If you want to integrate SAML into your own application in Java, there are:
OpenSAML v3: https://wiki.shibboleth.net/confluence/display/OS30/Home
Spring Security SAML: http://projects.spring.io/spring-security-saml/
Spring boot Security SAML: https://github.com/vdenotaris/spring-boot-security-saml-sample
Related
How is SSO with SAML 2.0 typically implemented for a Spring MVC application?
My application is required to implement SSO so the users can log in without creating a new account with my application.
My understanding is that, and correct me if I'm wrong, I need a Service Provider to communicate with the Identity Provider the third party uses in order to exchange the metadata. But how do I go about to achieve this process?
Also, what is required on the Spring MVC application side?
Thanks in advance :D
https://github.com/spring-projects/spring-security-saml implements the SAML SP and integrates into the web app via servlet filters. For SAMLv2 SSO overview look at http://www.oasis-open.org/committees/download.php/27819/sstc-saml-tech-overview-2.0-cd-02.pdf
I am developing a application which uses Spring Rest services. I am using basic auth for authentication. I know that it is unsecure. My end client are capable of handling OAuth. I want to use OAuth, can any one point me to how to do OAuth in Java. I saw some examples they mention about Twitter , Google and Facebook.But I don't want to use social networking sites.
OAuth is a concept, and not any library which you can inject, (of course libraries exists to implement that)
So if you want to have OAuth in your application (i.e your application has its own OAuth), you have to setup following things
Authentication Server
Provide Provision to Manage OAuth Clients
Manage AccessTokens
Check out the OAuth 2.0 Specification to get clear understanding of how it works and how to build your own.
https://www.rfc-editor.org/rfc/rfc6749
I want to implement role based authorization and identity in my web services. i it's the first time i try to do this with j2ee. i am running jboss 6.4 nad j2ee 7.
what i a, trying to understand :
1- how to implement role based security. My web services will expose methods with certain security levels that are to be available to certain roles.
2- how to authenticate users of my web services given that the front end is HTML5 JS (mostly react and some pure JS)
3- how to throw encryption of soap envelopes and https in the mix
4- if i have a users DB, what type of security mechanisms or frameworks can i use in j2ee to enable role based security.
I appreciate if someone could give an example or point me to somewhere where i can read preferably sample code
JBoss runs good with Picketlink. This framework can give you all security features you're looking for.
I have requirement for our application where we need to implement Spring SAML within our app to enable federated SSO for one customer. However we need to maintain existing login flow using spring-security for other customer.
So my question is can we have two security mechanism for an web application so that it will be treated as multi-tenancy.
Can i implement OAuth and SAML in same application.
thanks in advance..
Yes, you can combine your existing password authentication with SAML. See the sample application of Spring SAML for details - it contains both of the methods combined. It is also possible to include OAuth use-cases, but I'm not aware of any guide for it.
I have a spring-mvc and spring-security + spring-security-social webapplication which I would like to provide restful login to allow a rest client to interact via this application. Let me explain a little bit more:
For the web application, everything is working fine. Login, roles, Facebook login, without any xml using Spring-Core version 4 and Spring-Security version 3.
Requirement
Provide a restful service in which will allow the user to sign in on the application and provide its user all the access like the web login.
I've been searching over the web, but I can only find old examples using older spring versions and with xml code.
REST is stateless. With that in mind, are you looking to still have authentication/authorization for the services in a RESTful fashion? To do this, you will have to authenticate the user on EVERY call. You can use Basic authentication to stick to strict REST principles or you can violate REST slightly by using OAuth yourself.
RESTful services are typically developed for other developers to incorporate in their code. They're not meant to be exposed directly to a user of a service.
If you need to provide client like functionality (login, allow user to access features/services, etc), then there is no need to develop a RESTful service. You can use Spring MVC in combination with Spring Security for that.