I am working on a java web project where a manager logs into a system and then completes activities on behalf his subordinates. Depending on what AD security group the subordinate belongs to an email may be sent for notification purposes. I am looking for a java 'hasRole' function that will allow me to pass a network id and security group name as parameters and return a boolean to indicate the membership in the group. The app is currently using UserPrincipal to authenticate and check for group membership but this requires user credentials. I would need to connect to AD via a service account then check for membership at that point. Has anyone seen anything like this before? All I have found online are ones simliar to my current setup that only check for the user with the active session.
You can inspect the source code of my Tomcat ActiveDirectoryRealm. I does exactly what you are looking for.
Related
I am writing a Spring Boot application where I want to authenticate users against a LDAP server. I have seen solutions and API documentation where an Admin Users credentials are hardcoded in the code.
My question is: Why can't I simply use the credentials for the user that I am trying to authenticate in the first place? If the binding succeeds, I can confirm authentication and get the list of groups they belong to. Is there some good reason why I shouldn't do that?
The reason LDAP examples often include admin users is because LDAP isn't always used for authentication (i.e., to determine if a particular username/password is valid), but sometimes for authorization only (i.e., to retrieve user's assigned groups, to determine if they should have access to the protected resource), when authentication part is done elsewhere (e.g., via Kerberos SSO). If your only use case is bind, then yes, you shouldn't need the admin user.
EDIT: one caveat, though - the LDAP server might have a restriction on binds (see this question, for example), in which case you'll need to have an admin user regardless.
Typically you want to have a service account, specific to the application:
Perform the bind
Lookup user
Return user's group membership
Application authorizes user based on the results
This helps with managing access controls on the authoritative backend because you only have to create ACIs for the service accounts rather than each individual user. It's also more secure because you are granting permissions to a single account, and thus reducing the likelihood of mis-configuring a single user's permissions.
I am using vim25 library to established connection with vCenter and I am able to login with following code,
vimport.login(serviceContent.getSessionManager(), username, password, null);
Now, I want to check whether this user has admin privileges or not, How can we achieve in Java with the help of vSphere client SDK?
vSphere Client SDK is used to build UI plugins so I assume you want to filter out a plugin extension based on the user privilege.
This is done via the <privilege> metadata tag used on the extension definition in the plugin.xml manifest.
SDK documentation with explanation and example: Filtering Extensions, "Filtering Based on User Privilege Level" section.
There are two aspects to the vSphere permission model:
vCenter privileges, which are combined into roles which are then assigned to users or groups as permissions on particular pieces of the vCenter inventory. Normally each vCenter operation is validate against the actual permissions for the operation that the user has on an object. So what you want in principle is to check whether has a specific permission instead of whether he's an administrator. The second is more of a secondary concept coming from the built-in Administrator role that has full set of privileges, but which may not be granted at all to the user on certain parts of the inventory. What I'd suggest is to figure out what is the actual permission you care about and what parts of the inventory you need to check. There are certain APIs (the ones on global singleton Managed Objects such as TaskManager) that simply check what is granted at the rootFolder level.
SSO Groups - some of the services check whether the SSO token contains claims about specific group membership. This is usually done by services related to authentication that cannot piggy-back on vCenter permissions. Given your example I assume you're not getting an SSO token and don't care about this model.
I am trying to use java code mention on link: http://www.nexttutorial.com/faq/azureAD/1/Azure-active-directory-graph-api-user-authentication-in-java - but I get below error:
java.util.concurrent.ExecutionException: com.microsoft.aad.adal4j.AuthenticationException: {"error_description":"AADSTS50055: Force Change Password.\r\nTrace ID: 7596cf92-f3d6-4baf-a0c9-d166a92d1500\r\nCorrelation ID: 8cccb074-4ae4-4c9b-932b-1f4ddcb514cb\r\nTimestamp: 2017-05-05 08:20:28Z","error":"user_password_expired"}
I haven't used the Java APIs, but I can tell you two things that are the core of the problem:
The user's password has expired
You are using Resource Owner Password Grant flow
You need to change the application to instead show a browser window so the user can reset their password. If you just want to test the code as is, you can open a new Incognito/private/InPrivate window and sign in to e.g. portal.azure.com with the user. That will allow you to make sure they have a working password.
But I would advise against using that sign in flow because of potential problems like this one.
The reason you get the error is that the user needs to set a new password, but the flow you are using cannot support that scenario. It also cannot support the scenario where the user account has MFA enabled/is a Microsoft account etc.
And by the way, if this app is intended not to be used by a user, but just run as is, I would suggest making it a daemon with application permissions on the necessary APIs and then use client credentials flow for authentication. No user account needed then, since the app has the needed rights.
I am working on an application that is authenticated by Google for the login part. The application is on AngularJS and is managed by Java RESTful services. The domain that we are using is managed by Google. The requirement is that I need a service from back end to check with Google if the email is still active or not. Let us say that the Admin disabled or suspended a user while the user was logged in. I need a way to check with Google if this email is still active or not. The only way that I found so far is by having the user name and password.
I wanted to know if it is possible if Google can call my service for me to disable the user from my end and if it was not possible how can I check the user status without the need of using the password.
Thanks in Advance
i am working on a java/j2ee based web application where i have one module called leave management in which when the employee request for the leave the manager approves or reject leave by log in to the application,Here log in into the application creates an extra overhead for the user , so i am trying to implement a feature where the manager can approve or reject the from his/her mail itself as mail is sent to the manager every time the employee request for leave based on the parameters in the url in the link like this
without log in to the application
https://my.xyz.com//LEAVE#LeaveReq#123#1545#State
So my question is
Is it possible to achieve this without log in to the application and saving values to the database and without breaching the security.
2.If yes, how can i implement this?
Yes you could. Just pass in some other parameters like say we call it token which would contain a "random" string which is currently in your database.
Each request that doesn't require authentication should also pass in this token. You check the token in your database if it is there then do the request, if not, you know what to do. If a token is consumed, you could either delete it from your DB (meaning each token is one-time use only).
EDIT: Regarding whether the correct manager approves/reject, well that's difficult without something like authentication to identity the manager.
We just rely on the fact that that URL can only be used once, and that it can only be seen on the email of the appropriate person.
is it possible? Certainly.
Is it desirable? Maybe not. What prevents someone else from sending that confirmation email? You need to find a way to secure it all.
How to do it? A REST webservice comes to mind, with the manager just clicking a link in that automatically generated email which launches a webservice request.
Or you set up a system where the server can receive emails, and the manager can then just forward the leave request to either of 2 email addresses.
There should be at least single authentication like a pin code or password before manager approve or disapprove the leave. Don't think about overhead, for such circumstances security is equally important.
Is it possible to achieve this without log in to the application and
saving values to the database and without breaching the security.
When the manager gets an email & he clicks on the approve. Ideally a request is fired from manager's system carrying an authentication token or something like a remember me token. In this case the application won't prompt the manager to login. It will tally the request token with token stored in the db & would let manager in.
Check how remember me works in web applications. You can create a remember me token for manager for an indefinite amount of time. This way the app will never prompt the manager for a login. But there is a caveat, this approach is a little vulnerable for attack. If there is a man in middle attack the hacker will get hold of the manager's client side cookies & would always login with ease. The auth token should be changed periodically. You can always implement remember me, it just depends on what level of security you require.
Bottom line: Yes it is possible, generate a remember me token which will always be included in the manager's email request for approving employee's leave request. Just follow the best practices to implement a remember me token.
Another way is
If your application is implementing security using filters. You can bypass the request for leave approval. Just put a secure none attribute for that particular request in ant style say "yourapp/approval" resource. Now the server side code would let all the requests in this pattern pass without security check. But this approach is a strict No No. If this happens a hacker which intercepts the leave request from the employee's browser can approve his leave by himself. No need of manager's authentication.
If yes, how can i implement this?
Implementing remember-me for a website
You can also integrate Spring Security with your code. It's hell of a framework, one stop solution for all the security related features which your app would require. You don't have to write the login for implementing auth token & stuff from scratch.
Is it possible? Certainly.
Is it desirable? Yes
Use a one time hash(sha1 hash may be) in the link to approve and after approving the email, send an email to the person who approved the email saying that "He/She has approved a leave for this particular person"
So the manager/authorizer is aware about it.
How password rest with an email link works could be a good analogy.
I think login is not critical for this scenario assuming that cancelling a approved leave is not that critical.(It happens usually in many companies)