wildfly (9) + kerberos + ldap (Active Directory) - java

I'm trying to get to the point where WildFly 9 would be able to authenticate users with Kerberos and authorize them with LDAP.
I have a rich EJB client using JAAS (with com.sun.security.auth.module.Krb5LoginModule).
I'd need some sample including the step-by-step configuration.
What I've found is:
wildfly with LDAP (https://developer.jboss.org/wiki/LDAPSecurityRealmExamples)
wildfly with SPNEGO (https://github.com/kwart/spnego-demo)
wildfly with kerberos for server management (http://darranl.blogspot.co.uk/2014/10/wildfly-9-kerberos-authentication-for.html,
http://darranl.blogspot.co.uk/2014/11/wildfly-9-kerberos-authentication-with.html)
However, I have not a web but a rich application, and I'm not using LDAP for authentication but Kerberos. And I need not only management operations to be authenticated using Kerberos.
Any complete sample/references out there?

I managed to make it work with this library:
https://github.com/dstraub/spnego-wildfly
You incorporate the jar in your application (not available in the Maven repository), then you have to specify the authentication mechanism "SPNEGO", for example in web.xml, configure your Active Directory, create your keytab, configure your standalone.xml or domain.xml, and it is OK. You can also use an Apache in front and a load balancer; there is an example with the sample-app.
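As an added example (not the spnego-wildfly library's own configuration, and not code from the original answer), here is how those steps map onto the JBoss Negotiation login modules that ship with WildFly 9's security subsystem: a host domain that authenticates the server itself from its keytab, and an application domain where SPNEGO authenticates the user and AdvancedLdap then pulls roles from Active Directory. Hostnames, the realm, the keytab path and the DNs are placeholders for your environment.

```xml
<!-- standalone.xml: <subsystem xmlns="urn:jboss:domain:security:1.2"> -->
<security-domains>
  <!-- Server identity: WildFly logs in to the KDC with the HTTP service keytab.
       Principal, realm and keytab path are placeholders; keep the keytab readable
       only by the WildFly service user. -->
  <security-domain name="host" cache-type="default">
    <authentication>
      <login-module code="Kerberos" flag="required">
        <module-option name="storeKey" value="true"/>
        <module-option name="useKeyTab" value="true"/>
        <module-option name="principal" value="HTTP/wildfly.example.com@EXAMPLE.COM"/>
        <module-option name="keyTab" value="/etc/krb5/wildfly-http.keytab"/>
        <module-option name="doNotPrompt" value="true"/>
      </login-module>
    </authentication>
  </security-domain>
  <!-- Application domain: SPNEGO validates the client's ticket, then AdvancedLdap
       resolves roles from AD. {0} is the full Kerberos principal (user@REALM), so it
       is matched against userPrincipalName; the LDAP bind reuses the host identity
       via GSSAPI, so no bind password is stored here. -->
  <security-domain name="SPNEGO" cache-type="default">
    <authentication>
      <login-module code="SPNEGO" flag="requisite">
        <module-option name="password-stacking" value="useFirstPass"/>
        <module-option name="serverSecurityDomain" value="host"/>
      </login-module>
      <login-module code="AdvancedLdap" flag="required">
        <module-option name="password-stacking" value="useFirstPass"/>
        <module-option name="bindAuthentication" value="GSSAPI"/>
        <module-option name="jaasSecurityDomain" value="host"/>
        <module-option name="java.naming.provider.url" value="ldap://dc1.example.com:389"/>
        <module-option name="baseCtxDN" value="CN=Users,DC=example,DC=com"/>
        <module-option name="baseFilter" value="(userPrincipalName={0})"/>
        <module-option name="rolesCtxDN" value="CN=Users,DC=example,DC=com"/>
        <module-option name="roleFilter" value="(member={1})"/>
        <module-option name="roleAttributeID" value="cn"/>
        <module-option name="recurseRoles" value="true"/>
      </login-module>
    </authentication>
  </security-domain>
</security-domains>

<!-- WEB-INF/web.xml: select the SPNEGO mechanism for the deployment -->
<login-config>
  <auth-method>SPNEGO</auth-method>
  <realm-name>SPNEGO</realm-name>
</login-config>

<!-- WEB-INF/jboss-web.xml: bind the deployment to the SPNEGO security domain -->
<jboss-web><security-domain>SPNEGO</security-domain></jboss-web>
```

The roles handed to the application are the cn values of the AD groups the user belongs to, so a security-constraint in web.xml should reference those group names.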

Related

IBM WebSphere AS LDAP login module?

I would like to authenticate users by LDAP credentials in WebSphere AS inside my app. I see that com.ibm.ws.security.server.lm.ltpaLoginModule is available for authenticating the entire user repository, including LDAP. So I think that it would be it. But I don't know how to use this login module in code. I don't see any documentation about which options I need to provide in jaas.conf and how to actually use this in Java code. I know how to use some custom login modules, but I don't know what exact things I need to do in code for that specific module (any special arguments? callback handlers? etc.). The WebSphere AS version is 8.5.5.
How to authenticate users in Java code using some LDAP login module in WebSphere AS?
For authentication with LDAP you don't need to use any login modules; WebSphere supports LDAP out of the box. Just configure application security via the web administrative console and configure your LDAP as a repository in the federated registry or as a standalone LDAP.
See also:
Selecting a registry or repository
Configuring a single built-in, file-based repository and one or more Lightweight Directory Access Protocol repositories in a federated repository configuration

JAX-WS Kerberos authentication from WebSphere

I'm trying to write a small servlet which is a plugin in a WebSphere application on Linux. The servlet will make web services calls to a service hosted on a Windows server that's part of an AD domain & uses Integrated authentication.
I'll be using JAX-WS and would like to use WS-Security with Kerberos Token authentication. The Kerberos authentication is being mandated by the Windows service because it relies on Windows Auth - something I can't change.
The authentication will be for a single service account in the AD domain - an account dedicated to the servlet which is permissioned within the AD domain.
Does anyone have some pointers on this? I've read sg247771 (Implementing Kerberos on WAS), but can't locate a scenario which matches the above; the same goes for the WAS docs online. I suspect I'm just missing something obvious. Alternatively, any other docs that would explain the configuration I'm after would be great. It's entirely possible that my googling skills have failed and I'm using completely the wrong keywords!

Authentication and Authorization on web server ?

I am building an Android application which communicates with a web server on Apache Tomcat. The web server is built in Java EE. Currently for authentication and authorization I am using username and password, and for managing the session I am using tokens. So when the user logs in I check the MySQL database and authenticate the user. When the user tries to do some action, based on the token sent I identify the user and authorize them to do that action based on the privileges given to that user. It looks a bit cumbersome. I was wondering whether there is any standard framework that makes this task easy.
Is any Tomcat container-level authentication and authorization possible, so the request won't reach the web application if it's not authorized to do the action?
Or else, is there any framework which provides standard authentication and authorization in a web application?
Apache Shiro is what you are looking for:
Apache Shiro is a powerful and easy-to-use Java security framework
that performs authentication, authorization, cryptography, and session
management. With Shiro’s easy-to-understand API, you can quickly and
easily secure any application – from the smallest mobile applications
to the largest web and enterprise applications.
I used Spring Security (version 3) in a couple of projects; the shortcoming was the size of the jars you need to deploy (it is Spring!), it was cumbersome.
Also I have integrated Apache Shiro with magnolia-cms; as far as I can say, Apache Shiro has the strength of Spring Security with the ease of use.

How to implement Spring LDAP authentication when application deployed in JBoss on unix environment?

I am trying to implement LDAP authentication using Spring Security and a JBoss server.
Below is my environment setup:
Active Directory running on a company Windows server
application to be deployed on a JBoss server running on RHEL 6.4
Java version to be used: 1.6
JBoss version: jboss-eap6, jboss-as-7.1.1 Final
What I am trying to achieve is:
When the user opens the application URL from a Windows machine in the company network, he should get authenticated against the company LDAP server and be able to go to the dashboard without being asked for a password.
When the same URL is opened from any machine outside the company network, the login page should be displayed, and on providing credentials authentication should be done against the company LDAP, and then the user-specific dashboard page should be displayed.
I have already gone through the WAFFLE and SPNEGO documentation/tutorials available over the internet, but WAFFLE doesn't work on OSes other than Windows as it uses some Win32 APIs. Also, what SPNEGO (PRE-AUTH) does is not exactly what I want to achieve.
In short, I want to implement what WAFFLE does, but the problem is that my application would be deployed on a Unix machine.
Please help me.
What you can do is start out by configuring your application using an in-memory authentication provider.
Internalisation using Spring Security In-Memory Authentication
The only thing you then have to do is swap out the in-memory authentication provider for an LDAP authentication provider.
The best information I found so far is in the Spring reference itself.
http://docs.spring.io/spring-security/site/docs/3.0.x/reference/ldap.html
Add the LDAP Active Directory address:
<ldap-server url="ldap://springframework.org:389/dc=springframework,dc=org" />
Hook up the LDAP bind authentication provider:
<ldap-authentication-provider user-search-filter="(uid={0})"
user-search-base="ou=people"/>

Windows Integrated Security with Tomcat

I have the following scenario in my environment:
Tomcat running as a service on a Windows server.
The service is configured with a domain account; it is an Active Directory account.
Now in a Spring controller I need to access a site, and this site is configured with Integrated Security.
So what I want is to access this site using the same credentials as the account Tomcat is running under. So I believe that I need to access these credentials and pass them to an HTTP client.
Thanks.
There's a number of ways you can integrate a Java application into an Active Directory / Windows Authentication system:
I would start by understanding the Kerberos and NTLM authentication systems (and which apply to your environment) and reading up on the documentation: http://docs.oracle.com/javase/6/docs/technotes/guides/net/http-auth.html
Given you are using Spring already, I would strongly consider using Spring Security, which has NTLM support: http://blog.mediasoft.be/ntlm-with-spring-security-20/