I came across a difficult scenario with my Spring MVC web application.
My application is using LDAP authentication. When I hosted this application in an outside cloud environment, the authentication failed as there is no public LDAP URL for my organization. They don't have a public LDAP URL due to security reasons.
Is it possible that I create an authentication service inside my organization network and my application hits that service every time a user tries to authenticate?
How can I separate authentication from my application?
For this you have to deploy two applications. The first one is a service application in your organization network. This service will be called from your outside application for authentication purposes.
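As an added example (not code from the question or the answer above), this is how the outside-hosted Spring application could delegate each login to the internal service the answer describes: a custom Spring Security AuthenticationProvider that posts the credentials to an assumed internal HTTPS endpoint and fails closed when that service is unreachable. The endpoint URL, the X-Client-Key header and the JSON reply shape are assumptions; it targets Spring Security 5 and Java 11 or newer.

```java
import java.util.List;
import java.util.Map;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.web.client.RestClientException;
import org.springframework.web.client.RestTemplate;

// Outside-hosted side: every login is checked by a service inside the organisation network, so this deployment needs no LDAP URL.
public class RemoteAuthenticationProvider implements AuthenticationProvider {

    // Assumed JSON reply of the internal service: {"authenticated": true, "roles": ["ROLE_USER"]}; bad credentials come back as authenticated:false
    public static class AuthResponse {
        public boolean authenticated;
        public List<String> roles = List.of();
    }
    private final String authServiceUrl; // assumed, e.g. https://auth.internal.example/api/authenticate (HTTPS only)
    private final String clientKey;      // assumed per-application secret so the service serves only known callers
    private final RestTemplate rest = new RestTemplate();

    public RemoteAuthenticationProvider(String authServiceUrl, String clientKey) {
        this.authServiceUrl = authServiceUrl;
        this.clientKey = clientKey;
    }

    @Override
    public Authentication authenticate(Authentication auth) throws AuthenticationException {
        HttpHeaders headers = new HttpHeaders();
        headers.set("X-Client-Key", clientKey); // assumed header; the service must reject calls without it
        Map<String, String> body = Map.of("username", auth.getName(), "password", String.valueOf(auth.getCredentials()));
        AuthResponse reply;
        try {
            reply = rest.postForObject(authServiceUrl, new HttpEntity<>(body, headers), AuthResponse.class);
        } catch (RestClientException e) { // timeout, TLS failure, 4xx/5xx: fail closed, never fall back to a local check
            throw new AuthenticationServiceException("Authentication service unavailable", e);
        }
        if (reply == null || !reply.authenticated) throw new BadCredentialsException("Bad credentials");
        // Credentials are set to null so the password is not retained in the SecurityContext or the HTTP session
        return new UsernamePasswordAuthenticationToken(auth.getName(), null,
                AuthorityUtils.createAuthorityList(reply.roles.toArray(new String[0])));
    }
    @Override
    public boolean supports(Class<?> type) { return UsernamePasswordAuthenticationToken.class.isAssignableFrom(type); }
}
```

Register it with the AuthenticationManagerBuilder in your web security configuration; the internal service itself is the only component that binds to LDAP.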
We have a requirement of implementing SSO for a customer (Okta is their IdP) and we also have other clients asking for SSO (ADFS and OneLogin).
All other clients' authentication will be database authentication.
So based on each client the authentication mechanism should change. Is this possible?
My application is a multi-tenant SaaS. It is deployed on AWS, and a load balancer switches servers randomly.
We use Angular 5 and Spring boot 2.1 for Services.
How can I achieve this? Please guide.
Using Angular JS for my front-end and Spring MVC for web services. Based on SOA architecture, front end and back end are loosely coupled.
I want to use Windows Authentication to login in the web application without asking any username and password in the login page.
I am getting stuck in Spring Security Kerberos and want to authenticate from the LDAP and then use Spring JWT OAuth to continue further.
Can someone help with where I am missing something, or what would be the robust way for this architecture?
P.S. : Spring MVC + Angular JS
High level: If you're doing the authentication via the Internet, i.e. where you don't have access to get Kerberos tickets via Spring Security, you need to consider using SAML or OAuth. Otherwise, if you have local access and can talk directly to the authentication servers from the server hosting your code, you can use Kerberos.
SAML and OAuth are very different to LDAP and Kerberos. Kerberos and LDAP can generally only be used if you have direct access to the authentication servers, i.e. when you are in the same Windows domain.
For further help please post code samples and an outline of what you're trying to achieve.
I'm creating an Authentication Server which some of my existing applications can use to authenticate. I'm using OAuth2 with Spring Boot by following this sample project and tutorial: https://github.com/dynamind/spring-boot-security-oauth2-minimal.
But in my case my existing applications are built using Spring MVC and Angular. So there is no separate Resource Server. Resources are also located in the same application (resources are my secured request mappings in the same application). I just want to separate the authentication process from my client applications and use a common Authorization Server. (Currently they use Google Authentication + Spring Security to secure the application.)
So I tried to use @EnableResourceServer and @EnableOAuth2Client in the same application, but I could not get the expected results.
What is the best way to achieve this task? Is there any other method that I can follow to authenticate my applications from the OAuth2 Server?
You need to configure your web security for form-based login and Resource Server security for REST endpoints.
See my answer to the similar question here
I am building an Android application which communicates with the web server on Apache Tomcat. The web server is built in Java EE. Currently for authentication and authorization I am using username and password, and for managing the session I am using tokens. So when the user logs in I will check the MySQL database and authenticate the user. When the user tries to do some action, based on the token sent, I will identify the user and authorize them to do that action based on the privileges given to that user. It looks a bit cumbersome. I was wondering if there is any standard framework which makes this task easy.
Is there any Tomcat container-level authentication and authorization possible, so the request won't reach the web application if it's not authorized to do the action?
Or else, is there any framework which provides standard authentication and authorization in a web application?
Apache Shiro is what you are looking for:
Apache Shiro is a powerful and easy-to-use Java security framework
that performs authentication, authorization, cryptography, and session
management. With Shiro’s easy-to-understand API, you can quickly and
easily secure any application – from the smallest mobile applications
to the largest web and enterprise applications.
I used Spring Security (version 3) in a couple of projects; the shortcoming was the size of the jars you need to deploy (it is Spring!), it was cumbersome.
Also I have integrated Apache Shiro with magnolia-cms; as far as I can say, Apache Shiro has the strength of Spring Security with the ease of use.
Spring Security, JOSSO, CAS, etc., care about authentication and authorization.
In most cases admin applications are very similar.
There are schemas for JDBC data sources, but there aren't front-ends.
For example:
http://www.josso.org/confluence/display/JOSSO1/Database+Setup or http://static.springsource.org/spring-security/site/docs/3.0.x/reference/springsecurity-single.html#appendix-schema
Does anybody know a beautiful and tested third-party web admin app to CRUD users and roles on Single Sign-On?
Would the Central Authentication Service project (CAS) fit the bill? It is a Java server that enables single server authentication in large multi-server application environments. It has a documented protocol that allows multiple servers to share the same authentication environment.
It includes a number of integration points. Servers in the authentication environment can use the Spring Security integration to obtain the current authentication credentials from a CAS server. The CAS server itself can provide a login service. The CAS server can also integrate with common user databases such as LDAP/Active Directory.