Same authentication in 3 different web applications, that have their own database - java

I have three REST web applications (Java) with their own database (MongoDB).
All the applications require authentication, so I created a collection called User in each database.
Now I want the same user to be able to log in to each application.
Shall I have a fourth shared database only for users?
Shall I have a sort of synchronization process of the collection User among the three databases?
What's the solution?

I think the solution is to develop some microservice (OAuth2 for example) to do the authentication and implement all login and permission check routines by its means.
If that's overkill for your task, it is better to make a separate DB for user accounts and synchronize application databases against it.

Related

How do I design a database for storing OAuth2 client details mapped to a given user using MySQL and Spring-OAuth2?

Background
I am trying to make a public facing API that is gated behind an OAuth2 workflow. I've found example database designs using JPA Repositories/Spring-OAuth2, which is the framework that I'm using. I basically have this application, which is currently using an InMemory authentication, which I'm trying to convert to pull the data from a database using JPA Repositories and a relational database design.
I did find this guy, but the problem is that it doesn't account for how the data is related to one another.
I.e., I was hoping that I could split the scopes into a separate table so it'd be as simple as adding additional scopes that are available for apps later on. I was also thinking of adding support for having types of OAuth clients, such as bots, website, desktop app, mobile app, etc.
I'm assuming there is some sort of a relationship between oauth_approvals, oauth_refresh_token, oauth_client_token and oauth_client_details. I want to also make sure that it's possible to map an oauth client to a user. Ultimately I'd like them to be able to have multiple clients.
For my current use case it's definitely overkill to have this flow, but I am using this application to learn about different technologies.
What I currently have
I'm sure this can be done better, if so how?
Questions
How do I properly make the relationship between the different components of an oauth client?
How can I make this so that I properly allow a user to have many clients?
How would I be able to dynamically get a client from the database, or is this handled through ClientDetailsServiceConfigurer.jdbc()?
How would I be able to add types of clients to the flow?
If you have additional questions let me know and I'll be more than happy to update my question.

Client-Server architecture: Login system with JAVA

I have an assignment to realize a client-server based shop whose checkout system acts like a cashier desk in a supermarket. The main programming language is Java.
Server: I need to deploy a database (SQL) locally using JDBC and phpMyAdmin (already done)
Client: There are two types of users: Cashier and Manager. The Cashier is able to access only the checkOut() function, where he makes queries to the database to do the checkout process for customers. The Manager is able to access getData() to retrieve a table of available data in the shop and addItem() to permit re-stocking for a particular product.
My question is: Since I need to create a login system on the client side in Java (also using a Java GUI) to handle the login process and grant access to the functions for different types of user, what kind of methods could I use to implement the login system? And do I also need to implement the system by running another server rather than the one that keeps the database?
Maybe you need to create a separate server to provide Identity and Access Management (IAM). You can take a look at spring-cloud-oauth2 and an API Gateway in front of it. For API Gateway spring-cloud-zuul is a better idea.
1) The problem of giving access can be solved in two ways. One is to use built-in frameworks like Spring Security or Apache Shiro. The other way is to verify the permissions and roles on your own by loading the union of permissions available in the roles assigned to the logged-in user and making a check on the methods which you want to be under authorized access. You can implement login using a token-based (OAuth 2.0) system.
2) The database should be deployed on a server system so that multiple application instances can access it.
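The "union of permissions" check from the answer above, sketched for the Cashier and Manager roles in the question. This is an added example, not code from the original posts; the class, enum and user names are hypothetical, and the operation bodies stand in for the real database calls.

```java
import java.util.EnumSet;
import java.util.Set;

public class ShopAccess {
    enum Permission { CHECK_OUT, GET_DATA, ADD_ITEM }

    // Role-to-permission mapping taken from the question's description.
    enum Role {
        CASHIER(EnumSet.of(Permission.CHECK_OUT)),
        MANAGER(EnumSet.of(Permission.GET_DATA, Permission.ADD_ITEM));

        final Set<Permission> permissions;
        Role(Set<Permission> permissions) { this.permissions = permissions; }
    }

    /** Logged-in user: effective permissions are the union over all assigned roles. */
    static final class Session {
        final String username;
        final Set<Permission> effective = EnumSet.noneOf(Permission.class);

        Session(String username, Set<Role> roles) {
            this.username = username;
            for (Role r : roles) effective.addAll(r.permissions);
        }

        void require(Permission p) {
            if (!effective.contains(p)) {
                throw new SecurityException(username + " lacks " + p);
            }
        }
    }

    // Server-side operations: each one checks the caller before touching the
    // database, so hiding a button in the GUI is never the only control.
    static String checkOut(Session s) { s.require(Permission.CHECK_OUT); return "checkout done"; }
    static String getData(Session s)  { s.require(Permission.GET_DATA);  return "inventory table"; }
    static String addItem(Session s)  { s.require(Permission.ADD_ITEM);  return "item restocked"; }

    public static void main(String[] args) {
        Session cashier = new Session("alice", EnumSet.of(Role.CASHIER));
        Session both = new Session("bob", EnumSet.of(Role.CASHIER, Role.MANAGER));
        System.out.println(checkOut(cashier));   // allowed
        System.out.println(addItem(both));       // allowed through the MANAGER role
        try {
            getData(cashier);                    // cashier has no GET_DATA permission
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```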

How can I securely access a web based MySQL database from an Android App

I have a SQL database on the internet which has information
I need my Android app to be able to access that information
The app needs to know the username and password of the database
How can it know?
If I code it in, anyone can get it
In general, databases should not be publicly accessible, nor should they be directly accessed by a user application, for several very good reasons:
There is generally no easy way to implement row-level access control. Views and triggers can only get you so far - in general application-level users do not map well to database users, since the latter usually have access to far more data than the former should have.
The DB clients are tied to the actual database schema. Having clients not under your control like, say, an Android application is a very good way to tie yourself up in ways that would disallow any and all future development.
Having a DB port open to the world is not considered by any means secure. Any potential security hole would give straight access to all of your data. The MySQL security guidelines explicitly warn against opening the DB port to the internet.
There is no way to protect the DB credentials or the data from a sufficiently determined and knowledgeable user. If your application can access something, so can they.
Database access protocols are mostly designed with local-area networks in mind, rather than the inherently unreliable nature of the Internet. Even encryption and security are often more of an afterthought...
The standard way to approach this issue is to create an intermediate web service with separate user accounts and a restricted set of operations on the data. The web service would let each user access only the data that relate to them, and even that indirectly. This approach separates the data from the user application layer, allows you the flexibility of storing and accessing your data however you wish and provides an additional layer of security for your DB.
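A minimal version of the intermediate web service described in the answer above, as an added example that is not part of the original answer. The endpoint, tokens and in-memory maps are constructed stand-ins for a real login flow and for the database, which would listen only on the server's private interface; TLS termination in front of the service is assumed.

```java
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.Map;

public class NotesService {
    // Constructed sample data. Tokens would be issued per user at login;
    // the app never sees the database host, port or credentials.
    static final Map<String, String> TOKEN_TO_USER = Map.of(
            "token-alice-constructed", "alice",
            "token-bob-constructed", "bob");
    static final Map<String, List<String>> NOTES_BY_USER = Map.of(
            "alice", List.of("alice note 1", "alice note 2"),
            "bob", List.of("bob note 1"));

    /** Resolves the caller from the Authorization header; null if not authenticated. */
    static String authenticate(String header) {
        if (header == null || !header.startsWith("Bearer ")) return null;
        return TOKEN_TO_USER.get(header.substring("Bearer ".length()));
    }

    /** The only read operation offered: the caller's own rows, nothing else. */
    static List<String> notesFor(String user) {
        return NOTES_BY_USER.getOrDefault(user, List.of());
    }

    static void handle(HttpExchange ex) throws IOException {
        String user = authenticate(ex.getRequestHeaders().getFirst("Authorization"));
        int status = (user == null) ? 401 : 200;
        String body = (user == null) ? "unauthorized" : String.join("\n", notesFor(user));
        byte[] out = body.getBytes(StandardCharsets.UTF_8);
        ex.sendResponseHeaders(status, out.length);
        ex.getResponseBody().write(out);
        ex.close();
    }

    public static void main(String[] args) throws IOException {
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 8080), 0);
        server.createContext("/notes", NotesService::handle);
        server.start();
    }
}
```

The user name is derived from the token on the server, never taken from a request parameter, so one user cannot ask for another user's rows.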

How to implement user access control mechanism in web application

I am developing a web application using Spring. To make my application scalable, I need a user management system. The application has different groups, and each group has different users. Every user has different roles.
Are any APIs available to implement an access control mechanism?
How do I assign a role to every user?
I think Spring Security domain-acls is a good choice for you. You can take a look at Contacts sample first to decide whether it is fit for you.

LDAP Best Practices

I'm interested in the best practices of using LDAP authentication in a Java-based web application. In my app I don't want to store username\password, only some ids. But I want to retrieve additional information (Name, Last name) if any exists in an LDAP catalog.
My team uses LDAP as a standard way of authentication. Basically, we treat LDAP as any other database.
To add a user to the application, you have to pick one from LDAP or create it in LDAP; when a user is deleted from the application, it stays in LDAP but has no access to the application.
You basically need to store only LDAP username locally. You can either read LDAP data (e-mail, department etc) from LDAP each time, or pull it in application in some way, though reading it from LDAP is probably simpler and smarter since LDAP data can change. Of course, if you need reporting or use LDAP data extensively, you might want to pull it from LDAP (manually or with batch task).
The nice thing is that once a user is disabled in LDAP, it's disabled in all applications at once; also, user has same credentials in all applications. In corporate environment, with a bunch of internal applications, this is a major plus. Don't use LDAP for users for only one application; no real benefits in that scenario.
For general best practices with LDAP, see "LDAP: Programming practices".
If you have more than one web based application and want to use LDAP authentication then a prepackaged single sign on solution might be better than creating your own LDAP authentication. CAS supports LDAP authentication and can pull back the data you need for your application.
At my college we actually have implemented CAS as a single sign on against our Active Directory server. We also utilize CAS to authenticate our J2EE applications and are working on using CAS to authenticate our PHP applications.
We use AD to hold the users for the domain. There are certain OUs based on the type of user. The users each have a unique ID which happens to be their student/employee ID, so applications can use that as a primary key in their databases. We have a database driven authorization method for our PHP applications. Authorization for the J2EE application comes from a value in LDAP.
Good luck with your application.
So, you want user to enter ID only, and then grab the rest of their info from LDAP? That's quite easy.
Create LdapInitial context and connect to LDAP
Do a search for the ID (it should be stored as some attribute value) -- e.g. (&(userid=john)(objectClass=user)) -- which means "userid=john AND objectClass=user"
SearchResult object would contain all Attributes (or the ones you asked)
Some LDAP implementations (notably MS Active Directory LDAP) do not let you connect with an anonymous user. For those you need to have a technical userid/password to connect.
As said above, LDAP normally makes sense when you have many applications.
P.S. To get a feel for what LDAP is, try Apache Directory Studio.
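The lookup steps from the answer above (create the context, search for the ID, read the attributes) written out with JNDI, as an added example that is not part of the original answer. The server URL, base DN and technical bind account are parameters the caller supplies, and `givenName` and `sn` are assumed to be the attributes that hold the first and last name. The ID is passed as a filter argument instead of being concatenated into the filter string.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class LdapUserLookup {
    /** Returns {givenName, sn} for the ID, or null if no entry matches. */
    static String[] lookup(String url, String baseDn, String bindDn,
                           String bindPassword, String userId) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);               // use ldaps:// so the bind is encrypted
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);      // technical account, read-only
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);

        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        controls.setReturningAttributes(new String[] {"givenName", "sn"});

        DirContext ctx = new InitialDirContext(env);
        try {
            // {0} is filled from the argument array, so characters such as * ( ) \
            // in userId are escaped by JNDI and cannot change the filter's structure.
            NamingEnumeration<SearchResult> results = ctx.search(
                    baseDn, "(&(userid={0})(objectClass=user))",
                    new Object[] {userId}, controls);
            if (!results.hasMore()) return null;
            Attributes attrs = results.next().getAttributes();
            return new String[] {value(attrs, "givenName"), value(attrs, "sn")};
        } finally {
            ctx.close();
        }
    }

    private static String value(Attributes attrs, String name) throws NamingException {
        Attribute a = attrs.get(name);
        return a == null ? null : String.valueOf(a.get());
    }
}
```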
