I'm trying to write a small servlet which is a plugin in a WebSphere application on Linux. The servlet will make web services calls to a service hosted on a Windows server that's part of an AD domain & uses Integrated authentication.
I'll be using JAX-WS and would like to use WS-Security with Kerberos Token authentication. The Kerberos authentication is being mandated by the Windows service because it relies on Windows Auth - something I can't change.
The authentication will be for a single service account in the AD domain - an account dedicated to the servlet which is permissioned within the AD domain.
Does anyone have some pointers on this? I've read the sg247771 (Implementing Kerberos on WAS), but can't locate a scenario which matches the above - same for the WAS docs online. I suspect I'm just missing something obvious. Alternatively any other docs that would explain the configuration I'm after would be great. It's entirely possible that my googling skills have failed and I'm using completely the wrong keywords.....!
Related
I'm working on a pure Java web application that uses an embedded Jetty and I want to integrate a Shibboleth login. To do this, I'm following switch.ch's guide for Shibboleth Service Provider Deployment, which states:
The Shibboleth Service Provider consists of a daemon shibd running on
all major operating systems and a web server module mod_shib which is
natively supported by:
Apache web servers (versions 1.3.x, 2.x)
IIS (versions 6, 7 and 8)
My question is, is there a way to integrate Shibboleth SSO in my Java web application without using an Apache web server or IIS running shibd? Maybe somebody has done this before and could provide example Servlets/Filters or the like?
I don't want a web server in front of the application just for Shibboleth, because it would complicate the installation. Currently, the installation is just two steps: extract the artefact and run the start script, and I would appreciate it if I could keep it like this.
The Shibboleth Service Provider takes care of a lot of complex use cases like key rotation, metadata refreshing, and attribute re-mapping. If you have an incredibly simple use case, where you need to authenticate users from one Shibboleth Identity Provider that rarely changes, you can consider validating the SAML 2.0 assertion in your Java code directly.
If you use spring-security already, you should probably start by looking at the spring-security-saml project:
http://projects.spring.io/spring-security-saml/
Alternatively, you can start with a low-level library like OpenSAML (https://wiki.shibboleth.net/confluence/display/OpenSAML/Home) or you can start with a higher level library like the LastPass Java SAML SDK (https://github.com/lastpass/saml-sdk-java).
Putting the Shibboleth SP with a web server in front is the easiest way out. Additionally, you can add a servlet filter and check the headers; if you find all attributes released by the IdP, validate them against your identity store just for assertion.
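The header check suggested in the answer above, written out as an added example (not code from the original answers or from the Shibboleth project). It assumes the `javax.servlet` API, an SP front end on the same host (`127.0.0.1`), and the header names `eppn` and `affiliation`; the identity-store lookup is left as a hypothetical hook.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ShibAttributeFilter implements Filter {
    // Assumptions: the SP front end runs on the same host, and these are the
    // header names it is configured to export.
    private static final String TRUSTED_FRONT_END = "127.0.0.1";
    private static final List<String> REQUIRED = Arrays.asList("eppn", "affiliation");

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse out = (HttpServletResponse) res;
        // Headers are only meaningful if nothing but the SP front end can reach us.
        if (!TRUSTED_FRONT_END.equals(http.getRemoteAddr())) {
            out.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        for (String name : REQUIRED) {
            List<String> values = Collections.list(http.getHeaders(name));
            // Exactly one non-empty value; a repeated header is rejected as ambiguous.
            if (values.size() != 1 || values.get(0).trim().isEmpty()) {
                out.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
        }
        // Hypothetical hook: look the user up in your identity store here.
        http.setAttribute("authenticatedUser", http.getHeader("eppn"));
        chain.doFilter(req, res);
    }
}
```

The source-address check matters because request headers carry no proof of origin: if the application port is reachable by anything other than the SP front end, the attribute headers can be supplied by the client.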
I am building an Android application which communicates with a web server on Apache Tomcat. The web server is built in Java EE. Currently, for authentication and authorization I am using a username and password, and for managing the session I am using tokens. So when the user logs in, I will check the MySQL database and authenticate the user. When the user tries to do some action, based on the token sent, I will identify the user and authorize that action based on the privileges given to that user. It looks a bit cumbersome. I was wondering whether there is any standard framework which makes this task easy.
Is there any Tomcat container-level authentication and authorization possible, so the request won't reach the web application if it's not authorized to do the action?
Or else, is there any framework which provides standard authentication and authorization in a web application?
Apache Shiro is what you are looking for:
Apache Shiro is a powerful and easy-to-use Java security framework
that performs authentication, authorization, cryptography, and session
management. With Shiro’s easy-to-understand API, you can quickly and
easily secure any application – from the smallest mobile applications
to the largest web and enterprise applications.
I used Spring Security (version 3) in a couple of projects; the shortcoming was the size of the jars you need to deploy (it is Spring!), and it was cumbersome.
Also I have integrated Apache Shiro with magnolia-cms, as far as I can say Apache Shiro has the strength of Spring Security with the ease of use.
We would like to implement the following logon mechanism to authenticate users against AD between Java and .NET applications hosted in different application containers.
Our server setup is:
One Linux web server with Tomcat on it - this is where our Java apps reside
One Windows web server with IIS on it - this is where the legacy .NET apps reside. [authentication can be done via Windows integrated authentication - we don't want to change this - unless there is no other way]
One domain controller - Win 2008
Our aim is to implement an authentication mechanism where any user can log in through a form via AD [Active Directory] credentials to our login page, which is hosted either on .NET or Java. After authentication is completed successfully, the user should browse pages without his/her credentials being asked again.
The reason we need it is that we have a couple of .NET apps which are designed to use integrated authentication with IIS, and we are designing new Java interfaces where we would like to centralize authentication with a login form where the user can log in against AD and switch between .NET and Java apps where the authentication is still valid until it expires, etc.
I heard about the SPNEGO project but am not sure what kind of setup we need to implement the above scenario.
It would be nice if we needed no modification to the .NET site setup, since we don't want to maintain those apps anymore. All help is welcome and greatly appreciated.
Thanks in advance,
ED
I have the following scenario in my environment:
Tomcat running as a service on Windows Server
The service is configured with a Domain Account, it is an Active Directory Account.
Now, in a Spring Controller I need to access a site; this site is configured with Integrated Security.
So what I want is to access this site using the same credentials that the Tomcat service is running under. So I believe that I need to access these credentials and pass them to an HTTP client.
Thanks.
There's a number of ways you can integrate a Java application into an Active Directory / Windows Authentication system:
I would start by understanding the Kerberos and NTLM authentication systems (and which apply to your environment) and reading up on the documentation: http://docs.oracle.com/javase/6/docs/technotes/guides/net/http-auth.html
Given you are using Spring already, I would strongly consider using Spring Security, which has NTLM support: http://blog.mediasoft.be/ntlm-with-spring-security-20/
I'm looking for an example of a java desktop application that consumes a Two-way SSL secured web service. Any tutorials or examples would be great, especially if they are based on the Eclipse IDE.
Thanks.
First, if you're not familiar with SSL, (self-signed) certificates, keytool, key store, trust store, in one word PKI, I'd suggest to start with The Fifteen Minute Guide to Mutual Authentication and Java Secure HTTP Client Key Management. These resources are just awesome and should help you to get started and to understand what you'll need on the server side and the client side (and why).
Then, I suggest to check Mutual Authentication for Web Services: A Live Example.
And for the JBoss specific setup, check out the SSLSetup page of the JBoss wiki (more precisely the Authentication scenario #4).
I'm not sure what you're looking for, an actual application that communicates via SSL to a web service provider? SOAPui is right up your alley then - except it's a general-purpose web-service tester and not some domain-specific application.
And it's not Eclipse-based, although there is a SOAPui Eclipse plugin.