ESAPI OWASP Client-Side session using cookies - java

I'm actually improving the authentication system of an existing app (Java + JAX-WS + Hibernate + GWT). I found the OWASP Enterprise Security API project and I liked it (except for the documentation). My application needs to be scalable and it requires balancing load between multiple web servers. To be able to do this, I'm thinking of using a signed cookie with session information, instead of the usual server-side approach. I've been looking at the source code and examples, but all of them take a server-side session approach.
The question is then: is there something within the ESAPI project to implement this signed cookie mechanism to handle sessions? The idea of using this project is not to reinvent the wheel, but I can build everything if necessary.
If there isn't something useful in ESAPI, are there any similar Java security projects that you recommend?
Thanks a lot.
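The mechanism the question describes, as an added example that is not part of the original post and is not ESAPI code: the cookie value is a base64url payload (expiry and user id) followed by an HMAC-SHA256 tag over that payload, computed with a secret shared by all web servers behind the load balancer. The class name `SignedSessionCookie` and the payload layout are this example's own choices.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Optional;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example, not ESAPI code: a stateless session cookie of the form
 * "payload.signature", where signature = HMAC-SHA256(secret, payload).
 * Every server behind the load balancer holds the same secret, so any of them
 * can verify a cookie minted by another one without shared session storage.
 */
public final class SignedSessionCookie {
    private static final String HMAC_ALG = "HmacSHA256";
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();

    private final SecretKeySpec key;

    public SignedSessionCookie(byte[] secret) {
        this.key = new SecretKeySpec(secret, HMAC_ALG);
    }

    /** Mints the cookie value for a user id; it is valid until expiresAtMillis (epoch millis). */
    public String issue(String userId, long expiresAtMillis) throws GeneralSecurityException {
        // Expiry first, so the user id may contain any character, including the '|' separator.
        byte[] raw = (expiresAtMillis + "|" + userId).getBytes(StandardCharsets.UTF_8);
        String payload = ENC.encodeToString(raw);   // base64url: no '.' and no cookie-unsafe characters
        return payload + "." + ENC.encodeToString(hmac(payload));
    }

    /** Returns the user id if the cookie is authentic and unexpired at nowMillis, otherwise empty. */
    public Optional<String> verify(String cookieValue, long nowMillis) throws GeneralSecurityException {
        int dot = cookieValue.lastIndexOf('.');
        if (dot <= 0 || dot == cookieValue.length() - 1) return Optional.empty();
        String payload = cookieValue.substring(0, dot);
        byte[] presented;
        byte[] raw;
        try {
            presented = DEC.decode(cookieValue.substring(dot + 1));
            raw = DEC.decode(payload);
        } catch (IllegalArgumentException malformedBase64) {
            return Optional.empty();
        }
        // Check the MAC before trusting anything in the payload, and compare in constant time:
        // Arrays.equals() returns at the first mismatch and would leak how many tag bytes matched.
        if (!MessageDigest.isEqual(hmac(payload), presented)) return Optional.empty();

        String[] fields = new String(raw, StandardCharsets.UTF_8).split("\\|", 2);
        if (fields.length != 2) return Optional.empty();
        long expiresAt;
        try {
            expiresAt = Long.parseLong(fields[0]);
        } catch (NumberFormatException e) {
            return Optional.empty();
        }
        // The expiry is covered by the MAC, so the client cannot extend its own session.
        if (nowMillis >= expiresAt) return Optional.empty();
        return Optional.of(fields[1]);
    }

    private byte[] hmac(String payload) throws GeneralSecurityException {
        Mac mac = Mac.getInstance(HMAC_ALG);
        mac.init(key);
        return mac.doFinal(payload.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws GeneralSecurityException {
        byte[] secret = new byte[32];
        new SecureRandom().nextBytes(secret);   // in production: one key, loaded from config on every server
        SignedSessionCookie cookies = new SignedSessionCookie(secret);

        long now = System.currentTimeMillis();
        long thirtyMinutes = 30L * 60 * 1000;
        String cookie = cookies.issue("alice", now + thirtyMinutes);
        System.out.println("genuine:  " + cookies.verify(cookie, now));

        // Payload with a different user id but the old tag: the MAC no longer matches.
        String otherPayload = ENC.encodeToString(((now + thirtyMinutes) + "|bob").getBytes(StandardCharsets.UTF_8));
        String mismatched = otherPayload + cookie.substring(cookie.lastIndexOf('.'));
        System.out.println("tampered: " + cookies.verify(mismatched, now));

        // A genuine cookie presented after its expiry is rejected too.
        System.out.println("expired:  " + cookies.verify(cookie, now + thirtyMinutes + 1));
    }
}
```

The first call returns the user id; the second and third return an empty Optional. Two design points worth keeping in mind: the MAC gives integrity only, so the payload is readable by the client and must not carry secrets, and because no server-side state exists, a session cannot be revoked before its expiry unless you add a server-side denylist or rotate the key (which logs everyone out). Send the cookie with the HttpOnly and Secure flags, and keep the expiry short.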

Related

Authentication in Play 2.3.x

I'm using the Play! framework v2.3 (Java) and I want to add some user authentication to my web app, i.e. username/password for each user and a registration process.
I found some information on the docs on how to do this for v2.1 and v2.2:
http://www.playframework.com/documentation/2.1.0/JavaGuide4
https://www.playframework.com/documentation/2.2.x/JavaGuide4
But I can't find any updated info on v2.3. I've already tried looking at the API for play.mvc.Security.Authenticated but it doesn't help (http://www.playframework.com/documentation/2.3.x/api/java/play/mvc/Security.Authenticated.html).
Anyone know how to do this properly?
There are a number of authentication libraries that already exist which cover many use cases. It'd be best to use something that's well established in the community.
Secure Social - This seems to be the most popular, with lots of documentation. (For both java and scala)
Deadbolt 2 - There are many implementation examples linked from that git repo. It seems a little more geared for java.
Play2 Auth - This is for scala only, but it is well documented and very flexible. (I personally use Play2 Auth)
Out there is another great authentication library called Silhouette for Play Framework applications (Scala) that supports several authentication methods, including OAuth1, OAuth2, OpenID, Credentials, Basic Authentication, Two Factor Authentication or custom authentication schemes. http://silhouette.mohiva.com
It is very well maintained and the stable version 3.0.0 got announced just a couple days ago: http://silhouette.mohiva.com/blog/stable-release-of-silhouette-300
The coolest thing is, the project is named after the fictional crime fighter character Silhouette, from the Watchmen graphic novel and movie.
I found this Play template which covers logging in, resetting password, etc...
https://typesafe.com/activator/template/PlayStartApp
Our company has published an OpenSource Cloud Platform As a Service Web UI (for Play Framework 2.2.2).
We are planning to migrate it to 2.3.x over the next few weeks, even though we had some incompatibilities at first that we need to look at.
You can view short videos of our work at http://www.acentera.com/opensource/; from there you will be able to find our public Git repository of the code, which in some cases needs improvements but hopefully can be a good start for you to use this great web framework.
We used Shiro for authentication with a custom "SampleRealm" that does the JDBC authentication and gets the proper "permissions", with memcache as the session store in order to keep stateless connections.
Regards,
Eric M.
ACenterA Inc.
Play Authenticate has, since the beginning, been not only for Scala but for Java too; it has Deadbolt embedded... SecureSocial, stateless, with plenty of examples:
https://github.com/joscha/play-authenticate
It is the most customizable authentication module to use.

Java EE 7 Form based authentication

I'm currently working on a web application based on Java EE 7, PostgreSQL and the application server GlassFish 4.
I need to implement form-based authentication, and to secure some URLs, knowing that:
the users and the roles/groups (whatever they are called) are stored in the database;
I wanted my application to be as "standard" as possible (i.e. I am currently using JSF and JPA, and no other framework like Spring, Struts...).
After some research, I found that Java EE provides a standard authentication mechanism called JASPIC. So, I focused my research on JASPIC and I read multiple Stack Overflow Q/As and those articles written by Arjan Tijms (it's almost impossible to find a Stack Overflow Q/A related to Java EE without one of his answers or comments; thanks to him, by the way):
http://arjan-tijms.blogspot.fr/2012/11/implementing-container-authentication.html
http://arjan-tijms.blogspot.fr/2013/04/whats-new-in-java-ee-7s-authentication.html
http://arjan-tijms.blogspot.fr/2014/03/implementing-container-authorization-in.html
My question is: will JASPIC allow me to do what I need (form authentication + URL restriction with roles), and is it worth the effort to use it?
What I mean is: it's perhaps safer and easier to use another mechanism.
Arjan Tijms also says that whether or not to use JASPIC is "a kind of chicken-and-egg problem", and if JASPIC is safe to use (it doesn't create more problems than it solves), no matter the amount of code I need to write, I really want to be "one of the first chickens".
I'm using JASPIC for my authentication, but JASPIC has one limitation you need to contend with (if you want things standard). You're limited to having no dependencies outside of the Java EE 7 API. This means access to JDBC resources which require a driver is not a capability that is explicitly stated in the standards.
In my OpenID Connect implementation I used Google as my secure store, which also presents me with the Google login form. That is a larger example of using JASPIC though.
For yourself, you can expose an EJB to the global namespace and use InitialContext to get the EJB. There'd be some code duplication in that you have to copy the EJB remote interface code in two places and ensure the serialVersionIDs are the same on both. The EJB can be used to connect to the JPA resources to get your authorization data.
Use EJBs, because the other two options you may think of are REST and SOAP which would be exposing something on your web ports and would require some extra configuration to prevent unauthorized access or require they be placed on a different system.
A simple JASPIC implementation I created in case you want to learn is the HTTP Header JASPIC module which is intended for integration with more complex systems like SiteMinder.
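A minimal form-login ServerAuthModule, as an added example that is neither the answerer's module nor code from the question. `UserStore` is a hypothetical interface standing in for the EJB the answer suggests fetching through `InitialContext`; the login page path and the session attribute names are this example's own assumptions. Registering the module with the container's `AuthConfigFactory` (typically from a `ServletContextListener`) is a separate step not shown here.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.*;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.*;

/**
 * Added example (not code from the question or the answer): a minimal JASPIC
 * ServerAuthModule doing form login. UserStore is hypothetical; in the setup the
 * answer describes it would be an EJB looked up through InitialContext.
 */
public class FormServerAuthModule implements ServerAuthModule {
    /** Hypothetical credential store: returns the user's groups, or null if the credentials are wrong. */
    public interface UserStore {
        String[] authenticate(String username, char[] password);
    }

    private static final String IS_MANDATORY = "javax.security.auth.message.MessagePolicy.isMandatory";
    private static final String USER_ATTR = "auth.user", GROUPS_ATTR = "auth.groups";   // assumed names
    private static final String LOGIN_PAGE = "/login.xhtml";   // assumed location of the JSF login form
    private final UserStore users;
    private CallbackHandler handler;

    public FormServerAuthModule(UserStore users) { this.users = users; }

    @Override
    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
                           CallbackHandler handler, Map options) {
        this.handler = handler;   // the container's handler; callbacks passed to it set the caller identity
    }

    @Override
    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }

    @Override
    public AuthStatus validateRequest(MessageInfo info, Subject clientSubject, Subject serviceSubject)
            throws AuthException {
        HttpServletRequest req = (HttpServletRequest) info.getRequestMessage();
        HttpServletResponse resp = (HttpServletResponse) info.getResponseMessage();
        try {
            // 1. The login form posts to /j_security_check with j_username / j_password.
            if ("POST".equals(req.getMethod()) && req.getRequestURI().endsWith("/j_security_check")) {
                String user = req.getParameter("j_username");
                String pass = req.getParameter("j_password");
                String[] groups = (user == null || pass == null) ? null : users.authenticate(user, pass.toCharArray());
                if (groups == null) {
                    resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                    return AuthStatus.SEND_FAILURE;
                }
                req.changeSessionId();   // Servlet 3.1: fresh id after login, so a pre-login id cannot be fixated
                HttpSession session = req.getSession();
                session.setAttribute(USER_ATTR, user);
                session.setAttribute(GROUPS_ATTR, groups);
                resp.sendRedirect(req.getContextPath() + "/");
                return AuthStatus.SEND_CONTINUE;
            }
            // 2. Already logged in: JASPIC runs on every request, so the caller is re-established each time.
            HttpSession session = req.getSession(false);
            String user = session == null ? null : (String) session.getAttribute(USER_ATTR);
            if (user != null) {
                handler.handle(new Callback[] {
                        new CallerPrincipalCallback(clientSubject, user),
                        new GroupPrincipalCallback(clientSubject, (String[]) session.getAttribute(GROUPS_ATTR)) });
                return AuthStatus.SUCCESS;
            }
            // 3. Anonymous: a protected URL (isMandatory) goes to the login form; a public URL passes through.
            if (Boolean.parseBoolean((String) info.getMap().get(IS_MANDATORY))) {
                resp.sendRedirect(req.getContextPath() + LOGIN_PAGE);
                return AuthStatus.SEND_CONTINUE;
            }
            handler.handle(new Callback[] { new CallerPrincipalCallback(clientSubject, (Principal) null) });
            return AuthStatus.SUCCESS;
        } catch (IOException | UnsupportedCallbackException e) {
            throw (AuthException) new AuthException(e.getMessage()).initCause(e);
        }
    }

    @Override
    public AuthStatus secureResponse(MessageInfo info, Subject serviceSubject) { return AuthStatus.SEND_SUCCESS; }

    @Override
    public void cleanSubject(MessageInfo info, Subject subject) { subject.getPrincipals().clear(); }
}
```

Once the module is registered, URL restriction by role is left to the ordinary `security-constraint` entries in web.xml (or `@ServletSecurity`); the groups passed through `GroupPrincipalCallback` are what the container matches against those roles.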
I do not know JASPIC, but may I suggest you take a look at the Shiro framework.
It lets you do pretty much everything you need based on your post, with minimal configuration.
For form-based authentication and authorization, you need JAAS. Go through the following URL:
link

Single Sign On Framework

I want to implement a SSO Framework. My requirement is thus:
Once a user logs into a particular website and he clicks on an external link, he should not be asked to verify his credentials again.
EDIT: Here, I have control over the 'external link' that I speak of. The first link that the person signs into can provide me credentials or other information that I require, but I have no control over it.
I researched a bit, and found CAS to be relevant for my requirement. But, I don't want the end user to login to CAS initially, I need a framework that receives the credentials from the currently logged in website and uses the same to login to the other external site. Security is, of course, an important factor. Can you please give me some pointers/ ideas as to how to go about designing such a framework?
Based on what you're describing, it sounds like an Identity Provider (IdP) initiated SAML profile would meet your requirements (a good visual representation of this is here). The original web site your user is logged in to will function as the Identity Provider. Once a user is authenticated with that application, they will then be able to access your external application by clicking a link. Instead of being directed to a log in page for your application, the original app will instead forward the user's authorization details via SAML to you where the signature will be verified and possibly checked with the identity provider. If everything checks out, the user will be redirected to the requested resource from your app without having to sign in.
Note, that the above describes the protocol of the SSO. There are many different frameworks that support SAML that you can use. Two that you can research are Shibboleth and, as already mentioned, OpenAM.
This is a rather simplified explanation based on limited details, but hopefully it will help lead you towards a solution. I would recommend doing a good bit of research on the protocols and frameworks available before making your decision. Also, a proof of concept never hurts to prove out the solution will work for you before investing in it to a point of no return.
Good luck.
OpenAM should help you:
OpenAM provides open source Authentication, Authorization, Entitlement and Federation software. Through OpenAM, the community actively continues development of OpenSSO.
OpenAM provides core identity services to simplify the implementation of transparent single sign-on (SSO) as a security component in a network infrastructure. OpenAM provides the foundation for integrating diverse web applications that might typically operate against a disparate set of identity repositories and are hosted on a variety of platforms such as web and application servers.
On the wikipedia page List of single sign-on implementations you can find a list of SSO implementations, there is a column indicating the licence.
Read about JBoss SSO from here.

Custom authentication on google app engine with Java and no 3rd party frameworks (iOS client) - is design reasonable?

I'm looking to roll my own simple user authentication as part of an iOS / GAE app. I'm not wanting to use 3rd party libs such as Spring.
I have an iOS client from which I'd like to offer the option to create a profile (hashed UDID, password). Store the login details (keychain?) and auto-login to GAE each time my App starts.
I'm thinking simple HTTP basic-authentication. B64 decode (GAE API for this?), then use the hashed UDID as Key into my various datastore Entities via low level data store API. Then generate some kind of unique session ID (GAE API for this?) to pass around as a URL parameter.
I have fairly good Java/Objective-C experience, but it's my first 'cloud' type app and I have security concerns about the above approach. Not least because I didn't find any Java examples of solving what must be a fairly common problem, which makes me think I'm missing something :)
Some things I'm not sure how to solve;
The URLs could easily be 'network sniffed' or 'binary scanned' from the App opening me up to the possibility of DOS/GAE app abuse.
Is it worth trying to secure the traffic via HTTPS, and is there a way to do this between iOS and GAE? (I've never used SSL.)
Could I combine this approach with an administration page that would use Google authentication?
Does GAE have any built in DOS protection or would I also need to combine that into my authentication approach?
Without GAE threads how do I invalidate a session after a certain amount of time, taskQueue?
I'm new to GAE and excited to get past this first hurdle, so any tips/advice are much appreciated!
Some of my experiences; though I'm using Python, you might find some of the observations I make helpful:
You might want to consider OAuth 2.0 as the authentication model since it works with most providers.
I first chose a JavaScript / OpenID + custom login and now I use server-side OAuth 2.0 + custom login. (I had considered using http://www.janrain.com/ if you're thinking of alternatives to rolling your own.)
A third option for you is to take the custom authentication that is already included with a Java CMS for App Engine that already has an authentication system.
You can make a completely custom /admin interface, completely separate from the user experience, so App Engine will be preferable for you since it gives you a lot of control over the code.
If you want to look at how a larger Java CMS for GAE does it, then you could check http://www.vosao.org/

Java EE Security - Which method to use?

Which one is the best approach/method to implement security in Java EE? (JPA/JSPs)
I'm working on a personal project so I can learn Java EE, and I am a little confused about how to approach the AUTHORIZATION and AUTHENTICATION process on my website.
I have different roles and I don't want certain users to access certain parts of the website. So I've been searching for docs, tutorials, etc., but everything I find dates to more than 3-4 years ago. Is there anything more recent that I should look into?
Here are some of the things I found:
http://www.oracle.com/technetwork/developer-tools/jdev/oc4j-jaas-login-module-083975.html
Any help would be greatly appreciated!!! :)
Spring Security. Although it is branded as Spring, you might find it useful for web applications; do note that you don't need to write a Spring app to use Spring Security.
If you wish to stick to JAAS, I would suggest using one of the container's login modules, just to get started, before you attempt to write your own login module. Be forewarned that you might end up writing one, if the container supplied modules do not meet your requirements. And, there is a good book on JAAS to help you understand it in detail.
Moreover, take a look at Servlet spec 3.0, to see how annotations can be used to declare the roles (#DeclareRoles, which came in servlet spec 2.5) in the servlet itself, before defining what roles have access to what HTTP method (using #RolesAllowed). You can also employ annotations like #DenyAll and #PermitAll, to permit or forbid access to all users. #TransportProtected will ensure that the HTTP method is accessed over HTTPS. All one needs to do is to map these roles in the source code to actual roles in the JAAS realm; this is often done using a container-specific descriptor file.
ADDENDUM
Since you are using JSPs and not Facelets or any other technology for the presentation tier, you might be interested in the JSP tags offered by Spring Security. It is much cleaner than maintaining all of the authorization metadata in a humongous web.xml file.
As far as JPAs are concerned, well, the underlying access to them is usually enforced at the servlets or EJBs. Of course, you can build in more programmatic security, based on your needs - using entity listeners would help in this process as you would be able to intercept load, update and persist operations (if you are that particular, but for the most part building security before your business logic is executed usually is sufficient).
And oh, take a look at JBoss Seam (and Seam security), for it is a complete application development framework built on Java EE.
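Declarative role-based authorization on a servlet, as an added example that is not part of the answer above, written with the `@ServletSecurity`, `@HttpConstraint` and `@HttpMethodConstraint` annotations of the final Servlet 3.0 API. The servlet, its URL and the role names "admin" and "user" are assumptions; as the answer says, those role names still have to be mapped to realm groups in the container-specific descriptor.

```java
import java.io.IOException;
import javax.annotation.security.DeclareRoles;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not from the answer): declarative authorization with the
 * Servlet 3.0 annotations. The roles "admin" and "user" are assumed and must be
 * mapped to realm groups in the container's deployment descriptor.
 */
@DeclareRoles({ "admin", "user" })
@WebServlet("/reports")   // assumed URL
@ServletSecurity(
    // Default for every HTTP method not listed below: any authenticated "user", and only over HTTPS.
    value = @HttpConstraint(rolesAllowed = "user", transportGuarantee = TransportGuarantee.CONFIDENTIAL),
    // State-changing methods are restricted further to "admin".
    httpMethodConstraints = {
        @HttpMethodConstraint(value = "POST", rolesAllowed = "admin", transportGuarantee = TransportGuarantee.CONFIDENTIAL),
        @HttpMethodConstraint(value = "PUT",  rolesAllowed = "admin", transportGuarantee = TransportGuarantee.CONFIDENTIAL)
    })
public class ReportServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        // The container has already authenticated the caller and checked the "user" role before this runs,
        // so getUserPrincipal() is never null here.
        resp.setContentType("text/plain");
        resp.getWriter().println("Reports for " + req.getUserPrincipal().getName());
        // Programmatic check for a finer-grained decision that the annotations cannot express.
        if (req.isUserInRole("admin")) {
            resp.getWriter().println("(admin view: includes all users' reports)");
        }
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        // Only reachable by "admin": the container answers 403 to any other authenticated caller.
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

The annotation expresses the access rules next to the code they protect; a `security-constraint` in web.xml for the same URL pattern would take precedence over it, so keep each URL's rule in one place to avoid surprises.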
Something more recent than JAAS is the Spring Security framework. It supports JSR-350 (EJB 3) and thus would work fine in Java EE.
I worked on a Java EE application recently with JAAS. It's pretty current; you can check its home page at Oracle.
It works with roles, authentication, etc.
You can use it in JBoss and Glassfish, probably the rest of the ASs too.
Spring security tutorial https://www.packtpub.com/spring-security-3/book. Highly recommended.