Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 8 years ago.
Improve this question
I have multiple java web applications all having their login functionalities. I want to apply SSO(Single Sign On) on them irrespective by any method.
I have spent last 2 days on finding a solution to it, but I have no result.
Please anyone can help me on that.
My requirement is:
1.If user logs onto a single application he would be automatically logged onto other applications.
Sorry for my English and Thanks in advance.
If applications are in a Windows intranet and use windows logins, Waffle will do the job. Otherwise develop your own simple ticket granting service to provide SSO among your applications.
Update:
All of your apps have to have filters. Filter sends the session/cookie data(if available) in order to verify, to your SSO service whether the incoming request with the principle is already granted or not. If the session or cookie is not associateed with a ticket, then you redirect to the login page. If the request is about to login, then filter sends them in to SSO service, verify user and password with your database, and add an entry to SSO MAP, saying "this user just logged in". So it will send a ticket for that login. Ticket means just a random generated id. If the SSO service could not able to validate the user, then no entry will be there in the SSO MAP and will send failure error to your filter.
So your user validation goes in to a separate service which I just named as SSO service.
You will have to remove idle entries from SSO MAP.
Read about how SSO works, you will understand.
Related
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 7 years ago.
Improve this question
I'm developing TAI for OpenID Connect purpose. So, I want that user auth in
My main mission: on main page of WebSphere Portal (WSP), user press button "Login using Google" (Google just for an example of OpenID Connect Auth), than user redirecting to page, where he is write his credentials of service, next service redirects him to my WSP again where he would be auth success.
I asked about technology (mechanism of WAS) which let me implement this scenario in WebSphere Application Server (WAS) and WebSphere Portal (WSP), the answer is TAI. Now I can't understand how I can redirect user in TAI to specific page and waiting for response. If I wrong with mechanism, please tell me how I can implement it.
WebSphere Portal already supports out of the box log in using OpenID Google, Yahoo, Facebook and others check Integrating with OpenID authentication
and here for earlier versions How to Configure and Use OpenID, Facebook integration on WebSphere Portal
Have you seen those? Any reasons you want to implement it by yourself?
UPDATE
Try the following code in your TAI (this is only a fragment of TAI, showing only redirect, since complete TAI might be quite complex):
public class MyTai implements TrustAssociationInterceptor {
#Override
public TAIResult negotiateValidateandEstablishTrust(HttpServletRequest req,
HttpServletResponse res) throws WebTrustAssociationFailedException {
// pseudo code
....
if(requestShouldRedirect) {
res.sendRedirect("URL_TO_REDIRECT");
return TAIResult.create(HttpServletResponse.SC_CONTINUE);
}
else // finalize authentication
....
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 8 years ago.
Improve this question
There is an email portal : email.me.com. To login into the portal,we need a set of credentials namely username and password. If the credentials are correct, we are able to login with a success message else a failure message is thrown.
Is there a facility available in Java/or is there a way, I can check if the credentials are correct. I want to check by sending the username and password over the code? Is there any way I can do it?
code ------> login server (email.me.com) ---->Auth/Failed
|
|
\ /
message<-------------------------
Java doesn't try to implement telepathic insight into web servers mostly for security reasons but mainly because no one could demonstrate such a technology is feasible.
What you can do is use a HTTP client framework like Apache's HttpComponent to talk to the server as if you were a web browser, fill in the form and submit it.
Or you can contact the site's owners and ask if there is an API which you can use (IMAP, REST).
Note: Your request sounds like "I want to crack accounts on this server". So don't be surprised if you run a few tests and suddenly find your IP address being blocked.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 4 years ago.
Improve this question
last.fm API authentication
I need to connect to a URL, let user authenticate, and then proceed. How do I do that? I have the part for opening the URL, but do not know how to wait.
// 3. Request authorization from the user
String authURL = "http://www.last.fm/api/auth/?api_key=" + key + "&token=" + token;
java.awt.Desktop browser = java.awt.Desktop.getDesktop();
java.net.URI uri = new java.net.URI(authURL);
browser.browse(uri);
It's my first time working with web API's. I tried looking on Google and SO but didn't exactly find what I was looking for.
I'm sorry you chose this as your introduction to APIs. 5 seconds in the docs revealed that the question you have is a design flaw in their code, from the documentation:
If the user is not logged in to Last.fm, they will be redirected to the login page before being asked to grant your application permission to use their account. On this page they will see the name of your application, along with the application description and logo as supplied in Section 1. Once the user has granted your application permission to use their account, the browser-based process is over and the user is asked to close their browser and return to your application.
That's right. They don't ping you after the user completes the authentication. They just instruct the user to close the browser. That's pretty lame for obvious reasons: how do we know if the user completed it? We don't.
You're going to structure your application so the code continues after the user comes back, perhaps giving the user a button to press that says "I'm done". Later, you'll have to handle the possibility that the user never authenticated in your other code that calls the API.
Yes, it's broken. oAuth for example will at least call you back with a token after the user completes the browser based auth step. When using oAuth in a desktop app, you can just fire up a local webserver and receive your callback there (requires your LAN to be configured properly, obviously)
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 8 years ago.
Improve this question
I'm starting to work on a SSO solution for 3 different webapps we've produced and still maintain for the same client.
Thing is, all 3 store their users and login information in the same place through a fourth separate application which provides just basic restful api services.
Which basically means that when one tries to log into, we actually call the rest service asking whether this username and password are correct.
In a way this fourth restful thingie already does at least half of the job we need.
What we need now is a way to let users log into webapp A, then follow a link (or simply type its url) to webapp B (or simply type its url) and get there already logged (or viceversa).
I've been reading a lot about CAS and openID or even oauth but can't really make up my mind about it.
Is this pattern centralized? Decentralized?
My ten-thousand foot view suggests I would somehow just need to add this "missing feature" to our restful api server.
But how?
ps: these 3 are completely separated. deployed on different machines (2 of them run on glassfish, the other one runs on tomcat). different domains too.
pps: they're all spring-driven webapps (hence they use spring-security)
ppps: as of today, there are other webapps using our restul api (non spring, non java).
this sso solution might have to be ready to handle those too.
Yeah it sounds like you need a "true" single sign on system rather than just a centralized credential repository. As you mentioned there are several options:
OpenId - more suited to an internet type application in which you
want to allow users to log into your systems with credentials that
are maintained by a third party. Stackoverflow is a classic example.
You can sign in with your google account etc.
Oauth provides Pseudo authentication and sso - whereas OpenId says
"this is user x" oauth says "this user has access to x's
information" ... so you can assume that the user is x.
CAS, Cloudseal, OpenAM etc all provide true single
sign on and are suitable for an intranet or extranet environment.
CAS and Cloudseal have especially good Spring support.
Trusted site (relying party (RP) in white list - app a,b,c in your case) make request (redirect) to main site (provider - "fourth separate application") with a return url.
Main site make sure request (returnURL) is from white list of domains
Log user (if not logged, displaying login form), mark user as logged in database and add temporary token to user database.
Main site return (redirect) to RP with token.
RP look into database using token, logs user and deletes token.
SSOff also easy: just check on every request into user database into bool record (userLogged). NO REDIRECTS. On logout simply change record (userLogged) to false and every site will know.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 5 years ago.
Improve this question
i am trying to created a JAVA program that will get my windows users credentials, then connect to the kerberos on my unix box and authenticate and allow me to use a service, for an example an LDAP server.
All examples i have found tend to on run ask me for my password, i do not want this - I wish to be able to run the program and 'if by magic' im kerberos authenticated.
Any links and example are appreciated.
We have successfully setup SSO using Kerberos with a Java EE application and authenticating against a Windows Active Directory after many weeks of trials and web crawling.
JBOSS Negotiation and Spring Kerberos have both worked for us. However, both sets of documentation are not accurate enough to get you off the ground running. Put simple for either solution...
Create Service User in Active Directory.
Use ktpass to create a keytab file for this user. (Many gotchas with ktpass as listed below)
Use setspn -A to fix ktpass.
Ensure your krb5.conf (linux) or krb5.ini (windows) is correct.
Ensure you are not running the client on the same box as a server.
Ensure your times are in sync across your domain.
Test Kerberos using kinit in the JDK.
Configure your web application to delegate authentication via the provided filter.
Configure an XML file to use the appropriate service principal user as created initially.
Run your service as the principal user!!!!!!!!!
If using Spring, you can then implement a UserDetailsService to query LDAP (active directory) and set roles on the user principal.
From within your application the user principal should !=null.
ktpass problems:
Ensure your service user is set to user cannot change password in Active Directory.
Ensure you provide the password in the command line.
Ensure that you can still open a command prompt as that user after generating the keytab.
Ensure you specify the KRB5_NT_PRINCIPAL.
Format should be ktpass /out c:\service.keytab /mapuser userservice#TESTDOMAIN.SERVER.COM /princ HTTP/hostname#TESTDOMAIN.SERVER.COM /pass /ptype KRB5_NT_PRINCIPAL
Add the fully qualified service principal using setspn -A as follows:
setspn –A HTTP/hostname.testdomain.server.com userservice
DO NOT RESET THE SERVICE PRINCIPAL USERS PASSWORD (You will have to regenerate your keytab).
Finally, before every single test, use kinit purge to clear cached tickets.
Also, duplicate SPN's will break things badly! setspn -X in windows server 2008 will detect this (or google for script), if in doubt when doing this, start afresh with new service user and principal name every time!
Hope this helps someone avoid the pain I've had.