I am considering using AWS for a project that will have an iOS application as a client and a server side using a custom-developed REST API built with Java Spring. I have been reading about the need to sign all requests to AWS services using a signature version (version 4 for most services) and would like to leverage the mechanism in order to secure my REST services. There is plenty of documentation for using the REST wrappers in the AWS SDK for services such as S3 or DynamoDB; however, I am having trouble getting a clear answer on how to validate the signature from a custom REST API running on Elastic Beanstalk (for example a WAR deployed on Tomcat implementing Spring REST).
1) iOS client calls a REST service using RestKit (or can I use a class in the Amazon SDK for iOS instead?). As part of the call it specifies the token string and the AWS access key.
2) Server side, a Java program running on Tomcat on Elastic Beanstalk receives the REST call and processes it by first validating the signature. If the signature corresponds to the recomputed signature, then allow the request; otherwise reject it.
Could anyone point me in the right direction in terms of what is available in the AWS SDK for ObjC and Java to do this REST signature validation (again, not using pre-boxed services such as S3)?
Thank you very much.
This is an excellent question and a very popular feature request from our customers. As of today, there is no AWS API to validate AWS Access Key / Secret Key based signatures for your custom web services.
However, everything AWS does is based on customer feedback, and your feedback helps to set up our development priorities. We are hearing that requirement a lot.
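The recompute-and-compare check the question describes, written out as an added Java example that is not part of the original question or answer and is not an AWS SDK API: the server derives a Signature Version 4 signing key from the secret it holds for the presented access key id, recomputes the signature over a canonical form of the request it actually received, rejects requests whose x-amz-date lies outside a 15-minute window (replay limit), and compares the result in constant time. The key store, the region and service strings ("us-east-1", "myapi"), the header set and the request itself are constructed for the demonstration; query-string canonicalization and URI encoding are simplified relative to the full SigV4 specification, so a production verifier must canonicalize exactly as the client does.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.time.Duration;
import java.time.Instant;
import java.time.LocalDateTime;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.util.HashMap;
import java.util.Map;
import java.util.TreeMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Server-side verification of a SigV4-style HMAC signature for a custom REST API. */
public class SigV4Verifier {

    private static final DateTimeFormatter AMZ_DATE = DateTimeFormatter.ofPattern("yyyyMMdd'T'HHmmss'Z'");
    private static final Duration MAX_SKEW = Duration.ofMinutes(15);

    // Constructed key store standing in for the real credential lookup (assumption).
    private static final Map<String, String> SECRETS = new HashMap<>();
    static { SECRETS.put("AKIAEXAMPLE", "constructed-secret-do-not-use"); }

    static byte[] hmac(byte[] key, String data) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    static String sha256Hex(String s) throws GeneralSecurityException {
        return hex(MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8)));
    }

    /** SigV4 key derivation: "AWS4"+secret -> kDate -> kRegion -> kService -> kSigning. */
    static byte[] signingKey(String secret, String date, String region, String service) throws GeneralSecurityException {
        byte[] kDate = hmac(("AWS4" + secret).getBytes(StandardCharsets.UTF_8), date);
        byte[] kRegion = hmac(kDate, region);
        byte[] kService = hmac(kRegion, service);
        return hmac(kService, "aws4_request");
    }

    /** Canonical request; header names must already be lower-cased (the TreeMap sorts them). */
    static String canonicalRequest(String method, String path, String query, TreeMap<String, String> headers, String payloadHash) {
        StringBuilder canonical = new StringBuilder();
        StringBuilder signed = new StringBuilder();
        for (Map.Entry<String, String> e : headers.entrySet()) {
            canonical.append(e.getKey()).append(':').append(e.getValue().trim()).append('\n');
            if (signed.length() > 0) signed.append(';');
            signed.append(e.getKey());
        }
        return method + "\n" + path + "\n" + query + "\n" + canonical + "\n" + signed + "\n" + payloadHash;
    }

    static String signature(String secret, String amzDate, String region, String service, String canonical) throws GeneralSecurityException {
        String date = amzDate.substring(0, 8);
        String scope = date + "/" + region + "/" + service + "/aws4_request";
        String stringToSign = "AWS4-HMAC-SHA256\n" + amzDate + "\n" + scope + "\n" + sha256Hex(canonical);
        return hex(hmac(signingKey(secret, date, region, service), stringToSign));
    }

    /** The server-side check: unknown key, stale timestamp, then constant-time signature comparison. */
    static boolean verify(String accessKeyId, String presented, String amzDate, String region, String service,
                          String canonical, Instant now) throws GeneralSecurityException {
        String secret = SECRETS.get(accessKeyId);
        if (secret == null) return false;
        Instant requestTime = LocalDateTime.parse(amzDate, AMZ_DATE).toInstant(ZoneOffset.UTC);
        if (Duration.between(requestTime, now).abs().compareTo(MAX_SKEW) > 0) return false;
        String expected = signature(secret, amzDate, region, service, canonical);
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8), presented.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws GeneralSecurityException {
        String amzDate = "20240101T120000Z"; // constructed request timestamp
        TreeMap<String, String> headers = new TreeMap<>();
        headers.put("host", "api.example.com");
        headers.put("x-amz-date", amzDate);
        String canonical = canonicalRequest("GET", "/orders", "limit=10", headers, sha256Hex(""));
        // The client builds the same canonical request and signs it with its own copy of the secret.
        String sig = signature(SECRETS.get("AKIAEXAMPLE"), amzDate, "us-east-1", "myapi", canonical);
        Instant now = Instant.parse("2024-01-01T12:05:00Z");
        System.out.println("valid:    " + verify("AKIAEXAMPLE", sig, amzDate, "us-east-1", "myapi", canonical, now));
        // A modified path changes the canonical request, so the recomputed signature no longer matches.
        String tampered = canonicalRequest("GET", "/admin", "limit=10", headers, sha256Hex(""));
        System.out.println("tampered: " + verify("AKIAEXAMPLE", sig, amzDate, "us-east-1", "myapi", tampered, now));
        // A correct signature presented two hours later is rejected by the timestamp window.
        System.out.println("replayed: " + verify("AKIAEXAMPLE", sig, amzDate, "us-east-1", "myapi", canonical, now.plus(Duration.ofHours(2))));
    }
}
```

In a Spring controller the same `verify` call would sit in a filter that reads the Authorization header (credential scope, signed headers, signature), recomputes the payload hash from the request body, and refuses the request before it reaches any handler; the secret is never sent by the client, only the HMAC over the request.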
Can someone give me a piece of java code to get id_token on GCP using google account?
I've got a RESTful API endpoint service deployed on GCP to test. I can use my Google account to get the id_token using the command "gcloud config config-helper" (e.g. id_token: eyJadhI6....). This id_token is then placed in the header as the value of Authorization. The REST request fires as expected. But I need to do the same using Java instead of the console command line to get a valid id_token.
I encourage you to use one of the Google-provided client libraries (SDKs).
These are open-sourced and tested by Google and provide you with a much better platform for your development.
See:
https://cloud.google.com/apis/docs/cloud-client-libraries
https://github.com/googleapis/google-cloud-java
and:
https://github.com/googleapis/google-cloud-java#authentication
Using these SDKs you will avoid the complexity in navigating your way through the underlying REST APIs directly.
A couple of useful tricks/pointers:
Google APIs Explorer enables you to use the REST APIs from the browser
If you append --log-http to any gcloud command, the REST calls are logged.
NB: there are two flavors of APIs (API Client Libraries and Cloud Client Libraries); see the explanation. The Cloud Client Libraries are more modern, are idiomatic, and are preferred if you're mostly using GCP.
HTH!
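Using the Google-provided auth library to do in Java what gcloud does from the console, as an added example that is not part of the original answer: it loads Application Default Credentials, mints an ID token for a target audience through the google-auth-library-java `IdTokenCredentials` API, and sends it as a Bearer token. It assumes a credential type that can mint ID tokens (a service account key or metadata-server identity; plain user credentials may not implement `IdTokenProvider`), Java 11+ for `java.net.http`, and the `google-auth-library-oauth2-http` dependency on the classpath; `TARGET_URL` is a hypothetical environment variable naming the protected endpoint.

```java
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.IdTokenCredentials;
import com.google.auth.oauth2.IdTokenProvider;
import java.io.IOException;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;

/** Mints a Google-signed ID token for a target audience and calls a protected endpoint with it. */
public class IdTokenCaller {

    /** Returns a fresh ID token whose "aud" claim is the given audience. */
    static String fetchIdToken(String audience) throws IOException {
        GoogleCredentials adc = GoogleCredentials.getApplicationDefault();
        // Only credential types that implement IdTokenProvider can mint ID tokens;
        // fail loudly rather than fall back to sending an OAuth access token by mistake.
        if (!(adc instanceof IdTokenProvider)) {
            throw new IOException("Application Default Credentials cannot mint ID tokens: " + adc.getClass().getName());
        }
        IdTokenCredentials idTokenCredentials = IdTokenCredentials.newBuilder()
                .setIdTokenProvider((IdTokenProvider) adc)
                .setTargetAudience(audience)
                .build();
        idTokenCredentials.refresh(); // performs the token exchange with Google
        return idTokenCredentials.getIdToken().getTokenValue();
    }

    /** The same Authorization header the question sets by hand, built from the minted token. */
    static HttpRequest authorizedRequest(String endpoint, String idToken) {
        return HttpRequest.newBuilder(URI.create(endpoint))
                .header("Authorization", "Bearer " + idToken)
                .GET()
                .build();
    }

    public static void main(String[] args) throws Exception {
        String endpoint = System.getenv("TARGET_URL"); // hypothetical: URL of the protected service
        if (endpoint == null) {
            System.out.println("set TARGET_URL to the protected endpoint to run this example");
            return;
        }
        // The audience the receiving service verifies is normally its own URL.
        String token = fetchIdToken(endpoint);
        HttpResponse<String> response = HttpClient.newHttpClient()
                .send(authorizedRequest(endpoint, token), HttpResponse.BodyHandlers.ofString());
        System.out.println("status: " + response.statusCode());
    }
}
```

The audience is what the receiving service checks in the token's `aud` claim, so minting a token for the wrong audience yields a 401/403 even though the token is genuinely Google-signed; keeping the audience equal to the service URL is the usual convention.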
Situation:
I have java background process service running that needs to access a secured REST API endpoint.
The API endpoint is an AWS Lambda function running behind Amazon API Gateway, using the Serverless framework. It is secured with an Amazon Cognito User Pool Authorizer.
I have created an App Client for my Java background service, which is attached to the user pool.
I have successfully retrieved the client authentication token and accessed the API endpoint using both cURL and HttpClient.
Question:
Is this functionality available in the AWS Java SDK (v1 or v2)?
I have been going through the SDK documentation and have found nothing so far. Is there something I've missed, or not found yet? Or is this just not currently available?
There is no raw API call in the AWS Java SDK (any version) for Cognito for the Client Credentials authentication flow. However, you could manually write your own logic to implement this flow, as the sequence of steps involved in the Client Credentials (machine-to-machine) flow can be done with vanilla Java. This flow requires a POST request made to Cognito's OAuth 2.0 TOKEN endpoint [a]. Since this flow essentially requires an endpoint request, I do not think the Cognito developers would develop an accessible API to achieve the flow.
For more details, I would request you to have a look at this official documentation [b], and this non-AWS published tutorial [c].
References
[a]. https://docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html
[b]. https://aws.amazon.com/blogs/mobile/understanding-amazon-cognito-user-pool-oauth-2-0-grants/
[c]. https://lobster1234.github.io/2018/05/31/server-to-server-auth-with-amazon-cognito/
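The "vanilla Java" version of the flow the answer describes, as an added example that is not part of the original answer or of any AWS SDK: a POST to the TOKEN endpoint from reference [a] with HTTP Basic authentication over `client_id:client_secret` and a form body of `grant_type=client_credentials`, then a call to the API Gateway endpoint carrying the returned access token. It assumes Java 11+ (`java.net.http`), and the environment variables `COGNITO_DOMAIN` (your `https://<prefix>.auth.<region>.amazoncognito.com` domain), `COGNITO_CLIENT_ID`, `COGNITO_CLIENT_SECRET`, optional `COGNITO_SCOPE` and `API_URL` are hypothetical names chosen for the example; the header format the authorizer accepts is an assumption based on the questioner's working cURL call. Without those variables it only parses a constructed sample reply offline.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Client-credentials (machine-to-machine) grant against the Cognito TOKEN endpoint using plain JDK 11 HTTP. */
public class CognitoClientCredentials {

    /** Build the POST to /oauth2/token: HTTP Basic with client_id:client_secret, form-encoded body. */
    static HttpRequest tokenRequest(String cognitoDomain, String clientId, String clientSecret, String scope) {
        String basic = Base64.getEncoder().encodeToString(
                (clientId + ":" + clientSecret).getBytes(StandardCharsets.UTF_8));
        StringBuilder body = new StringBuilder("grant_type=client_credentials");
        if (scope != null) body.append("&scope=").append(URLEncoder.encode(scope, StandardCharsets.UTF_8));
        return HttpRequest.newBuilder(URI.create(cognitoDomain + "/oauth2/token"))
                .header("Authorization", "Basic " + basic)
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(body.toString()))
                .build();
    }

    /** Pull access_token out of the JSON reply; a real service would use a JSON library here. */
    static String extractAccessToken(String json) {
        Matcher m = Pattern.compile("\"access_token\"\\s*:\\s*\"([^\"]+)\"").matcher(json);
        if (!m.find()) throw new IllegalStateException("no access_token in token response");
        return m.group(1);
    }

    /** Call the API Gateway endpoint; the token goes in the header the Cognito authorizer is configured to read. */
    static HttpRequest apiRequest(String apiUrl, String accessToken) {
        return HttpRequest.newBuilder(URI.create(apiUrl))
                .header("Authorization", accessToken) // assumption: authorizer reads the raw token from Authorization
                .GET()
                .build();
    }

    public static void main(String[] args) throws Exception {
        String domain = System.getenv("COGNITO_DOMAIN");
        String clientId = System.getenv("COGNITO_CLIENT_ID");
        String clientSecret = System.getenv("COGNITO_CLIENT_SECRET");
        String apiUrl = System.getenv("API_URL");
        if (domain == null || clientId == null || clientSecret == null || apiUrl == null) {
            // Offline path: exercise the parser on a constructed token reply.
            String sample = "{\"access_token\":\"eyJconstructed\",\"expires_in\":3600,\"token_type\":\"Bearer\"}";
            System.out.println("parsed token: " + extractAccessToken(sample));
            return;
        }
        HttpClient http = HttpClient.newHttpClient();
        HttpResponse<String> tokenRsp = http.send(
                tokenRequest(domain, clientId, clientSecret, System.getenv("COGNITO_SCOPE")),
                HttpResponse.BodyHandlers.ofString());
        if (tokenRsp.statusCode() != 200) {
            throw new IllegalStateException("token endpoint returned HTTP " + tokenRsp.statusCode());
        }
        String accessToken = extractAccessToken(tokenRsp.body());
        HttpResponse<String> apiRsp = http.send(apiRequest(apiUrl, accessToken), HttpResponse.BodyHandlers.ofString());
        System.out.println("API status: " + apiRsp.statusCode());
    }
}
```

Two points worth checking when this returns 401 or 403: the client-credentials grant yields an access token, not an ID token, so the API Gateway method must be configured with the OAuth scopes that token carries; and the client secret is a long-lived credential, so it should come from a secret store rather than a config file checked into the service's repository.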
I suggest you use google-oauth-java-client; you can look at the example in the blog post I published:
http://shaikezam.com/#/machine_to_machine_cognito_auth
I'm new to SAML, Salesforce and PingFederate and have a need for integrating a Java based server with Salesforce and PingFederate using SAML assertions. Essentially what I need to be able to do is to allow a Salesforce-authenticated user to use the Java based server without having to re-enter user/pass info when directed to the Java server from Salesforce. In turn, changes made from the Java server will need to be pushed back to Salesforce as well.
I've been trying to find Java code to handle authentication that I can incorporate with the Java based server, but I find bits and pieces here and there, but not a complete solution.
Is there any good Java sample code for authenticating against Salesforce with PingFederate using SAML?
TIA
There are a couple of things you need to clarify first; the solution would follow.
Who's going to be the Identity Provider, Salesforce or PingFederate?
Is the Java Application going to be a standalone SAML 2.0 Service Provider or directly integrated with PingFederate, which takes care of federation?
Salesforce as IdP:
Either configure a SAML 2.0 Connection between the Salesforce IdP and PingFederate as the SP. (Salesforce doc, PingFederate doc)
Or use the Salesforce Cloud Identity Connector for PingFederate, which provides an IdP adapter. (doc)
Salesforce as SP:
Either configure a SAML 2.0 Connection between PingFederate as the IdP and Salesforce as the SP. (PingFederate doc, Salesforce doc)
Or use the Salesforce Connector for PingFederate, which simplifies the configuration. (doc)
Java App as standalone SP:
Use one of the many SAML 2.0 Libraries for Java, then configure for PingFederate as the IdP.
Java App integrated to PingFederate:
Also called the "last-mile integration", PingFederate has several Integration Kits available which can be used for this purpose, the Java IK and the Agentless (or RefID) IK being the two coming to mind. Both of these include Sample Applications which can be leveraged. (Java IK doc, Agentless IK doc)
For your use case, there are three subsystems, mainly (1) PingFederate as the Identity Provider (IdP), (2) Salesforce as an application, and (3) your Java based server application. Single sign-on (SSO) occurs via PingFederate issuing SAML tokens to each application. Once an authenticated session exists by accessing one of the two applications, the second will not be challenged to re-authenticate, granted the SSO policy has not expired.
There are two SAML connections here, mainly the Salesforce connection and the connection to your Java application. There are many tutorials on the internet to configure the Salesforce-PingFederate SAML connection. Your question asks how to set up a connection to your Java based application from PingFederate. There are a couple of options here using PingFederate. I recommend you download the Agentless (also known as Reference ID) Integration Kit and the Java Integration Kit. Both of these integration kits allow "last mile" integration to your Java based server application. Both of the kits have documentation and samples. My preference is the Agentless Integration Kit since it uses a REST API and does not require any libraries being compiled into your application.
I know App Engine uses the Jetty servlet container to host applications. Right now we are using Endpoints, which provides the RESTful services by which the mobile app (Android) and web client can communicate with App Engine and can perform insert, update and remove operations on the Datastore using JDO or JPA.
The same operations can also be performed by a Java servlet in an App Engine app; it also uses JDO or JPA to communicate with the Datastore.
So with App Engine, which is more advisable: Endpoints (RESTful services) or servlets?
Any clarity on this will be really helpful.
Thanks in advance!
Depends on what you want to achieve.
When you use endpoints, you can get autogenerated client-code and you can possibly end up with less boilerplate code. The endpoint code will handle all marshalling/unmarshalling of the data you send to the server. But you will also have to use the auto-generated code for all clients using the endpoint.
Using servlets you will have to do a bit more boilerplate coding and do all the marshalling yourself, but you will have full control of what happens and you do not need to use the autogenerated code.
I am a Java SE programmer and exploring implementing JAX-WS web services for the purpose of integrating with our web server. To this date, I have not had experience with web-services thus would like to get everyone’s expert opinion.
The background is that my company has a POS system developed and hosted in-house using Java SE. We are planning for e-commerce capabilities, which will be implemented in HTML/PHP, via external web development company and hosted externally.
Thus we are exploring implementing JAX-WS web services on our endpoint for the purpose of integrating with our e-commerce server running PHP endpoint.
I’ve done some research and my understanding is that:
it is possible to implement JAX-WS without Java EE containers
JAX-WS Web Services Without Java EE Containers
it is possible to mix end-point technologies, and specifically in my case JAX-WS as our endpoint and PHP SoapClient on our e-commerce endpoint
PHP SOAP Client to consume JAX-WS with Basic Http Authentication
Using PHP SoapClient with Java JAX-WS RI (Webservice)
I am now wondering what is the proper approach when discussing implementation with the external web development company that is building our e-commerce platform. Most web sites' and forums' examples assume Java on both endpoints and that both endpoints are implemented by the same developer/team.
Based on my limited understanding, I gather the process would be:
Me/my company creating the web service (coding the web services methods in Java)
Me/my company creating the server program
The wsdl generated from the URI (http://:/md5WebService?wsdl )of my server program is then used as the interface contract between our internal POS system and the external e-commerce platform
The web development company that is implementing the e-commerce platform then uses the wsdl to implement the PHP SoapClient endpoint on their side.
And in the case where our internal POS system needs to consume a web service created by the external web development company, they will pass me the WSDL and I use that to make the call to them.
Is this the correct way to proceed?
Many thanks.
Cheers,
Arthur
In Java you actually have two ways to start the design of your web service. You can either create the WSDL (Web Service Description Language) contract first (the contract-first approach) and then let Java or some framework tools create Java skeleton classes for you, which you can use to implement the logic of each operation, or you can start with the code-first approach, implement each web method and its logic, and then let Java or some external framework tools generate the WSDL contract for you.
Either way you start, the result should be very similar and platform independent. The standard message format used for WSDL based web services is SOAP (Simple Object Access Protocol) which is based on XML (eXtensible Markup Language) which is by definition platform and programming language neutral.
So, after implementing your service and starting a server for the WS endpoint, adding ?wsdl to the end of the endpoint URL should return the WSDL contract to the invoker, which can be used to create client-side stubs for the required programming language, which further simplify the sending and receiving of messages from and to the web service. Note however that creating stub files might not be needed, as all the information may be parsed from the WSDL contract directly. Due to my lack of knowledge concerning PHP, I can't give details on how to call a WS from PHP directly or whether stub file creation is required/recommended.
In order to call another WS from your service you need to create a WS client within one of your web methods, invoke one or more of the operations offered by the remote WS, and process the response within your web method.
As I am not sure whether you are using any (Java) frameworks like e.g. Apache CXF, I am not giving any code examples here. For integrating external web services within your service you might also have a look at Apache Camel, which offers integration support for numerous Java based frameworks including CXF. Here your web service is treated as a Consumer, while other external services you need to invoke are handled as Producers. The interaction between your internal and the external services is modeled here within a route where you can apply various Enterprise Integration Patterns (EIP), like splitting multiple elements contained within a response into distinct objects which you can then process in parallel.
In general your enumeration of the steps involved does look right if you follow the code-first approach, but as mentioned earlier you can also start by defining your contract first. Depending on your knowledge of the WSDL/XSD syntax (the less you know the exact syntax, the more you should use the code-first approach), creating the contract first might enable PHP-side integration sooner while you still develop the internal logic of your implementation.
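The code-first path from the answer (annotate a class, publish it, hand out the ?wsdl URL) as a runnable added example that is neither the answer's own code nor the questioner's md5WebService: a small stock-lookup service standing in for a POS operation, published with the JAX-WS runtime bundled in JDK 8 (on JDK 11+ the `javax.jws`/`javax.xml.ws` packages are no longer in the JDK and need the JAX-WS RI dependencies). The service name, the `com.example.pos` package, the SKU inventory and the local address are all constructed for the demonstration.

```java
package com.example.pos;

import java.util.HashMap;
import java.util.Map;
import javax.jws.WebMethod;
import javax.jws.WebParam;
import javax.jws.WebService;
import javax.xml.ws.Endpoint;

/**
 * Code-first JAX-WS service: annotate a POJO, publish it, and the runtime derives the WSDL
 * contract that the PHP SoapClient side reads from the ?wsdl URL.
 */
@WebService(serviceName = "StockService")
public class StockService {

    // Constructed inventory standing in for the POS database (assumption).
    private static final Map<String, Integer> STOCK = new HashMap<>();
    static {
        STOCK.put("SKU-1001", 12);
        STOCK.put("SKU-2002", 0);
    }

    /** One WSDL operation; the @WebParam name becomes the element name in the contract. */
    @WebMethod
    public int getStockLevel(@WebParam(name = "sku") String sku) {
        Integer level = STOCK.get(sku);
        if (level == null) {
            // Reaches the caller as a SOAP fault; keep the message generic so internals are not exposed.
            throw new IllegalArgumentException("unknown SKU");
        }
        return level;
    }

    public static void main(String[] args) {
        // Bound to localhost for development; put TLS and authentication in front of it before exposing it.
        String address = "http://localhost:8080/stockService";
        Endpoint endpoint = Endpoint.publish(address, new StockService());
        System.out.println("published=" + endpoint.isPublished() + ", WSDL: " + address + "?wsdl");
        // The embedded server keeps the JVM alive; call endpoint.stop() during shutdown.
    }
}
```

Fetching `http://localhost:8080/stockService?wsdl` after starting this returns the generated contract, which is the artifact to hand to the external team; every public method you add becomes an operation in it, so keep the published class limited to what the e-commerce side is meant to call.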
it is possible to mix end-point technologies, and specifically in my case JAX-WS as our endpoint and PHP SoapClient on our e-commerce endpoint PHP SOAP Client to consume JAX-WS with Basic Http Authentication Using PHP SoapClient with Java JAX-WS RI (Webservice)
This is the exact purpose of introducing the web service concept. You don't have to worry about which platform or language your client and server are implemented in. Client and server will simply exchange XML messages (platform independent) as agreed upon within the WSDL.
Go ahead with your understanding.