I have a Web Service (JAX-WS), a WSDL, a desktop application Client, and a Weblogic 12c server. I am trying to implement basic authentication between the Client->Web Service->Weblogic->Active Directory. I have been able to set everything up by putting the Username/Password in the header of the SOAP message when sending it from the Client to the Web Service.
Weblogic automatically pulls that header info and authenticates a user against Active Directory. Great. But the issues at hand are these:
Should I not send credentials in the header at all, it doesn't authenticate but allows full access to anonymous users.
I need to send a proper error message and prevent anonymous usage.
Should I send invalid credentials it throws a socket read exception on the client.
I need to send back a proper error message; rather than having it bomb out on the client.
Should I send valid credentials but invalid authorization; I have set up `@RolesAllowed({"SomeRole"})` on each of my Stateless EJB methods. It throws a security violation exception on the Web Service side of the house.
I need to somehow catch this exception and send back a proper message to the client
Is there a way to do all of this without customizing the Weblogic Domain? It feels like I need to manually take control of the Basic Authentication of Weblogic, but then I feel like I am stepping on the JAAS Login Module of weblogic -- which customizes the domain and I want to avoid.
Use Handlers to intercept the incoming and outgoing requests.
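As an added illustration of that answer (not the answerer's code): a server-side JAX-WS `SOAPHandler` that rejects requests carrying no `Authorization: Basic` HTTP header with a readable SOAP fault, so anonymous callers no longer slip through to the endpoint. It assumes credentials arrive as HTTP Basic (as in the question) and leaves password checking to WebLogic/Active Directory.

```java
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPConstants;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPFactory;
import javax.xml.ws.handler.MessageContext;
import javax.xml.ws.handler.soap.SOAPHandler;
import javax.xml.ws.handler.soap.SOAPMessageContext;
import javax.xml.ws.soap.SOAPFaultException;

/** Server-side JAX-WS handler: anonymous requests get a SOAP fault instead of a free pass. */
public class RequireCredentialsHandler implements SOAPHandler<SOAPMessageContext> {
    @Override public boolean handleMessage(SOAPMessageContext ctx) {
        if (Boolean.TRUE.equals(ctx.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY))) {
            return true; // responses pass through untouched
        }
        Map<String, List<String>> headers =
                (Map<String, List<String>>) ctx.get(MessageContext.HTTP_REQUEST_HEADERS);
        if (headers == null || !hasBasicAuth(headers)) {
            // Throwing here stops dispatch to the endpoint; the client gets a readable fault.
            throw fault("Authentication required: no Basic credentials supplied");
        }
        return true; // credentials present; WebLogic/AD decide whether they are valid
    }

    /** Header names may arrive in any case, so compare case-insensitively. */
    private static boolean hasBasicAuth(Map<String, List<String>> headers) {
        for (Map.Entry<String, List<String>> e : headers.entrySet()) {
            if (!"Authorization".equalsIgnoreCase(e.getKey())) continue;
            for (String v : e.getValue()) {
                if (v != null && v.regionMatches(true, 0, "Basic ", 0, 6)) return true;
            }
        }
        return false;
    }

    /** Builds a SOAP 1.1 Client fault with a human-readable reason. */
    private static SOAPFaultException fault(String reason) {
        try {
            return new SOAPFaultException(SOAPFactory.newInstance().createFault(reason,
                    new QName(SOAPConstants.URI_NS_SOAP_1_1_ENVELOPE, "Client")));
        } catch (SOAPException e) {
            throw new IllegalStateException(e);
        }
    }

    @Override public boolean handleFault(SOAPMessageContext ctx) { return true; }
    @Override public Set<QName> getHeaders() { return Collections.emptySet(); }
    @Override public void close(MessageContext ctx) { }
}
```

Register it on the endpoint with a `@HandlerChain` XML file; the same pattern (throwing a `SOAPFaultException` from the handler) is how the other two failure cases can be turned into explicit faults rather than client-side exceptions.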
I'm currently working on an OAuth2 Authorization Server using Spring Boot and the Spring Security OAuth2 Autoconfigure library.
Everything works so far except the fact that I need to authorize the client every time to access my protected resources. Is there any way to suppress the prompt or remember that I've already authorized the client?
Adding &prompt=none to the request params of my URL didn't work as expected.
I already tried to add a custom AuthorizationRequestResolver and adding prompt=none to every request, but that didn't work also.
Thank you in advance.
Usually after you are authorized by the authorization server, as a result you get an access token.
The resource server verifies against the access token to determine your client has the right to retrieve the requested resources.
With this background, one possible case is that:
Your client doesn't store the access token. So every time it hits the resource server, the resource server redirects the client to the authorization server to get the access token.
A solution for this is that your client can store the access token. For the subsequent requests to the resource server, the access token has to be provided in an expected way (like the Authorization request header).
You may also find storing a refresh token useful. Since there is not much background about your client app, I cannot give a concrete recommendation for you.
If this is the case, you can log your outgoing request from the client to the resource server; you will see the access token missing in your request.
I am implementing oauth2 server using Springboot
I have four microservices
Sales (sales)
Inventory (inventory)
IAM service (Authorization Server, with Oauth2) (http://iam:8089)
Gateway (gateway on http://www.gateway.com)
All these services are behind the Spring Cloud Gateway, and it's deployed under K8S, and the Gateway is exposed as the external interface.
Now if I try to authenticate a user using oauth2 through the gateway like below.
Step 1:
Http Request http://www.gateway.com/oauth/authorize
So in Response header I am getting like
Location: http://iam:8089/v1/oauth/login (But expectation is http://www.gateway.com/oauth/login)
and because of that browser
redirect me to http://iam:8089/oauth/login
Where Ideally I am expecting that also routed through gateway service something like
http://www.gateway.com/oauth/login
Can someone please help me to solve this.
Thanks
Alpesh
Sounds like a good setup in line with what we recommend at Curity in our IAM Primer Article, with the Authorization Server (AS) behind a reverse proxy or gateway.
In your case the AS listens at http://Iam:8089 but that is an internal URL. The AS also has a 'Base URL' that is used by internet clients, and this is the URL of the gateway, which is http://www.gateway.com in your example:
It will be returned to clients in OpenID Connect discovery requests
It will be returned to browsers in browser redirects during authentication
There should be somewhere in Spring OAuth2 Server where you set the Base URL, similar to that in the Curity Identity Server (see image below). The process should be to set this value and then verify that it is returned in a metadata request. You should then be configured correctly.
In Spring I expect the setting you need is in the fluent configuration somewhere - maybe one of the Configurer classes. I find it pretty hard to find what I'm looking for in Spring though.
I have 2 web applications:
Resource Server (`@EnableResourceServer`)
auth app (`@EnableAuthorizationServer`)
They are mapped to one database.
I would like to split database for 2: one for client app and the second one for tokens.
Question: How client app should be configured correctly with oauth?
My current flow:
Resource Server gets request with token
spring security checks token in database
May be the best flow is to isolate auth app and database and flow should be something like this:
Resource Server gets request token
and Resource Server makes a request to auth web app (OAuth Server) to verify token
auth app (OAuth Server) spring security checks token in database
?
Let me know if I misunderstand any point about oauth. Thanks.
If you want to use the auth server for checking tokens you need a `RemoteTokenServices` (or the equivalent). If the server is a Spring OAuth server (using `@EnableAuthorizationServer`) there should be a `/check_token` endpoint.
N.B. It might be a good idea to read the spec and get the terminology straight (your "client app" is a "resource server").
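As an added example of the setup that answer describes (not the answerer's code): the resource server replaces its local database token lookup with a `RemoteTokenServices` that calls the auth app's `/check_token`, and the auth app opens that endpoint, which Spring Security OAuth2 denies by default. The two classes belong in the two separate applications; the endpoint URL and the client id/secret are assumed values.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.RemoteTokenServices;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;

/** Resource server app: validate every bearer token by calling the auth app's /check_token. */
@Configuration
@EnableResourceServer
public class RemoteCheckTokenResourceConfig extends ResourceServerConfigurerAdapter {

    @Bean
    public ResourceServerTokenServices tokenServices() {
        RemoteTokenServices services = new RemoteTokenServices();
        // Assumed values: the auth app's internal URL and a client registered for this resource.
        services.setCheckTokenEndpointUrl("https://auth-app.internal/oauth/check_token");
        services.setClientId("resource-server");
        services.setClientSecret("resource-server-secret"); // load from a secret store in practice
        return services;
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        // The resource server no longer needs the token tables; the auth app owns them.
        resources.resourceId("api").tokenServices(tokenServices());
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated();
    }
}

/** Auth server app: /check_token is denyAll() by default; open it to authenticated clients only. */
@Configuration
@EnableAuthorizationServer
class CheckTokenAccessConfig extends AuthorizationServerConfigurerAdapter {
    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) {
        security.checkTokenAccess("isAuthenticated()");
    }
}
```

With this in place the resource server authenticates to `/check_token` with its own client credentials, so the database split in the question becomes possible: only the auth app touches the token store.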
I have an ADF application (adf_1) and another one for authentication (auth_1).
When a user requests for a login through adf_1, the latter posts the data to auth_1, then auth_1 will take from there and communicate with the user through authentication steps.
After authentication is finished, it redirects through post back to adf_1.
My application is under development and I can't deploy to the prod/test server yet so I can't use it with auth_1 for testing purposes.
I have an Oracle Service Bus (osb_s) server deployed under my control.
How can I use osb_s so that it would act similar to auth_1 and receive and redirect urls to and from adf_1?
Any suggestion would be appreciated.
You can expose the OSB proxy service either as an http/https service and make your ADF application post to this and do the required function.
Regards,
Sajeev
I have an application deployed on a Weblogic domain which gets a request from the browser for login.
The actual login process occurs on a SECOND Weblogic domain which resides on the same machine.
I need the following:
- Identify on the first domain that a call was made for login.
- Forward the login request to the second domain.
- Send the response from the second domain to the first one so it will continue the process; e.g. if the user was authenticated successfully, then need to open a session for him, return a response to the browser etc.
NOTES
- I assume that I should use filter in web.xml for identifying that a login request has arrived and if I'm right I would like to hear how it connects to the call to the second server.
- I'm interested in how to implement the communication between the 2 domains.
- How would you prevent fake "successful authentication" calls to the first domain; i.e. I want to make sure that if my first domain got a successful authentication call then I want to be sure that the call indeed passed through the authentication server, (i.e. the second domain).
I would appreciate any idea or help on this, Thanks !!!
Well, I have two ideas, just for your own consideration!
First, just use a digital certificate to sign the request; for web services HTTPS is the option. This is the common way to deal with the fabrication problem.
Second, implementing your own custom security provider is a more standard way than doing it in the filter. It's typically a JAAS LoginModule implementation which calls the web service on the second domain for authentication. In this way, authentication is delegated to the WebLogic server and the application on the first domain is loosely coupled with the second domain.
By the way, check the WebLogic documentation for details of how to implement a custom provider; this is for WebLogic version 10.3.2:
Developing Security Providers
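An added example of the first idea in that answer (signing, so the first domain cannot be fed a fake "successful authentication"); this is not the answerer's code. The assertion layout `user|issuedAtMillis|nonce`, the 60-second freshness window and the throw-away RSA key pair in `main` are all constructed for the example; in a deployment the public key comes from the second domain's certificate.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Base64;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/** First domain: trust a "login succeeded" callback only if the second domain signed it. */
public class SignedAuthResultVerifier {
    private static final long MAX_AGE_MILLIS = 60_000; // freshness window, an assumed value
    private final PublicKey authDomainKey;              // public key from the auth domain's certificate
    private final Set<String> seenNonces = Collections.synchronizedSet(new HashSet<>());
    public SignedAuthResultVerifier(PublicKey authDomainKey) { this.authDomainKey = authDomainKey; }

    /** Assertion layout (constructed for this example): user|issuedAtMillis|nonce. */
    public String verify(String assertion, String signatureB64, long nowMillis)
            throws GeneralSecurityException {
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(authDomainKey);
        sig.update(assertion.getBytes(StandardCharsets.UTF_8));
        if (!sig.verify(Base64.getDecoder().decode(signatureB64))) {
            throw new SecurityException("not signed by the authentication domain");
        }
        String[] parts = assertion.split("\\|", -1);
        if (parts.length != 3) throw new SecurityException("malformed assertion");
        long issuedAt = Long.parseLong(parts[1]);
        if (issuedAt > nowMillis || nowMillis - issuedAt > MAX_AGE_MILLIS) {
            throw new SecurityException("assertion expired or from the future");
        }
        // A valid signature can still be replayed; each nonce may be accepted once.
        if (!seenNonces.add(parts[2])) throw new SecurityException("assertion replayed");
        return parts[0]; // the user the first domain may now open a session for
    }

    /** Demo with a throw-away key pair: the auth domain signs, the first domain verifies. */
    public static void main(String[] args) throws Exception {
        KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair();
        String assertion = "alice|" + System.currentTimeMillis() + "|nonce-1";
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(kp.getPrivate());
        signer.update(assertion.getBytes(StandardCharsets.UTF_8));
        String sigB64 = Base64.getEncoder().encodeToString(signer.sign());
        SignedAuthResultVerifier v = new SignedAuthResultVerifier(kp.getPublic());
        System.out.println("accepted user: " + v.verify(assertion, sigB64, System.currentTimeMillis()));
        try { v.verify(assertion, sigB64, System.currentTimeMillis()); }
        catch (SecurityException e) { System.out.println("replay rejected: " + e.getMessage()); }
    }
}
```

The nonce set grows without bound here; a real deployment would evict entries older than the freshness window, since anything older is already rejected by the timestamp check.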