I'm using the Play! framework v2.3 (Java) and I want to add some user authentication to my web app, ie username/password for each user and a registration process.
I found some information on the docs on how to do this for v2.1 and v2.2:
http://www.playframework.com/documentation/2.1.0/JavaGuide4
https://www.playframework.com/documentation/2.2.x/JavaGuide4
But I can't find any updated info on v2.3. I've already tried looking at the API for play.mvc.Security.Authenticated but it doesn't help (http://www.playframework.com/documentation/2.3.x/api/java/play/mvc/Security.Authenticated.html).
Anyone know how to do this properly?
There are a number of authentication libraries that already exist which cover many use cases. It'd be best to use something that's well established in the community.
Secure Social - This seems to be the most popular, with lots of documentation. (For both java and scala)
Deadbolt 2 - There are many implementation examples linked from that git repo. It seems a little more geared for java.
Play2 Auth - This is for scala only, but it is well documented and very flexible. (I personally use Play2 Auth)
Out there is another greate authentication library called Silhouette for Play Framework applications (Scala) that supports several authentication methods, including OAuth1, OAuth2, OpenID, Credentials, Basic Authentication, Two Factor Authentication or custom authentication schemes. http://silhouette.mohiva.com
It is very well maintained and the stable version 3.0.0 got announced just a couple days ago: http://silhouette.mohiva.com/blog/stable-release-of-silhouette-300
The cooles thing is, the project is named after the fictional crime fighter character Silhouette, from the Watchmen graphic novel and movie.
I found this Play template which covers logging in, resetting password, etc...
https://typesafe.com/activator/template/PlayStartApp
Our company have published an OpenSource Cloud Platform As a Service Web UI (for Play Framework 2.2.2).
We are planning to migrate it to 2.3.X over the next few weeks, even though we had some incompatibility at first that we need to look at.
You can view short video's of our work at http://www.acentera.com/opensource/ ; from there you will be able to find our Public Git Repository of the code, which in some cases need improvements but hopefully can be a good start for you to use this great web framework.
We used shiro as authentication with a custom "SampleRealm" that does the JDBC Authentication and get proper "permissions", with memcache as sessions store in order to keep stateless connections.
Regards,
Eric M.
ACenterA Inc.
Play authenticate is since beginning not only for scala but for java too, it have deadbolt embedded... Social secure, stateless with plenty of examples :
https://github.com/joscha/play-authenticate
it is the best customizable authentication module to use
Related
I am building a Website where a user can later on register to use some features. I wanted to use Java-Spring boot for Registration and Login now I learned about Keycloak for authorization, I searched the web a bit but could not find anything which helped me in that matter.
So my Question is it possible to use keycloak as a registration/Login form? As far as I know keycloak is used company intern to give the employees users to different services or am I wrong?
Keycloak is a full solution for authentication and authorization. You can register users, login users, change privileges and so on. What I recommend is to use their official docker image to spin up a local instance, and have a look what the admin console offers.
There are too many features to list in an answer here, but I recommend this getting started guide, to maybe give you a better understanding of the basics.
In addition, there is a good Spring Boot integration available, as well as numerous adapters for the countless front-end frameworks.
I am developing a mobile app and its backend (Java). How shall I authenticate the users (using our own account system, not things like Google/GitHub accounts)? One way is to create an OAuth2 server. However, my backend is not a giant, and I only have one "third-party application" in the definition of OAuth...
So I wonder what is the best way of authentication in such an mobile app? Thanks!
P.S. Another idea is to use cookies, just like the old days when developing browser webpages. But I seldom see apps doing this way. I see most of them sending Authorization: Bearer the_token_values...
P.S.2 I am using Flutter and Java Spring.
If your authentication system supports OAuth by all means use it. The advantage of OAuth is standardization. Using standard protocols has a lot of advantages. The most important one is that it is very hard to come up with a bullet proof authentication system. A lot of high profile hacks in the last decade are attributed to home grown authentication protocols.
Another advantage of using OAuth or another widely accepted protocol, is availability of the libraries. You can find an OAuth library for any platform and any language these days.
Just keep in mind OAuth is not the only game in town. There are other fine protocols out there. Probably the most bullet proof out there is a mTLS. It requires robust Public Key Infrastructure, but it is probably the hardest to hack. If you are in the old school environment with Active Directory and writing an internal app, consider Kerberos. And finally there is SAML which is very enterprisy and a pain to work with, but it is a bit more flexible than plain OAuth.
I'm actually improving the authentication system of an existing app (JAVA+JAX-WS+Hibernate+GWT). I found the OWASP Enterprise Security API Project and I liked it (except for the documentation). My application needs to be scalable and it requires to balance load between multiple web servers. To be able to do this, I'm thinking of using a signed cookie with session information, instead of using the usual server side approach. I've been looking the source code and examples, but all of them take a server-side session approach.
The question is then, ¿is there something within the ESAPI project to implement this signed cookie mechanism to handle sessions? The idea to use this project is not to reinvent the wheel, but I can build everything if necessary.
If there isn't something useful in ESAPI, are there any similar java security projects that you recommend.
Thanks a lot.
I want to implement a SSO Framework. My requirement is thus:
Once a user log's into particular website and he clicks on an external link, he should not be asked to verify his credentials again.
EDIT: Here, I have control over the 'external link' that I speak of. The first link that the person sign's into can provide me credentials or other information that I require, but I have no control over it.
I researched a bit, and found CAS to be relevant for my requirement. But, I don't want the end user to login to CAS initially, I need a framework that receives the credentials from the currently logged in website and uses the same to login to the other external site. Security is, of course, an important factor. Can you please give me some pointers/ ideas as to how to go about designing such a framework?
Based on what you're describing, it sounds like an Identity Provider (IdP) initiated SAML profile would meet your requirements (a good visual representation of this is here). The original web site your user is logged in to will function as the Identity Provider. Once a user is authenticated with that application, they will then be able to access your external application by clicking a link. Instead of being directed to a log in page for your application, the original app will instead forward the user's authorization details via SAML to you where the signature will be verified and possibly checked with the identity provider. If everything checks out, the user will be redirected to the requested resource from your app without having to sign in.
Note, that the above describes the protocol of the SSO. There are many different frameworks that support SAML that you can use. Two that you can research are Shibboleth and, as already mentioned, OpenAM.
This is a rather simplified explanation based on limited details, but hopefully it will help lead you towards a solution. I would recommend doing a good bit of research on the protocols and frameworks available before making your decision. Also, a proof of concept never hurts to prove out the solution will work for you before investing in it to a point of no return.
Good luck.
OpenAM should help you:
OpenAM provides open source Authentication, Authorization, Entitlement
and Federation software. Through OpenAM, the community actively
continues development of OpenSSO.
OpenAM provides core identity services to simplify the implementation of transparent single sign-on (SSO) as a security
component in a network infrastructure. OpenAM provides the
foundation for integrating diverse web applications that might
typically operate against a disparate set of identity repositories and
are hosted on a variety of platforms such as web and application
servers.
On the wikipedia page List of single sign-on implementations you can find a list of SSO implementations, there is a column indicating the licence.
Read about jboss sso from here.
I'm looking to roll my own simple user authentication as part of a iOS / GAE app. I'm not wanting to use 3rd party libs such as spring.
I have an iOS client from which I'd like to offer the option to create a profile (hashed UDID, password). Store the login details (keychain?) and auto-login to GAE each time my App starts.
I'm thinking simple HTTP basic-authentication. B64 decode (GAE API for this?), then use the hashed UDID as Key into my various datastore Entities via low level data store API. Then generate some kind of unique session ID (GAE API for this?) to pass around as a URL parameter.
I have fairly good Java/Objective-c experience, but it's my first 'cloud' type app and I have a security concerns about the above approach. Not least because I didn't find any java examples of solving what must be a fairly common problem, which makes me think I'm missing something :)
Some things I'm not sure how to solve;
The URLs could easily be 'network sniffed' or 'binary scanned' from the App opening me up to the possibility of DOS/GAE app abuse.
Is it worth to try and secure the traffic via HTTPS, and is there a way to do this between iOS and GAE (I've never used SSL)
Could I combine this approach with an administration page that would use google authentication.
Does GAE have any built in DOS protection or would I also need to combine that into my authentication approach?
Without GAE threads how do I invalidate a session after a certain amount of time, taskQueue?
I'm new to GAE and excited to get past this first hurdle, so any tips advice is much appreciated!
Some of my experiences though I'm using python you might find some of the observations I make helpful:
You might want to consider OAuth 2.0 as authentication model since it works with most providers.
I first chose a Javascript / OpenID + custom login and now I use serverside OAuth 2.0 + custom login. (I had considered using http://www.janrain.com/ if you're thinkning altenatives to rolling your own.)
A third option for you is to take a custom authentication that is already included with a Java CMS for app engine that already has an authentication system.
You can make a completely custom /admin interface completely separate from the user experience so app engine will be preferable for you since it gives you a lot of control over the code.
If you want to look how a larger Java CMS for GAE does it then you could check in http://www.vosao.org/