wso2 identity server is installed and running. I was able to create a policy in it and test a simple scenario. There seems to be a lot of connecting pieces in into this.
it's not clear how to access policy from a Java program and programmatically pass in role, resource and check if logged in user is authorized for performing a particular action or not. I also have requirement to add/remove roles and resources programmatically. Couldn't find much info. Any pointers/examples would be appreciated.
Here are some tutorials on writing client
https://svn.wso2.org/repos/wso2/people/asela/xacml-samples/pep/SamplePEP/src/main/java/org/wso2/carbon/identity/entitlement/samples/pep/EntitlementServiceClient.java
http://hasini-gunasinghe.blogspot.com/2011/12/entitlement-service-xacml-pdp-as-web.html
http://insightforfuture.blogspot.com/2012/09/xacml-policy-definition-pointpdp-proxy.html
Related
We are developing a Java application that is supposed to show models from users store.
initially, I'm trying to allow users to login using their autodesk account, and check if they are entitled to access my app.
I couldn't find any good example to show how it is done, I just want to confirm that what I will be doing is the recommended thing or if there is better options.
First, on app start, I will show an embedded webbrowser that will open
"https://developer.api.autodesk.com/authentication/v1/authorize?response_type=code&client_id=XXX&redirect_uri=XXX&scope=XXX"
the app will get the url from our server (so not saved locally) and the call back is pointing to an api on our server. then as user login and consent, will get the code from the url, close the login dialog and continue to get the bearer token using plain rest apis to /authentication/v1/gettoken.
As I said, not 100% sure if this is approved way or not or even if it is doable or not. so thought to check before we implement it.
After that I will just use rest apis to browse and get the model.
any thoughts or complains ?
Thanks in advance
Rest assured that the workflow being proposed here is actually orthodoxical and well “approved” by our official tutorials:
https://forge.autodesk.com/en/docs/oauth/v2/tutorials/get-3-legged-token/
http://learnforge.autodesk.io/#/oauth/3legged/
Unfortunaly the code sample for that bit is in node and we are still working on a Java equilvalent
Some of our endpoints require 3-legged oauth to access personal data - see here for an example and you can always refer to the authentication context section of each endpoint for the oauth flow required.
Hi everybody,
well, here it is my problem.
I have a corporation gmail user, lets say developer-user#mycompany.com, and I would like to list all the gsheets I have in my gdriver trhough the google API for Java applications, so I generated the credentials I supposed to need:
the email, which was auto-created by google with a different domain,
in this case something like 1234567890#developer.gserviceaccount.com
then I created the p12 key file.
After that I tried the connection and everything ran fine, but It did not list the spread sheets I had, and I figured out that I can not list all the gsheets I had 'till I shared them with the 1234567890#developer.gserviceaccount.com mail/user, but the problem is that I can NOT share anything outside of the #mycompany.com domain, even though the email (1234567890#developer.gserviceaccount.com) created for the authentication is linked to my developer-user#mycompany.com account.
I am not sure if I was clear enough, but what I need is a solution for that. did someone figur out something? may you help me?
Anyway, thank you guys and I appreciate your time.
You'll have to ask your Google Apps Admin to enable sharing outside your domain on Google docs, that's the only way Drive will allow the service account to reach existing docs.
The only alternative is to recreate the docs using the service account (programatically) and share them with your account.
Your admin can delegate domain wide access to your app which will then be able to impersonate you.
Alternatively, don't use service accounts and simply generate a refresh token for your own account (which is by far the easiest solution).
I am trying to write an external Java application that collects posts from Yammer using its REST API and I am experiencing issues with the authentication part.
To extract the data I want a regular yammer user (I do not have admin permissions) to be authenticated automatically from the Java application without any prompts. Does anyone know whether this is feasible and moreover - whether it is feasible in a SSO-enabled network? If yes, what kind of authentication libraries should I use? Is there some documentation/sample code snippet describing how to log in to Yammer via Java and not via a Yammer app?
I've seen that there are similar questions here, but are still unanswered.
I will appreciate any know-how on the topic!
Thanks!
The only way to authenticate to yammer without any prompt is to pass a persistent oauth token as an authorization bearer token in your request header. The caveat is, users cannot be dynamic.
It is pretty simple to generate the access token. For that you need client Id and client Secret.Steps are available in https://developer.yammer.com/v1.0/docs/test-token.
But if you don't have that information, go to https://developer.yammer.com and log on with the credentials and try some Rest API(Try It Out section) in the developer site. Copy the Authorization code from the Request Headers and you can use it in your application.
Note: Access Tokens for users are long lived, expiring when users are suspended, change their Yammer password (non-SSO networks only), or users manually revoke them
I need to develop a web application for the Intranet users. I don't want them to enter the login credentials each time they visit the site. It should be automatically loaded from the System Username and Password.
I have successfully implemented functionality which prompt user name and password registered with active directory and validate against LDAP. I need some tips to login directly from intranet website without prompt username & password.
Here is my queries, please let me know your suggestion.
Is it compulsory to set SPN?
Do we need to create separate keytab file for each client? In my organization, there is around 800 people are working so should I need to add all client principal in keytab file & copy to client machine to perform autologin.
I have tried many API's like JESSO, Waffle, Spring Kerberos, SPNGO but failed to implement auto login.
If you want to use Kerberos/SPNEGO (which would be my recommendation) you do have to set up SPN. And you only need one keytab for AD domain. Are you running your Java program on some app server, like Weblogic, or as a standalone program? Servers do have security framework that you could use, while for standalone program you'd have to do a bunch of stuff manually.
I've found that the easiest way to do this is to use Atlassian's Crowd (https://www.atlassian.com/software/crowd/overview) instead of implementing it yourself. It's a commercial product, but last time I checked, it was dirt cheap, and it just works.
I am trying to build an application for android that uses Amazon SimpleDB. I have viewed the source code of the example code provided by Amazon. However in the demo, the credentials are just stored in a Constants.java and I believe this method is not secure at all as potentially there are people that could decompile the apk to expose the credentials even with Proguard on.
Therefore i went to read up on Amazon article regarding this and I could not quite understand as I am not very familiar with cryptography in android/java.
How am I supposed to actually allow access to Amazon SimpleDB from my application while keeping the access key safe from external parties?
Edit 1:
I want to use the application to retrieve data from the SimpleDB, showing in listview. For example like a simple review on food and other users will be able to retrieve the same review that other users posted. Maybe if the user wants to post a review, they would require to sign up an account and log in.
AWS offers a couple of solutions for delivering credentials to the device outside of hard coding them, one or both may meet your specific needs:
Token Vending Machine. AWS offers example TVMs for both Anonymous and User Authentication that can be customized to meet your needs.
Web identity federation which uses identities from Facebook, Google, and Amazon.
Our samples repository includes samples for integrating with both of these technologies, though not specifically in the SimpleDB example.
There is no foolproof way to do this. Whichever way we do, somebody taking your APK can potentially reverse engineer and crack the password (You make it difficult by obfuscating the code, but it is just making difficult and not foolproof).
If your app requires users to login (with some credential from your backend or using openid), then use this to let users access your server. Then on the server code, you can provide the AWS credentials using IAM Roles (http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html).
So your web (REST) API access is allowed by using user-provided password and your server code gets the access by IAM roles. This is the most secure way.
If you dont want to have your server / backend, then there is no real foolproof way.
Answer from #Bob above is precise how to achieve this:
https://stackoverflow.com/a/21839911/2959100