We have an application which uses Jersey RESTful web services to communicate with the frontend. The services are secured with SPNEGO, so running on JBoss 5, we have a SPNEGO security domain configured. However, for a couple web services, the client is not the front end but non-Windows clients (hence SPNEGO will not work). I would like to override the security domain with a BASIC auth scheme for these services. I am searching for a way to do this preferably without Spring Security (this is not in our technology scope). But if it has to be Spring Security, so be it. I am looking for a way to do this with annotations if possible.
Related
We have a requirement of implementing SSO for a customer(OKTA is his IDP) and we also have other client asking for SSO(ADFS and One Login).
And all other clients authentication will be database authentication.
So based on each client the authentication mechanism should change. Is this possible?
My application is Multi Tenant SaaS. Where its deployed on AWS and a load balancer will switch servers randomly.
We use Angular 5 and Spring boot 2.1 for Services.
How can i achieve this? Please guide.
I intend to secure provided SOAP web services by means of applying particular WS-Security policies, in particular "SAML 2.0 Bearer" and "SAML 2.0 Sender Vouches". The credentials provided in the SAML tokens should be used to initialize an EJB Security Context to apply proper user authorization in the EJB part of the application.
I've been successful in leveraging the embedded Apache CXF to secure the web services as such and also to initialize the web service security context (WebServiceContext.getUserPrincipal()). However, I fail to propagate the user context from the web service context to the EJB session context (SessionContext.getCallerPrincipal()).
Any advice on how to achieve this is highly appreciated.
So far, I'd expect to need to realize functionality similar to the documentation here: https://docs.jboss.org/author/display/JBWS/WS-Security#WS-Security-Authenticationandauthorization, that is, create a CXF interceptor similar to https://github.com/jbossws/jbossws-cxf/blob/master/modules/server/src/main/java/org/jboss/wsf/stack/cxf/security/authentication/SubjectCreatingPolicyInterceptor.java that uses the credentials provided in the SAML tokens to create an EJB security context.
my web application based on standard OSGi with three different bundles that expose the API Rest (CXF library) for back-end otherwise Play framework for Front-end that calls the api exposed from three bundles before cited. Actually there is already authentication process by SSO and password with in front of an Apache proxy configured with virtual host listened on a port defined. How and where can I insert authorization layer to cover all three bundles that expose the API services ? What is your advise ?
You can add a CXF interceptor . Just implement/override the common CXF interceptors to customize the authentification process.
I´m building a web application which comunicates server and clients through REST services (I´m planning to build a mobile app in mid term).
I´ve used Spring Security in other web applications without REST services. But I´m not sure if that approach is suitable for my scenario.
Is it possible secure both access to web pages and calls to REST services using Spring Security? What would you recommend?
Backend uses Spring Data + Spring MVC.
Thank you.
Yes, Spring Security is a good way to secure both REST endpoints and traditional MVC webpages. The implementation can be similar for both your REST endpoints and MVC routes depending on your requirements.
Spring Security is a popular and effective way to add security to your Spring application. Since you already have experience with it, you should be able to secure your REST endpoints with relative ease.
Check out this detailed tutorial on securing REST routes with Spring Security to get started: https://spring.io/guides/tutorials/rest/5/
I am building an android application which communicates with the web server on apache tomcat. Web server build in JAVA EE. Currently for authentication and authorization I am using username , password and for managing the session I am using tokens. So when the user logs in I will check mysql database and authenticate the user. When the user tries to do some action , based on the token the sent , I will identify the user and authorize to do that action based on the privileges given to that user. It looks bit cumbersome . I was wondering is there any standard framework which make this task easy.
Is there any tomcat container level authentication and authorization possible , so the request won't reach the web application if its not authorized to do the action ?
Or else Is there any framework which provides standard authentication and authorization in web application ?
Apache Shiro is what you are looking for:
Apache Shiro is a powerful and easy-to-use Java security framework
that performs authentication, authorization, cryptography, and session
management. With Shiro’s easy-to-understand API, you can quickly and
easily secure any application – from the smallest mobile applications
to the largest web and enterprise applications.
I used Spring security (version 3) in couples of projects, the shortcoming was the size of jars you need to deploy (it is Spring!), it's was cumbersome.
Also I have integrated Apache Shiro with magnolia-cms, as far as I can say Apache Shiro has the strength of Spring Security with the ease of use.