I'm working on a project which needs to parse some data from some protected web pages. In order to gain the access those pages, I have to overcome a SAML authetication form (Shibboleth).
Is there someone who was able to implement this standard in Android (Java)?
I already read this thread: SAML Client implementation for Android?
but it doesn't give me a good solution. In fact, I need to get the data of some protected web pages in order to parse it, not to let the user to see the content of such pages. Therefore logging in through a WebView is not what I really need..
I think OpenSAML is your best bet for handling the SAML part and then maybe HttpClient for the things you normally will do in a browser. But there will be quite som work implementing this. There is nothing lightweight about SAML.
OpenSAML is just a library helping with processing of SAML messages so it is probably good for very customised stuff like this.
After some research, I ended up building it on my own.
I carefully followed every redirect, and took note of every cookie created, edited or deleted (Opera, with its in-built option which allows to switch off redirects was the key).
The result was a flow which then I replicated in a package ad hoc: the SetUpConnection class, whose task was connecting to the host and keeping track of the cookies. SAML class, which replicated the SAML flow, and finally the Main class, from which I can gather useful information.
Hope it helps.
Related
I am trying to authenticate users with a REST service I built using drop wizard. From previous questions I found great example of authenticating with openID on github: https://github.com/gary-rowe/DropwizardOpenID
However, I don't want to deal with openID at the moment and simply want users to 1. Signup, 2. Signin
My questions/confusions are:
For Signup: I'm thinking about sending users's username/password as a POST request with the credentials as either form parameters or part of JSON body. However, isn't there a security risk here of sending password in plain text?
For Sing-in I'm thinking about using Authenticator in Dropwizard.
I don't want to store passwords in plain text. What strategy should I follow after I get the users' password in the POST as plain text? I'm looking for some java libraries that can assist in password salt and MD5
Thanks for the shout out for the Dropwizard OpenID project. Glad it was able to get you started.
If you want a pure web form type approach, take a look at another of my projects MultiBit Merchant which provides multiple authentication methods (web form, HMAC, cookie).
You'll need to dig around to really see it working since this project is not designed as a demo as such and is very much a work in progress.
After loading the project, look for WebFormClientAuthenticator which will get you in the right area.
The general principles involved with Dropwizard authentication are discussed in this blog article. Although it targets HMAC you can easily adapt it for web form or cookie using the source code referenced earlier.
It's all MIT license so just use it as you need.
Looking at the docs, we can see that Dropwizard supports a standalone OAuth2 implementation:
http://dropwizard.codahale.com/manual/auth/#oauth2
OAuth2 has several advantages, many of which can be read about here: OAuth 2.0: Benefits and use cases — why?
Things to note:
when dealing with authentication, you should always host over HTTPS to ensure transport encryption
Dropwizard claims their OAuth2 implementation isn't yet finalized, and may change in the future. As a fall back, they do support Basic auth as well, which when used over HTTPS would be still reasonably secure.
Implementing this does not involve using any third party "social" authentication services such as Google or Facebook.
Can someone please share the complete Java code to create an AuthnRequest for web browser sso based SAML2.0. We have a service provider to use a 3rd party IDP. I am working with a J2EE component in the DMZ that wouldn't let any jar files to add, so I am looking at writing complete Java code to produce an AuthnRequest and redirect the user to the IDP.
Thanks in Advance
I strongly doubt there is any implementation out there that does this without any external dependecies.
I suggest you look into the implementation of simplesamlphp. The code is quite easy to understand but to implement this correclty and securly at your end I would recommend that you have a good understanding of the SAML 2.0 protocol
I would advice aginst this as there is a big risk of introducing security issues. This will take time and should be thoroughly tested
I have a website that sends dynamic information to users via servlets. It is stateless and there are no logins. This specific site uses a decent amount of doPost() and doGet() calls from client browser to server.
My question is, if someone reads my source, they can easily just rip out my public facing servlet URL's and have a free API at my web servers expense.
How can I keep this from happening? Is there some kind of authentication package I can use between JavaScript and Java that doesn't add noticeable delays? I would only like users on my webpage to be able to call the public facing servlets.
Not an expert but this may help : http://oauth.net/ as I know big web API's like twitter use this.
Two ideas:
REFERRER HTTP header to make sure the client is coming from an
authorized source
require authorized users of your service to provide an API key tied to their website.
I have made a Java EE 6 application where a user can browse a set of questions, add new questions and so on. The user can optionally log in so that he/she gets "credit" for adding the question or reporting it as bad.
Now I want to make a iPhone application where the user can do pretty much the same. So the answer is web service I assume. I have not worked with web service before but I see there are at least to alternatives: SOAP and REST.
Which one should I choose? I want the user to be able to log in from the application as well a as browse the questions in the database...pretty much many of the actions you can do on the web site.
I don't know much about the security and overhead they introduce.
Also I want the user to be able to retrieve the list of questions thorugh the web server and have the option to save it, so he/she won't need to have internet unless he/she wants to update it. Can I achieve this with both web services?
REST has less overhead than SOAP (WSDL contract, XML messages, supporting frameworks) so when the client is a mobile device REST seems more suitable. You could use JAX-RS (Jersey) to easily create REST services on the server side. The client request consists of the url structure and/or parameters like http://yourserver/questions/view/342 (to view question 342) or http://yourserver/questions/search?q=REST+vs+SOAP (to search for questions about REST vs SOAP). The response can be anything you want, but XML or JSON is pretty common.
Choosing REST means you will be leaning heavily on the HTTP protocol. For security a common approach is to use HTTP Basic authentication in combination with https. Basic authentication means you add an 'Authentication:' header to your HTTP request containing a Base64 encoded username:password pair. Note that Base64 does not encrypt anything, it just obfuscates. To avoid eavesdropping you need to use at least https meaning requests are encrypted using the server's public key. These requests can only be decrypted with the server's private key. To use https you need to set up the server with a certificate. If you want to avoid warnings about the certificate being 'untrusted' it needs to be issued by a recognized SSL certificate provider. For testing you can just generate it yourself.
Finally you asked about saving a list of questions for offline usage. This is a concern of the app, not of the service. To do this you need to store the retrieved data on the device and access that data if the device goes offline. I am not an iPhone developer, but I can imagine you could use a flat file or some lightweight database to store the data. When the device is offline, the app component that retrieves data should switch from network access to local storage access. Also some app functionalities like adding a question might need to be disabled. If you don't disable these, you would need to temporarily store any data entered by the user and send it to the server when the device comes online again. This could be a bit tricky to get right so my advice would be to leave this for later.
You can take a look at this previous SO post for some guidance. I would recommend using REST, it seems to be less messy than SOAP and Java has support available for it as shown here.
Through the use of annotations, you can simply created a facade to which users will connect. In turn, this facade will call the relevant logic which I am presuming you already have.
Well on a simple search REST vs SOAP, you will eventually get to this
There are plenty of other articles and even in-depth research papers, so it's only a matter of - do you really want to get serious with your research VS not really
Good luck!
Short answer: Yes, you can achieve that with web services.
Web services are only a facade to your system - they can expose (or not) any behavior you want to. If you have security concerns, you'll have to approach them anyway in both methods.
Personally, I'd use a RESTful approach as its usually simpler to implement and use. From Wikipedia:
A RESTful web service (also called a RESTful web API) is a simple web
service implemented using HTTP and the principles of REST. It is a
collection of resources, with four defined aspects:
the base URI for the web service, such as http://example.com/resources/
the Internet media type of the data supported by the web service. This is often JSON, >XML or YAML but can be any other valid Internet media type.
the set of operations supported by the web service using HTTP methods (e.g., GET, >PUT, POST, or DELETE).
The API must be hypertext driven.[11]
So you'd have a URL, say http://mywebsite.com/users and perform HTTP actions (GET, PUT, etc) on them. A GET request on /users/17 could return user 17, for instance, while a POST request on it would update said user.
As for login, when your users "log in" you would call a GET method that sends username:password (probably encrypted) and returns a login token. Every time the user executes an action, you would send said token with the request as an additional parameter.
first poster :)
As the title says, I am looking to create a desktop app which will notify me of changes on facebook and new emails, and the facebook part (the first part I've tried) is baffling me. I've never worked with an api before, and have no idea how to integrate facebook's api with this desktop helper I want to create. I will be using java to create this desktop helper.
Thanks in advance!
Here are few pointers for you to get started. Please feel free to ask for clarifications and I will edit my answer accordingly:
For facebook, you can actually pull all those info via their API. There are a lot of types for API, but Facebook specifically use REST API over http.
To simplify, think of it as making an http call with specific parameters and you will be getting an output back.
In order to use facebook API you need to understand their protocol including authentication/login and how to request for things that you want. This would require some reading to their documentation which is pretty complete and available at http://developers.facebook.com/docs/.
For the description of their API URL and the input/output documentation, you could directly jump to Graph API Documentation http://developers.facebook.com/docs/reference/api/.
In order to call their API via HTTP from Java, you could leverage HttpClient library from Apache Http Components project http://hc.apache.org/. They have plenty of tutorial and examples for how to make http call using HttpClient
For combining with all other emails accounts (per your question), you need to deal with SMTP or IMAP (whichever email protocol that you are planning to combine with Facebook). This is already built-in to Java via their Java Mail API collection
You then can poll this data on interval basis to get an update from Facebook and your mails
Once you have figured out how to get the data, the rest is just following a good MVC framework. That means separating out your presentation, data and controller (application logic). Make sure that you are separating the classes for #1 and #2 and each of them put their data to normalized data format that then get feed to your View (presentation layer)