Does anyone know of any security frameworks for .NET?
By security framework, I am referring to a framework consisting of a set of libraries and APIs containing code which can be used to improve the security of the application being developed overall.
So far, I have only identified Spring.NET. I have found other frameworks for .NET such as Castle MonoRail, however it is not exactly directed towards solving security issues.
To give you an example, a Java programmer can make use of the following security frameworks:
Apache Shiro (Java)
JAAS (Java)
JGuard (Java)
JSecurity (Java)
PicketBox (Java)
Spring Security (Java)
I don't know those frameworks but from a quick glance at Apache Shiro and Spring Security I get that you are looking for something that will do cryptography, session management, authentication and authorization. Unfortunately I don't know any frameworks that will do that for you except what's built into .NET by default.
Cryptography is provided by the System.Security.Cryptography namespace.
Authentication and authorization are provided by default by ASP.Net, as Windows, Forms or password authentication. See for example the ASP.NET authentication and authorization article on CodeProject.
Session management is also built into ASP.Net. For example, see ASP.NET State Management Overview on MSDN.
Related
We already have an IDP. We already have a metadata.xml.
The Application uses Netbeans, Tomcat and Apache. It is not Maven. Just Java.
We need to implement SAML SSO into this non-Maven application.
What is the most straight forward solution?
There are a number of Java libraries that allow one to integrate with a SAML IdP. Here is what comes to mind:
Spring Security SAML: https://github.com/spring-projects/spring-security-saml with a sample application demonstrating the functionality: https://github.com/UniconLabs/spring-security-saml-java-sp
Note that SS SAML uses OpenSAML v2 which has been long deprecated. There are plans to get it updated "soon", but nothing official yet.
You may also use pac4j: http://www.pac4j.org/2.2.x/docs/clients/saml.html This is a Java library based on OpenSAML v3 that provides most if not all of SS SAML functionality in its own ways.
I have a Java Restful application that uses Jersey for the APIs implementation and that uses Spring for DI. I'm now trying to integrate HDIV for security.
However the official documentation has examples for the integration with Spring MVC, but not Restful Jersey applications.
Documentation here:
https://hdivsecurity.com/technical-documentation/doc.html
I read online that it's possible to integrate HDIV with REST, but I cannot exactly figure out how this is done, as I cannot find examples.
Does anyone know how this is done?
As you said Hdiv can be integrated with REST APIs, particularly RESTFul APIs that implements the whole REST specification, including Hypermedia or HATEOAS level (level 3 within Richarson model)
This REST support is included inside Hdiv Enterprise edition and that's why is not included in the link related to the technical documentation provided by you. The security level offered in that integration is exactly the same that we have been offering till now for server side MVC applications. It means that Hdiv can automate the protection against OWASP top 10 web risks in REST based applications .
Regarding JAX-RS support it can be possible if you are using the new hypermedia support included within JAX-RS 2/Java EE 7.
If you need more detail about the Hdiv support for RESTFul APIs you can review the slides presented in the last Spring I/O conference.
If you want to test within your project this support please contact using Hdiv support web form within hdivsecurity.com web site.
Regards,
Roberto Velasco
I'm working on a pure Java web application that uses an embedded Jetty and I want to integrate a Shibboleth login. To do this, I'm following switch.ch's guide for Shibboleth Service Provider Deployment, which states:
The Shibboleth Service Provider consists of a daemon shibd running on
all major operating systems and a web server module mod_shib which is
natively supported by:
Apache web servers (versions 1.3.x, 2.x)
IIS (versions 6, 7 and 8)
My question is, is there a way to integrate Shibboleth SSO in my Java web application without using an Apache web server or IIS running shibd? Maybe somebody has done this before and could provide example Servlets/Filters or the like?
I don't want an Webserver in front of the application just for Shibboleth, because it would complicate the installation. Currently, the installation is just two steps: extract the artefact and run the start script and I would appreciate if I could keep it like this.
The Shibboleth Service Provider takes care of a lot of complex use cases like key rotation, metadata refreshing, and attribute re-mapping. If you have an incredibly simple use case, where you need to authenticate users from one Shibboleth Identity Provider that rarely changes, you can consider validating the SAML 2.0 assertion in your Java code directly.
If you use spring-security already, you should probably start by looking at the spring-security-saml project:
http://projects.spring.io/spring-security-saml/
Alternatively, you can start with a low-level library like OpenSAML (https://wiki.shibboleth.net/confluence/display/OpenSAML/Home) or you can start with a higher level library like the LastPass Java SAML SDK (https://github.com/lastpass/saml-sdk-java).
Putting shibboleth sp with web server in front is the easiest way out. Additionally you can add servlet filter and check header , if you find all attributes released by idp validate them against your identity store just for assertion.
Can anyone recommend a Java Security Framework that supports authentication with OAuth and OAuth so that we can offer integration with the likes of Google/Twitter/Facebook etc. as well as other security features such as cryptography, password reset, security questions etc. I've looked at Apache Shiro which looks good but doesn't seem to have the Social side of things covered. I've also investigated Spring Security which seems to cover as lot of areas but I'm not sure whether you need to be using Spring MVC to use this (we're using Wicket + Spring for the service layer).
Any recommendations appreciated.
Spring Security covers all the areas you need (the social stuff is called Spring Social, you can have a look at it).
Also no you don't need to be using Spring MVC. Any web framework can use Spring Security.
Check Oracle Fusion Middleware (Oracle ADF 11g.)
I currently have a Google App Engine app consisting of two parts:
A website using old school JSPs
A RESTful service implemented in Jersey
I've been trying to figure out how to shoehorn authentication into the web service but am rather lost since I've never used Spring before, and it sounds like that's the way to go.
Must I use Spring, or can I use Java EE? Are there any examples of how to accomplish this with Google App Engine?
Also, if I can get a high level description of some best practices for securing web services, that would be cool.
Thanks
Mark
app engine has built in OAuth support, which should do what you want.
I recomend you use apache shiro instead of spring because performance more over if you haven't got experience with spring. Apache shiro is a security framework and it could be integrated with GAE. You also can find a example in githubhow integrate the framework in GAE with Guice library.
Anyway for use Spring in GAE you also can find same best practice on Google Cloud Platform documentation