I have an external SOAP web service that attaches to our services layer inside the application. For the Web 2.0 application, the services layer uses the session to store the user's "key chain" or the things a user can do in the system.
Now I'm trying to figure out how to do the same thing with my web service client to our services layer. The problem is that the web service URL can't contain a cookie that holds the session ID. (If I'm wrong, please say how and I'll do it that way.)
When the web service client connects the first time, I require a login and generate a security key that uniquely identifies that user and will expire within a certain period requiring them to login again.
I'd like to find a way in my endpoints to re-attach to the proper session for that security key and then the security will work automatically.
My endpoints are currently being served from tomcat.
How can I get there from here?
All input appreciated.
I ended up using REST to come back into our webapp through the URL so that I have a session. I connected to it that way.

I have been trying to read through existing information about this topic. I even installed KeyCloak server locally, configured the realm and the client, and used Postman to send some requests to KeyCloak, and received some JSON response.
My problem is that - unless I misunderstand something - none of the descriptions seem to fit my goals.
Our application already has user management and we rely on user identity and roles / access rights configured in the system. The backend runs inside Tomcat and we run a Polymer 1.0 / JavaScript frontend to call the REST services of our backend. I cannot get rid of user management as our DB is highly dependent on user-to-object assignment when deciding the scope of the objects for which the particular user is responsible.
All we need is an extension of our system by the possibility of foreign authentications (like social logins) in the future.
We have now explicit login that delivers a session cookie, Servlet filters to check the presence of this cookie, etc. In the server we use the login token / user identity in each REST call to filter the results from the DB to those available to the particular user.
What I need is a flow like:
in the frontend we check if we have an active session (existing code)
if not, so far we redirected the user to our own login page, logged them in, created the session cookie on the server and then returned it. On the client side we saved this and added it to every REST request as the authorization token.
Now with OIDC I'd like to insert a new unprotected query that checks if OIDC is configured. If not, we keep the old solution. If yes, I'd like to get redirected to the KeyCloak login, and (this is the most important for me) I'd like to get back the user identity (or some role that we associate administratively to the user, using which I could identify one of our configured users).
I tried experimenting with the Tomcat solution but that simply blindly hides the authentication procedure and merely allows or blocks REST access to the backend resources. This is not enough for me, I need some kind of user identity which I can use in the server side.
Also, a JavaScript solution only provides communication between the frontend and KeyCloak, but we need the backend to know who has logged in.
I think this topic and all the lingo used is too complicated for me. Could anyone give me some easy advice on how to solve this with best practices?
Thank you very much
I have different Java web applications running on Tomcat as different modules and one Java web application as an addon running on the same Tomcat server as another module. I want to use the addon within the different applications (it essentially appears as a popup and is just one JavaScript file with a few URL-mapped controllers at the back end). I have allowed cross-domain requests for the addon within the Tomcat realm, so the applications can access the popup and retrieve the data.
E.g. in WebApp1, [http://localhost:8080/page1.html]:
// The URL must be passed as a string literal, otherwise this is a syntax error.
ajaxGet("http://localhost:8081/getPopup", function(html){
showPopup(html);
});
The architecture of all applications is a simple JSON-based request-response driven UI with JavaScript at the front end and URL-controller/servlet mappings on the Java backend.
It works fine, but of course it will also work for any request from within the applications in the realm even if they are not authenticated, i.e. even from the login page I can request the popup.
How shall I take care of the authentication? Considering the addon doesn't need to be connected to the database for separate authentication, its authentication depends on whether the calling application is already authenticated or not.
Thanks in advance for your inputs. :)
Actually you need authorization, which usually depends on authentication. Authentication is the process of telling the service who is making the request, while authorization is the process of deciding if the principal is allowed to make the request.
The first thing you should do anyhow is to add authentication and authorization to the service which produces the popup content (/getPopup). Once you have secured that service, you actually have a number of choices:
implementing some single-sign-on framework
employing a federated authentication technology
forwarding requests from the calling application with a custom authentication scheme
...
Obviously, the simplest solution would be shipping everything together in a single deployment unit.
As a side note, mind the session cookie name when testing on localhost: cookies are bound to the hostname, not hostname + port, so the JSESSIONID issued by one service at localhost:X will be overwritten by the JSESSIONID of localhost:Y.
I have a legacy application. The login system is very simple: it takes a username/password from the user, runs a database query and validates the user. Now, I have created a link inside that legacy Java application that lands on a completely separate Java application dashboard page (written in Spring MVC). As of now, the new Spring application is a completely separate application and no user validation is implemented there. I want something like: if somebody clicks the link (he can only access the link after logging in to the legacy application), it redirects to the new application along with the user session data, so that the user also sees himself logged in to the new application. And if he logs out from the new application, I want him to be logged out from the legacy application too.
Legacy application - simple servlet/JSP based Java application, runs on Tomcat 5.5
New application - written in Spring MVC 4 and runs on Tomcat 6
Both Tomcat containers reside on the same Red Hat box.
Any help will be highly appreciated. Thank you
You could try to develop an AuthenticationSuccessHandler for the legacy application and have it set the Authentication from the SecurityContext in a shared memory between the two applications on success. On logout, destroy the object.
For the new application, develop a filter or a handler that, for a request, checks to see if there is an Authorization in the shared memory associated with the SESSIONID from the request. If it's no longer there, force Spring to destroy this session, logging you out.
AuthenticationSuccessHandler: http://docs.spring.io/autorepo/docs/spring-security/3.1.7.RELEASE/apidocs/org/springframework/security/web/authentication/AuthenticationSuccessHandler.html
SecurityContext: http://docs.spring.io/autorepo/docs/spring-security/3.2.2.RELEASE/apidocs/org/springframework/security/core/context/SecurityContext.html
shared memory: http://hazelcast.com/
Of course, this is only a fragile link between the two applications and maybe you should think about redeveloping the legacy application in a way that best serves its purpose as a CAS, such as exposing a webservice for login, and have a login handler for the new application call the webservice for an attempted login and decide, using the answer, whether to log in the user or not. This way, you only have one session (on the new application) and you can scale the legacy app more easily (if needed and not blocked by other restraints).
This is only an opinion and, without a more detailed look at your application, it might prove useful or total rubbish :)
Let's say you are connected on server A. On server B, you have your Spring MVC app.
You should develop on server B a webservice that creates a secure token and encrypts it with a symmetric algorithm, then sends the token to server A.
Server A then calls another webservice on server B that uses the token to authenticate.
When you use the token to log in, server A can decrypt it to verify that it's the one issued previously.
You can find various documentation and examples on the web for token-based authentication.
I am building two separate projects: REST services using Spring 4.0 and a dynamic website using ZK and Spring.
I want to secure both the REST services and the website so the user needs to be authorized before browsing the website or requesting the REST services.
I am wondering if we can have one place for authorization. Is this possible, and how do we share the identity of the user between both sites?
I am thinking of Shiro ?
Any Ideas
BR
Shahbour
Check out Spring Security, it integrates really easily with Spring (as the name would suggest). As far as how to keep the user signed in across both apps, there are a few options. The simplest would probably be to have a central database where user information is stored that both apps can access. Add Spring Security to both apps. The web app would require the user to authenticate and then, any time it calls the REST service, it provides the current user's username/password. The REST service would accept the username/password and authenticate the user again. This approach would also work if you ever wanted to use your REST services directly without your web UI.
I have a client - server application which uses cxf DOSGi [1]. Now I want to authenticate the clients from the server and create a session for the client. The client will have a cookie which is used to access the service once authenticated. I would like to know what is the best way for the server to access the HTTP session and the best way to store a cookie at the client end once authenticated.
I was thinking of making a custom Session object at application level once authenticated and sending a Cookie object to the client. So when the client accesses the service methods, it will pass the cookie as an argument. The client will be validated in every service method. But I don't think this is the best way to handle this, since every service method must have a separate argument to pass the Cookie.
I came across this when I was googling [2]. Is it possible to get "WebServiceContext" in the service in DOSGi? Even if I get it, how would I store the cookie at client end and make sure the client sends the cookie in every subsequent web service call?
[1] http://cxf.apache.org/distributed-osgi-greeter-demo-walkthrough.html
[2] How can I manage users' sessions when I use web services?
Any help is highly appreciated.
Thanks.
You can use a custom intent to control authentication. Basically an intent is a CXF feature that is applied to the webservice by DOSGi. You create the feature in a separate bundle and then publish it with a special property for its name: See the DOSGi reference guide.
In a project we created a feature that read a threadlocal containing the authentication context and used the credentials stored there to populate the CXF authentication. So you just have to store the credentials once into the threadlocal at the start of your application and all calls work.
Currently there is no simple documentation or example for this case, but I plan to create it in the near future as authentication is a common problem. I plan to use Shiro as an authentication framework and write a generic adapter for CXF. I will add a comment or another answer as soon as I have it ready. In the meantime you can try to do the same yourself.