As per the title, I am wondering what are some best practices for Web service user authentication and session management, mainly for backend implementation, especially using Java (J2EE).
Has anyone published anything on the subject? What kind of security considerations should one keep in mind when working with user authentication? What kind of design patterns are related? How should sessions be managed? What does a well-designed architecture look like?
Are there existing systems that could be used as good examples, or even bad examples?
As the Java EE specifications for web services actually consist of exposing a stateless session bean as a web service, you won't be able to implement session management without a "home-made" solution such as including a user token in each of your requests.
Not specifically REST, but we use the same authentication mechanism for standard web services as for any other web container request. That means sending basic authentication data to the backend, over SSL. Never had any issues.
I have been going through a lot of documentation to understand what the standard way is (if there is any) in which Java clients authenticate themselves with applications deployed on a server container like WebLogic, JBoss, etc.
After reading the JAAS & JNDI authentication documentation for WebLogic, I am able to understand the flow, but no documentation answers the queries below:
Are JAAS and JNDI the only available methods for authenticating Java clients?
What I understood so far is that each application server can provide its own abstraction layer to perform authentication, for example OPSS in WebLogic, but eventually they all depend on the native authentication methods available in the JEE framework. Please point out if this assumption is not correct.
The confusion is greatly amplified as some articles mention that JAAS security doesn't exist in JEE. Is that valid for Java 7+ too?
The Oracle WebLogic documentation I have been going through clearly states JNDI & JAAS as the standard authentication approaches, and even goes to the extent of specifying JAAS as being preferred over JNDI authentication.
https://docs.oracle.com/cd/E28280_01/web.1111/e13711/fat_client.htm#SCPRG225/
Here is the clarification I got based on the material I read during the last two days.
Most basic thing: all application servers provide an identity store that can store users & groups. Applications can refer to this identity store when they are deployed on the server.
A Caller or User is an individual named identity defined in an identity store.
https://dzone.com/refcardz/getting-started-java-ee?chapter=1
How do the applications execute authentication?
Based on the pure JEE framework, the authentication methods can be classified by the type of application they secure:
Web Application Authentication
Declarative:
We use either deployment descriptors or @annotations to specify these authentication enablers:
a. Which options to use for rendering authentication, i.e. basic (browser popup), custom form, SSL, etc.
b. Which resources (URL patterns) need authentication and authorization.
c. Which users or roles (via groups) are permitted authentication or authorization.
Programmatic
Here we make use of the security methods of the built-in HttpServletRequest interface.
The application (e.g. a servlet) calls the following methods to instigate authentication from within an "unconstrained" resource.
a. request.authenticate(): A login box pops up to collect credentials.
b. request.login(): This method takes login/password without the popup.
c. request.logout(): Resets the user/caller identity.
There are several other methods also available that provide more details of the authenticated user, like isUserInRole() (whether it's in the given role), getRemoteUser() (gives the user name), etc.
EJB Authentication
How are EJBs authenticated?
EJBs can also be secured in the same way as web-based apps, i.e. with either declarative or programmatic security. There are some caveats to this statement, but those are not relevant to the current discussion.
So why do we need JAAS, and what is JAAS?
To appreciate this, let's understand a practical scenario:
An application may have multiple authentication requirements, e.g. password, certificate, authenticating users from multiple security realms, perimeter authentication, etc. Do we have to code so much for every application and type of authentication? It can be cumbersome and complex to create & maintain code for authenticating users based on these different techno-business requirements.
To address the above situation, there has to be a pluggable way of writing code for authentication, wherein developers would only be responsible for mentioning (not coding) which AuthenticationProvider has to be used, and for writing code to call the LoginModule of that particular provider, which eventually has the code to authenticate the given user/caller.
This framework for providing pluggable authentication is called Pluggable Authentication Module in the LDAP world.
"JAAS" is the Java implementation of the PAM framework. With JAAS, either updated or additional authentication technologies can be plugged in under an application, without modifying the application code as such.
After Authentication, JAAS also enforces authorization.
JEE provides libraries to implement JAAS in applications!
Is JAAS implemented in the same way across different enterprise application servers like WebLogic, JBoss, etc.?
Well, "it can be", "but is usually not" implemented in the same way across different application servers.
This is because an application server may provide its own libraries, which can be used to implement JAAS.
Hope this clarifies the JEE security model to folks who do not have a development background.
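As an added example (not code from the answer above), a servlet that drives the programmatic HttpServletRequest methods just listed. It assumes the Servlet 3.1 API in the javax namespace and a realm, configured on the server, that defines an "admin" role:

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

// Hypothetical servlet exercising the HttpServletRequest security methods listed above.
// None of its URLs is covered by a <security-constraint>, i.e. they are "unconstrained"
// resources: the container lets the request through and the servlet drives authentication.
@WebServlet(urlPatterns = {"/login", "/logout", "/whoami"})
public class ProgrammaticAuthServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if ("/login".equals(req.getServletPath())) {
            String user = req.getParameter("username"), pass = req.getParameter("password");
            if (user == null || pass == null) {
                resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "missing credentials");
                return;
            }
            if (req.getUserPrincipal() != null) {
                req.logout();   // login() fails if a caller identity is already established
            }
            try {
                // Checked against the realm/identity store the app is deployed with; no popup.
                req.login(user, pass);
            } catch (ServletException e) {
                resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "bad credentials");
                return;
            }
            req.changeSessionId();   // Servlet 3.1+: fresh session id once the caller is known
            resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
        } else if ("/logout".equals(req.getServletPath())) {
            req.logout();            // resets the caller identity
            req.getSession().invalidate();
            resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
        } else {
            resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
        }
    }
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // authenticate() runs the login mechanism declared for the app (BASIC popup, FORM, ...)
        // and returns false after it has sent the challenge or redirect itself.
        if (!req.authenticate(resp)) return;
        resp.setContentType("text/plain");
        resp.getWriter().printf("user=%s admin=%b%n",
                req.getRemoteUser(), req.isUserInRole("admin"));
    }
}
```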
How can I secure the communication between the business logic (java) running on Tomcat, and the UI written in AngularJS. The communication obviously will be over REST services. Can anyone advise on this, or provide links to some tutorials, examples?
There shouldn't be any concern about securing your REST API on the server side, because it's just a kind of web resource like static CSS or a Servlet. If you're using Spring in your application, I recommend you consider Spring Security. Here is a good example.
And you should not worry about accessing secured resources from your Ajax request. Probably, they will reuse the same session information (that is stored in the SESSIONID cookie).
You can find more information about securing your REST resources from here.
General case: a simple application that exposes its services through EJB (3.1), most of them stateless session beans (nothing fancy here), and Swing-based clients that call these services through remote interfaces and do what they have to do.
Security: I want to authenticate/authorize this cycle of calls and of course protect my services. The obvious answer would be to use JAAS in the server and any custom wiring set up on the underlying server. That is still an option.
Apache Shiro: lots of people talk about Apache Shiro, and indeed it features a very simple API and mechanism that could potentially be application-server independent.
Technical Questions:
Session: in my case I don't have an HTTP session, and from what I have understood Shiro at least needs some sort of session ID that I need to pass around. Any nice way of injecting user credentials into my RMI/IIOP calls to the server without polluting my business API?
Server-side implementation: from the few resources I have gone through, I think I can implement a Shiro DefaultSecurityManager by 'referencing it' from a Singleton EJB 3.1 bean. Any other ideas?
Then I can easily create an interceptor and add it to my remote calls, so when a new call is going through my remote EJB method, the Shiro interceptor validates my user or checks for specific rights.
Any comments / tips / examples?
Many thanks
For Shiro, try to use a ServiceLocator pattern. The lookup of EJBs is different between containers (JBoss, NetWeaver, WebLogic, etc.).
In the application server, try to use the container-based security constraints (@RolesAllowed, @PermitAll, @Deny...). JAAS will create the subject with the principals of the user, so just use the container authorization (@RolesAllowed, @PermitAll, @Deny...). This can be better when you migrate from one container to another.
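As an added example (not from this answer), a remote stateless bean protected with the container constraints mentioned above, plus a programmatic SessionContext check for a per-account rule; the role names, interface and ownership rule are assumed for illustration.

```java
import javax.annotation.Resource;
import javax.annotation.security.*;
import javax.ejb.EJBAccessException;
import javax.ejb.Remote;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Hypothetical remote stateless bean using the container-based constraints recommended
// above instead of a hand-rolled Shiro interceptor: JAAS has already built the caller
// Subject when the container dispatches a remote call, so the annotations are enforced
// before any business method runs (interface kept in this file for brevity; normally public).
@Remote
interface AccountService {
    String balance(String accountId);
    void transfer(String from, String to, long cents);
    String ping();
}

@Stateless
@RolesAllowed({"customer", "auditor"})   // class-level default for methods without their own annotation
public class AccountServiceBean implements AccountService {
    @Resource
    private SessionContext ctx;   // caller identity established by the container

    @Override
    public String balance(String accountId) {
        String caller = ctx.getCallerPrincipal().getName();
        // Programmatic check on top of the declarative one: a customer may only read
        // their own account, while an auditor may read any.
        if (!ctx.isCallerInRole("auditor") && !ownsAccount(caller, accountId)) {
            throw new EJBAccessException("not the account owner");
        }
        return "balance of " + accountId + " for " + caller;
    }
    @Override
    @RolesAllowed({"customer", "teller"})   // method-level annotation overrides the class default
    public void transfer(String from, String to, long cents) {
        // business logic goes here
    }
    @Override
    @PermitAll                  // open to any caller, authenticated or not
    public String ping() { return "pong"; }
    @DenyAll                    // callable by nobody, e.g. a retired operation kept for compatibility
    public void closeAll() { }
    // Constructed ownership rule standing in for a real lookup.
    private static boolean ownsAccount(String user, String accountId) {
        return accountId.startsWith(user + "-");
    }
}
```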
Let's say we have a website that uses a web service for all of its functionality (i.e. retrieving and updating data from/to the DB); how does the web service authenticate requests?
As I understand it, in a traditional Java "website" a user provides a username & password, and upon validation a jsessionid is assigned to the user (client browser). Every time the client browser asks the website for something, the site checks for the jsessionid, ensuring that the user is registered and authenticated. Is there a web services equivalent of this? If yes, what?
Usually for web services the easiest solution is using Basic Authentication. For something more complex, an "API Key\Token" is passed with each request to authorize\authenticate the users. Another solution is OAuth.
Twitter, for example, uses Basic Authentication and OAuth.
The web service world is governed by the WS-* standards.
See WS-Security:
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss
http://en.wikipedia.org/wiki/WS-Security
The Wikipedia article gives a nice high-level overview; OASIS is the official home of the standards and provides the detailed specifications.
Does your web service even need to be publicly accessible?
You might not need to worry about complicated authentication schemes if there is no reason to allow public traffic from even reaching the web service.
Does anyone have a recommendation about web service security architecture in Java (preferably under JBoss)? Any recommended reading?
I want to expose a fairly rich web service to the world, but the data are sensitive and it requires authentication from the current client (Flex), accessed via RPC. I definitely do not want any server-side session state.
What's the best way to go about implementing security through web services in Java/JBoss and where can I read about it?
You could try:
For web services security in JBoss, I would start by reading section 8.4, WS-Security, of the JBossWS User Guide.
WSSE is simple and works well.
http://www.xml.com/pub/a/2003/12/17/dive.html
http://www.sixapart.com/developers/atom/protocol/atom_authentication.html