Can anyone recommend a Java Security Framework that supports authentication with OAuth and OAuth so that we can offer integration with the likes of Google/Twitter/Facebook etc. as well as other security features such as cryptography, password reset, security questions etc. I've looked at Apache Shiro which looks good but doesn't seem to have the Social side of things covered. I've also investigated Spring Security which seems to cover as lot of areas but I'm not sure whether you need to be using Spring MVC to use this (we're using Wicket + Spring for the service layer).
Any recommendations appreciated.
Spring Security covers all the areas you need (the social stuff is called Spring Social, you can have a look at it).
Also no you don't need to be using Spring MVC. Any web framework can use Spring Security.
Check Oracle Fusion Middleware (Oracle ADF 11g.)
Related
I have a Java Restful application that uses Jersey for the APIs implementation and that uses Spring for DI. I'm now trying to integrate HDIV for security.
However the official documentation has examples for the integration with Spring MVC, but not Restful Jersey applications.
Documentation here:
https://hdivsecurity.com/technical-documentation/doc.html
I read online that it's possible to integrate HDIV with REST, but I cannot exactly figure out how this is done, as I cannot find examples.
Does anyone know how this is done?
As you said Hdiv can be integrated with REST APIs, particularly RESTFul APIs that implements the whole REST specification, including Hypermedia or HATEOAS level (level 3 within Richarson model)
This REST support is included inside Hdiv Enterprise edition and that's why is not included in the link related to the technical documentation provided by you. The security level offered in that integration is exactly the same that we have been offering till now for server side MVC applications. It means that Hdiv can automate the protection against OWASP top 10 web risks in REST based applications .
Regarding JAX-RS support it can be possible if you are using the new hypermedia support included within JAX-RS 2/Java EE 7.
If you need more detail about the Hdiv support for RESTFul APIs you can review the slides presented in the last Spring I/O conference.
If you want to test within your project this support please contact using Hdiv support web form within hdivsecurity.com web site.
Regards,
Roberto Velasco
I'm developing a Java application using JPA, EJB, CDI, JAX-RS and AngularJS, running on a WildFly.
Currently I use basic authentication, but I would like to improve it with other authentication options, such as Facebook, Twitter or Google+.
Spring Social provides a nice set of features to connect with social networks, but I'm not using Spring on my application.
My questions are:
Does Spring Social play well with EJB?
Is there any example?
Is there an alternative to Spring Social in order to connect with social networks?
I'm running a web application using exactly the same stack and I'm successfully using Spring Social for Facebook authentication.
To answer your questions:
Spring Social is a class library, sure you can use it with EJBs, in
my project I've actually created an abstract interface between a
facade EJB and various Spring Social providers;
you can find code
examples on the Spring Social web page, look at Spring Sample
Projects;
every social gives you libraries and tools to connect with
them, whereas the Spring Social library gives you a uniform interface, making your code more simple and maintainable.
I´m building a web application which comunicates server and clients through REST services (I´m planning to build a mobile app in mid term).
I´ve used Spring Security in other web applications without REST services. But I´m not sure if that approach is suitable for my scenario.
Is it possible secure both access to web pages and calls to REST services using Spring Security? What would you recommend?
Backend uses Spring Data + Spring MVC.
Thank you.
Yes, Spring Security is a good way to secure both REST endpoints and traditional MVC webpages. The implementation can be similar for both your REST endpoints and MVC routes depending on your requirements.
Spring Security is a popular and effective way to add security to your Spring application. Since you already have experience with it, you should be able to secure your REST endpoints with relative ease.
Check out this detailed tutorial on securing REST routes with Spring Security to get started: https://spring.io/guides/tutorials/rest/5/
Does anyone know of any security frameworks for .NET?
By security framework, I am referring to a framework consisting of a set of libraries and APIs containing code which can be used to improve the security of the application being developed overall.
So far, I have only identified Spring.NET. I have found other frameworks for .NET such as Castle MonoRail, however it is not exactly directed towards solving security issues.
To give you an example, a Java programmer can make use of the following security frameworks:
Apache Shiro (Java)
JAAS (Java)
JGuard (Java)
JSecurity (Java)
PicketBox (Java)
Spring Security (Java)
I don't know those frameworks but from a quick glance at Apache Shiro and Spring Security I get that you are looking for something that will do cryptography, session management, authentication and authorization. Unfortunately I don't know any frameworks that will do that for you except what's built into .NET by default.
Cryptography is provided by the System.Security.Cryptography namespace.
Authentication and authorization are provided by default by ASP.Net, as Windows, Forms or password authentication. See for example the ASP.NET authentication and authorization article on CodeProject.
Session management is also built into ASP.Net. For example, see ASP.NET State Management Overview on MSDN.
I wanted to build an application based on Java EE 6, but the security mechanisms of Java EE are not sufficient and a pain to with for my needs. Spring Security seems the best way to secure my application. Now I wonder if Spring Security + EJB is a good combination or if I should be better use Spring only.
I need method interception, ACLs and possibly URL pattern access control. The main problem I see is to use EJB interception with Spring Security. It is a problem? What other areas could be problematic?
Would you prefer Spring Security + EJB or Spring Security + Spring (only)?
As skaffman said the real question is Java EE vs. Spring. There is a nice comparison from JBoss.
Spring Security is distinct from the Spring Framework. They work well together, but Spring Security does not require you to use the Spring Framework underneath.
So in a very real sense, it doesn't matter, it becomes a question of whether you prefer EJB3 or Spring, regardless of Spring Security.
I am not very familiar with EJB but my understanding has always been that it is essentially a data-access technology, or a way to distribute services.
Spring itself, and the Spring Security module, is designed to be very lightweight and unobtrusive. If you are building a web application and using Spring Security for logins/security, then it doesn't care or even know if you are using EJB vs JDBC vs remoting technologies etc.
After having spent a lot of days trying to find a way to only uses springsecurity to secure the ejb, I've adopted kind of hybrid solution: JAAS + springsecurity.
The client uses JAAS to be authenticated to the ejb on the sever, I've created a custom JAAS LoginModule which delegates authentication to the springsecurity code.
EJBs to perform their logic use methods which are annotated with jsr250 annotations (RolesAllowed), and this part is fully handled by spring security.
In this way I've achieved a clear separation between ejb and spring security so my business code, secured by springsecurity, is fully portable to any other kind of ApplicationServer or it can even run as standalone application.