Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed last year.
The community reviewed whether to reopen this question last year and left it closed:
Opinion-based Update the question so it can be answered with facts and citations by editing this post.
Improve this question
Warning! I'm on a bit of a fishing trip here, and I'm not even sure if the questions that I'm asking entirely make sense. Please be kind with your responses! :)
I recently took over a project that is currently based on a Java + Linux + Tomcat + MySQL. Right now, the system is basically just a website with a few cron jobs in the back-ground to move some data around, etc. In working with the product manager to develop a prioritized backlog, it’s clear from what he wants to do that I need to start developing a service-oriented architecture (SOA <-- buzz word warning!), and I will end up with a blend of web servers and application servers. Note: I’m strongly considering moving to Glassfish v3.
Currently, authentication and authorizations are handled in Java code with user information being stored in the MySQL database. At the bare minimum, it seems to me that I will need to split this out into a separate authentication service (otherwise, will end up with a bunch of duplicate code all over the place to handle user authentication and authorizations).
I’ve been looking into single sign-on (SSO) type solutions and doing some research. From what I can gather, OpenSSO has been officially dropped by Oracle, but picked up by ForgeRock and now is called OpenAM. This appears to be very close to what I want, but since I already have a MySQL-based system, I would prefer to have something that supports it (or some other kind of RDBMS). I found this on Stack Overflow and it seems to indicate that it’s basically LDAP or nothing.
Is there a way to make OpenSSO/OpenAM talk to Database for its authentication and authorization?
My questions are:
What other options are out there to OpenSSO/OpenAM? Is LDAP the way to go? Note: doing a “OpenAM vs” google search doesn’t yield much. Do people tend to just “roll their own”?
Any thoughts/suggestions/links on this topic that will help educate me will be greatly appreciated. Thanks in advance for your patience and help.
Are you integrating existing applications, or do you just want to support your own applications?
Are you looking for actual SSO or simply shared credentials? SSO is logging in to a single application, and having that credential propagate to another application (such as logging in to Gmail and being automatically logged in to Blogger). Shared credential is you can use the same login name and password across applications, but the credential itself is not automatically propagated.
LDAP is a common system used to manage a shared credential. Many systems allow you to point their authentication store to an existing LDAP server.
For example, if you had several apps deployed in a Java EE container, and also, say, an email server and web based email client, all of these diverse applications could be pointed to the same LDAP server and your users would have a single login and password for all of the different systems, all written in different languages, all deployed on different machines. This is a bread and butter use case of LDAP, and pretty much every system can handle this out of the box. Glassfish and Tomcat can both readily validate against an LDAP server. So can Apache (Web server), Postgres (Database), Postfix (email), etc. etc.
So if you want simply a shared credential, you get that "for free", right now, by installing an LDAP server. LDAP is a bit of a different beast than something like a DBMS, but once you study it a little and "get it", it's really quite nice. OpenLDAP is a popular LDAP server, but I'm partial to ApacheDS.
The way to set that up in a Java EE container is to set up a "Realm". GF and Tomcat both have LDAP realms out of the box, I imagine the rest do to. But the nut there is that you need to use Java EE security to leverage the Realm.
See, the detail with a Java EE Realm is that it's an aspect of the CONTAINER, not the application. Just like a connection pool is a container resource that your application leverages. Most people want security to be a part of their application, where they feel they have more control over it.
That's all well and good until you start getting a bunch of different applications and everyone is configured differently and has separate user lists, and password policies, etc. etc.
LDAP can fix a lot of that, since you configure them all to use the same credential store.
The Realm fills that need on a Java EE server. Your application is configured to use a Realm provided by the container. If you have several applications, and a single Realm, then they all get to share the credentials within that Realm (regardless of the Realm type).
Realms can be anything: file based, db based, LDAP, etc. Realms also cluster if the container clusters (which can be handy).
The dark side of Java EE security, and why most apps avoid it is that, since, again, the Realm is part of the container, and not the application, it can be a little ungainly to use, and perhaps not offer the features you like in terms of user management, password policies, etc.
But the bright side of Java EE security is that once you're under its umbrella, you can leverage the credential all over in your code easily. A person logs in to the web site, and that credential can be used there in the web app, or automatically propagated back to the EJB tier (ever a remote EJB tier), and the information is always handy.
You can point your web apps at a realm, you EJBs, your web services. They all leverage the same pieces.
In order to get kind of the best of both worlds is to leverage container specific mechanisms to access the containers security. This is the other dark side of Java EE security.
Things like Realms, and direct access to container security are not portable across containers. GF does it different than Tomcat does it different from WebLogic. It's all really close, but differs in details so your code won't port seamlessly.
The bright side is for in house apps, most folks simply leverage the container they have, put a reasonable abstraction around the container dependent code, and call it day noting that yes, they will have to port this if and when they move to a different container. But, in practice. much like a database, once a container platform is chosen, folks tend to snuggle in tight and stick with it.
Finally, Servlet 3.0 (In GF3 and Tomcat 7) standardizes more of the programmatic login issues to make them more portable across containers, but the underlying concepts are the same.
Now, SSO.
SSO is a different beast. But, out the gate, both GF and Tomcat support SSO for web apps. This lets you log in to one web app and have be able to easily access others without having to log in to them. But the SSO is a little bit limited since it relies more heavily on the container security and its lifecycle, rather than a more flexible one under the control of the application. Mind, not just on Realms (that's a given), but on the actual container based FORM login, rather than a custom programmatic login. FORM login is not spectacular, but it's functional and it works. Implement a Realm, deploy your apps to a single instance of Tomcat or GF (or a cluster in GF 3.1), and you get SSO for free, so if that's important, it's kind of nice really. It's usability is fine for back office apps, but not perhaps the public internet.
If you want a more sophisticated SSO solution, then you need look at custom implementations. OpenSSO is one of those, and it relies on SAML and the SAML web profile. However, there are others. There's CAS, Atlassian Cloud, Kerberos, and OAuth as well. Those are all using different protocols than SAML. If you want to stick with SAML you can also look at Shibboleth, or even SimpleSAML (SimpleSAML is a PHP server that acts as a SAML Identity Provider, among other things, but you still need a Service Provider within your applications).
Whatever protocol you choose, the process is basically the same (detailed here -- Cross Domain Login - How to login a user automatically when transferred from one domain to another).
But the devil is in the details. And, boy, are there devils.
All of these systems are complicated. SSO is complicated. For example, now that you have Single Sign On, what about Single Sign Out? What about Single Time Out? What about credential changes while users are logged in? What about an STS (Secure Token Service) for your Web Services? (STS offers a similar delegated authentication mechanism for web services.)
SAML introduces you to a whole lot of new vocabulary, and a lot of configuration. It's not readily picked up since the documentation isn't stellar and relies a lot on standards documents which talk to a higher level of generic things, and not to you and your application specifically.
If you don't need really need SSO, then you'll likely be content with something like a central LDAP store and going on from there.
All that said, as an example, our applications support both a DB and LDAP backend. They use Glassfish, and Java EE security. We completely control the user experience. We also support SSO via SAML (we wrote our own Identity and Service Providers), and we have both shared credentials via LDAP and SSO across Java and other applications, using our code and third party code. The bright side is this is all standards based. The dark side is that standards are communicated in english, and english is subject to interpretation.
I say this simply to say it can be done. I have also written ad hoc, back of the napkin SSO implementations, both same domain and cross domain (same domain is simple with a shared cookie) using simple Servlet Filters. Password policies, password recovery, keep alive timers, multiple window timeout and session management (that's a hoot), roles, privileges, etc. etc. Been there, done that.
Also, I would be remiss to not mention Spring and Spring Security which offers all of this on top of Spring. I have not used it (I'm not a Spring person), but those folks do know what they are doing so it's worth looking at.
Please note that "Is there a way to make OpenSSO/OpenAM talk to Database for its authentication and authorization?" is phrased wrong. The question details and answers only deal with the authorization aspect. OpenAM works great with a MySQL database of users and passwords (authentication), and can use it's hidden/embedded LDAP server for storing policies and other settings.
It sounds like you still need to flesh out your security model, but you will likely find you do not need something like OpenAM at all, and can just use container/framework provided security.
This list might provide a good starting point:
http://en.wikipedia.org/wiki/List_of_single_sign-on_implementations
with JOSSO and Shibboleth springing to mind.
OpenAM has two separate stores, a User Store, where users and all the accompanying properties are stored and a Configuration Store, which holds the configuration. There is a database User Store, which is available in OpenAM however I have never tried it. The SO question you were pointing to was referring primarily to the config store, which while LDAP only, is embedded in OpenAM (so doesn't require direct management).
Personally I am a fan of Tomcat over Glassfish, as it is a fast and light Servlet container, without all the associated bloat which goes with a full J2EE container.
You can use OpenAm with RDBMs. I am using JBDC based user store in OpenAm
OpenAM seems to have the ability to plug in your own authentication module.
Presumably, you can make your DB calls from within your extentsion of the AMLoginModule.
I have successfully build a custom user repository for OpenAm. Since this question have not been active for a while and because it would be too long to describe in details here how to do it, I will just give a few hints. If you need help on specifics, fell free to ask me.
Your basic entry point needs to extends com.sun.identity.idm.IdRepo.
You need to register your custom repository using ssoadm.jsp?cmd=add-sub-schema.
From this point, your repository type will be listed among the other types when you create a data store for a realm.
Good luck !
I've been tasked with making an enterprise application multi-tenant. It has a Java/Glassfish BLL using SOAP web services and a PostgreSQL backend. Each tenant has its own database, so (in my case at least) "multi-tenant" means supporting multiple databases per application server.
The current single-tenant appserver initializes a C3P0 connection pool with a connection string that it gets from a config file. My thinking is that now there will need to be one connection pool per client/database serviced by the appserver.
Once a user is logged in, I can map it to the right connection pool by looking up its tenant. My main issue is how to get this far - when a user is first logged in, the backend's User table is queried and the corresponding User object is served up. It seems I will need to know which database to use with only a username to work with.
My only decent idea is that there will need to be a "config" database - a centralized database for managing tenant information such as connection strings. The BLL can query this database for enough information to initialize the necessary connection pools. But since I only have a username to work with, it seems I would need a centralized username lookup as well, in other words a UserName table with a foreign key to the Tenant table.
This is where my design plan starts to smell, giving me doubts. Now I would have user information in two separate databases, which would need to be maintained synchronously (user additions, updates, and deletions). Additionally, usernames would now have to be globally unique, whereas before they only needed to be unique per tenant.
I strongly suspect I'm reinventing the wheel, or that there is at least a better architecture possible. I have never done this kind of thing before, nor has anyone on my team, hence our ignorance. Unfortunately the application makes little use of existing technologies (the ORM was home-rolled for example), so our path may be a hard one.
I'm asking for the following:
Criticism of my existing design plan, and suggestions for improving or reworking the architecture.
Recommendations of existing technologies that provide a solution to this issue. I'm hoping for something that can be easily plugged in late in the game, though this may be unrealistic. I've read about jspirit, but have found little information on it - any feedback on it or other frameworks will be helpful.
UPDATE: The solution has been successfully implemented and deployed, and has passed initial testing. Thanks to #mikera for his helpful and reassuring answer!
Some quick thoughts:
You will definitely need some form of shared user management index (otherwise you can't associate a client login with the right target database instance). However I would suggest making this very lightweight, and only using it for initial login. Your User object can still be pulled from the client-specific database once you have determined which database this is.
You can make the primary key [clientID, username] so that usernames don't need to be unique across clients.
Apart from this thin user index layer, I would keep the majority of the user information where it is in the client-specific databases. Refactoring this right now will probably be too disruptive, you should get the basic multi-tenant capability working first.
You will need to keep the shared index in sync with the individual client databases. But I don't think that should be too difficult. You can also "test" the synchronisation and correct any errors with an batch job, which can be run overnight or by your DBA on demand if anything ever gets out of sync. I'd treat the client databases as the master, and use this to rebuild the shared user index on demand.
Over time you can refactor towards a fully shared user management layer (and even in the end fully shared client databases if you like. But save this for a future iteration.....
I'm using JDBC to connect to a PostgreSQL database. We are trying to block access to the database for the users themselves; instead they should be forced to use our frontend. We blocked access to any table, and gave only procedures, which do all the work for users, still not giving them any opportunity to access data directly. We tried to block access to schema pg_catalog, which limits users to procedures we created, but it seems that this access is needed for JDBC to call any procedure.
Anyway, the question is either how to use JDBC without access to pg_catalog, or how to authorize only connections made by application, not user.
There is no fool proof way but the simplest is to use a username and password for the connection that you do not give to your users. Store the password in an encrypted configuration file. Ofcourse the encryption key can be retrieved from the application by a smart person.
For a really save system it would probably be best to put a service in front of the database that handles all security and provides a high level API to access the data and let the client connect to this.
The DBMS is being presented with a Catch-22 situation:
When a user runs a specific JDBC program to access the database, let it do its stuff.
When a user runs any other JDBC program to access the database, do not let it do its stuff.
How can the DBMS tell the difference between the two programs? As far as it is concerned, they are both clients that are using the correct protocol to communicate with the DBMS, and have identified themselves as a legitimate user of the database.
To make it work, you have to find a non-subvertible way to distinguish between the two applications. That is not trivial - to say the least.
There are kludges, but there isn't a clean solution. It is a generic problem that any DBMS faces when the problem is presented as in the question.
Well, just don't give your users an account on your postgresql database and create only an postgresql account for your application.
I want to make a web based Java application that reads an LDAP compliant directory and creates a record in a database for each user and group in the directory.
How can i go about it?
I've used the Spring LDAP module to interact with directories. It works very well, same as all Spring code. You would use whatever relational database technology you wish to write to the database. If you're already using Spring, this won't be difficult. In this case you'd create a connection to an LDAP to read the data and another to the database to write it.
But there's a question here that's worth asking: Why do you feel like you need to duplicate the data? The DRY principle would discourage you from doing so. Wouldn't it be better to have all the information in one place or the other?
I don't see how being web-based will affect things, so long as the web server has access to the LDAP directory - you'd use classes under javax.naming.
If you want to access a directory which the browser has access to but not the web server, you'll need to write code to run on the client instead - possible a JNLP application with appropriate access to make network connections.
The general API for talking to directory services (including LDAP) in Java is JNDI (javax.naming).
The official documentation for LDAP is rubbish, but there's a good tutorial on JavaWorld here.
Sometimes we deploy applications behind customer firewall and we need read only access to their DB for debugging issues as sometimes their IT people are not SQL savvy. We want to bundle our application with some web based application that will expose the database and allow us to fire adhoc SQL queries and show their output in HTML table. We dont want to write home grown code and we can bundle Java/JSP based applications.
Our backend is Oracle so we need a solution that can connect to oracle server and expose it over the web.
If you want the database behind a firewall, and believe me, you do want your database behind a firewall, see if you can have a VPN for going directly into the box. Once you are on the VPN, you can use whichever management tool you currently use for managing the database. So if you use SQL Server, you can connect via the VPN, and use Enterprise Manager to manage the database. Oracle probably has a similar tool, although I'm not that familiar. While having a VPN does incur an extra cost, it will probably make things many times easier.
phpMyAdmin is a good favourite if you're using MySQL. Its always a bit dangerous opening up an application like that if the db is intended to live behind a firewall, but as you say you could set it up ith a read-only account and possibly add extra layers of security on top like simple HTTP Basic auth.
Oracle Tool is a pretty decent oracle web front end. But so is enterprise manager.
Either way, you don't want your database open to the outside world in any way, either via some website or a listener or anything really.
The VPN solution is the way to go, just get VPN and then you can use whatever tools you normally use, if VPN is not an option then a simple firewall rule allowing just your IP's access would be ok, but not quite as nice as VPN.
On my current project, we use SQL Navigator in order to run queries on our Oracle database. I've also heard decent things about TOAD. I would advise against writing a web application just to run ad hoc SQL queries, because it seems to me that plenty of tools can support your debugging needs.