I'm have the next scenario on my enviroment
Tomcat running as services in Windows server
The service is configured with a Domain Account, it is an Active Directory Account.
Now in a Spring Controller I need to acces to a site, this site is configured with Integrated Security.
So what I want is to access to this site using the same credentials that is running the tomcat account. So I'm beleave thath I need to access to this credentials and pass it to a http client.
Thanks.
There's a number of ways you can integrate a Java application into an Active Directory / Windows Authentication system:
I would start by understanding the Kerberos and NTLM authentication systems (and which apply to your environment) and reading up on the documentation: http://docs.oracle.com/javase/6/docs/technotes/guides/net/http-auth.html
Given you are using Spring already, I would strongly consider using Spring Security, which has NTLM support: http://blog.mediasoft.be/ntlm-with-spring-security-20/
Related
I'm trying to get to point, where wildfly 9 would be able to authenticate users with kerberos and authorize them with ldap.
I'm having rich EJB client using JAAS (having com.sun.security.auth.module.Krb5LoginModule).
I'd need some sample including the step-by-step configuration.
What I've found is:
wildfly with LDAP (https://developer.jboss.org/wiki/LDAPSecurityRealmExamples)
wildfly with SPNEGO (https://github.com/kwart/spnego-demo)
wildfly with kerberos for server management (http://darranl.blogspot.co.uk/2014/10/wildfly-9-kerberos-authentication-for.html,
http://darranl.blogspot.co.uk/2014/11/wildfly-9-kerberos-authentication-with.html)
however I have not web but rich application + I'm not using LDAP for authentication, but kerberos. And I need not only management operations to be authenticated using kerberos.
Any complete sample/references out there?
i manage to make it work with this library :
https://github.com/dstraub/spnego-wildfly
you incorpore the jar in your application (not available in MVN repository), then you have to specify the mechanism authentication "SPNEGO" for example in web.xml, configure your active directory, create your keytab, configure your standalone.xml or domain.xml and it is OK , you can also use an apache in front and a load balancer, an example with the sample-app
I'm trying to write a small servlet which is a plugin in a WebSphere application on Linux. The servlet will make web services calls to a service hosted on a Windows server that's part of an AD domain & uses Integrated authentication.
I'll be using JAX-WS and would like to use WS-Security with Kerberos Token authentication. The Kerberos authentication is being mandated by the Windows service because it relies on Windows Auth - something I can't change.
The authentication will be for a single service account in the AD domain - an account dedicated to the servlet which is permissioned within the AD domain.
Does anyone have some pointers on this? I've read the sg247771 (Implementing Kerberos on WAS), but can't locate a scenario which matches the above - same for the WAS docs online. I suspect I'm just missing something obvious. Alternatively any other docs that would explain the configuration I'm after would be great. It's entirely possible that my googling skills have failed and I'm using completely the wrong keywords.....!
I am building an android application which communicates with the web server on apache tomcat. Web server build in JAVA EE. Currently for authentication and authorization I am using username , password and for managing the session I am using tokens. So when the user logs in I will check mysql database and authenticate the user. When the user tries to do some action , based on the token the sent , I will identify the user and authorize to do that action based on the privileges given to that user. It looks bit cumbersome . I was wondering is there any standard framework which make this task easy.
Is there any tomcat container level authentication and authorization possible , so the request won't reach the web application if its not authorized to do the action ?
Or else Is there any framework which provides standard authentication and authorization in web application ?
Apache Shiro is what you are looking for:
Apache Shiro is a powerful and easy-to-use Java security framework
that performs authentication, authorization, cryptography, and session
management. With Shiro’s easy-to-understand API, you can quickly and
easily secure any application – from the smallest mobile applications
to the largest web and enterprise applications.
I used Spring security (version 3) in couples of projects, the shortcoming was the size of jars you need to deploy (it is Spring!), it's was cumbersome.
Also I have integrated Apache Shiro with magnolia-cms, as far as I can say Apache Shiro has the strength of Spring Security with the ease of use.
We want to realize a SSO-infrastructure with some IBM Domino / Websphere products and one custom web application. All IBM products are configured for SSO. Therefore, the WebSphere Application Server 8 generates an LTPAToken2 after successful login in one of the IBM products. We want to achieve the same behaviour for our own custom web application. After login into this web app, a LTPAToken2 should be generated.
Therefore my question: Is it possible to generate a valid LTPAToken2 in our custom web application? Or maybe, is it possible to use the WebSphere Application Server APIs for this generation? Which steps would be nessecary to achieve this? At the moment, our custom web application is not hosted in a WAS, but on a Tomcat.
Thanks and best regards
Ben
As long as you have your application hosted on a tomcat server that is not possible. There is no open API from IBM for creating LTPA tokens.
If you would have had the same user directory and using standard Java Security Mechanisms you could move your application to WAS, where SSO is configured. Not only would it be possible, your LTPA tokens would be created on login to your web application without any further configuration.
As it seems have a solution with two different user directories, sharing the same user id but not the password, you need to take other measures to achieve SSO.
One is to have an Access manager software which handles login for all your applications,
A second solution is to write some custom code. Login into the tomcat server could generate a custom cookie. You need to write code to generate this cookie. Then you can write a TAI to intercept it on the WebSphere server thus accepting the login. The TAI would be configured in the container rather than in a separate application itself. (example)
I also assume you could solve this by writing servlet filters to handle the login, rather than a TAI.
If your Tomcat app is on the same domain as (one of) the WebSphere servers, and the Tomcat server has network access to the WebSphere instance, you could have a servlet in your Tomcat app accept credentials on its request and pass them in an outbound http request to something like /<secured app>/j_security_check on the WAS instance, record the LtpaToken2 if successful and then add a cookie with its value in the servlet response on Tomcat.
As long as the two servers are on the same domain the browser will send the cookie back if the Tomcat app links/redirects the user to a secured URI on the WAS app, and you have SSO.
I am trying to implement LDAP authentication using spring security and jboss server.
Below is my environment setup:
Active directory running on company Windows server
application to be deployed jboss server running on RHEL 6.4
java version to be used: 1.6
JBoss version: jboss-eap6, jboss-as-7.1.1 Final
What i am trying to achieve is :
When the user open the application url from the windows machine in company network, he should get authenticated against the company LDAP server and be able to go the dashboard with being asked for password.
When the same url is opened from any machine outside company network, the the login page should be displayed and on providing credentials authentication should be done against the company LDAP and then the user specific dashboard page should be displayed.
I have already gone through the WAFFLE and SPNEGO documentation/tutorials available over internet, but WAFFLE dont work in OS other than Windows as it uses some Win32 api. Also What SPNEGO (PRE-AUTH) does is not exactly what i want to achieve.
In short in want to implemnent what WAFFLE do but the problem is that my application would be deployed in unix machine.
Please help me.
What you can do, is start out configuring your application using an in-memory authentication provider.
Internalisation using Spring Security In-Memory Authentication
The only thing you then have to do is change out the in-memory authentication provider with an LDAP authentication provider.
The best information I found so far is in the spring reference itself.
http://docs.spring.io/spring-security/site/docs/3.0.x/reference/ldap.html
Add the Ldap active directory address
< ldap-server url="ldap://springframework.org:389/dc=springframework,dc=org" />
Hook up the ldap bind authentication provider
< ldap-authentication-provider user-search-filter="(uid={0})"
user-search-base="ou=people"/>