"Embedding" JasperServer into external web app? - java

Is there any way to integrate/embed JasperServer into another web app?
The thing is that the login page of JasperServer should be somehow bypassed. Is it maybe possible to do authentication through web service / REST, skip login page, and then show the main server page in an iframe, or something to that effect?
Thanks.

You can use the HTTP protocol and pull the reports in an iframe. The authentication information needs to go in the URL as j_username and j_password.
To use the REST service, you need to write a REST client (I did it using Jersey with HTTP authentication) where authentication info goes in the header.
It also provides SOAP services for integration which I haven't tried yet.

JasperServer authentication is implemented by Spring Security, so you can easily use an SSO mechanism supported by Spring Security.
You can find the XML configuration file (for the security) easily.

Related

Apache Camel + CXF endpoint authentication

I need to secure a simple REST service in Camel, like this:
<cxf:rsServer id="usrServer" address="${host}"
serviceClass="..."
loggingFeatureEnabled="true" loggingSizeLimit="20"/>
But I have no idea how to enable authentication on this endpoint, for example Digest authentication.
You have essentially two ways of achieving this:
Configure your apache-camel runtime container to handle the authentication i.e. if you are deploying to Tomcat then configure Tomcat to handle the Digest authentication. ServiceMix and Karaf will use the OSGI PAX web server which will need to be configured.
To secure your CXF REST service please review the CXF documentation around REST service security
There are some ways to secure a REST service, and in my opinion it doesn't depend on Camel.
For example, you want to allow access to the service even if the client is not logged in. So you have to check his information in the body of your service.
That's one way.
Another way is to use authentication (by login/pwd, token, etc.). That forces you to have 1 request to obtain your credentials, and 1 request to the service you want.
So, if you want to use Digest authentication, why not. But you have to configure it in your web server, not in the REST service configuration.
Here is a link for Apache: http://httpd.apache.org/docs/2.2/fr/mod/mod_auth_digest.html
and a link for Tomcat: http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html
I'm not very used to security, so I don't know if it helps.
cheers

SSO between Webapp and REST API using apache shiro

I'm trying to set up a SSO between a webapp and a REST API, to do this I'm using Apache Shiro + Jasig CAS but now I'm having a problem related to the authentication of the REST API.
I'm using CASRealm + CASFilter in the Webapp and trying to use the session created there to access the REST API, I've tried 2 approaches:
propagating the CAS service ticket from the webapp to the REST API through the request header (does not work, it says the service ticket is invalid because it belongs to another app, maybe the TGT would work)
store the username and password in the webapp and use them in http basic authentication (this might be a big security flaw, I'm trying to avoid it)
What other approach can I use to authenticate the user in the REST API?
I guess this is mainly an architecture issue.
Please ask questions if you didn't understand my question (or my English)
It looks like you want to use the first CAS service as a proxy for your REST API: you could use the CAS proxy mechanism: https://wiki.jasig.org/display/CAS/Proxy+CAS+Walkthrough. Though the proxy support is not available in the Shiro CAS module, so you should use the buji-pac4j extension. Here is a good discussion on this topic: http://shiro-user.582556.n2.nabble.com/Shiro-cas-proxying-td7579694.html.
You can enable the OAuth2.0 configuration on CAS and then you can secure your REST services with OAuth2.0. For example, you can have a REST service with OAuth for user authentication. Here are some useful links.
OAuth configuration
Securing REST
OAuth and REST

Can I use FORM and BASIC authentication together in my Java webapp?

Is there any way to use FORM and BASIC authentication together in my web application? I have a RESTful interface in it and I'd like to allow scripts to use it with the simple BASIC auth method but I'd like to have the FORM based auth for web clients as well. I'd like the webapp to respond with 302 Moved Temporarily redirecting to the login page for unauthorized requests, but if it finds that the client is sending the BASIC authentication's HTTP headers with username and password, then accept them just like in BASIC authentication.
I see that this is not possible with a single web.xml configuration but wondered if anyone else has some solution for this.
Can you use a filter?
Inspect the request for your headers. If present do the login process and add session data etc. to the request. If it fails then either ignore it or redirect.
If I configured container auth then my code was never invoked without authentication. So the answer is no. Jenkins CI and similar software use FORM based authentication for a restricted set of web resources and make use of Spring Security where things are more flexible.
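
The filter approach suggested above, as an added example that is not code from the original thread: a servlet filter accepts an existing form-login session or an HTTP Basic header and otherwise redirects to the login page. The `/login.jsp` path, the `authUser` attribute and the `checkCredentials` hook are hypothetical names; the hook fails closed until it is wired to the application's user store.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example (hypothetical names); use it instead of <login-config> container auth.
public class FormOrBasicAuthFilter implements Filter {
    private static final String LOGIN_PAGE = "/login.jsp";  // hypothetical form + handler
    private static final String USER_ATTR = "authUser";     // set by the form handler
    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        HttpSession session = req.getSession(false);
        boolean formLogin = session != null && session.getAttribute(USER_ATTR) != null;
        if (formLogin || LOGIN_PAGE.equals(req.getServletPath())) {
            chain.doFilter(req, res);                        // browser session or login page
            return;
        }
        String header = req.getHeader("Authorization");
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            res.sendRedirect(req.getContextPath() + LOGIN_PAGE);  // 302 for web clients
            return;
        }
        String[] cred = decode(header.substring(6));
        if (cred != null && checkCredentials(cred[0], cred[1])) {
            req.setAttribute(USER_ATTR, cred[0]);            // per request, no session for scripts
            chain.doFilter(req, res);
        } else {
            res.setHeader("WWW-Authenticate", "Basic realm=\"api\"");
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        }
    }

    // Splits "user:password" at the first colon; null on malformed input.
    private static String[] decode(String b64) {
        try {
            String pair = new String(Base64.getDecoder().decode(b64.trim()), StandardCharsets.UTF_8);
            int colon = pair.indexOf(':');
            return colon < 0 ? null : new String[] { pair.substring(0, colon), pair.substring(colon + 1) };
        } catch (IllegalArgumentException e) { return null; }
    }
    // Hypothetical hook for the application's user store; fails closed until overridden.
    protected boolean checkCredentials(String user, String password) { return false; }
}
```

Map the filter in web.xml without a `<security-constraint>` or `<login-config>` on the same URLs, because container authentication would intercept the request before the filter runs. Accept Basic credentials only on connections protected by TLS.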

Authentication in Apache Jersey without using Http-Authentication?

I am building a RESTful Webservice using Apache Jersey. Now I want that you need an authentication for some requests to it. Using the typical REST-approach the Authentication should be done via HTTP-Authentication. But a post here mentions that a better way how this can be done is by using cookies. I think there are some valid points in the discussion. (How) Can I make my Jersey Authentication work with Cookies? Do I need another framework for it?
Jersey uses the authentication mechanism declared in the enclosing web application's web.xml, practically either HTTP Authentication (over SSL) or Form-based Cookie authentication.
If you want to use cookie-based session authentication, users must authenticate with the web service first to create a session which can be used to check their identity for future calls. The servlet spec provides a standardized way to authenticate using cookies and session using a web form, which however, is not compatible with a web service type of application. So you would probably want to cook up some custom solution to let users submit their credentials via POSTing an XML or JSON document. A problem with this method is that if a user performs a call to a resource without first authenticating or after the session has expired, they will need to be redirected or receive some type of error code. Not impossible but it adds complexity to your web service.
At this point you have to wonder if using HTTP Auth is not the better choice for web service style apps. We recently built a web service using Jersey and HTTP Auth as the authentication mechanism. We then built a JavaScript front end on top of it. The JavaScript client always submits the Authentication headers to the web service so that the user is never confronted with the HTTP Auth authentication window from the browser. Perhaps the best of both worlds.

How to authenticate by user name and password in an Axis2 WebService?

I've built a web service via Axis2 in Java and uploaded it on the server. Everything is OK and it works fine, but I haven't considered any authentication method for that. How can I set a username and password for my method?
The standard for web services authentication is WS-Security. The Axis2 implementation is called Rampart.
You can create a web service method that accepts a user name and password.
If the user name and password are correct then you create a session token (preferably created by using the credentials) and send it back to the web service client.
For each web service call, the client must send the token along with the request parameters.
Since the request has a valid token, the client is considered as already authenticated and you proceed with the web service call.
If you're using a servlet (and not a custom-made stand-alone server application) you can just use a servlet filter for authentication.
Depending on the web framework you use you can use the standard security for that. Like you would for securing pages.
Or you could protect the resources using HTTP BASIC or DIGEST authentication.
Web services are - for the container - not much more than web pages so they can be protected in all the standard ways.
You can successfully use one of the existing Axis2 modules: Rampart.
Check the website (http://axis.apache.org/axis2/java/rampart/) for setup/config instructions and both client & server examples.
With Rampart I managed to use UsernameAndPassword authentication with WCF server and Java client.
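
The login-then-token flow described in the answers above, as an added example that is not code from the original thread. It swaps in a random token from `SecureRandom` instead of one derived from the credentials, keeps only the token's SHA-256 hash with an expiry on the server, and assumes a 30-minute lifetime; the class and method names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.*;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added example (hypothetical names): server-side store for the login-then-token flow.
public class SessionTokens {
    private static final Duration TTL = Duration.ofMinutes(30);  // assumed lifetime
    private static final SecureRandom RNG = new SecureRandom();
    private static final class Entry {
        final String user; final Instant expires;
        Entry(String u, Instant x) { user = u; expires = x; }
    }
    // Keyed by the token's hash so a dump of the map does not yield usable tokens.
    private final Map<String, Entry> byHash = new ConcurrentHashMap<>();

    // Call only after the user name and password have been verified.
    public String issue(String user) {
        byte[] raw = new byte[32];                               // 256 random bits
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        byHash.put(hash(token), new Entry(user, Instant.now().plus(TTL)));
        return token;
    }

    // Returns the authenticated user, or null if the token is unknown or expired.
    public String validate(String token) {
        if (token == null) return null;
        String key = hash(token);
        Entry e = byHash.get(key);
        if (e == null) return null;
        if (Instant.now().isAfter(e.expires)) { byHash.remove(key); return null; }
        return e.user;
    }
    public void revoke(String token) { if (token != null) byHash.remove(hash(token)); }
    private static String hash(String token) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            return Base64.getEncoder().encodeToString(md.digest(token.getBytes(StandardCharsets.UTF_8)));
        } catch (NoSuchAlgorithmException ex) { throw new IllegalStateException(ex); }
    }

    public static void main(String[] args) {
        SessionTokens store = new SessionTokens();
        String token = store.issue("alice");                     // constructed sample user
        System.out.println(store.validate(token) + " / " + store.validate("forged"));
    }
}
```

Call `validate` on every web service request and `revoke` on logout. The token is a bearer credential, so it should travel only over TLS.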
