I am building a RESTful Webservice using Apache Jersey. Now I want that you need an authentication for some requests to it. Using the typical REST-approach the Authentication should be done via HTTP-Authentication. But a post here mentions that a better way how this can be done is by using cookies. I think there are some valid points in the discussion. (How) Can I make my Jersey Authentication work with Cookies? Do I need another framework for it?
Jersey uses the authentication mechanism declared in the enclosing web application's web.xml, practically either HTTP Authentication (over SSL) or Form-based Cookie authentication.
If you want to used cookie-based session authentication, users must authenticate with the web service first to create a session which can be used to check their identity for future calls. The servlet spec provides a standardized way to authenticate using cookies and session using a web form, which however, is not compatible to a web service type of application. So you would probably want to cook up some custom solution to let users submit their credentials via POSTing an XML or JSON document. A problem with this method is that if a user performs a call to a resource without first authenticating or after the session has expired, they will need to be redirected or receive some type of error code. Not impossible but it adds complexity to your web service.
At this point you have to wonder if using HTTP Auth is not the better choice for web service style apps. We recently built a web service using Jersey and HTTP Auth as the authentication mechanism. We then build a Javascript front end on top of it. The Javascript client always submits the Authentication headers to the web service so that the user is never confronted with the HTTP Auth authentication window from the browser. Perhaps the best of both worlds.
Related
What is the correct way for a java heavy client to authenticate with an OpenAM protected servlet?
Java openAM sdk exists, which I have used and it does provide access to the SSO Token. Where things break down is when this same heavy Java client attempts to send serialized objects to a protected tomcat 7 (tomee+) servlet using this SSO Token id as a cookie. The OpenAM filter uses redirection with an embedded / hidden form containing credentials. This breaks the serialized object communications.
So what is the right way to have a Java heavy client authenticate such that it can then send serialized objects back and forth to a protected servlet? Is this even possible?
There are several ways to authenticate a client:
use the REST API to authenticate the client (/identity/authenticate or /json/authenticate)
using the ClientSDK AuthContext API
sending POST requests to /UI/Login (not necessarily the best way..)
After acquiring the token the only thing you have to make sure of is that you send the session cookie to the protected pages. In case you receive a self-submitting form for JAAS, then that means that you are using the agent in J2EE_POLICY or ALL mode and Java EE declarative security is enabled. Possible solutions for this problem area:
modify the client so it copes with the JAAS FORM login content (i.e. grab the input values and perform a POST manually), after this possibly you will also have to send the JSESSIONID with all your requests.
consider removing protection for your servlets in web.xml, that way the container will not attempt to display the JAAS login form, but then this will also mean that you won't have the fancy JAAS integration either (isUserInRole/getRemoteUser/#RolesAllowed/etc)
move your servlet to a separate application, which can be protected in a different agent filter mode (URL_POLICY/SSO_ONLY), it would be still protected, but again without the JAAS integration..
Basically I can't think of an easy way of leveraging JAAS integration with the use of a heavy client without dealing with form based login.. At one point in time I was able to implement a Java EE application client that authenticated into the container's (agent's) realm using programmatic login and that worked, but I don't suppose your heavy client is actually a Java EE application client..
Is there any way to use FORM and BASIC authentication together in my webapplication? I have a RESTful interface in it and I'd like to allow scripts to use it with the simple BASIC auth method but I'd like to have the FORM based auth for web clients as well. I'd like the webapp respond with 302 Moved Temporarily redirecting to the login page for unauthorized requests, but if it finds that the client is sending the BASIC authentication's HTTP headers with username and password, then accept them just like in BASIC authentication.
I see that this is not possible with a single web.xml configuration but wondered if anyone else has some solution for this.
Can you use a filter?
Inspect the request for your headers. If present do the login process and add session data etc. to the request. If it fails then either ignore it or redirect.
If I configured container auth then my code was never invoked without authentication. So the answer is no. Jenkinks CI and similar software use FORM based authentication for a restricted set of web resources and make use of Spring Security where things are more flexible.
I have an application runs on Java Spring 3. My application uses RESTful services and Spring Security for security. It has a user table and checks user credentials from it. I implemented web service capability to my application(one of customer's wanted web services instead of RESTful services). If possible I want same authentication mechanism and want to look up that database and allow just one user (for now-to admin) to communicate with my web service server.
Should I follow the same way as like my RESTful authentication or is there any authentication and security mechanism for Java Web Services at Spring (i.e. how to deal with logout, how to enable logout mechanism for a client-server web services communication)
PS: I use Apache-CXF.
Two potential ways:
Put a BasicAuthenticationFilter or DigestAuthenticationFilter in front of your CXF Servlet.
Use a WS-Security UsernamePasswordToken with CXF and write a CallbackHandler that a) creates a UsernamePasswordAuthenticationToken, b) calls authenticationManager.authenticate() and c) stores the authentication in the SecurityContextHolder.
Note that the above doesn't cover the concept of logout since login sessions are generally implemented with cookies and the above are stateless approaches. If you really need logout then you should consider using OAuth because you can implement logout by invalidating access tokens.
You could put a security token in the HTTP header you are sending to the REST which the REST decodes and verifies it's coming from an administrative location.
is there any way to integrate/embed JasperServer into another web app?
The thing is that the login page of JasperServer should be somehow bypassed. Is it maybe possible to do authentication through web service / REST, skip login page, and then show the main server page in an iframe, or something to that effect?
Thanks.
You can use Http protocol and pull the reports in an iframe. The authentication information needs to go in URL as j_username and j_password.
To use Rest service, you need to write a REST client (I did it using Jersey with Http authentication) where authentication info goes in the Header.
It also provides SOAP services for integration which I haven't tried yet.
JasperServer Authentication is implemented by Spring Security, so you can use a SSO mechanism supported by Spring Security easily.
You can find XML configuration file (for the security) easily.
I've build a webservice via Axis2 in Java and uploaded it on the server. everything is ok and it works like fine. but I haven't considered any authentication method for that. How can I set a username and password for my method?
The standard for web services authentication is WS-Security. The Axis2 implementation is called Rampart.
You can create a web service method that accepts a user name and password.
If the user name and password are correct then you create a session token (preferably created by using the credentials) and send it back to the web service client.
The client for each web service call, must send along with the request parameters the token as well.
Since the request has a valid token, the client is considered as already authenticated and you proceed with the web service call.
If you're using a servlet (and not a custom-made stand-alone server application) you can just use a servlet filter for authentication.
Depending on the web framework you use you can use the standard security for that. Like you would for securing pages.
Or you could protect the resources using http BASIC or DIGEST authentication.
Web services are - for the container - not much more than web pages so they can be protected in all the standard ways.
You can succesfully use one of the existing Axis2 modules: Rampart.
Check the website (http://axis.apache.org/axis2/java/rampart/) for setup/config instructions and both client & server examples.
With Rampart I managed to use UsernameAndPassword authentication with WCF server and Java client.