I want to know the simplest way to authenticate an application user on a database table using JAAS.
Since a database table with username/hashed password is probably the most common solution, is there a "provided" LoginModule for this kind of auth?
The JDBCRealm support in Tomcat 6 comes out-of-the-box. This is probably sufficient for most needs. Note that Tomcat also provides the DataSourceRealm to allow for authentication via a JNDI-based JDBC datasource; this is better suited for applications that need a dedicated connection pool to access the authentication data source. Note that the realm implementations support the use of digested/hashed passwords, but not by default. This would require additional configuration via the digest attribute of each realm.
Glassfish also supports authentication of principals using a JDBC realm. Details for creating the realm can be found in the Glassfish Administration Guide. The guide might provide pitiful documentation on the allowed values for managing the realm; you'll find these in a blog post.
If you are looking for ways to manage the underlying users in the realms, then most/all containers do not come with management tools for the same. You would have to write these tools on your own.
Also, if you wish to support digest algorithms not supported by these Realm implementations, or have the implementations work in a different manner (like adding a salt to the password, or locking out users based on a policy), then you'll need to roll your own implementations.
Now, if you wish to use these in your application, this is usually done by specifying the realms in the appropriate deployment descriptor of your application. Assuming this is a web application, you can specify the realm used (for form, basic and digest authentication schemes) in the web.xml file.
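As an added example (not code from the answer above), here is the kind of LoginModule the answer says you have to roll yourself when you want salted hashes: it reads a per-user salt and PBKDF2 hash from a table and verifies the submitted password in constant time. The JNDI name passed as the "dsName" option, the users(username, salt, hash) table layout and the use of com.sun.security.auth.UserPrincipal are assumptions.

```java
import java.security.*;
import java.sql.*;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.naming.InitialContext;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
import javax.sql.DataSource;
import com.sun.security.auth.UserPrincipal;

/** Example LoginModule; the table users(username, salt, hash) and the "dsName" option are assumptions. */
public class DbLoginModule implements LoginModule {
    private Subject subject; private CallbackHandler handler; private boolean authenticated;
    private String dsName, user;   // dsName: JNDI name of the pooled DataSource, e.g. java:comp/env/jdbc/auth

    public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> shared, Map<String, ?> options) {
        this.subject = subject; this.handler = handler; this.dsName = (String) options.get("dsName");
    }

    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("username");
        PasswordCallback pc = new PasswordCallback("password", false);
        try {
            handler.handle(new Callback[] { nc, pc });
            verify(nc.getName(), pc.getPassword());
        } catch (LoginException e) { throw e;          // FailedLoginException raised by verify()
        } catch (Exception e) {                        // JNDI, JDBC, callback or crypto failure: fail closed
            throw new LoginException("Login failed: " + e.getClass().getSimpleName());
        } finally { pc.clearPassword(); }              // do not keep the cleartext password around
        user = nc.getName(); return authenticated = true;
    }

    /** Recomputes PBKDF2 over the submitted password with the stored per-user salt; compares in constant time. */
    private void verify(String name, char[] pw) throws Exception {
        DataSource ds = (DataSource) new InitialContext().lookup(dsName);
        try (Connection c = ds.getConnection(); PreparedStatement ps = c.prepareStatement("SELECT salt, hash FROM users WHERE username = ?")) {
            ps.setString(1, name);                     // bound parameter, never concatenated into the SQL
            ResultSet rs = ps.executeQuery();          // closed together with the statement
            if (!rs.next()) throw new FailedLoginException("Invalid credentials"); // same message as for a bad password
            byte[] expected = rs.getBytes("hash");
            PBEKeySpec spec = new PBEKeySpec(pw, rs.getBytes("salt"), 100_000, expected.length * 8);
            byte[] actual = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
            if (!MessageDigest.isEqual(expected, actual)) throw new FailedLoginException("Invalid credentials");
        }
    }

    public boolean commit() { if (authenticated) subject.getPrincipals().add(new UserPrincipal(user)); return authenticated; }
    public boolean abort()  { return logout(); }
    public boolean logout() { subject.getPrincipals().removeIf(p -> p instanceof UserPrincipal); authenticated = false; return true; }
}
```

The iteration count and output length must match those used when the hashes were stored; a container such as Tomcat's JAASRealm then maps the UserPrincipal to roles through its own configuration.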
I have been going through a lot of documentation to understand what the standard way is (if there is any) in which Java clients authenticate themselves with applications deployed on a server container like WebLogic, JBoss, etc.
After reading the JAAS & JNDI authentication documentation for WebLogic, I am able to understand the flow, but no documentation answers the queries below:
Are JAAS and JNDI the only available methods for authenticating Java clients?
What I have understood so far is that each application server can provide its own abstraction layer to perform authentication, for example OPSS in WebLogic, but eventually they all depend on the native authentication methods available in the JEE framework. Please point out if this assumption is not correct.
The confusion is greatly amplified as some articles mention that JAAS security doesn't exist in JEE. Is that valid for Java 7+ too?
The Oracle WebLogic documentation I have been going through clearly states JNDI & JAAS as the standard authentication approaches, and even goes to the extent of specifying JAAS as being preferred over JNDI authentication.
https://docs.oracle.com/cd/E28280_01/web.1111/e13711/fat_client.htm#SCPRG225/
Here is the clarification I got based on the material I read during the last two days.
Most basic thing: all application servers provide an identity store that can store users & groups. Applications can refer to this identity store when they are deployed on the server.
A Caller or User is an individual named identity defined in an identity store.
https://dzone.com/refcardz/getting-started-java-ee?chapter=1
How do applications execute authentication?
Based on the pure JEE framework, the authentication methods can be classified based on the type of application they secure:
Web Application Authentication
Declarative:
We use either deployment descriptors or annotations to specify these authentication enablers:
a. Which options to use for rendering authentication, i.e. basic (browser popup), custom form, SSL, etc.
b. Which resources (URL patterns) need authentication and authorization.
c. Which users or roles (via groups) are permitted authentication or authorization.
Programmatic
Here we make use of the security methods in the built-in interface HttpServletRequest.
The application (e.g. a servlet) calls the following methods to instigate authentication from within an "unconstrained" resource:
a. request.authenticate(): A login box pops up to collect credentials.
b. request.login(): This method takes login/password without the popup.
c. request.logout(): Resets the user/caller identity.
There are several other methods available that provide more details of the authenticated user, like isUserInRole (whether it is in the given role), getRemoteUser (gives the user name), etc.
EJB Authentication
How are EJBs authenticated?
EJBs can also be secured in the same way as web-based apps, i.e. either with declarative or programmatic security. There are some caveats to this statement, but those are not relevant to the current discussion.
So why do we need JAAS, and what is JAAS?
To appreciate this, let's understand a practical scenario:
An application may have multiple authentication requirements, e.g. password, certificate, authenticating users from multiple security realms, perimeter authentication, etc. Do we have to code so much for every application and type of authentication? It can be cumbersome and complex to create & maintain code for authenticating users based on these different techno-business requirements.
To address the above situation, there has to be a pluggable way of writing code for authentication, wherein developers would only be responsible for mentioning (not coding) which AuthenticationProvider has to be used, and for writing code to call the LoginModule of that particular provider, which eventually has the code to authenticate the given user/caller.
This framework of providing pluggable authentication is called Pluggable Authentication Module in the LDAP world.
JAAS is the Java implementation of the PAM framework. With JAAS, either updated or additional authentication technologies can be plugged in under an application, without modifying the application code as such.
After Authentication, JAAS also enforces authorization.
JEE provides libraries to implement JAAS in applications!
Is JAAS implemented in the same way across different enterprise application servers like WebLogic, JBoss, etc.?
Well, "it can be", "but is usually not" implemented in the same way across different application servers.
This is because each application server may provide its own libraries, which can be used to implement JAAS.
Hope this clarifies the JEE security model to folks who do not have development background.
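The programmatic web authentication described in the answer above, as an added example that is not part of the original post: a servlet that uses request.login(), request.isUserInRole(), request.getRemoteUser() and request.logout() against whatever realm the container has configured. The URL, the parameter names and the "admin" role are assumptions; the call to changeSessionId() requires Servlet 3.1.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

/** Example servlet using the programmatic API; URL, parameter names and the "admin" role are assumptions. */
@WebServlet("/login")
public class ProgrammaticLoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        String user = req.getParameter("user"), password = req.getParameter("password");
        if (user == null || password == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "user and password are required");
            return;
        }
        if (req.getRemoteUser() != null) {            // already authenticated: refuse a silent re-login
            resp.sendError(HttpServletResponse.SC_CONFLICT, "already logged in");
            return;
        }
        try {
            // Validates against the realm configured for this web application; no popup or form is rendered.
            req.login(user, password);
        } catch (ServletException e) {
            // Wrong credentials, or login() not allowed by the configured auth method: one generic message.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "invalid credentials");
            return;
        }
        req.changeSessionId();                         // fresh session id after login defeats session fixation
        resp.setContentType("text/plain");
        resp.getWriter().printf("user=%s admin=%b%n", req.getRemoteUser(), req.isUserInRole("admin"));
    }

    /** Logout: reset the caller identity and drop the session it was bound to. */
    @Override
    protected void doDelete(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        req.logout();
        HttpSession session = req.getSession(false);
        if (session != null) session.invalidate();
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```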
I have several multi-module Spring web applications, each structured like below; each of them is developed separately, with no interconnection.
war
|...webModule
|...coreModule
I want to integrate them with one admin module with security settings.
How can I do that? Are there any frameworks for that?
I went through the OSGi approach, but it involves a lot of migration work. What about component-based (I have never done that)... Can anyone suggest some way to create my integration application which can handle common login & security for the other sub-applications? (I need a single sign-on solution for multiple WARs.)
I strongly advise reading up on the Angular JS and Spring Security series; especially relevant is https://spring.io/blog/2015/01/20/the-resource-server-angular-js-and-spring-security-part-iii
The approach that they describe seems completely viable for you. Key points:
Spring Security uses the HttpSession to store authentication data by default. It doesn’t interact directly with the session though: there’s an abstraction layer (SecurityContextRepository) in between that you can use to change the storage backend.
After authenticating through your admin module you should store your authentication data in a storage accessible to all your other modules, using a session id as the key for the data. You can easily achieve this with the help of Spring Session, where you can use the out-of-the-box supported Redis as your shared storage for authentication data.
Finally, the key will be set inside a custom header of the requests that target other modules, which will use this custom header and a changed session strategy to pull the authentication data from the storage and authenticate the user.
There are quite a few details behind the approach, but the series comes with a sample implementation, so you should be able to find your way.
I developed a LoginModule that implements javax.security.auth.spi.LoginModule, and I use the org.apache.catalina.realm.JAASRealm.
Is there any way to utilize this solution on WebSphere Application Server 8.5?
I read some articles saying that I need to set my LoginModule in WEB_INBOUND. I tried this, and the application starts to request authentication, but the authorization didn't work. I guess it is because the JAASRealm doesn't exist on WAS; is there any similar Realm on WAS? How should I configure that?
One more question: when I configure WEB_INBOUND, the Admin console also uses my LoginModule to authenticate. Can I use my LoginModule only on my application?
Using login modules is a bit complicated, so I usually recommend avoiding that if possible. WAS provides support for some user registries out of the box, like File, LDAP, custom, proprietary DB. Check it out, if it will be sufficient for you. If you need to customize the login process, it is usually easier to use a TAI (trust association interceptor) rather than a login module, as it is easier to program it to be active for certain apps only.
You didn't write what your customization in the login module is, so it's hard to recommend the best solution.
For authorization to work with a login module, you either need to have configured a registry with the groups/users for which you are creating the subject, or assert the full subject in the login module; check the details in the links below.
As to separating administration security (console) from application security: it is fairly easy in the WAS ND (Network Deployment) configuration, where you have a separate server for management (the deployment manager). You just create a separate security domain and assign it to the servers serving your application.
In the Base (single server) configuration, you can't do that, as security settings are per JVM. You could try some workarounds via a separate server or admin agent, but the setup is more complex, and I didn't test that, so I'm speculating.
You may use WSServletRequestCallback or WSAppContextCallback in your LoginModule and do your customizations only for your application.
You can also create a copy of WEB_INBOUND, and customize that copy. But to use it, you would need customized login page/process and invoke that login config programmatically.
See also:
Developing custom login modules for a system login
Configuring inbound identity mapping - see hashtable login here
Invoking JAAS config programmatically
Using TAI for Subject creation
Supported user registries
Multiple security domains
We are looking to use OpenAM/OpenSSO to act as a SSO provider. We need, however, to have OpenAM use our mongo datastore under the hood to manage its authentication needs.
With this in mind, I found this: http://www.badgers-in-foil.co.uk/notes/installing_a_custom_opensso_identity_repository/ which looks promising.
Apparently, this should allow me to add an "Access Manager Repository plugin", but I have since read this:
The Access Manager Repository plugin is also called amSDK or legacy SDK as it provides downward compatibility to work with the existing Sun Access Manager 7.x version deployment identity stores. This repository is tightly coupled with the Oracle DSEE server; hence, will not work with any other LDAP servers.
This makes me wonder whether this is really what I want to create, being as though I don't want to be tied to the Oracle DSEE server (whatever this is).
Basically, where should I be looking to implement a custom identity provider for OpenAM?
For a custom identity repository, specifically, this is likely what you'll want to do:
Develop and Deploy a Custom IdRepo Plugin
https://wikis.forgerock.org/confluence/display/openam/Develop+and+Deploy+a+Custom+IdRepo+Plugin
I'm also doing this for MongoDB; hopefully it will go well. If the logic of your login process is sufficiently unique, then a custom 'Auth' module is necessary. I like keeping the data access layer separate from the auth process, however, rather than having connect statements in the Auth module.
See section 16.3 and beyond in the OpenAM Developer's Guide, http://openam.forgerock.org/doc/dev-guide/index/chap-identity-repo-spi.html
You can write a Custom Authentication Module in OpenAM.
This is an easy way to authenticate users against a custom datastore. You need to configure callbacks (e.g. username/password) which you need to process in a custom-written com.sun.identity.authentication.spi.AMLoginModule. The runtime values for these callbacks will be provided as input to the process method of the login module. Based on those values, you should decide whether the user can be authenticated or not.
I have a connection pool set up in the Tomcat server context.xml (the connection is used by several webapps, so it seems the best place for it).
However, I don't like having passwords hard-coded in the file. Is there any way for me to retrieve the password from elsewhere (a secure password store) and set it programmatically at the time the pooled connections are established?
Thank you
Ryan
I believe you are looking for a Custom Resource Factory; you can code your factory to create a javax.sql.DataSource object or a DBCP (or such) based connection pooling facade object, and have your custom code for getting and setting the username/password for the connection.
Do note that if you're looking for extra security -- the pragmatic way would be to use filesystem security for securing your context.xml file, as adding extra layers (such as your custom implementation of the resource factory) won't make the system more secure, as you still need the password for the secure password store configured somewhere -- you'll end up with the chicken-and-egg problem.
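As an added example (not code from the answer above), a custom resource factory of the kind the answer describes: the <Resource> element omits the password attribute and instead names a file holding it, and the factory injects the password into the Reference before delegating to Tomcat's bundled DBCP 2 factory. The "passwordFile" attribute name and the org.apache.tomcat.dbcp.dbcp2 package (Tomcat 8 and later) are assumptions; as the answer notes, the secret still lives on disk and is protected only by the file permissions on that file.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.spi.ObjectFactory;
import org.apache.tomcat.dbcp.dbcp2.BasicDataSourceFactory;

/**
 * Example factory for a <Resource type="javax.sql.DataSource" factory="...ExternalPasswordDataSourceFactory"
 * passwordFile="/path/to/db.pass" .../> element; the "passwordFile" attribute name is an assumption.
 */
public class ExternalPasswordDataSourceFactory implements ObjectFactory {

    @Override
    public Object getObjectInstance(Object obj, Name name, Context nameCtx, Hashtable<?, ?> env) throws Exception {
        Reference ref = (Reference) obj;                 // carries the attributes of the <Resource> element
        RefAddr fileAddr = ref.get("passwordFile");
        if (fileAddr == null) throw new NamingException("Resource " + name + " lacks a passwordFile attribute");

        // The file should be readable only by the account Tomcat runs as; this is where the secret really lives.
        byte[] raw = Files.readAllBytes(Paths.get((String) fileAddr.getContent()));
        String password = new String(raw, StandardCharsets.UTF_8).trim();

        // Rebuild the Reference without passwordFile, with the password injected, and let DBCP build the pool.
        Reference copy = new Reference(ref.getClassName(), ref.getFactoryClassName(), ref.getFactoryClassLocation());
        for (int i = 0; i < ref.size(); i++) {
            RefAddr addr = ref.get(i);
            String type = addr.getType();
            if (!"passwordFile".equals(type) && !"password".equals(type)) copy.add(addr);
        }
        copy.add(new StringRefAddr("password", password));
        return new BasicDataSourceFactory().getObjectInstance(copy, name, nameCtx, env);
    }
}
```

The same pattern works with any other source for the secret (an environment variable, a vault client) by replacing the file read; everything else about the pool is still configured through the normal DBCP attributes on the <Resource> element.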
You might want to implement a single sign-on for your web application (e.g. using JOSSO). Note that it might be a significant overhead for a small project, but this should solve your problem. Apart from this solution, there are vendor specific applications like Secure External Password Store from Oracle. Another platform dependent example: you can configure PostgreSQL pg_hba.conf. Try the following authentication options:
Authenticate using SSL client certificates.
Authenticate using the Pluggable Authentication Modules (PAM) service provided by the operating system.
Authenticate using an LDAP server.
... and many others
Edit: In one of the projects we used 3DES to encrypt the password. And yes, the key was hardcoded in the application :)