I am building a Spring-based system wherein the requirement is that the users of group A are kept on one set of machines and users of group B are on another set of machines. The servers for group A will hold data for only that group's users, and the same for the other group. I currently envision an authentication/redirector service (login service) which will redirect users to the correct servers. So the users could all come to login.example.com and be redirected to a.example.com and b.example.com.
The thing is that it should be possible to seamlessly migrate a user from group A to group B and if a user wants to belong to group A and B it must be somehow possible.
I have been looking at OAuth and some "hacky" ways of doing it but would like to know how this problem is handled by others.
If you have an architecture where you have separate web servers and application servers, then you can use the load balancing features of your web server to direct users to the appropriate application server.
Load balancing can be performed on a variety of properties of an HTTP request (it depends on the load balancing software you use) such as an HTTP header, request parameter etc. If you balance on a header value, this allows you to use a cookie to determine which application server the user is directed to.
This is my suggestion (you might be able to do it in another way).
As you can assign a user to any of those servers, I assume:
1. You need a central database to keep your users/passwords.
2. In that users database you will need another table to define the membership of each user.
3. Use Spring Security to authenticate the user (you can use different authentication mechanisms here).
4. In each server add a property file that defines the server number (ID).
5. Inject that resource into your Spring context.
6. Use declarative authorization in your code to make sure that the user belongs to the same group as the server ID provided in item 4.
I have been trying to read through existing information about this topic. I even installed a KeyCloak server locally, configured the realm and the client, and used Postman to send some requests to KeyCloak, and received some JSON responses.
My problem is that - unless I misunderstand something - none of the descriptions seem to fit my goals.
Our application already has user management and we rely on user identity and roles / access rights configured in the system. The backend runs inside Tomcat and we run a Polymer 1.0 / JavaScript frontend to call the REST services of our backend. I cannot get rid of user management as our DB is highly dependent on user-to-object assignment when deciding the scope of the objects for which the particular user is responsible.
All we need is an extension of our system by the possibility of foreign authentications (like social logins) in the future.
We now have an explicit login that delivers a session cookie, Servlet filters to check the presence of this cookie, etc. In the server we use the login token / user identity in each REST call to filter the results from the DB to those available to the particular user.
What I need is a flow like:
1. In the frontend we check if we have an active session (existing code).
2. If not, so far we redirected the user to our own login page, logged in, created the session cookie on the server and then returned it. On the client side we saved this and added it to every REST request as the authorization token.
3. Now with OIDC I'd like to insert a new unprotected query that checks if OIDC is configured. If not, we keep the old solution. If yes, I'd like to get redirected to the KeyCloak login, and (this is the most important for me) I'd like to get back the user identity (or some role that we associate administratively with the user), using which I could identify one of our configured users.
I tried experimenting with the Tomcat solution but that simply blindly hides the authentication procedure and merely allows or blocks REST access to the backend resources. This is not enough for me, I need some kind of user identity which I can use in the server side.
Also, a JavaScript solution only provides communication between the frontend and KeyCloak, but we need the backend to know who has logged in.
I think this topic and all the lingo used is too complicated for me. Could anyone give me some easy advice on how to solve this with best practices?
Thank you very much.
I have a web service which authenticates a user, and if successful gives them a JSON Web Token which they can use to persist their session.
Currently I only have one server, but would ideally like to increase that to two or more for the sake of performance, however I'm unsure as to how that'll work with different servers as they'll have different instances of maintaining who is currently logged in.
For example, my service will examine the JWT the client returns, and (assuming it's a good token), will take the user ID and session and check if there is a user logged in with that session ID.
However, if, for example, the middleware that precedes the web service layer determines that the server the user initially logged in to is currently unavailable and routes the request to a different server instance of the web service, how is the authentication controller meant to evaluate if the request is valid?
A very basic version of my service can be found below, with the black arrows representing ordinary communication, and the red arrows representing communication in the event that Layer One decides to route the request to Instance Two.
Layer One, in essence, is very basic and doesn't really do anything other than route traffic to the next layer depending on the availability of the Layer Two instances.
One of the main advantages of JWT is that it does not need server storage because it is self-contained and stateless. If you need server sessions, maybe JWT is not your best option to manage authentication. See "Stop using JWT for sessions".
Currently, application servers use the session ID to manage load balancing and redirection to the server that stores the user session, including persistent storage and migration of sessions. Using a JWT you won't benefit from these characteristics.
Use JWT if you need a stateless REST endpoint with authentication or you need to exchange data securely between parties.
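As an added example (not code from either poster), the stateless property described above, carried through in plain Python: every instance behind Layer One holds the same signing key, so Instance Two can accept a token that Instance One issued without consulting any "who is logged in" state. The key, claim names and timestamps are constructed sample values.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed sample key; every instance behind the load balancer must hold the same one,
# which is what lets Instance Two accept a token issued by Instance One.
SHARED_SECRET = b"constructed-demo-key-use-a-long-random-secret"

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _json_segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))

def issue_token(user_id: str, ttl_seconds: int, now: int, key: bytes = SHARED_SECRET) -> str:
    """HS256 JWT carrying the user id and an expiry; nothing is written to a session store."""
    header = _json_segment({"alg": "HS256", "typ": "JWT"})
    payload = _json_segment({"sub": user_id, "iat": now, "exp": now + ttl_seconds})
    signature = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"

def verify_token(token: str, now: int, key: bytes = SHARED_SECRET):
    """Return the claims if the token is authentic and unexpired, else None.

    Any instance holding the key can run this; no lookup of "who is logged in" is needed.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, binascii.Error):
        return None
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return None
    # Pin the algorithm instead of trusting whatever the token header claims.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None
    return claims
```

Because there is no server-side session, logging a user out early needs a short token lifetime or an explicit revocation list, which is the trade-off the linked article discusses.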
I have created one group on the WebLogic server; now I want to add users to that group (they are configured on an LDAP server).
How can I achieve this? Or is there any way I can get a list of all LDAP users or groups through some Java code?
You're actually making life harder for yourself than it needs to be here.
A user's group memberships should be defined in the same security realm as the user themselves; you can't get part of the subject from one place and part of it from the other, at least not without creating a custom security provider as far as I'm aware, and that's way more effort than it's worth.
If the users are defined in an external LDAP server, this is where the group membership should also be configured.
A possible alternative depending on what you're securing would be to use role-based security configuration, but even then you still want something to determine membership in a role, and that should typically be a group.
Security configuration should always be based on groups rather than users, otherwise maintenance will become very painful.
I want to allow my company’s customers to integrate our Google App Engine application into their domains. For example, let’s say one customer owns the domain coolcustomer.com and wants to make our app accessible at service.coolcustomer.com.
This article discusses how to set up multi-tenancy internally, but does not mention how to associate client domains with an app.
Ideally, I’d like to allow customers to associate a sub-domain in a self-service manner. This, of course, brings up the issue of validating that the customer has permission to add a sub-domain to a domain name.
What is the best approach to accomplish this?
The customer will add your application as a service via their Google Apps control panel. Some of the details are outlined here.
To handle multi-tenancy you will probably want to use the server host name. From the host name, you'll be able to get the domain name to use for your namespace.
You'll have to handle validating the domain is a valid customer in your app. I would probably let them register, then provide instructions for setting up the Google Apps mapping.
If you want to allow them to login using Google Apps accounts tied to their domain you'll need to use OpenID (federated login).
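An added example (not from the original answer) of the host-name-to-namespace step above, with the validation the answer asks for: the Host header is attacker-controlled, so it is normalized, checked against DNS-name syntax, and only a domain already registered as a customer selects a namespace. The registry, namespace names and the "service" label are constructed assumptions.

```python
import re

# Constructed registry: customer domain -> datastore namespace. In the real app this comes
# from the tenant records created when the customer registered.
REGISTERED_TENANTS = {
    "coolcustomer.com": "ns-coolcustomer",
    "othercorp.example": "ns-othercorp",
}

# Two or more DNS labels of letters, digits and hyphens; nothing else is a host name we serve.
_HOSTNAME_RE = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)+$"
)

def normalize_host(host_header: str):
    """Lower-case, drop an optional port and trailing dot, reject anything that is not a DNS name."""
    host = host_header.strip().lower()
    if host.startswith("["):  # IPv6 literal: never a customer domain
        return None
    host = host.split(":", 1)[0].rstrip(".")
    return host if _HOSTNAME_RE.match(host) else None

def namespace_for_host(host_header: str, service_label: str = "service"):
    """Map service.<customer-domain> to that customer's namespace, or None when unregistered."""
    host = normalize_host(host_header)
    if host is None:
        return None
    label, _, domain = host.partition(".")
    if label != service_label or not domain:
        return None
    # Only a domain the customer registered (and you validated) may select a namespace;
    # falling back to a default namespace here would let one tenant read another's data.
    return REGISTERED_TENANTS.get(domain)
```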
I'm interested in the best practices of using LDAP authentication in a Java-based web application. In my app I don't want to store username/password, only some IDs. But I want to retrieve additional information (name, last name) if any exists in an LDAP catalog.
My team uses LDAP as a standard way of authentication. Basically, we treat LDAP as any other database.
To add a user to the application, you have to pick one from LDAP or create it in LDAP; when a user is deleted from the application, it stays in LDAP but has no access to the application.
You basically need to store only the LDAP username locally. You can either read LDAP data (e-mail, department etc.) from LDAP each time, or pull it into the application in some way, though reading it from LDAP is probably simpler and smarter since LDAP data can change. Of course, if you need reporting or use LDAP data extensively, you might want to pull it from LDAP (manually or with a batch task).
The nice thing is that once a user is disabled in LDAP, it's disabled in all applications at once; also, a user has the same credentials in all applications. In a corporate environment, with a bunch of internal applications, this is a major plus. Don't use LDAP for the users of only one application; there are no real benefits in that scenario.
For general best practices with LDAP, see "LDAP: Programming practices".
If you have more than one web-based application and want to use LDAP authentication, then a prepackaged single sign-on solution might be better than creating your own LDAP authentication. CAS supports LDAP authentication and can pull back the data you need for your application.
At my college we actually have implemented CAS as a single sign-on against our Active Directory server. We also utilize CAS to authenticate our J2EE applications and are working on using CAS to authenticate our PHP applications.
We use AD to hold the users for the domain. There are certain OUs based on the type of user. The users each have a unique ID which happens to be their student/employee ID, so applications can use that as a primary key in their databases. We have a database-driven authorization method for our PHP applications. Authorization for the J2EE application comes from a value in LDAP.
Good luck with your application.
So, you want the user to enter an ID only, and then grab the rest of their info from LDAP? That's quite easy.
1. Create an InitialLdapContext and connect to LDAP.
2. Do a search for the ID (it should be stored as some attribute value), e.g. (&(userid=john)(objectClass=user)), which means "userid=john AND objectClass=user".
3. The SearchResult object would contain all attributes (or the ones you asked for).
Some LDAP implementations (notably MS Active Directory LDAP) do not let you connect as an anonymous user. For those you need to have a technical userid/password to connect.
As said above, LDAP normally makes sense when you have many applications.
P.S. For a feeling of what LDAP is, try Apache Directory Studio.
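An added example (not the answerer's code) around step 2 above: the user-typed ID goes into the search filter, so it must be escaped per RFC 4515 before the filter is assembled, and the lookup should resolve to exactly one entry before its attributes are trusted as the user's profile. The attribute names and the sample entry are constructed; a real SearchResult would supply the attribute map.

```python
# RFC 4515 escapes for the characters that carry meaning inside an LDAP filter assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it is matched literally, never parsed as filter syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_user_filter(user_id: str, id_attribute: str = "userid", object_class: str = "user") -> str:
    """The filter from the answer, (&(userid=john)(objectClass=user)), with the ID escaped."""
    return (
        f"(&({id_attribute}={escape_filter_value(user_id)})"
        f"(objectClass={escape_filter_value(object_class)}))"
    )

def single_entry(search_results: list) -> dict:
    """The ID is only usable as a key if the search yields exactly one entry."""
    if len(search_results) != 1:
        raise LookupError(f"expected exactly one LDAP entry, got {len(search_results)}")
    return search_results[0]

def profile_from_entry(entry: dict, wanted=("givenName", "sn", "mail")) -> dict:
    """Keep only the attributes the application needs (name, last name, e-mail)."""
    return {attr: entry[attr] for attr in wanted if attr in entry}

# Constructed stand-in for one SearchResult's attribute map (hypothetical values).
CONSTRUCTED_ENTRY = {
    "userid": "john",
    "givenName": "John",
    "sn": "Doe",
    "mail": "john@example.com",
    "department": "Engineering",
}
```

Binding with the technical account mentioned above should be done with a read-only directory account, and the user's own password is never stored locally, matching the question's requirement to keep only IDs.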