I need to synchronize users in SAAS, but some clients doesn't want to open the ldap port (389) to access. I already have authenticate the users with SAML, but how would I synchronize the users ?
[Updated] Nor should clients be opening up their LDAP externally to you. Just a bad security practice all around. You'll need to look into providing a REST API (like SFDC or Google or Workday does) for your clients to programmatically manage their own user identities in your system. Much like SAML allows a standards-based authentication method, check out the emerging cloud provisioning standard called SCIM (http://www.simplecloud.info/ if you want to do this in a repeatable manner.
You'll find a lot of big name players involved in SCIM and some 3rd party products already exist (see Ping Identity) that will help you and/or your customers quickly integrate.
HTH.
I am working on a web project, backend is Java & Mysql, the client include web(html5) and app(IOS/Android), I have some doubt in design the account of the system.
There are 3 different types of account:
Shop, shop account will have its own website,
Customer, customer access shop/commodity via app(IOS/Android),
Admin, manage everything of the system.
My basic idea of authentication:
There will be account / role / permission table for sure, because both admin & customer will have quite complex user permission issue, customer also have different permission due to their history behavior.
I have kind decided to use Apache Shiro, due to its simplicity & distributed session.
My question is:
(1) Should I create a single account table or 3 individual account tables.
(2) Any advise on design of 3 tables:
account / role / permission ?
If in your first question you're asking how to design a database schema for three very distinct entities (admin user, customer user and shop owner), I suggest you don't combine them into a single table, because they are different concepts and will likely have different features.
You kind of answered your own question, since "ease of programming" rarely trumps business rules/logic.
Your decision to use an existing security framework, or to roll your own, should be independent of the data model for your core business entities.
If you don't want to use a managed solution like Stormpath, and haven't settled on Shiro yet, check out OACC, an open-source permission-based security framework for Java with support for hierarchical security domains, super users, permission inheritance and impersonation.
It might be a good fit for your project because:
you won't need to clutter your database design with authorization-related aspects
OACC was designed for multi-tenancy application architectures (like your project's "shops")
it allows for impersonation, which is a powerful feature if you need to support customer service representatives without giving them "admin" privileges
[Disclaimer: I am a maintainer and co-developer of OACC]
I suggest you to consider delegating all your user-management needs to Stormpath. With Stormpaht, you do not need to worry about such low-level concerns, all your data is securely managed and stored. Stormpath provides:
User management API with different SDKs: node.js, express, java, rest, python, flask.
Off the shelf Hosted Login: login, registration, and password reset.
Off the shelf ID Site to power Single Sign-On across your applications
API keys for your users, secured with HTTP Basic Auth or OAuth2
Social Login: Facebook, Google, LinkedIn, Github
Integration with Shiro and Spring Security
Integration with Active Directory and LDAP
With Stormpath you will only need to create Groups which will represent your roles. Inside your groups and accounts, you can also create finer-grained concepts like permissions using our flexible Custom Data concept.
As mentioned above, we also support Shiro integration, where you can model all your security needs with Shiro while using Stormpath as the authentication and authorization data provider. Please take a look at our Stormpath Shiro plugin and at our Sample Shiro Web App.
Disclaimer, I am an active Stormpath contributor.
To be short: you don't need role / permission tables :)
I would decide first do you really need RBAC security model? Your application looks like a perfect use case for hexagonal architecture with 3 separate isolated front-end parts: Consumer, Shop, Admin. Then I would advise to build separate authentication/authorization mechanism for each of these front-ends. In this case you are flexible to choose the best tool for the purpose (OAuth2, OpenID, LDAP whatever) and follow least common mechanism security principle. Your application doesn't look like the one which needs authorization on method level, thus you don't need RBAC.
I would design each Java object depending on its individual needs. Get clear about what you have to create. Are there overlappings in the account types? Shall a Shop account be able to buy something like (that is. extend) a Customer, or shall an Admin implement both a Shop and a Customer? Shall the address of a Customer, living in the same street as a Shop is located, change if the Shop reports the street got renamed? Does the phone number’s area code depend on the city?
If your Java objects do their job properly, think about the O/R mapping in a second step. Perhaps it will be even very different from what you may think now (just think of carrier codes in telephone numbers that require inline replacement, Packstation boths, Shops with multiple persons of contact, different address layouts in different countries …).
In general, make sure your address fields properly support UTF-8 for diacritics, greek, cyrillic or arabic addresses.
(1) Should I create a single account table or 3 individual account tables.
Yes, I think you should design a single one, as an account is going to have similar data for all 3 types.
(2) Any advise on design of 3 tables: account / role / permission ?
account: PK account_id int, FK role_id int
role: PK role_id int, account_permission enum(admin [0], customer [1])
You do not need a permission table, you may handle your permission levels in your application code, using composite design pattern, where you can have multiple hierarchical levels of admin or customer permissions. Reason for this is it's better to declare your business logic in your model code rather than database design, database is there to persist data with as optimised and normalised state as possible. I suppose you can then use dependency injection to your composite permission hierarchy depending on customer behaviour, which needs to be held in the database under a table, ie named customer_behaviour, with certain columns "ticked" as they behave certain ways.
Hope this helps.
I have been trying to use Datastore Multitenancy for weeks now. And I can't seem to make it work. Every time I try to run it on my own (computer) server, it does not seem to display anything at all. I have also tried to publish it on the GAE server, but it still does not seem to display.
What I am trying to acheive is to work on a Company Entity with another sub-entity of Users and Data which is not connected to any emails, Oauth, or third party applications. The Company Entity, being the namespace, will separate all the data and users of each company. This way, it will contain users and all its other data without leaks.
I tried to make sure that the application has its own NamespaceFilter Class for the Company Entity. What causes the blank page? (Or maybe the right question is, what am I doing wrong?)
Update:
There are no errors on the code and there are no exceptions whatsoever. However, the JSP pages that I am trying to display is just gone without any information how it does not display.
Multitenancy can only be used with Google Apps. Here is what is stated by Google App Engine on Implementing Multitenancy.
Most App Engine developers will use their Google Apps domain as the current
namespace. Google Apps lets you deploy your app to any domain that you own,
so you can easily use this mechanism to configure different namespaces for
different domains. Then, you can use those separate namespaces to segregate
data across the domains.
Clarification: It is Google Apps that lets you deploy to any domain and use Multitenancy. You need to use Google App Engine API that can make you use Multitenancy. Google Apps and Google App Engine should be connected. By registering Domains to Google Apps, you can use Multitenancy. Therefore, if you use Users, it needs to be registerd with Google Apps.
I am building spring based system where in the requirement is that the users of group A are kept in one set of machines and users of group B are in another set of machines. The servers for group A will hold data for only those groups users and same for the other group. I currently envision a authentication/redirector service (login service) which will redirect users to the correct servers. So the users could all come to login.example.com and be redirected to a.example.com and b.example.com
The thing is that it should be possible to seamlessly migrate a user from group A to group B and if a user wants to belong to group A and B it must be somehow possible.
I have been looking out for OAuth and some "hackey" ways of doing it but would like to know how this problem is handled by others.
If you have an architecture where you have seperate web servers and application servers then you can use the load balancing features of your web server to direct users to the appropriate application server.
Load balancing can be performed on a variety of properties of a HTTP request (it depends on the load balancing software you use) such as a HTTP header, request parameter etc. If you balance on a header value this allows you use a cookie to determine which application server the user is directed to.
This is my suggestion (you might be able to do it in another way)
As you can assign a user to any of those servers I assume
You need a central database to keep your users/passwords.
In that users database you will need another table to define the membership of each user
Use spring security to authenticate user. (you can use different authentication mechanisms here)
in each server add a property file that defines the server number(ID)
inject that resource into your spring context
user declarative authorization in your code to make sure that the user belongs to the same group as the server ID provided in item 4
I currently work on a Java web application that has relies on a permissions mechanism to manage user content. This of course means that we need to manage users. Our current user management system is an in house system that manage info about users, groups, and user and permissions in an RDBMS. The system works but is a hassle to maintain. I'd like to find a way to simplify things.
It seems that packages to manage users must be commonly used out there on the internet machine given that user management is a core piece of functionality of many web apps. What solution to you use to manage users? It seems that something like the Spring Security package may work, but I'd like to get a handle on what's available before locking myself into Spring Security.
Thanks.
You are looking for something like LDAP or Active Directory to manage your users. You would use Spring Security to apply/enforce your security information that you store in LDAP. Pretty sure you can configure any App Server to use LDAP for basic authentication and authorization features out of the box.