Enable Grizzly to perform JaaS simple HTTP AUTH - java

How can I make Grizzly HTTP server allow JaaS for simple HTTP AUTH?
I can't see any code/sample out there: There's another post here in StackOverflow that directly assumes that jaaS is available in Grizzly, but doesn't explain how to add it.

I don't think the Grizzly HTTP server provides basic auth 'out of the box'. If you do not want to use a full-blown implementation like glassfish, you can implement your own filter and add it to the list of grizzly filters. Here is an example of how to extract the login data via HTTP basic auth and how to integrate it in JAAS objects within the grizzly context. But it requires a significant amount of coding.
http://java.net/projects/jersey/sources/svn/content/trunk/jersey/samples/https-clientserver-grizzly/src/main/java/com/sun/jersey/samples/https_grizzly/auth/SecurityFilter.java?rev=5160
Hope that helps.

Related

Apache Camel + CXF endpoint authenticatiion

i need to secure simple rest service in Camel, like these
<cxf:rsServer id="usrServer" address="${host}"
serviceClass="..."
loggingFeatureEnabled="true" loggingSizeLimit="20"/>
but i have no idea how to enable authentication on this endpoint, for examle Digest authentication.
You have essentially two ways of achieving this:
Configure your apache-camel runtime container to handle the authentication i.e. if you are deploying to Tomcat then configure Tomcat to handle the Digest authentication. ServiceMix and Karaf will use the OSGI PAX web server which will need to be configured.
To secure your CXF REST service please review the CXF documentation around REST service security
There's somes ways to secure a rest service and in my opinion it doesn't depends on Camel.
For example, you want to allow access to the service event if the client is not logged. So you have to check his information in the body of you service.
That's one way.
One other way, is to use authentication (by login/pwd, token, etc...). That force to have 1 request to obtain your credentials, and 1 request to the service you want.
So, it you want to use Digest authentication, why not. But you have to configure it in your web server, not on the rest service configuration.
Here are a link for apache : http://httpd.apache.org/docs/2.2/fr/mod/mod_auth_digest.html
and a like for tomcat http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html
I'm not very used to security, so i don't know if it's help.
cheers

SSO between Webapp and REST API using apache shiro

I'm trying to set up a SSO between a webapp and a REST API, to do this I'm using Apache Shiro + Jasig CAS but now I'm having a problem related to the authentication of the REST API.
I'm using CASRealm + CASFilter in the Webapp and trying to use the session created there to access the REST API, I've tried 2 approaches:
propagating the CAS service ticket from the webapp to the REST API through the request header (does not work, it says the service ticket is invalid because it belongs to another app, maybe the TGT would work)
store the username and password in the webapp and use them in http basic authentication (this might be a big security flaw, I'm trying to avoid it)
What other approach can I use to authenticate the user in the REST API?
I guess this is mainly an architecture issue.
Please ask questions if you didn't understand my question (or my english)
It looks like you want to use the first CAS service as a proxy for your REST API: you could use the CAS proxy mechanism: https://wiki.jasig.org/display/CAS/Proxy+CAS+Walkthrough. Though, the proxy support is not available in the Shiro CAS module, you should use the buji-pac4j extension, here is a good discussion on this topic: http://shiro-user.582556.n2.nabble.com/Shiro-cas-proxying-td7579694.html.
You can enable the OAuth2.0 configuration on CAS and then u can secure your REST services with the oauth2.0. For example u can have a rest service with oauth for user authentication. Here some usefull links.
OAuth configuration
Securing REST
OAuth and REST

Can I use FORM and BASIC authentication together in my Java webapp?

Is there any way to use FORM and BASIC authentication together in my webapplication? I have a RESTful interface in it and I'd like to allow scripts to use it with the simple BASIC auth method but I'd like to have the FORM based auth for web clients as well. I'd like the webapp respond with 302 Moved Temporarily redirecting to the login page for unauthorized requests, but if it finds that the client is sending the BASIC authentication's HTTP headers with username and password, then accept them just like in BASIC authentication.
I see that this is not possible with a single web.xml configuration but wondered if anyone else has some solution for this.
Can you use a filter?
Inspect the request for your headers. If present do the login process and add session data etc. to the request. If it fails then either ignore it or redirect.
If I configured container auth then my code was never invoked without authentication. So the answer is no. Jenkinks CI and similar software use FORM based authentication for a restricted set of web resources and make use of Spring Security where things are more flexible.

REST HTTP Authentication - How?

So, I'm developing a REST webservice using RESTeasy and Google App Engine. My question isn't related to GAE, but I mentioned it just in case it matters. It happens that naturally I need to secure my resources and my own users (not Google's).
Securing a REST webservice seems like a very controversial subject, or at least a very 'liberal' one. REST doesn't impose any standard on this matter. From what I've researched on the web and literature, there are at least 3 approaches that I think might fit in my application:
HTTP Basic (with SSL)
HTTP Digest (with SSL)
OAuth
OAuth seems like the most complete approach. But I don't think that such a complexity is needed because I will not need to authorize any 3rd party applications. It is a webservice to be consumed by my own client applications only.
HTTP Basic and HTTP Digest appear as the most simple ones on the web, but the fact is that I've never found a concrete implementation of them using RESTeasy, for example.
I've found this page and this one in RESTeasy's documentation. They are indeed very interesting, but they tell little or nothing on this subject (HTTP Basic or Digest).
So, here I am asking:
How do I secure my WebService using HTTP Basic or Digest in RESTeasy?
Perhaps it is so simple that it isn't worth mentioning in the documentation or anywhere else?
Also, if anyone can provide me some insight on the matter of securing RESTful webservices, it could be helpful.
Am I choosing the right approaches?
The simplest way to secure a REST API is to use HTTP Basic authentication over SSL. Since the headers are encrypted there is not much point of using Digest. This should work great as long as you can keep the password secure on the client(s).
I've managed to accomplish this by using RESTeasy's Interceptors.
Basically the requests are intercepted by using a listener like class. In this class I inspect for the request's HTTP headers and then the normal Basic-Auth process goes on.
Useful links:
http://en.wikipedia.org/wiki/Basic_access_authentication
Passing parameters in the message header with a REST API
http://www.alemoi.com/dev/httpaccess/ (the Servlet part)
I hope this helps anyone.
Thanks.
you will definitely face a security risk when using any authentication method without SSL.
but if you did use SSL, you will usually suffer from a poor performance.
Oauth is actually a solution to allow 3rd party to obtain access to your webservices.
due to the limited selection, my solution to a current webservices that require authentication used the combination of SSL+basic
You might look at using OAuth 2. It is significantly simpler then OAuth 1 and is actively being used on large REST API by Facebook and Google.

Authentication in Apache Jersey without using Http-Authentication?

I am building a RESTful Webservice using Apache Jersey. Now I want that you need an authentication for some requests to it. Using the typical REST-approach the Authentication should be done via HTTP-Authentication. But a post here mentions that a better way how this can be done is by using cookies. I think there are some valid points in the discussion. (How) Can I make my Jersey Authentication work with Cookies? Do I need another framework for it?
Jersey uses the authentication mechanism declared in the enclosing web application's web.xml, practically either HTTP Authentication (over SSL) or Form-based Cookie authentication.
If you want to used cookie-based session authentication, users must authenticate with the web service first to create a session which can be used to check their identity for future calls. The servlet spec provides a standardized way to authenticate using cookies and session using a web form, which however, is not compatible to a web service type of application. So you would probably want to cook up some custom solution to let users submit their credentials via POSTing an XML or JSON document. A problem with this method is that if a user performs a call to a resource without first authenticating or after the session has expired, they will need to be redirected or receive some type of error code. Not impossible but it adds complexity to your web service.
At this point you have to wonder if using HTTP Auth is not the better choice for web service style apps. We recently built a web service using Jersey and HTTP Auth as the authentication mechanism. We then build a Javascript front end on top of it. The Javascript client always submits the Authentication headers to the web service so that the user is never confronted with the HTTP Auth authentication window from the browser. Perhaps the best of both worlds.

Categories