I am using GAE Java for a multi-user application. There are multiple users with different roles. Each user can login, do some operations and logout. The business restricts me from using Google User Service and I need to implement my own for authentication and session management.
Can anyone please share with me how should I go about implementing my own user management? I have read its very tricky to implement own user management. Any pointers in terms of best approaches/ design / existing frameworks if any ?
I could see some similar posts but they are for python.
Well, for the production quality authentication and security I finally decided using "Spring-Security". Seems to be the best solution if you are using spring in your application and you can do customizations at finest levels.
Related
I am building a Website where a user can later on register to use some features. I wanted to use Java-Spring boot for Registration and Login now I learned about Keycloak for authorization, I searched the web a bit but could not find anything which helped me in that matter.
So my Question is it possible to use keycloak as a registration/Login form? As far as I know keycloak is used company intern to give the employees users to different services or am I wrong?
Keycloak is a full solution for authentication and authorization. You can register users, login users, change privileges and so on. What I recommend is to use their official docker image to spin up a local instance, and have a look what the admin console offers.
There are too many features to list in an answer here, but I recommend this getting started guide, to maybe give you a better understanding of the basics.
In addition, there is a good Spring Boot integration available, as well as numerous adapters for the countless front-end frameworks.
I am working on providing single sign on feature to the applications I have. I am using CAS for this along with spring. I am able to make it working for all the applications. But one doubt I have is, Is it possible to restrict user for any one application for which he is not having access? I mean is there a way to provide application level authorization using CAS?
Thanks
You can customize CAS to return a complex object including the role of user só then the each APP be responsible for authorization. Herecwe do this using Spring Security
Am developing a web application using Springs. To make a scalability for my application am in need of user management system. In application having different groups each groups having different users.Every user having different roles.
To implement access control mechanism any API's available?
How to assign role for every users?
I think Spring Security domain-acls is a good choice for you. You can take a look at Contacts sample first to decide whether it is fit for you.
I currently work on a Java web application that has relies on a permissions mechanism to manage user content. This of course means that we need to manage users. Our current user management system is an in house system that manage info about users, groups, and user and permissions in an RDBMS. The system works but is a hassle to maintain. I'd like to find a way to simplify things.
It seems that packages to manage users must be commonly used out there on the internet machine given that user management is a core piece of functionality of many web apps. What solution to you use to manage users? It seems that something like the Spring Security package may work, but I'd like to get a handle on what's available before locking myself into Spring Security.
Thanks.
You are looking for something like LDAP or Active Directory to manage your users. You would use Spring Security to apply/enforce your security information that you store in LDAP. Pretty sure you can configure any App Server to use LDAP for basic authentication and authorization features out of the box.
What is the best way to design a user login mechanism using Java? What are the best practices to be followed to architect a secure and robust login mechanism?
What is the difference between JAAS, JNDI and GSSAPI? How do you decide which one to choose?
Single sign on (SSO) is one of hte best practices. Using one set of credentials for authentication (not necessarily authorization) for a group of applications.
Sun's java based open source -- OpenSSO solution is available at https://opensso.dev.java.net/. This includes OpenDS, an open source LDAP server.
few things you need to consider is
1) is it OK to let the user login simultaneously from multiple computers
2) how to mix authentication and authorization info in the same LDAP server
Some patterns in this area can be obtained from the book : http://www.coresecuritypatterns.com/patterns.htm
It depends on your user referential.
You need to be able to connect your login java module with that base. it is is LDAP, you might consider framework like OpenLDAP.
Plus you have to consider what is include in your "login" perimeter: It is is an "habilitation" login process, you need to have more that just the user name, but also other parameters helping your java module to grant him access (its group, which might be in LDAP, but also the kind of action he wants to make, in order to check if he has the required accreditation level)
I really like Spring Security. It's pretty easy to set up if you've got a Spring project, of course, but I've seen parts of it integrated into other implementations.