A user is accessing a restricted web application with JAAS (on Glassfish 2.1). LDAPRealm is used, and authentication is successfully performed from LDAP. A password policy should be installed for the users, so that they are forced to change passwords, have passwords of certain complexity/length, password failures and last N passwords should be checked. Password policy of LDAP server used (OpenDS) supports all this, but it is not obvious at all how to receive this kind of information in JAAS FORM login we are using, so that the information (i.e. "Please change you password") can be displayed to the user.
Do you have any ideas how to go about implementing this? Using database only is not an option, users need to be in LDAP. What is not obvious is whether to use LDAP password policies at all, or have it all programmed in our web application. I would like to avoid this and use LDAP's native password policies.
Thank you for answers and best regards,
Bozo
Unfortunately, what you can do using JAAS is kind of constrained to a small set of operations that any login system can support. While LDAP supports a password policy, other login systems (eg keystores) may not, so JAAS cannot have code that requires this.
Hence, you'll have to talk to the LDAP server directly using either JNDI or possibly this library from Novell.
Got it. Have to use a SAM, since you cannot receive LoginException (with reason of login failure) in the existing auth mechanisms in Glassfish.
Answer is here: How to override j_security_check in glassfish?
Related
We're planning to implement SSO using http://spnego.sourceforge.net/ on our web application. I've tried the sample projects in http://spnego.sourceforge.net/ and it worked well (helloKDC.java and hello_spnego.jsp).
My question is, after authenticating the user successfully using SPNEGO, how can this user be login automatically to our web application? I know, that request.getRemoteUser() returns the client's windows username, but how about the client's windows password? If my understanding is correct, SPNEGO uses tokens instead of passwords?
Note: This question is somewhat similar to Java SSO using SPNEGO but unfortunately, no accepted answer on that.
Your understanding is correct, SPNEGO uses tokens instead of passwords. As to your first question, regarding how can user login automatically to web application, you have to create a Kerberos keytab and then copy it to your application server (and configure it to look at the keytab) in order to decrypt the SPNEGO token to "tell" who the user is. Once a keytab is in place, logins to your web server using Kerberos SSO will then occur automatically. Otherwise the token will just look like scrambled bits to your application and SSO authentication will fail. Note you will never be able to see the password - there is no request.getPassword(). In SPNEGO/Kerberos, the password is never revealed or exposed to anyone, not to the application server and not even to the Kerberos KDC itself, so it is impossible to grab the password in any way when using SPNEGO/Kerberos. That's one of the beauties of Kerberos. For additional reference, you can read more from my technical article on how to create Kerberos keytabs here: Kerberos Keytabs – Explained.
I have two applications. One is running on IIS and second is on Tomcat. Both the applications are authenticating users through active directory. Currently users have to provide their domain, username and password in both the application separately in order to use them.
What I want is - if user logs in Tomcat application using AD details then we will show a button in the application which will open our IIS application in other tab of browser (already done) and in that IIS application this user don't need to login using AD details again (it should be logged in automatically). As he has already used same account to login in another application (Tomcat application).
Is this possible? if yes, please tell me how can I achieve this.
You want Kerberos. Builtin into IIS, Available for Tomcat: http://tomcatspnegoad.sourceforge.net/ (Yes, I am the author of that and it works great in multidomain environment.)
Best to think along some slightly different lines than you currently do:
Attempt to authenticate both Tomcat as well as IIS to a common SSO system - rather than just from one to the other. SSO systems are specifically made to allow this. Neat side effect is that these systems are single-purpose, relatively easy to monitor/protect and they'll be the only ones in touch with your passwords - no application that is using SSO for sign-on needs to know any user's password. So you can't loose any password.
Whatever route you go (Michael-O has suggested Kerberos, I'm not recommending any specific product or protocol), don't try to provide one system's password to the other system. This would inherently introduce security issues.
I know that CAS is a single sign-on protocol for the web. Its purpose is to permit a user to access multiple applications while providing their credentials (such as userid and password) only once. It also allows web applications to authenticate users without gaining access to a user's security credentials, such as a password.
So, How can i use Jasig CAS server for android mobile applications ? some guidelines would be very useful!
Actually there exist two ways of doing this, each of them has some drawbacks.
1) Expose the REST interface (here you'll find a simple JAVA client that consumes them and a iOS sample how to use it on a mobile)
The problem here is that if somebody downloads your application from the store and checks the network traffic in it (or simply decomposes it) he'll find the calls you make. With this he could create an APP that does the same as you do, and log the passwords entered by the users (like a man-in-the-middle attack)
2) Open the real website in a web view inside your APP
You'll need to create a modle login page, or a responsive one on your CAS server so that it looks nice. Obviously even here somebody could theoretically copy your APP and the Website on your CAS fake both to look like your APP grab the username and password and send it in background to your CAS to give to the user the impression that everything went right but it is much more complex.
However even here u'll need to tweak the CAS; CAS is designed to accept a login for a service to which it would redirect after successful login. Therefore in this case you'll need to add a fake service to the CAS configuration and check if the webview will redirect to it. when that happens u'll find the TGT in the CASTGC cookie.
In our first APPs we used the REST version, but then as we use our CAS for websites too we wanted to restrict the REST access only to other servers in the facility, so we came up with the second solution which seems to fit better, but overall CAS seems not to be prepared for mobile APPs
You can set up CAS in order to expose REST service, this allow to validate credentials.
Documentation: https://wiki.jasig.org/display/casum/restful+api
We have Windows Active Directory, where all users are registered and use to login in Windows.
We have an Apache server configured to use LDAP to authenticate users in that Active Directory. It's setup so that, in PHP, all we have to do is call $_SERVER['REMOTE_USER']. Browser verifies user login in Windows and sends this data to Apache, which talks to LDAP to verify authentication. When LDAP authenticates, that code returns user's login, otherwise it returns null.
This way we can safely and easily authenticate users inside PHP and use their AD login to control access to our softwares. Another advantage is that we don't need a login page and not even have to handle passwords in variables: authentication is handled transparently to users and they are automatically logged to our softwares all the time, and their password never comes into our code.
I'd like to do the same thing with Servlet. I see no reason for it not happen if it works with PHP. But I can't find how to do it. I googled but couldn't find anything. Has anybody done something like that and could point me a way?
Standard authentication with login and password is working in Java. If I have domain, login and password, (that in Servlet would come from a login page) I can authenticate any user.
What you're looking to do is plug a SSO provider into your web app. There are several options, you will have to do your own research into what will work best in your environment. You might want to investigate the following security frameworks, which all enable SSO:
Apache Shiro
Spring Security
JCIFS
There are also commercial products like CA SiteMinder that do the same thing.
the HttpServletRequest object you have in the doGet and doPost methods on the servlet has the equivalent of PHP $_SERVER['REMOTE_USER'], it is called getRemoteUser().
Your post is tagged as Tomcat. You could add a "realm" in tomcat to do the Authentication.
I have no idea how you can not prompt for a password unless you are using some sort of SASL plugin to verify the user against LDAP.
$_SERVER['REMOTE_USER'] implies you are using "HTTP Authentication" header which would (AFIK) require a popup for the credentials. Perhaps this is transparent if only using IE against a Windows server.
There is an example of how to configure tomcat
I’m looking for a bit of feedback on the practice of requesting users to authenticate to an intranet based web app by entering their AD credentials directly in form fields. For example, using domain\username and password fields as opposed to using the native browser based challenge window for integrated authentication. In the form based example, credentials are passed to the application in plain text and it’s essentially up to the integrity of the application to handle the data appropriately. It seems to me this is the equivalent of entering my Open ID credentials directly into a host app on the Internet.
So my questions are:
Is there any best practice guidance on authenticating to a custom web app (assume predominantly .NET / Java stacks) in an AD environment?
Can you think of any legitimate circumstances where this is really necessary?
Is this a legitimate concern or am I just being paranoid?!
In a highly secure environment, users would be encouraged to only enter their credentials when using the Secure Attention Sequence CTRL-ALT-DEL, which is designed so that it can't be intercepted by applications.
So in such an environment, even the browser challenge window for authentication would be suspect. Instead you would log on locally using the same AD credentials as you need to access the website, and would be authenticated without needing to be prompted.
I'd say entering AD credentials in form fields is extremely suspect if the credentials can also be used for access to other sensitive resources. Even if the app developers are well-intentioned, it is an unnecessary security hole. For example, anyone who has write access to the web directory can easily replace the login form and capture credentials.
If it's a browser based application, why wouldn't you just enable Windows authentication in your web.config (not sure what the equivalent is in the Java world, sorry) and let the browser handle authentication.
Otherwise, I'd say if you do this over a secure transport (SSL) then you should be ok. Microsoft's own products often use form fields to submit AD credentials (I know Outlook Web Access and Internet Security & Acceleration Server both do this).
The best approach is to use Kerberos tokens instead of an encrypted username/password.
This open source library, http://spnego.sourceforge.net, will allow your java web apps to perform integrated windows authentication using Kerberos tokens.
The library is installed as a servlet filter so you will not have to write any code.