Stormpath and internet - spring-boot

For Stormpath to work, is the internet a must?
I want to implement user management on my Spring Boot server hosted on a LAN, where the internet might not be available at times.
If this is not possible, what other options are possible?

Yes, a connection is required, as user info is stored by Stormpath. If your connection is intermittent, enabling caching could help.

For my use case, where I was avoiding cloud-based user authentication, I used Spring MVC with JPA, and Spring Security with user details stored in my local MySQL database.
The following link is one of the best tutorials I could find on the same topic.
https://medium.com/#gustavo.ponce.ch/spring-boot-spring-mvc-spring-security-mysql-a5d8545d837d#.gwxd1jdkj

Related

How to Configure SSO With Oracle Smartview Using Okta Or Pingfederate?

I am currently working on configuring SSO for the Oracle Smartview client that accesses the Oracle EPM suite of BI tools. A PingFederate SP and an Okta IdP with multiple AD data sources are configured.
I would appreciate it if anyone would share their experience of the approach and configuration steps taken to enable SSO for Smartview.

A quick Google indicates that Smart View can consume a header for a user ID. This allows you to use any standard mechanism for header injection available in your IAM environment. You mentioned PingFederate as your SP. You didn't mention if Smartview is behind any proxy (like Nginx or Apache).
Ping has a number of integration mechanisms for header injection, ranging from the various integration kits in PingFederate (Java, Apache, IIS), as well as PingAccess which is the Ping Identity standard WAM tool.
With all of the options available to you for integration, providing you step by step guidance requires more information. I would suggest a call to your Ping account team.

Keycloak client id strategy for a micro service platform

Hello fellow programmers.
I hope there are some Keycloak experts out there who can help me with my question.
My situation is that we have a microservice platform with ~20 services which in the future should be secured using Keycloak JWT tokens.
The idea is that we offer an interface for our clients where they can register themselves with a password/key pair within one realm, and they should be able to use that account to access all the services through a public facade/API.
Now to the question: how to handle the client id? In all examples each service has its own specific client id. Should this in our case be the client id of the public API/facade which allows the inner services, or is there a better approach to handle this without forcing the user to log in for each service?
Thanks in advance for all help and I hope you are all doing well...
Gerrit
P.S. Maybe to clarify my question further: my current understanding is that for each service I should add a new client to my realm, but my users would then need to get a token for each service/client as each client owns its own secret... and I want my users to be able to use one token for all our services.

So after wrapping my head around this issue and reading the docs:
clients
Clients are entities that can request Keycloak to authenticate a user. Most often, clients are applications and services that want to use Keycloak to secure themselves and provide a single sign-on solution. Clients can also be entities that just want to request identity information or an access token so that they can securely invoke other services on the network that are secured by Keycloak.
I think using one client for my user accounts for the whole platform is the proper way to go.
It would be perfect if one of the Keycloak experts could acknowledge this.

Spring Security OAuth and SSO

Can anyone tell me if it is possible to combine SSO from SPNEGO and Spring Security with OAuth?
This is my problem:
The client I now represent has chosen SPNEGO as their SSO solution.
This requires us to use a full-blown appServer (Liberty) in all scenarios.
At the same time, the knowledge and skills about SPNEGO in the development team are very limited.
Due to issues with creating the keytab files, SPNEGO is only available in the formal test environment and not our local test environment.
This makes it very difficult/time consuming to test and develop due to the long deployment time to the formal test environment.
Now over to my question:
If possible I would like to be able to "log in" to a service in the formal test environment (OAuth2 authentication server?) using SPNEGO SSO and get a token back that I can use in further requests towards my services located locally and/or in any other test environment.
Is this even possible? I have not seen any examples where the authentication server is using another SSO provider to actually authenticate the user.
A different possibility might be to do some sort of redirect from the login service in the test environment, but I fear the SPNEGO token created will only be valid on a server in the same domain.
I'm sorry if this question is confusing or not clear.
My knowledge of this domain (security) is limited and I struggle to get a grasp of how I can test my code locally with security enabled.
Links to any resources on the net that addresses some of these issues will be greatly appreciated.

WebSphere multiple authentication provider

I am looking for some information about using multiple authentication providers with WebSphere Liberty at the same time. The requirement is to have AD (LDAP) auth as the main authentication and, for users not allowed to be listed in AD, a simple database for authentication.
Thanks for any hints.

You can implement a custom user registry to meet these requirements:
http://www-01.ibm.com/support/knowledgecenter/#!/was_beta_liberty/com.ibm.websphere.wlp.nd.multiplatform.doc/ae/twlp_sec_custmr.html
If you're looking for the solution of security domains provided in WAS Classic (the full profile), please open an RFE and be sure to vote for it!
https://www.ibm.com/developerworks/rfe/?BRAND_ID=181

Using LDAP authentication with liquibase

Is it possible to use LDAP authentication with Liquibase?
If not, how have others solved the problem of automating changes to production database schemas using Liquibase (yet still keeping the database credentials secure)?

LDAP is used for server-side authentication. Not all databases support it; for example, MySQL only supports it in its Enterprise version.
Securing the credentials, used by clients like liquibase, falls into two categories:
Protecting data in transit
Protecting credentials at rest
To protect credentials in transit, I'd recommend using a JDBC driver which supports SSL. Some JDBC drivers support this feature, for example MySQL. Another approach is to tunnel the JDBC traffic over an SSH tunnel.
Protecting credentials at rest (in configuration files) is more difficult and depends on how you plan to invoke liquibase. If you're using ANT, I'd suggest using the answer to this question on how to read encrypted property files.
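
Added example (not part of the original answer and not Liquibase's own tooling): a shell check that flags the two exposures the answer names in a liquibase.properties file, a password stored at rest and a JDBC URL that does not require a verified TLS connection. It assumes MySQL Connector/J 8's sslMode URL option and Liquibase 4.4 or later reading LIQUIBASE_COMMAND_* environment variables; the function name, host name and sample files are constructed.

```shell
#!/bin/sh
# Lint a liquibase.properties file for credentials at rest and in transit.
# Assumption: MySQL Connector/J 8 URL syntax. All sample values are constructed.

# Prints one finding per line; prints nothing when the file passes.
check_liquibase_props() {
    props=$1
    # At rest: any non-empty literal password stored in the file.
    if grep -Eq '^[[:space:]]*password[[:space:]]*[=:][[:space:]]*[^[:space:]]' "$props"; then
        echo "password-at-rest"
    fi
    # In transit: the JDBC URL must make the driver verify the server certificate.
    url=$(sed -n 's/^[[:space:]]*url[[:space:]]*[=:][[:space:]]*//p' "$props" | head -n 1)
    case $url in
        *sslMode=VERIFY_CA*|*sslMode=VERIFY_IDENTITY*) ;;
        *) echo "no-verified-tls" ;;
    esac
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# Constructed weak file: plaintext password, TLS switched off.
cat > "$demo_dir/weak.properties" <<'EOF'
changeLogFile=db/changelog.xml
url=jdbc:mysql://db.example.internal:3306/app?useSSL=false
username=liquibase
password=Sup3rSecret
EOF

# Constructed hardened file: no credentials, certificate and host name verified.
cat > "$demo_dir/hardened.properties" <<'EOF'
changeLogFile=db/changelog.xml
url=jdbc:mysql://db.example.internal:3306/app?sslMode=VERIFY_IDENTITY
EOF

weak_findings=$(check_liquibase_props "$demo_dir/weak.properties")
hardened_findings=$(check_liquibase_props "$demo_dir/hardened.properties")
echo "weak: $weak_findings"
echo "hardened: ${hardened_findings:-clean}"

# With the hardened file, the deploy job supplies credentials at run time
# from its secret store instead of the file, for example:
#   LIQUIBASE_COMMAND_USERNAME=... LIQUIBASE_COMMAND_PASSWORD=... \
#     liquibase --defaults-file=hardened.properties update
```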
