Authenticating GeoServer REST calls with certificates? - geoserver

To meet security requirements, our project needs to move our GeoServer credentials(account/password) out of the code base. Is it possible to authenticate REST calls with certificates, or any other method besides account/password credentials?

The answer is 'yes'!
Exactly how requires working out a few details. If all users are required to provide a certificate, you'll likely want to sort that out at the container level (Tomcat, Wildfly, etc).
Once GeoServer has a certificate, you'll likely want to set up a role service to map users to roles.
The docs for GeoServer's security system are great. I've read them multiple times, and I'd strongly encourage checking them out: http://docs.geoserver.org/latest/en/user/security/index.html#security
Since you mentioned certificates, I'd suggest reading this tutorial: http://docs.geoserver.org/latest/en/user/security/tutorials/cert/index.html.
Since you mentioned security REST endpoints, I'd point out
http://docs.geoserver.org/latest/en/user/security/rest.html. I believe some of that configuration can be done through the GeoServer admin UI.
As a note, GeoServer is highly modular; you may need to install a module or two to connect to an LDAP server or modify how the security settings, etc.

Related

Liberty 19.0.0.7 - How to load lpda profile attributes once logged in

I'm currently running on WebSphere Liberty version 19.0.0.7 with ldapRegistry configured. I am able to successfully login using the configured ldap, and I am interested in retrieving the full profile attributes for a logged in user. My first thought was to use WIM client api, but I'm not 100% positive if that is a public api intended to be used for this purpose. I'm also aware that I can retrieve the data via ldap directly and possibly through scim api.
In short, what is the correct api that I should be using to load the profile for the currently logged in user that utilizes the configuration already provided for my ldap registry? With that knowledge, I can take the additional steps to research how to move forward.
Thanks.
As Ryan mentioned above, use the SCIM API.
https://www.ibm.com/support/knowledgecenter/SSEQTP_liberty/com.ibm.websphere.wlp.doc/ae/twlp_sec_scim.html
https://www.ibm.com/support/knowledgecenter/SSEQTP_liberty/com.ibm.websphere.wlp.doc/ae/rwlp_sec_scim_operations.html
The SCIM API requires configuring TLS as well as making the calls with a user who possesses either the reader or administrator role.

Is there any build-in way to take advantage of "tomcat-users.xml" from external server?

I am trying to find out if there is any build-in option on Tomcat to use it's authentication credentials from remote server?
We build some application based on Spring Boot and that application should use authentication based on the credentials configured on another Tomcat server. Ideally I think about some kind of Web Service for the authentication which Tomcat may provide, but as far as I remember there is nothing like that available. Any thoughts on that?
Please don't advise LDAP or dedicated solutions - I can't use them on that particular case.
Thanks!
The components in Tomcat that authenticate users are called Realm, and there's quite a lot of them already implemented. You can find an overview of them, what they do and how to configure them on the Realm documentation page.
Check if any of the other existing ones (some access a database, which might qualify as an external server in your usecase - you judge that for yourself) will suit your needs.
You can even find a realm for LDAP in there if that will ever become an option ;)

Is it possible to set up one SAML spring application as a "man in the middle" to ADFS for other spring applications?

I have managed to integrated the Spring sample application against our ADFS to experiment with SSO just to understand the basics. We currently have 8 different modules all requiring the user to log in. I have been trying to use the sample application as a "relay" to ADFS for SSO, in order to reduce the amount of setup required? Or will I have to go through the same procedure as I did with the sample application and ADFS for all our modules?
If they are different "apps", they are also likely different SPs (or "relying parties") in ADFS.
The key things are: do each of these modules belong to a different security boundary? Can a token for one be used in another? Will user claims be different depending on the module they land on? (e.g. each module has a different expectation of user roles). If any of these are true, then these are different SP. If false, you might get away with having all as the same SP config in ADFS.
ADFS is rather clunky to configure/setup. So I understand your hesitation. Perhaps it's time for a more modern alternative, that does what you were thinking (Your modules -> Intermediary -> ADFS) ... :-)

Mean.IO - how to implement additional OAuth providers

mean.io does a great job of implementing a number of Oauth providers out of the box, unfortunately I want to use Spotify which is not one of them.
Mean.io uses passport which means that it should be as easy as implementing the passport-spotify npm module. However I am having difficulty understanding how mean.io's Oauth comes together. I also am having difficulty finding relevant information on how it works.
I can see that there is a config file in the config folder where the Oauth providers are configured but I can't tell what happens past there.
Is anybody able to point me in the right direction on how to implement an additional OAuth provider with mean.io?
Strategies
Passport has a comprehensive set of over 140 authentication strategies
covering social networking, enterprise integration, API services, and
more. The complete list is available on the wiki.
You might be interested in this one:
https://github.com/JMPerez/passport-spotify

Need suggestions on security design for a web application

i'm designing a security module for a web application using spring security . There are 3 separate wars(3 Apps)using separate login, deployed in a JBOSS Server.
The requirement is , If the user is authenticated in one app then he should be able to access other applications without login . Is it possible to share the security context between the web application( different wars not in a single EAR ).
We discussed about the SSO , but we are trying to achieve this with spring security and with support of the App server . Is there any way ? Please provide your valuable suggestions and inputs.
If you need more information, please let me know.
The easiest way is to employ usual Spring Security authentication (e.g. form-based with username/password) and enable the remember-me feature.
As long as all three applications are deployed on the same domain (and can therefore share their cookies), the remember-me feature will work seamlessly for all of them, i.e. once user authenticates at any of the applications she will be able to access the others without need for re-authentication.
This of course doesn't address issues like single logout, but that doesn't seem to be your aim anyway.
You can set this up in a short time and don't need and third party SSO components. Although relaying on standard SSO protocols and dedicated technologies tends to be a more secure option.
I've done this recently with SSO and Spring Security however I wrote our own security filter to be used which grabs the HttpServletRequest.getRemoteUser() value provided by the SPNEGO filter. One thing with SSO: most mechanisms use Kerberos which only really works in local desktop environments. It is possible to write a fallback mechanism which will redirect the user to a login page but then you still have your issue at hand.
Another option would be to repackage your applications as an EAR (see here).

Resources