Single authentication for multiple grails projects - session

So, I have multiple grails apps, but I'd like to package them into a single mega app that manages user login, permissions, which appscan they access, etc. I can already links to the other apps depending on the logged in users role.
I'm using Spring Security with all of the apps, and they already share a database for users and roles. The problem I'm having is that I want the users to be instantly logged in on all of the apps when they log in into the "mega app", I want them all to share a login session.
Right now, I have a login for the users to access the "mega app" where they are linked to the other apps, but they have to manually log in again for each of the different grails apps they are linked to. And I don't like this, I want all apps to share a session, atleast for login. Any way to do this?
Having all the source from all the apps inside one single grails project is not a possibility here, it would be too heavy and some users don't even install all of the apps, since this is installed on their own private servers for them to use in their own local network. Also, login sessions time out after a while of not being used, making the problem even worse.
Help would be greatly appreciated, thank you in advance.

The spring-security-cas plugin is one option; it uses the open source CAS single sign-on server to let you authenticate to any server and be automatically authenticated on all of the others.

Related

Use same user credentials on multiple different Laravel install?

tl;dr: trying to use one app's user credentials on different other apps. Tried a solution, but I have hit a roadblock and looking for better ideas.
--
Say I have 3 different laravel 5.4 installation, and let's call them "App1", "App2", and "App3". Those 3 apps have completely different functions, and they could be used by the same users.
At the moment, the users are using App1, and their login credentials and information is resting in App1's database.
App2 is located on the same private network as app one, so when I wanted to give the users of App1 the ability to login App2 with their existing credentials, I went this way:
Created a database connection in App2 that points to App1's database, using the private IP address of App1;
Used this new connection on the User model of App2 and bam, it worked.
But now I want to offer the same possibility with App3, but it's not located within the same network and I'm starting to see the shortcomings of my actual solution.
I could of course open the database connection of App1 to App3 specific IP address and keep the current setup, but I feel it's getting messy, and I guess it could be a security risk (I'm not knowledgable enough in this area to really know).
Then I'm thinking : API? Maybe Passport? Is this actually a road I should (and could) consider? If so, what would be an easy way to achieve it?
You might wanna look into a SAML solution that would allow you to share credentials across multiple apps and domains.
You can either use this Laravel package or use vanilla php-saml

Heroku account sharing

We have several developers, working on the same application (to be deployed on Heroku).
We know they can open separate Heroku accounts, and share the application using "heroku sharing:add".
But is it possible to use a single "team" account? Are there limitations on people logging in simultaneously from different PC's ? Or any other technical reason to avoid it?
Note we're not worried about them overriding each other's deployments, because it's for development (not production), and it's a small team.
Thanks :)
Although you can grant limited access to multiple Heroku accounts, only one "Owner" account has privileges to modify the account configuration.
If more than one person needs to modify your account/app configuration (ie: changing/provisioning add-ons, etc), it's best to create a shared e-mail/password stored in a secure password manager like 1Password. However, this is a hassle and opens up some vulnerability. It may also be against Heroku's TOS, but isn't likely enforced.
I would recommend using multiple accounts for anyone who needs read-only or deploy access. I would limit a shared Owner account to the privileged users who need full access.

How to securely store database credentials for Windows application?

I have a python application designed to run as a service on Linux, and I've been asked to install it on a Windows XP box in an office where there are no Linux machines (for me, this makes it a bizarre and confusing place as I have virtually no experience developing for Windows).
On Linux the application has its own user, and the application and database credential file reside in an encrypted folder accessible only by that user. (I'd like to state that I am not a cryptologist, and that if there are already glaring security errors in this set up I'm very happy to have them pointed out to me!)
How can I achieve an equivalent level of security by similar or different means on a Windows XP machine? That is to say, how can I prevent those who have access to the computer or the disk altering the program or reading the credentials?
A little background: the host windows box is a workstation used every day by users with non-administrative privileges. The secure assets are personal data roughly as sensitive as, for example, a school report. The application is intended to be used by about 10 people who authenticate to the application with individual passwords (stored salted and hashed in the database).
There is a very similar question that received the answer:
on Windows you would store the credentials in the registry in a location protected by an ACL
However, it doesn't touch on the aspect of protecting the program files, and further it seems to assume a higher level of Windows experience than I currently enjoy :) I have no idea how to protect registry items with an ACL, nor how I would then be able to access the protected keys from my program. Simple instructions for a developer in an unfamiliar environment would be greatly appreciated!
Your question is unclear about what your application does and what your security requirements are. I'm going to make some assumptions, and provide an answer based on them. If these assumptions are incorrect, please clarify in a comment and I'll update.
I'm assuming you have an application that:
stores sensitive data in a database stored in a DBMS installed on the workstation
is installed on a shared workstation
each user has their own login (non-admin)
allows different users to log on and interract with their data
user runs applicaiton which connects to a service
service connects with database, delivers data to users
service runs under its own user account
If this is correct, then you shouldn't have much issue.
The service can run under any account, but it would be easy enough to have it run under one of the standards (Local Machine or Network Service). Configure the database so that only this account can access it. In Sql Server, I'd only grant that user account (and admins on the box) login and access rights to the database.
This is the only security you need, if the users aren't admins. Now, when the frontend connects to the service, the user can provide the username/password and the service can authenticate against salted and hashed passwords stored in the database. All this is secure as long as 1) each user has their own login 2) communications are secure (using named pipes or SSL) and 3) no virii or keyloggers are running under an admin's credentials.
You can configure your service as to what account it runs under by running services.msc (or right-clicking on MyComputer and selecting Manage or clicking on Services under the Admin tools menu in Control Panel or probably in a number of different ways).
Bring up the list of services, right click on your app and hit Properties. From there, make it look like this:

Legacy application with JDBC and JNDI REALM authentication

My application currently relies on JDBC realm authentication. Recent needs have forced us to think about having LDAP authentication as well. We are thinking about using Active Directory for both authentication as well as authorization (roles). As a standalone test, I was able to authenticate my application with AD. But here is the confusion I have going forward.
If the user chooses LDAP authentication when he logs in, I authenticate the user with AD, get the user's roles and do I replicate(create a new) windows user in my database?. I have to have the user in the database, because many parts of the application is designed to retrieve the user from database
If the users chooses local login, I still should have JDBCRealm somewhere that I should use to authenticate the user. Is it possible to have multiple realms in tomcat? (I sort of know it is possible, but havent seen much documentation around it)
Any thoughts, comments, suggestions would immensely help me
Thanks
K
If you can run your app on Tomcat 6, there is a realm called CombinedRealm that will let you do what you are trying to do: http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#CombinedRealm. It is possible to do what you want in older versions but it's a real pain. You basically will have to implement your own custom Realm. I've not yet used this new CombinedRealm, but if it works as advertised it will save you a lot of effort and pain. Trust me.

Can I Change the Logged-In (Windows) User While an Application is Running?

Let's say we have an application that has a number of features and each feature as a permission set of users that are allowed to use that feature. The application is designed to be always-on, but at different times during the day we want different users to log on and use it.
Rather than reinvent the wheel and create yet another user account and password system, we'd like to use built-in Windows user accounts (for authentication) and Windows groups (for feature access).
Is it possible to leave the application running but have different users come along and log in and log out of the application without logging out of the Windows session?
There is a mechanism called Impersonation (link points to .NET documentation, but the core Windows APIs provide similar features). It allows you to programmatically run code in a context of a different user than the one currently being logged in. There are, however, other security implications to the model you describe. In particular: how do you protect the rest of the workstation your program is running on?
Well, you could certainly have the application get the user's windows credentials. You could also simply query for group membership without requesting any credentials. More specific information will help with a more specific answer. For instance, what language are you working in?

Resources