Need suggestions on security design for a web application - spring

I'm designing a security module for a web application using Spring Security. There are 3 separate WARs (3 apps) using separate logins, deployed in a JBoss server.
The requirement is: if the user is authenticated in one app, then he should be able to access the other applications without logging in. Is it possible to share the security context between the web applications (different WARs, not in a single EAR)?
We discussed SSO, but we are trying to achieve this with Spring Security and with support from the app server. Is there any way? Please provide your valuable suggestions and inputs.
If you need more information, please let me know.

The easiest way is to employ usual Spring Security authentication (e.g. form-based with username/password) and enable the remember-me feature.
As long as all three applications are deployed on the same domain (and can therefore share their cookies), the remember-me feature will work seamlessly for all of them, i.e. once a user authenticates at any of the applications she will be able to access the others without needing to re-authenticate.
This of course doesn't address issues like single logout, but that doesn't seem to be your aim anyway.
You can set this up in a short time and don't need any third-party SSO components, although relying on standard SSO protocols and dedicated technologies tends to be a more secure option.
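To show why the shared cookie works across WARs, here is an added example (not from the answer above) that re-implements the documented Spring Security hash-based remember-me token format in Python: base64(username:expiry:md5hex(username:expiry:password:key)). It assumes every app uses the same remember-me key and the same user store; the user record and timestamps are constructed for the demo.

```python
import base64
import hashlib
import hmac

TWO_WEEKS_S = 1209600  # Spring Security's default remember-me validity

def make_remember_me_cookie(username, password, key, now_ms, validity_s=TWO_WEEKS_S):
    """Issue a cookie the way TokenBasedRememberMeServices does (MD5 variant).
    `password` is the stored (encoded) password, `key` the app's remember-me key."""
    expiry_ms = now_ms + validity_s * 1000
    sig = hashlib.md5(f"{username}:{expiry_ms}:{password}:{key}".encode()).hexdigest()
    return base64.b64encode(f"{username}:{expiry_ms}:{sig}".encode()).decode()

def validate_remember_me_cookie(cookie, key, user_lookup, now_ms):
    """Return the username if this app accepts the cookie, otherwise None.
    Rejects malformed tokens, expired tokens, unknown users and bad signatures."""
    try:
        username, expiry_str, sig = base64.b64decode(cookie).decode().split(":")
        expiry_ms = int(expiry_str)
    except (ValueError, UnicodeDecodeError):
        return None
    if expiry_ms < now_ms:
        return None
    password = user_lookup(username)
    if password is None:
        return None
    expected = hashlib.md5(f"{username}:{expiry_ms}:{password}:{key}".encode()).hexdigest()
    # constant-time comparison so the signature check does not leak timing
    return username if hmac.compare_digest(expected, sig) else None

# Constructed user store shared by all apps (value is an encoded password hash placeholder)
USERS = {"alice": "$2a$10$constructed-placeholder-hash"}
lookup = USERS.get
T0 = 1_700_000_000_000  # constructed "now" in epoch milliseconds

# App A issues the cookie; app B (same key, same user store) accepts it.
cookie = make_remember_me_cookie("alice", USERS["alice"], "sharedKey", T0)
accepted_by_b = validate_remember_me_cookie(cookie, "sharedKey", lookup, T0 + 1000)
# App C configured with a different key cannot verify the signature.
rejected_by_c = validate_remember_me_cookie(cookie, "otherKey", lookup, T0 + 1000)
# After the validity window the cookie is rejected even with the right key.
expired = validate_remember_me_cookie(cookie, "sharedKey", lookup, T0 + TWO_WEEKS_S * 1000 + 1)
```

Changing the user's stored password also invalidates the cookie everywhere, since the password is part of the signed material.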

I've done this recently with SSO and Spring Security; however, I wrote our own security filter to be used, which grabs the HttpServletRequest.getRemoteUser() value provided by the SPNEGO filter. One thing with SSO: most mechanisms use Kerberos, which only really works in local desktop environments. It is possible to write a fallback mechanism which will redirect the user to a login page, but then you still have your issue at hand.
Another option would be to repackage your applications as an EAR (see here).

Related

Security concerns using Spring as backend for mobile app

A team and I built a small "meet people" app last semester that used Spring linked to a MySQL database as the backend. I am working on my own app now and I'm worried about security, because all of our user information was sent over HTTPS GET requests to the server. It seems weird to me that we were able to hop on Google Chrome, type in xxx.xxxxx.xx:xxx/user/2 and get back a JSON with all of a specific user's information. If anyone knew our URL/port, they would be able to access this information themselves.
I'm sure this is a basic question, but what steps do I need to take to create a Spring backend that isn't as easy to access? I'm basically a total beginner in this, but I did write the service in Spring last semester so I know the basics.
You can use Spring Security, which is a very good project and easy to integrate.
It provides many types of security features:
Basic Spring Security
Role-Based Spring Security
baeldung.com and howtodoinjava have a very good series on it.
You can also use jwt-authentication-on-spring-boot, which is also a good way to secure the APIs.

Is there any built-in way to take advantage of "tomcat-users.xml" from an external server?

I am trying to find out if there is any built-in option in Tomcat to use its authentication credentials from a remote server.
We are building an application based on Spring Boot, and that application should use authentication based on the credentials configured on another Tomcat server. Ideally I think about some kind of web service for the authentication which Tomcat may provide, but as far as I remember there is nothing like that available. Any thoughts on that?
Please don't advise LDAP or dedicated solutions - I can't use them on that particular case.
Thanks!
The components in Tomcat that authenticate users are called Realms, and there are quite a lot of them already implemented. You can find an overview of them, what they do and how to configure them on the Realm documentation page.
Check if any of the other existing ones (some access a database, which might qualify as an external server in your use case; you judge that for yourself) will suit your needs.
You can even find a realm for LDAP in there if that will ever become an option ;)

Is it possible to set up one SAML spring application as a "man in the middle" to ADFS for other spring applications?

I have managed to integrate the Spring sample application against our ADFS to experiment with SSO, just to understand the basics. We currently have 8 different modules, all requiring the user to log in. I have been trying to use the sample application as a "relay" to ADFS for SSO, in order to reduce the amount of setup required. Or will I have to go through the same procedure as I did with the sample application and ADFS for all our modules?
If they are different "apps", they are also likely different SPs (or "relying parties") in ADFS.
The key things are: does each of these modules belong to a different security boundary? Can a token for one be used in another? Will user claims be different depending on the module they land on (e.g. each module has a different expectation of user roles)? If any of these are true, then these are different SPs. If false, you might get away with having all of them as the same SP config in ADFS.
ADFS is rather clunky to configure/setup. So I understand your hesitation. Perhaps it's time for a more modern alternative, that does what you were thinking (Your modules -> Intermediary -> ADFS) ... :-)

Apache 2 - LDAP/eDirectory(Novell) Automatic Login / Authentication

So I've been tasked to develop some enterprise web applications, but our users hate logging in to every site. After our users authenticate to eDirectory, is it possible to provide a Single Sign On feature for them? I know it's possible to do with AD, but I was wondering if anyone has actually done it with Novell.
Currently, I'm testing out solutions on WAMP (Apache 2.2). I was looking into mod_auth_sspi but I'm not sure if it will work with Novell.
The typical issue on these setups is how you are going to pass credentials from the browser to the web application. You can set up Kerberos on eDirectory, which should work similarly to Microsoft Active Directory, using GSSAPI, which is vendor independent.
You may need to make some changes to browser settings to make any of these work seamlessly.
However, SSPI is a proprietary variant of GSSAPI with extensions and very Windows-specific data types and, AFAIK, will not work easily with eDirectory or browsers other than IE.
If possible, look into an Access Manager product that will be (at least nearly) seamless. Most will allow any(?) web-based application to utilize SSO in one form or another.
-jim

I have two Java applications with different domain names. How can I authenticate to both with one login?

I was asked to do a peculiar task today. I have two Java applications developed using the Struts framework. My boss asked me to provide a link to the second application in the first one, and when a user clicks it, he needs to be redirected to the second application. OK, this is easy. But the user should not be required to authenticate on the second application again. How can this be achieved?
Note: the same Tomcat server where my 2 applications are deployed has other applications hosted which do not need single sign on.
There are many Single Sign On (SSO) solutions. It depends on your environment. Many server containers offer custom SSO solutions. For example, if both your applications run in Tomcat, see an easy-to-implement SSO: http://tomcat.apache.org/tomcat-5.5-doc/config/host.html#Single_Sign_On