I have created a class to provide connection pooling with OpenDJ. Now I am trying to authenticate a user using another class which picks a connection from the pool.
If I use the newAuthenticatedConnectionFactory method to create the pool, then it gives an UnsupportedOperation exception, while it works fine if I use newFixedConnectionPool.
Why is it so? Is the bind method not allowed with newAuthenticatedConnectionFactory?
An authenticatedConnectionFactory is a method to obtain a connection on which a well known user is already authenticated. Therefore it's not suited to do other authentication and Bind request.
Related
So, I would like to implement complex session management in my application. Essentially, I would like to store user sessions both in Postgres and Redis.
So, the algorithm should be the following:
1. A request is sent to the app; the application parses the incoming request cookies and extracts a session parameter.
2. The Spring server tries to retrieve the respective session object by id from Redis.
3. If the previous step succeeds, then the server verifies the session and lets the request pass through if the session is active and valid. Otherwise - unauthorized path.
4. If the session object isn't present in Redis, then the server tries pulling a member session from Postgres. It does the same verifications and caches the response. If the session isn't valid or isn't present in the RDBMS - go to the unauthorized path.
Is there any elegant way to implement the following mechanism using existing packages? Or will this require custom logic?
So, I watched this video - https://www.youtube.com/watch?v=TggWLDAXmb4
And I was able to get a gist of how basic security mechanisms work in Spring and implement the workflow described above.
Basically, you will need to have:
Custom security filter that will be preparing specific Authentication;
Custom authentication provider that will be performing authentication (checking session)
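The lookup order from the question, as an added example that is not part of the original posts: it is the check a custom authentication provider could run once the filter has extracted the session id. The two maps are stand-ins for Redis and Postgres, and the Session fields (expiresAt, revoked) are assumptions.

```java
import java.time.Instant;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

// Added illustration: the maps stand in for Redis (cache) and Postgres (store).
public class TwoTierSessionLookup {
    // Assumed session shape; a real table will carry more columns.
    record Session(String id, String member, Instant expiresAt, boolean revoked) {
        boolean isValid(Instant now) { return !revoked && now.isBefore(expiresAt); }
    }

    final Map<String, Session> cache = new ConcurrentHashMap<>();  // stand-in for Redis
    final Map<String, Session> store = new ConcurrentHashMap<>();  // stand-in for Postgres

    /** Returns the session if it is active and valid; empty means the unauthorized path. */
    Optional<Session> resolve(String sessionId, Instant now) {
        if (sessionId == null || sessionId.isBlank()) return Optional.empty();
        Session cached = cache.get(sessionId);
        if (cached != null) {
            // A cache hit is re-verified on every request, never trusted as-is.
            if (cached.isValid(now)) return Optional.of(cached);
            cache.remove(sessionId);
            return Optional.empty();
        }
        Session stored = store.get(sessionId);
        // Invalid or missing sessions are never written to the cache.
        if (stored == null || !stored.isValid(now)) return Optional.empty();
        cache.put(sessionId, stored);
        return Optional.of(stored);
    }

    public static void main(String[] args) {
        TwoTierSessionLookup lookup = new TwoTierSessionLookup();
        Instant now = Instant.parse("2024-01-01T12:00:00Z");  // constructed sample data
        lookup.store.put("s-live", new Session("s-live", "alice", now.plusSeconds(600), false));
        lookup.store.put("s-old", new Session("s-old", "bob", now.minusSeconds(1), false));

        System.out.println("store hit:      " + lookup.resolve("s-live", now).isPresent());
        System.out.println("now cached:     " + lookup.cache.containsKey("s-live"));
        System.out.println("expired:        " + lookup.resolve("s-old", now).isPresent());
        System.out.println("unknown id:     " + lookup.resolve("s-missing", now).isPresent());
        System.out.println("cached, stale:  " + lookup.resolve("s-live", now.plusSeconds(601)).isPresent());
    }
}
```

With a real Redis the cached entry should also carry a TTL no longer than the session's remaining lifetime, so a revocation written to Postgres is not masked by the cache indefinitely.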
I have a request service and I want to get a tenant's address with its id. So I need TenantAppService in another service. I can't pass it from JavaScript, because it is an object and I think AJAX converts my parameters to a URL. Do I need to serialize it or can I create an instance of TenantAppService in my service? Is there an applicable constructor?
Or can I use a stored procedure? I tried it but even though I imported
using System.Data.SqlClient;
SqlConnection could not be found.
I am using spring-security 3.0.2.RELEASE with spring-security-kerberos-core 1.0.0.M2 to implement SPNEGO based authentication.
The server has more than one valid DNS name. One refers to the machine itself (machine.domain), the other refers to the application (app.domain). Currently there is no reverse proxy set up.
I need to ensure that SPNEGO works for both valid DNS names. As it is, I have the machine name set up as the SPN. If I use IE7 to connect to the application, it works to connect to the machine name, but not the application name (HTTP 401).
I am using the SunJaasKerberosTicketValidator to validate tickets, but it only allows for one SPN to be configured at a time.
How do I configure my application to work with multiple SPNs? Do the SPNs just have to be added to the list with setspn? Or do I need to set up multiple ticket validators?
My question is very similar to this one (which was unanswered):
http://forum.spring.io/forum/spring-projects/security/122250-spring-security-3-kerberos-spn
Thanks so much,
James
Just a quick thought:
You can define two SunJaasKerberosTicketValidator instances, each for its domain and then implement your own KerberosTicketValidator which will delegate to the underlying JAAS validator based on the HTTP request.
You can get to the request from the validator if you use RequestContextListener:
HttpServletRequest request = (HttpServletRequest) ((ServletWebRequest)
RequestContextHolder.currentRequestAttributes()).getNativeRequest();
Pavel is right, just in case of ClassCastException try:
RequestAttributes requestAttributes = RequestContextHolder.currentRequestAttributes();
HttpServletRequest request = ((ServletRequestAttributes) requestAttributes).getRequest();
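A sketch of the delegating validator suggested above, as an added example that is not code from the original posts or from the Kerberos extension. TicketValidator is a hypothetical stand-in for the extension's KerberosTicketValidator interface, and the SPN strings are constructed. Because the host name comes from the client, it is only used as a key into a fixed allowlist, and unknown hosts fail closed.

```java
import java.util.Locale;
import java.util.Map;

public class HostRoutedTicketValidator {
    /** Hypothetical stand-in for the extension's KerberosTicketValidator interface. */
    interface TicketValidator { String validateTicket(byte[] token); }

    private final Map<String, TicketValidator> byHost;

    HostRoutedTicketValidator(Map<String, TicketValidator> byHost) {
        this.byHost = Map.copyOf(byHost);  // fixed at start-up, one validator per SPN
    }

    /** hostHeader is the client-supplied host, e.g. request.getServerName(). */
    String validateTicket(String hostHeader, byte[] token) {
        if (hostHeader == null) throw new SecurityException("no host in request");
        String host = hostHeader.toLowerCase(Locale.ROOT);
        int colon = host.lastIndexOf(':');
        if (colon >= 0) host = host.substring(0, colon);                      // drop :port
        if (host.endsWith(".")) host = host.substring(0, host.length() - 1);  // drop root dot
        TicketValidator delegate = byHost.get(host);
        // Fail closed: never fall back to a default SPN for an unrecognised host.
        if (delegate == null) throw new SecurityException("no SPN configured for this host");
        return delegate.validateTicket(token);
    }

    public static void main(String[] args) {
        // Constructed delegates; in the application each would wrap one
        // SunJaasKerberosTicketValidator configured with its own SPN and keytab.
        HostRoutedTicketValidator router = new HostRoutedTicketValidator(Map.of(
                "machine.domain", token -> "validated against HTTP/machine.domain",
                "app.domain", token -> "validated against HTTP/app.domain"));

        byte[] token = new byte[0];  // placeholder, not a real SPNEGO token
        System.out.println(router.validateTicket("app.domain:8080", token));
        System.out.println(router.validateTicket("MACHINE.domain", token));
        try {
            router.validateTicket("other.domain", token);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```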
I want someone to tell me where to search for how to make a session between the client(s) and the server in RMI, i.e., what is the name of that concept for searching purposes?
I named this the Remote Session pattern in my 2001 book.
The idea is to have a singleton RMI object, bound in the Registry, with nothing but a login() method. That method, if successful, returns a new RemoteSession object for every call, that contains the API you need for the session. RemoteSession is another remote interface of course. It also contains a logout() method, which unexports the object, and it also implements Unreferenced, as another way of terminating the session.
Each instance of RemoteSession can maintain client state, so it is a session object, and as the only way to get a RemoteSession object is via login(), it is secure to a first approximation.
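A compact version of the pattern described above, as an added example that is not the answer author's code. The whoAmI() method and the credential check are constructed placeholders, and Registry binding of the login object is left out so the class runs without a registry.

```java
import java.rmi.NoSuchObjectException;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.server.UnicastRemoteObject;
import java.rmi.server.Unreferenced;
import java.util.Arrays;

public class RemoteSessionPattern {
    public interface Login extends Remote {
        RemoteSession login(String user, char[] password) throws RemoteException;
    }
    public interface RemoteSession extends Remote {
        String whoAmI() throws RemoteException;  // placeholder for the session API
        void logout() throws RemoteException;
    }

    static class LoginImpl extends UnicastRemoteObject implements Login {
        LoginImpl() throws RemoteException { super(); }
        public RemoteSession login(String user, char[] password) throws RemoteException {
            if (!checkCredentials(user, password)) throw new SecurityException("login failed");
            return new SessionImpl(user);  // a new exported session object per successful login
        }
        // Constructed check for the demo; a real server verifies against its user store.
        private boolean checkCredentials(String user, char[] password) {
            return "alice".equals(user) && Arrays.equals(password, "demo-only".toCharArray());
        }
    }

    static class SessionImpl extends UnicastRemoteObject implements RemoteSession, Unreferenced {
        private final String user;  // per-client state lives in the session object
        SessionImpl(String user) throws RemoteException { super(); this.user = user; }
        public String whoAmI() { return user; }
        public void logout() throws RemoteException { close(); }
        public void unreferenced() { close(); }  // client dropped its stub or went away
        private void close() {
            try { UnicastRemoteObject.unexportObject(this, true); }
            catch (NoSuchObjectException alreadyClosed) { /* session already ended */ }
        }
    }

    public static void main(String[] args) throws Exception {
        Login login = new LoginImpl();  // the singleton that would be bound in the Registry
        RemoteSession session = login.login("alice", "demo-only".toCharArray());
        System.out.println("session for: " + session.whoAmI());
        session.logout();
        UnicastRemoteObject.unexportObject(login, true);  // lets the JVM exit
    }
}
```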
I have a Swing client and a server running on Tomcat 7, which communicate with each other using Spring (3.1) HTTP invoker. The communication works fine so far (even with TLS), but now I am trying to add Spring Security.
Side note: In a typical web application I would use basic authentication to authenticate the user. After my CustomAuthenticationProvider returns an Authentication object for the user, everything "just works", meaning that on every further request the SecurityContext is automatically set. I guess the login returns a session key to the client which is sent on every request to identify the session.
That is pretty much what I am looking for with HTTP invoker. At the moment it seems like I get a new context on every request, which is bad, because my customAuthenticationManager.authenticate(Authentication auth) method is pretty costly and should really only be called once per user session.
Any idea?
Edit: I found some hints on this at http://forum.springsource.org/showthread.php?10764-Maintaing-State-while-using-HttpInvoker , but as this link is more than 8 years old, I was hoping for an easier solution.
I found the solution now. First you need to know that the Spring Security part is completely the same as it would be in a web application (which is great).
On the client side you need a more complex HTTP client implementation. I used org.springframework.remoting.httpinvoker.HttpComponentsHttpInvokerRequestExecutor. On the server side you could use the create-session="always" attribute of the <http> element to ensure that a session is always created. However, I found it better to create the session myself (just call httpServletRequest.getSession(), which creates a session if none exists), because that way you can specify when to do that. In my case I create the session in my authenticationProvider only if authentication was successful.