I have a feeling I've stumbled into a technical black hole. There have been many questions and not many (recent) answers out there.
Short summary:
I have a Windows environment operating with a domain controller and Active Directory implementation (soon to be operating with Quest's Authentication Services). I have a series of Spring-based web applications I want to deploy to this environment and we need them to operate seamlessly with Single Sign-On using the domain credentials.
It looked like the answer was this:
http://blog.springsource.org/2009/09/28/spring-security-kerberos/
I was informed by some of the local AD admins that ktpass, though, was an unsafe (principals and keys stored in plain-text file) and outdated solution. Given the blog linked above is 3 years old, it was tough to argue.
Then I came across this:
http://forum.springsource.org/showthread.php?134465-JDK-7-0-and-Spnego-Extension-don-t-work!
Posted just a week or so ago, it looks like recent efforts to integrate SPNEGO extensions have shown that it's incompatible with JDK 7 and no longer supported!
It seems like this would be a common thing for people to want to do. I'm surprised that with a framework as widespread as Spring that there's not a simple way to achieve this. Is there another approach I haven't found in the documentation?
Thanks for any insights or suggestions.
Check out WAFFLE.
WAFFLE is a native Windows Authentication Framework consisting of two C# and Java libraries that perform functions related to Windows authentication, supporting Negotiate, NTLM and Kerberos. Waffle also includes libraries that enable drop-in Windows Single Sign On for popular Java web servers, when running on Windows.
It has a tutorial for using it with Spring Security.
My enterprise application is developed in .net framework 4.5 and is using windows authentication. In which case, as we all understand, it is the underlying AD(active directory) that authenticates the user.
I have to replace windows authentication with token based authentication, keeping the .net framework 4.6 and AD (active directory). I guess OAuth is a possible solution; could you please share some thoughts on other possible solutions and how I could get started?
HISTORY
It was common some years ago for apps to be developed for a corporate intranet, in which case Windows Authentication was a good solution. When token based authentication came along the benefits typically were:
Extend reach so that apps could be used over the internet
Support cross domain scenarios, eg APIs in a different domain
Support multiple authentication methods / policies depending on user location and device type
Write less security code and make new security features available to multiple apps
IMPLEMENTATION
An OAuth migration is a major architectural change and needs to be managed in terms of costs and benefits, though once done your apps will be quite cutting edge. Here is how Windows Authentication typically works in an OAuth 2.0 / OpenID Connect world, which requires a more complex setup:
Your UI redirects to a Cloud Authorization Server (AS), such as Azure Access Control
The AS redirects to an identity provider - such as an on-premises version of ADFS (Active Directory Federation Services) - that is configured to use Windows authentication
When in the corporate intranet the user is automatically signed in and ADFS posts tokens to the AS
The AS posts different tokens to your UI
Your UI calls the API with the AS token and the API validates it
GETTING STARTED
If you decide that the effort is worthwhile then there are 2 parts to the job. Note that your application code will only ever interact with the AS and doesn't need to know or care about the authentication method:
Infrastructure migration
Updating the code in your UIs and APIs
If it helps, my blog and code samples are designed to help people deal with some of the challenges of OAuth tech. Maybe have a look at my first tutorial to get set up.
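As an added illustration of the last step in the flow above (the API validating the token it receives from the AS), not code from the answer or from any product: a minimal JWT check that pins the algorithm and verifies signature, issuer, audience and expiry. The issuer, audience and shared secret are constructed values; HS256 with a shared secret stands in for the asymmetric signing a real AS would use, so the example runs offline.

```python
import base64, hmac, hashlib, json, time

# Constructed values (assumptions for this example, not any real AS or API).
ISSUER = "https://as.example.test/"
AUDIENCE = "api://orders"
SECRET = b"constructed-demo-secret-not-for-production"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(claims: dict, secret: bytes = SECRET) -> str:
    """Stand-in for the AS: build a compact HS256 JWT (header.payload.signature)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def validate_token(token: str, now=None, secret: bytes = SECRET) -> dict:
    """API-side check. Returns the claims on success, raises ValueError otherwise."""
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(body_b64))
    except (ValueError, TypeError) as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm: never let the token header choose it (rejects "none").
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signed = f"{header_b64}.{body_b64}".encode()
    expected = hmac.new(secret, signed, hashlib.sha256).digest()
    # Constant-time comparison of the signature bytes.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("token expired")
    return claims
```

Only after all of these checks pass should the API trust claims such as the subject; a token that fails any one of them is rejected before any claim is read.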
Apologies in advance for the seemingly naive question, I'm a hobbyist developer learning the ropes. I noticed the OpenTok REST API documentation deals mainly with command line stuff, whereas the SDKs (web/node SDKs for example) come packaged with class instances, methods, etc. So is one a reference for the other? How/when does one use the REST API instead of the SDKs?
Vonage Developer Advocate here.
Our server SDKs provide a language specific wrapper for our REST API. Both are focused on session & token generation and archiving. This logic is usually processed on the server side.
The client SDKs are different in that they provide capabilities for the front-end.
I'm choosing a serverless platform for my projects. I have explored AWS and found it excessively complicated: they provide an enormous bunch of settings but some basic scenarios have been too hard to implement.
The other platform looking promising for me is IBM Cloud with its OpenWhisk. And I'd like to check if the necessary capabilities are either implemented or in close plans for implementation.
Questions
Can I use websocket for my functions as a trigger for connect, message and disconnect? I found only a half-year-old discussion and nothing more. But this feature is demanded for real time applications.
Can I have static websites in both my custom domain and in subpath? I saw recipes where a docker container and lambda functions were employed. But writing my own implementation of Nginx looks nonsense. But this feature is also strongly demanded for single page applications (SPA) and there can be multiple such SPAs on one domain.
This blog with an IBM Cloud Functions overview has links and answers to your second question. There are tutorials on how to use custom domains with IBM Cloud Functions as backend for applications (see this tutorial with static page / SPA custom domain, and recipes for Express and Flask).
IBM Cloud Functions also has a package to post to Websockets. AFAIK there is functionality to listen to Websockets. My understanding is that serverless is incompatible with the "always on" nature of Websockets and the serverless runtime would need an API gateway or similar to manage the communication. If something is received, the action would be invoked.
Support for websockets for the ActionLoop proxy (used by Go, Swift, Python, PHP, Rust and Java) is here: https://github.com/sciabarracom/incubator-openwhisk-runtime-go/tree/websocket-support.
It can be used to build runtimes that support websocket, but you need to deploy the runtime by yourself using Kubernetes. The support had been postponed as an integration of OpenWhisk with Knative is a better path to include it in OpenWhisk.
So I've been tasked to develop some enterprise web applications, but our users hate logging in to every site. After our users authenticate to eDirectory, is it possible to provide a Single Sign On feature for them? I know it's possible to do with AD, but I was wondering if anyone has actually done it with Novell?
Currently, I'm testing out solutions on WAMP (Apache 2.2). I was looking into mod_auth_sspi but I'm not sure if it will work with Novell.
The typical issue on these setups is how you are going to pass credentials from the Browser to the Web Application. You can set up Kerberos on eDirectory, which should work similar to Microsoft Active Directory using GSSAPI, which is vendor independent.
You may need to make some changes to browser settings to make any of these work seamlessly.
However, SSPI is a proprietary variant of GSSAPI with extensions and very Windows-specific data types and, AFAIK, will not work easily with eDirectory or browsers other than IE.
If possible, look into an Access Manager product that will be (at least nearly) seamless. Most will allow any(?) WEB based application to utilize SSO in one form or another.
-jim
I am investigating developing an app for Windows Phone 7 that requires access to email/calendar information from Exchange Server (read only).
The way I see it there are 2 options EWS or ActiveSync.
WP7 only supports Basic Authentication.
By default on Exchange server installations the EWS virtual directory has Basic Authentication disabled meaning a configuration change of Exchange Server to allow EWS to be used.
The ActiveSync protocol looks like it would take some time to get your head around and develop an implementation.
The questions are
1. How common is it for people to enable basic authentication for EWS? Is this something that most businesses are likely to not want to do?
2. How difficult is it to learn and use the ActiveSync protocol? Is it something that could be done in days, weeks or months?
1) To find out about the common configuration of EWS servers I'd speak to some sysadmins and ask them. Maybe try on https://serverfault.com/
2) How difficult something is to learn very much depends on the skills and experience of the person learning and the teaching resources available. This is a non-trivial protocol, so I wouldn't expect learning it to take days. There will also be a licensing cost of implementing Exchange ActiveSync which I suspect would make it an expensive option.
Option 3: Create your own web service that acts as a proxy to EWS and does the authentication for you. Ugly and a bit painful, but if your app is architected well, once WP7 supports better authentication, switching to directly hit EWS should be pretty simple.
ActiveSync is painful and does not support everything that EWS supports. I would recommend going the EWS route if you have that option.
If you're going to use ActiveSync, think again... it uses wbxml and you would need to create your own API for doing calls - this means creating tokenized blobs which must be 100% perfect and account for all aspects of whatever type of messaging items you are going against, or you will risk creating bad items or even poison ones. The devastation caused by bad EAS calls could well exceed your customer base... so, you need to be very careful. Also, while the specs are public, it needs a very expensive license. If you license, you would need to get a support contract with a specific schedule in order to get developer support. With a team of developers, it will likely take 3-5 or so years to do a full implementation client side and work out most of the bugs. So, as far as the skills in email development, you and your other developers would need to be pretty hard-core. There may be third party APIs which wrap EAS calls... however, you should be sure that they are licensed and that the license would cover your development - so, you would need to research those on your own.
EWS has more features and is far, far easier to use and is what is suggested... further, there is no special licensing, etc.
Using a proxy web service + Exchange Managed APIs so that WP7 can go against Exchange without writing a ton of code:
http://www.telerik.com/products/windows-phone/getting-started/exchange-client.aspx
... can also use this approach to use NTLM.
Before considering EAS...
http://blogs.msdn.com/b/webdav_101/archive/2011/09/29/new-to-exchange-activesync-development.aspx