Spring Custom SSO - spring

I am trying to integrate two separate web applications - one is an existing custom web application with it's own security paradigm and the other is a reporting platform (JasperServer). I want to be able to use Jasper's web services interface to integrate the reporting functionality into our application. Our security model is complex and is home grown but I think there is hope.
We set a cookie that is an encrypted string containing a web service URI as the authentication source and a token which is stored in the database that is created when the user logs in and is destroyed when he/she logs out. I think I can leverage this to implement a kind of SSO in Jasper since it uses Spring Security.
What I THINK I should do is implement a pre-authentication filter that checks for the cookie I mentioned above. It could then decrypt it, make a web service call to the authentication source provided to verify the token is active in the database. If it is, that token can be used to point to user and role information that could be returned as a UserDetails object.
Unfortunately, I know enough to be dangerous but not enough to be effective. Am I on the right track? Does this solution sound tenable? If so, where would be a good place to start and are there any examples of something similar you could point me to? I've searched around quite a bit and have found nothing that quite fits the bill.
Thanks in advance to any and all who can provide me a glimmer of hope

Cookies are tied to a domain/subdomain/path and port. It is possible to set a cookie at the domain level so if you have something like webapp.mydomain.com and jasper.mydomain.com you may be ok assuming they are on the same port.
However be very careful about implementing your own SSO/Authentication framework. It requires a great deal of thought. As it stands your proposed implementation would be vulnerable to: replay, man in the middle, and XSRF attacks ... there may be other vulnerabilities but these are just 3 that come to mind ... sorry! :D

Related

Standard way to implement login or signup in Spring

I have to implement a login authentication & user registration feature for my product.
What is the standard and effective way of doing this using spring which would provide standard security (meaning nothing super fancy, but nothing easy to get around as well)?
As this has been done so many times there has to be a standard way to achieve this ?
The implementation should include :
user registration form after registering through g+ or fb etc
login form
storing user profiles, passwords, preferences in some backend
db or system
role management : different roles like admin would have
access to all etc
Standard : that which can put in production.
I found too many things scattered all around the net and although this seems like a broad topic its difficult to get started with especially when this going straight into production and not as a hobby project. The tutorials are always good to get started however are a starting point only. I want to know whats the best route or path that can be used for a product in production.
Securing a web application is not small topic, so you will need to read some tutorials.
You'll find very quick an easy to understand guides (with working examples)
at Spring Boot guides web site.
Spring Boot guides
Securing web application
JPA for your hibernate requirement
If you want going deeper you could read these great tutorials:
Spring security form login

Cross Origins advice in relation to Rest API access and end user apps

I am not so much in need of code help here, more advice on how I should handle this scenario.
I have a REST API built, using Spring boot.
I also have a simple Hybrid app that I need to deploy to users within the company - and clients who "buy in" to the API access. The users can be anywhere in the world, which means I never know what domain they will be on.
I am told that using the header below is bad practice :
"Access-Control-Allow-Origin":"*"
Given that I know the only point of access with our API should be this frontend app, but that I never know where the user of that app will be, or what network they will be on, how should I do this?
Tagging spring community here, even though this is not a spring centric question. This is because I am actually using Spring, and I guess that community will have solved this problem before.
I believe that this question is not about CORS exactly.
"Access-Control-Allow-Origin":"*" is OK since you need your API to be accessible from anywhere.
Even if you know all the Origins you need to allow, you should not rely on Origin header sent from the client as one can send any header.
Authenticate your users and you'll know whether the user can access the API or not.
Thanks.

Linking Auth0 and Parse Server users

I am writing an app that uses Parse Server, with Auth0 as the authentication provider. For unrelated reasons, we need to use Auth0 rather than Parse for user management.
I'm having trouble figuring out how to "link" a user authenticated via Auth0 to Objects in Parse Server. Without this, the authenticated user will not have permission to write to his/her Objects on the Parse Server. I believe my issue is similar to this question, which has no solution: here.
I have found many articles discussing the migration of users from Parse to Auth0, but am finding surprisingly little documentation on how to link those users to Parse. There is one article (I believe written by the same person who posted the question I linked to), but I couldn't get it to work, and it involves storing passwords in cleartext in Javascript.
I thought to create a default Parse user that would simply own all the objects in Parse. This would be invisible to the authenticated end-user so they wouldn't know, but that's just security by obscurity and doesn't seem like a good approach.
If anyone has suggestions on how to approach this, or has done it before, I'm interested to read your suggestions. Thank you very much.
Auth0 supports the most common and used authentication protocols (OAuth2/OIDC, SAML and WS-Federation) so configuring an application to rely on Auth0 is really easy when that application already talks one of the previously mentioned protocols.
According to the Parse Server Wiki, it does support custom authentication leveraging OAuth so that seems your best starting point for integrating Auth0 with a Parse Server based application.
It is possible to leverage the OAuth support with any 3rd party authentication that you bring in.
Disclaimer: I never used the Parse service or Parse Server so I'm assuming that when you mean linking Parse objects to users this can be accomplished by simply having an authenticated user in Parse and the identity of that user is just verified and proven by Auth0 instead of something like built-in username/passwords managed by Parse itself.

Best way to authentificate Java sever app

I have created a Java Spring app with the idea to work as a server app for a web app (build with angularjs or reactjs, not defined yet) and a mobile app without any security concern. Now, I need to add security/authentification functionality. I was looking for the best approach for this, and I found that I could use JWT (JSON web token) for it.
My questions:
Is JWT ok for this approach? I mean, for my own authentification
system using a database, not just facebook/google login.
Is it better to start again having an app with the authentification
working and then add the business functionality (not too much) or it
is better to add the authentification to my existing app?
Do you have any example, step by step tutorial? I cannot find one that do
what I'm expecting.
JWTs are a very good authorizantion method for mobile apps. The two main advantages of JWTs in my opinion are: The user has to login just once and fewer database accesses are necessary (of course it depends on your implementation).
I always start with authorization first. I think this way you get cleaner code, but you have to decide if it is worth in your case to start new.
If you understand the basic concept of the JWT (JWT introduction) you just need a Java library (JWT libraries) and you will understand the description in the repository good enough to use it.

ASP.NET Web Api security using Active Directory

I've searched the posts and have not found exactly what I'm looking for pertaining to my question. For example Security ... through AD asks more the question is it wise? My question is this:
We are implementing WCF applications and we are now putting WCF ... I mean ASP.NET Web Api ;)
into our server stack. I want to secure the services by requiring that the user log on to ADS, but if they already have logged on (via network login or other means) then I don't request a login. Rolebased authorization then occurs within the services.
I cannot find good discussions or examples of how I handle ADS authorization especilly through all of the future endpoints (tablet and phone).
My one thought was that the user does a login to ADS and the token then becomes what gets handled for security and rights. So now I'm a little bit concerned about how much coding has to be done to accomplish this. We are looking at FederatedServices to handle this in WCF but there is no such control in this weak API.
So I'm interested in any input or direct me to a great article on this. So far all I see is self-rolled security which our old server has and I do NOT want that crap again.
Oh yes, did I mention our target is single signon throughout our web services??? :)
Best place to start is Dominick's Thinktecture Identity for Web API. It is the de-facto security framework for Web API and supports token based identity.

Resources