Legacy application with JDBC and JNDI REALM authentication - jdbc

My application currently relies on JDBC realm authentication. Recent needs have forced us to think about having LDAP authentication as well. We are thinking about using Active Directory for both authentication as well as authorization (roles). As a standalone test, I was able to authenticate my application with AD. But here is the confusion I have going forward.
If the user chooses LDAP authentication when he logs in, I authenticate the user with AD and get the user's roles. Do I then replicate (create a new) Windows user in my database? I have to have the user in the database, because many parts of the application are designed to retrieve the user from the database.
If the user chooses local login, I still need a JDBCRealm somewhere that I can use to authenticate the user. Is it possible to have multiple realms in Tomcat? (I sort of know it is possible, but haven't seen much documentation around it.)
Any thoughts, comments or suggestions would help me immensely.
Thanks
K

If you can run your app on Tomcat 6, there is a realm called CombinedRealm that will let you do what you are trying to do: http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#CombinedRealm. It is possible to do what you want in older versions but it's a real pain. You basically will have to implement your own custom Realm. I've not yet used this new CombinedRealm, but if it works as advertised it will save you a lot of effort and pain. Trust me.
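As an added example (not taken from the answer above or from Tomcat's documentation), this is how the two realms the question names would be nested under a CombinedRealm in Tomcat 6's server.xml. The AD host, bind DN, base DNs, JDBC URL, table and column names and all credentials are placeholders; the AD attribute names (sAMAccountName, member) are the usual ones for Active Directory:

```xml
<!-- server.xml, placed inside <Engine> (or a single <Host>), Tomcat 6.0.x.
     CombinedRealm tries each nested Realm in document order until one
     authenticates the user; the first match also supplies the roles. -->
<Realm className="org.apache.catalina.realm.CombinedRealm">

  <!-- 1. Active Directory over LDAP. Tomcat binds as the service account
          to find the user's DN, then re-binds as that DN with the submitted
          password, so a wrong password fails here and falls through to 2.
          Placeholder host/DNs/password: replace with your own. -->
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldaps://dc01.corp.example:636"
         connectionName="CN=tomcat-bind,OU=Service Accounts,DC=corp,DC=example"
         connectionPassword="changeit"
         userBase="OU=Users,DC=corp,DC=example"
         userSearch="(sAMAccountName={0})"
         userSubtree="true"
         roleBase="OU=Groups,DC=corp,DC=example"
         roleName="cn"
         roleSearch="(member={0})"
         roleSubtree="true" />

  <!-- 2. Local accounts in the application's own database. {0} in the
          role search above is the user's DN; here the join is by username.
          Placeholder driver/URL/tables: replace with your own schema.
          digest= makes Tomcat hash the submitted password before comparing
          it with userCredCol, so the column never holds clear-text passwords. -->
  <Realm className="org.apache.catalina.realm.JDBCRealm"
         driverName="com.mysql.jdbc.Driver"
         connectionURL="jdbc:mysql://localhost:3306/appdb"
         connectionName="app"
         connectionPassword="changeit"
         userTable="users"
         userNameCol="username"
         userCredCol="password_hash"
         userRoleTable="user_roles"
         roleNameCol="role"
         digest="SHA-256" />
</Realm>
```

Two practical notes: the JNDIRealm sends the user's password to the domain controller in the bind, so use ldaps:// (and import the DC's certificate into Tomcat's truststore) rather than plain ldap:// on port 389; and JDBCRealm holds a single JDBC connection, so for a busy application the DataSourceRealm with a pooled JNDI DataSource is the better choice and takes the same table and column attributes.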

Related

Is there any built-in way to take advantage of "tomcat-users.xml" from an external server?

I am trying to find out if there is any built-in option in Tomcat to use its authentication credentials from a remote server.
We are building an application based on Spring Boot, and that application should use authentication based on the credentials configured on another Tomcat server. Ideally I am thinking about some kind of web service for authentication which Tomcat might provide, but as far as I remember there is nothing like that available. Any thoughts on that?
Please don't advise LDAP or dedicated solutions - I can't use them on that particular case.
Thanks!
The components in Tomcat that authenticate users are called Realms, and there are quite a lot of them already implemented. You can find an overview of them, what they do and how to configure them on the Realm documentation page.
Check if any of the other existing ones (some access a database, which might qualify as an external server in your use case; you judge that for yourself) will suit your needs.
You can even find a realm for LDAP in there if that will ever become an option ;)

Web Configuration, Security in Oracle APEX

I want to build a web application in Oracle APEX, where I want users to enter the database server through the application server, so that I can ensure more security in my application. If this is hard, then is there any other way in which I can ensure more security in a web application in Oracle APEX?
Oracle APEX is a very stable and secure environment.
As is,
you can encrypt and enforce high-level passwords for the users
you can lock accounts to avoid brute-force attacks
devs' and admins' accounts are locked after a few attempts by default to avoid this issue
The service can be easily configured with any SSL
Webservices, like most of them, can be programmed to use access_tokens and other validations.
To my knowledge any additional security can be configured on the server and firewall. So I would say that you can do a lot, but it is up to you to follow good practices when defining your system's security.
Hope it helps, and good luck! :)

Single authentication for multiple grails projects

So, I have multiple Grails apps, but I'd like to package them into a single mega app that manages user login, permissions, which apps they can access, etc. I can already link to the other apps depending on the logged-in user's role.
I'm using Spring Security with all of the apps, and they already share a database for users and roles. The problem I'm having is that I want the users to be instantly logged in on all of the apps when they log in to the "mega app"; I want them all to share a login session.
Right now, I have a login for the users to access the "mega app", where they are linked to the other apps, but they have to manually log in again for each of the different Grails apps they are linked to. And I don't like this; I want all apps to share a session, at least for login. Any way to do this?
Having all the source from all the apps inside one single Grails project is not a possibility here; it would be too heavy, and some users don't even install all of the apps, since this is installed on their own private servers for them to use in their own local network. Also, login sessions time out after a while of not being used, making the problem even worse.
Help would be greatly appreciated, thank you in advance.
The spring-security-cas plugin is one option; it uses the open source CAS single sign-on server to let you authenticate to any server and be automatically authenticated on all of the others.

Need suggestions on security design for a web application

I'm designing a security module for a web application using Spring Security. There are 3 separate WARs (3 apps) using separate logins, deployed in a JBoss server.
The requirement is: if the user is authenticated in one app, then he should be able to access the other applications without logging in. Is it possible to share the security context between the web applications (different WARs, not in a single EAR)?
We discussed SSO, but we are trying to achieve this with Spring Security and with the support of the app server. Is there any way? Please provide your valuable suggestions and input.
If you need more information, please let me know.
The easiest way is to employ usual Spring Security authentication (e.g. form-based with username/password) and enable the remember-me feature.
As long as all three applications are deployed on the same domain (and can therefore share their cookies), the remember-me feature will work seamlessly for all of them, i.e. once the user authenticates at any of the applications she will be able to access the others without needing to re-authenticate.
This of course doesn't address issues like single logout, but that doesn't seem to be your aim anyway.
You can set this up in a short time and don't need any third-party SSO components, although relying on standard SSO protocols and dedicated technologies tends to be a more secure option.
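As an added illustration of the remember-me approach (not the answerer's own configuration), below is a Spring Security 3.x XML fragment that would be deployed identically in each of the three WARs. The datasource settings, hash algorithm and key are placeholders. It assumes the browser presents the remember-me cookie to all three contexts: Spring Security 3 issues that cookie with the servlet context path as its path, so for the cookie set by /app1 to reach /app2 and /app3 the WARs need a common parent path (or a custom RememberMeServices that sets the path to /), which is the assumption made here.

```xml
<!-- applicationContext-security.xml, identical in app1.war, app2.war and app3.war.
     Spring Security 3.1 namespace; bean/namespace prefixes are the usual ones. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security-3.1.xsd">

  <!-- The shared user store. Placeholder driver/URL/credentials: all three WARs
       must point at the same users/authorities tables, otherwise a cookie minted
       by one app names a user the next app cannot load. -->
  <beans:bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource">
    <beans:property name="driverClassName" value="com.mysql.jdbc.Driver" />
    <beans:property name="url" value="jdbc:mysql://db.internal:3306/sso_users" />
    <beans:property name="username" value="app" />
    <beans:property name="password" value="changeit" />
  </beans:bean>

  <!-- Uses Spring Security's default schema:
       users(username, password, enabled) and authorities(username, authority). -->
  <jdbc-user-service id="sharedUsers" data-source-ref="dataSource" />

  <http use-expressions="true">
    <intercept-url pattern="/login*" access="permitAll" />
    <intercept-url pattern="/**" access="isAuthenticated()" />
    <form-login login-page="/login" />

    <!-- The cookie value is base64(username ":" expiry ":" MD5(username ":" expiry
         ":" password ":" key)). A WAR with a different key (or a different password
         store) cannot verify a token the others issued, so the key is the one value
         that must be the same everywhere. Placeholder: generate a long random secret,
         keep it out of version control, and rotate it to invalidate all tokens. -->
    <remember-me key="replace-with-a-long-random-secret-shared-by-all-wars"
                 user-service-ref="sharedUsers"
                 token-validity-seconds="1209600" />

    <logout />
  </http>

  <authentication-manager>
    <authentication-provider user-service-ref="sharedUsers">
      <!-- Same hashing in every WAR, since the stored hash feeds the token MAC. -->
      <password-encoder hash="sha-256" />
    </authentication-provider>
  </authentication-manager>
</beans:beans>
```

Because the token is derived from the stored password hash, changing a user's password in the shared database invalidates her remember-me cookie in all three applications at once; changing the key invalidates everyone's. Serve the applications over HTTPS so the long-lived cookie is not exposed on the wire.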
I've done this recently with SSO and Spring Security; however, I wrote our own security filter, which grabs the HttpServletRequest.getRemoteUser() value provided by the SPNEGO filter. One thing with SSO: most mechanisms use Kerberos, which only really works in local desktop environments. It is possible to write a fallback mechanism which will redirect the user to a login page, but then you still have your issue at hand.
Another option would be to repackage your applications as an EAR (see here).

SSO with Active-Directory and Oracle on C# (VS 2010)

Here is what we have :
Oracle-database-driven software which requires user authentication to start the application.
An Active Directory controller with which users authenticate to log on to a session.
Oracle 10, Windows Server 2008, Windows 7 WS, C# (2010), DevExpress, old VB6 Framework
Here is what we'd like to do:
Use the MS credentials to authenticate users, skipping the login in our application
Map users' authentication information (from AD) to an Oracle privileges table
Remove the login box unless the user does not have enough privileges to use the app
Any clue, book reference, tutorial, guide, howto, sample, documentation will be MUCH appreciated!
Reading your Question, I was delighted to see you were in the same box as I was.
We have an Oracle 9i-driven application. I read with much interest about Oracle 10g having AD functionality, but regrettably we could not get our hands on it; nevertheless, we are happy with what we have.
In this context, there is nothing to do but design your own solution. For that, we converted our Oracle usernames to the AD-equivalent usernames. Our idea was that for each user session, the application checks whether the user is already authenticated with AD; if so, we create a session by applying a new application-generated password to the AD-authenticated user and then connect to the Oracle DB using it. The generated password is not known to the user, nor to anybody else, and the plan is for it to be in encrypted form. For each session, the password is generated and applied to the user.
There were drawbacks, like the overhead of changing the password regularly, but we could not find a better solution. If you have one, please share it with us for the benefit of the community.
