Kerberos for spring web application - kerberos

I have built a Spring web application using the Spring Security module for authentication and authorization functionality along with LDAP. Now I am planning to implement Kerberos-based authentication using the Spring Security module and perform Windows-based authentication. Is it feasible to use Kerberos for web applications? I am totally new to Kerberos and how it's going to fit into the web application architecture.

Yes, it is feasible to implement Kerberos for web applications.
http://spnego.sourceforge.net/
This open-source library performs SSO without a username/password prompt.
It can also get groups/roles from LDAP...
"The javax.servlet.http.HttpServletRequest API is an interface that defines the method named getRemoteUser; in addition, the API defines the method named isUserInRole. The SPNEGO Library also implements both of these methods."
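As an added example (not code from the question, the answer, or the SPNEGO project linked above), this is what the Spring Security side of the asker's plan looks like using the spring-security-kerberos extension: an entry point that challenges the browser with Negotiate, a filter that accepts the SPNEGO token, and a ticket validator backed by a keytab. The service principal `HTTP/app.example.com@EXAMPLE.COM`, the keytab path `/etc/app/app.keytab` and the in-memory `UserDetailsService` are placeholders; in the asker's setup the last one would be the existing LDAP lookup. The controller at the end shows the `getRemoteUser` / `isUserInRole` calls quoted in the answer, which Spring Security populates from the authenticated principal.

```java
// Added example, not from the page. Placeholders: the SPN, the keytab path and
// the UserDetailsService (which stands in for the asker's LDAP-backed one).
package example.kerberos;

import javax.servlet.http.HttpServletRequest;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.FileSystemResource;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider;
import org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator;
import org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter;
import org.springframework.security.kerberos.web.authentication.SpnegoEntryPoint;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
public class KerberosSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Unauthenticated requests get "401 WWW-Authenticate: Negotiate", which
            // makes a domain-joined browser send its Kerberos service ticket.
            .exceptionHandling().authenticationEntryPoint(new SpnegoEntryPoint())
            .and()
            .authorizeRequests()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated()
            .and()
            // The SPNEGO filter reads the Negotiate header and hands the ticket to
            // the authentication manager, i.e. to the Kerberos provider below.
            .addFilterBefore(spnegoAuthenticationProcessingFilter(authenticationManagerBean()),
                             BasicAuthenticationFilter.class);
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(kerberosServiceAuthenticationProvider());
    }

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Bean
    public SpnegoAuthenticationProcessingFilter spnegoAuthenticationProcessingFilter(
            AuthenticationManager authenticationManager) {
        SpnegoAuthenticationProcessingFilter filter = new SpnegoAuthenticationProcessingFilter();
        filter.setAuthenticationManager(authenticationManager);
        return filter;
    }

    @Bean
    public KerberosServiceAuthenticationProvider kerberosServiceAuthenticationProvider() {
        KerberosServiceAuthenticationProvider provider = new KerberosServiceAuthenticationProvider();
        provider.setTicketValidator(sunJaasKerberosTicketValidator());
        provider.setUserDetailsService(kerberosUserDetailsService());
        return provider;
    }

    @Bean
    public SunJaasKerberosTicketValidator sunJaasKerberosTicketValidator() {
        // Decrypts the incoming service ticket with the key stored in the keytab.
        // The principal must be the SPN registered for this host in Active Directory.
        SunJaasKerberosTicketValidator validator = new SunJaasKerberosTicketValidator();
        validator.setServicePrincipal("HTTP/app.example.com@EXAMPLE.COM");        // placeholder SPN
        validator.setKeyTabLocation(new FileSystemResource("/etc/app/app.keytab")); // placeholder path
        return validator;
    }

    @Bean
    public UserDetailsService kerberosUserDetailsService() {
        // Hypothetical stand-in: maps the validated principal (e.g. alice@EXAMPLE.COM)
        // to authorities. The asker would plug in the existing LDAP lookup here.
        return username -> new User(username, "", AuthorityUtils.createAuthorityList("ROLE_USER"));
    }
}

@RestController
class WhoAmIController {
    @GetMapping("/whoami")
    public String whoAmI(HttpServletRequest request) {
        // Both calls are served by Spring Security's request wrapper: getRemoteUser()
        // is the Kerberos principal, isUserInRole("ADMIN") checks for ROLE_ADMIN.
        return request.getRemoteUser() + (request.isUserInRole("ADMIN") ? " (admin)" : "");
    }
}
```

The keytab is the service's long-term secret, so it should be readable only by the account the application runs as, and the SPN must match the host name the browser resolves, otherwise the browser never sends a ticket and the entry point keeps answering 401.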

Related

How to integrate existing Auth Service with kibana and opendistro for authenticating users

We have our own authentication server developed in NodeJS, which acts as the identity provider for users. So we are looking for how we can integrate it with Kibana-opendistro.
The security responsibility lies with the security plugin, so most of the configuration should be made there.
Opendistro Security provides support for a couple of authentication backends, which you can refer to here: https://opensearch.org/docs/latest/security-plugin/configuration/configuration/. You can configure the security plugin based on the authentication mechanism used.
Alternatively, there is the concept of an injected user, where authentication is completely handled by another service fronting the security plugin. Though I did not find documentation on this, you can refer to the code here: https://github.com/opensearch-project/security/blob/565f47e804ec03aeeba02ca8def563b91307fcc7/src/test/java/org/opensearch/security/test/plugin/UserInjectorPlugin.java

Authenticating to blockchain from a Java client?

I have a blockchain network built using Hyperledger Composer, have started the Composer REST Server and have generated Java client code from the OpenAPI spec to consume the REST API. I have looked at the documentation to enable authentication and multi-user mode. I already have authentication in my web application. How would I go about granting the user access to interact with the blockchain after they sign into my web app?
Thanks.
Can you please tell us what strategy you are using for your web-application authentication?
Recently updated documentation: https://hyperledger.github.io/composer/latest/integrating/enabling-rest-authentication
The REST server uses the open source Passport authentication middleware. Administrators of the REST server must select Passport strategies to authenticate clients. Multiple Passport strategies can be selected, allowing clients of the REST server to select a preferred authentication mechanism. Passport includes a wide range of strategies (300+ at the time of writing), including a mix of social media (Google, Facebook, Twitter) and enterprise (SAML, LDAP) strategies.
You need to configure an appropriate Passport strategy to generate the access_token that will be used by the REST API server.

CAS server integration with Spring vs Spring Security native

We are developing a product that consists of a set of microservices developed as Spring REST APIs. Those APIs will be called by an AngularJS client (not confidential client-to-server communication) and will also interact with each other (server-to-server communication).
We are at the stage of developing an SSO solution where we also want to implement authorization based on user roles for each API. While diving further into Spring Security, I have noticed the great support for the OAuth2 standard, but at the same time I saw
an implementation of a CAS server integrated with a Spring client.
Now my question: why would someone go with a CAS server instead of using the native Spring Security implementation, and how will roles be passed from the CAS server?
You need to further study the concept of centralized single sign-on and the different components in the architecture. Spring Security is a client library, mostly used by the app to contact a server of some sort. CAS, as a software system, is a server. Your client application can use any library you like to contact the "account source" or "identity provider" server. The server, on the other hand, depending on the capabilities of the client, will respond and react according to the semantics of the authentication protocol used.
Roles, or more accurately put, attributes and claims, are passed to the client app once tokens/tickets are validated using the CAS protocol. Other protocols more or less provide the same concept.

how to secure API with mod_auth_openidc

I have 3 applications
old JSP based java app
Spring Boot webapp
SPA
5 java micro services REST API built using Spring Boot
I need to secure all of them at the same time. I have picked Keycloak as it seemed like a good idea. As we are using Apache as a reverse proxy, we have picked mod_auth_openidc to limit access to services at the reverse-proxy level.
We have built extensions for the Spring webapp and the old JSP app to use the headers provided by mod_auth_openidc to handle active users and authentication.
At this point we have run into the issue that we also secured the APIs using mod_auth_openidc headers. This has a serious drawback, though, as the APIs cannot talk to each other using just JWT tokens, because the reverse proxy needs them to be authenticated.
Should we secure the APIs using JWT only instead?
Does any mod_auth_openidc guru know the best approach to this scenario?
I need the REST APIs to be able to talk to each other without any user interaction, i.e. only using tokens.
Our webapps (JSP and SPA) are always fully secured, i.e. the user has to be logged in to access any part of them.
I would appreciate any suggestions.
Thanks

Securing Spring boot Rest services with CAS

Friends,
Recently I created a web services application using Spring Boot, and it currently has a few unsecured entry points. (This is a pure REST-based application having only REST entry points; it doesn't have any UI components.)
Now I would like to add a CAS client to this application to secure the REST entry points.
My CAS server is ready and up and running. I have configured the CAS REST protocol as well in my CAS server, to obtain a TGT/ST through a REST call, and I'm planning to use only REST calls rather than the login pages.
So, when a user tries to access my REST application, I'm going to call the CAS REST entry points internally (using RestTemplate) to validate the user's credentials and generate a TGT and ST.
The available CAS entry points are (from the Jasig reference docs):
POST /cas/v1/tickets HTTP/1.0
username=battags&password=password&additionalParam1=paramvalue
POST /cas/v1/tickets/{TGT id} HTTP/1.0
service={form encoded parameter for the service url}
DELETE /cas/v1/tickets/TGT-fdsjfsdfjkalfewrihfdhfaie HTTP/1.0
I think I'm a little clear on this part. Please correct me if I'm wrong.
And now my query is: what should I do to add an ST validator to my Spring Boot application? Do I need to add any filters using Spring Security? Or do I need to call some other REST API to validate the ST? Please guide me on how to proceed.
You can use an existing Spring Boot CAS starter:
cas security spring boot starter
cas client autoconfig support
That will configure your Spring Boot app with CAS authentication for you, magically (and thus your application will be able to read an ST or PT without effort).
I'm the author of cas security spring boot starter, so I won't influence your choice, but the main difference between that project and cas client autoconfig support, developed by Unicon, is Spring Security integration.
Indeed, cas security spring boot starter is fully compliant with Spring Security, so you will be able to use any feature you know from Spring Security, whereas cas client autoconfig support will instantiate and configure Apereo (Jasig) filters that are not designed to work out of the box with Spring Security.
You don't need a service ticket unless you want to call another service from your web service. Validating the received credentials via the CAS REST API is enough.
If you are looking for a security library to protect your web service via the CAS REST API, you should try https://github.com/pac4j/spring-webmvc-pac4j and especially this configuration: https://github.com/pac4j/spring-webmvc-pac4j-demo/blob/master/src/main/webapp/WEB-INF/demo-servlet.xml#L74
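As an added example (not code from the question or either answer, and not part of the starters or pac4j mentioned above), here is the three-step CAS REST exchange listed in the question carried through with RestTemplate, plus the step the asker was missing: validating the service ticket against the CAS server's `/p3/serviceValidate` endpoint and reading the user name out of the XML response. The CAS base URL `https://cas.example.com/cas`, the service URL `https://api.example.com/` and the credentials in `main` are assumed placeholders; the form parameters and endpoints are those of the CAS REST and validation protocols.

```java
// Added example, not from the page. Assumed: CAS base URL, service URL and
// the placeholder credentials used in main().
package example.cas;

import java.io.StringReader;
import java.net.URI;
import java.util.Optional;
import javax.xml.parsers.DocumentBuilderFactory;

import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.HttpClientErrorException;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.util.UriComponentsBuilder;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class CasRestClient {
    private static final String CAS_NS = "http://www.yale.edu/tp/cas";
    private final RestTemplate rest = new RestTemplate();
    private final String casBase; // e.g. https://cas.example.com/cas (placeholder)

    public CasRestClient(String casBase) { this.casBase = casBase; }

    /** Step 1: POST /v1/tickets with the credentials; CAS answers 201 and puts the TGT URL in Location. */
    public Optional<String> requestTgt(String username, String password) {
        MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
        form.add("username", username);
        form.add("password", password);
        try {
            ResponseEntity<String> resp = rest.postForEntity(casBase + "/v1/tickets", formEntity(form), String.class);
            URI location = resp.getHeaders().getLocation();
            if (resp.getStatusCode() != HttpStatus.CREATED || location == null) return Optional.empty();
            String path = location.getPath();
            return Optional.of(path.substring(path.lastIndexOf('/') + 1)); // "TGT-..."
        } catch (HttpClientErrorException e) {
            return Optional.empty(); // 400/401 from CAS: credentials rejected
        }
    }

    /** Step 2: POST /v1/tickets/{TGT} with service=...; the ST comes back as the plain-text body. */
    public Optional<String> requestServiceTicket(String tgt, String serviceUrl) {
        MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
        form.add("service", serviceUrl);
        try {
            String st = rest.postForObject(casBase + "/v1/tickets/" + tgt, formEntity(form), String.class);
            return Optional.ofNullable(st).map(String::trim).filter(s -> s.startsWith("ST-"));
        } catch (HttpClientErrorException e) {
            return Optional.empty(); // expired or unknown TGT
        }
    }

    /** Step 3: GET /p3/serviceValidate. The service URL must be byte-for-byte the one the ST was issued for. */
    public Optional<String> validateServiceTicket(String st, String serviceUrl) throws Exception {
        String url = UriComponentsBuilder.fromHttpUrl(casBase + "/p3/serviceValidate")
                .queryParam("service", serviceUrl)
                .queryParam("ticket", st)
                .toUriString();
        return parseValidationResponse(rest.getForObject(url, String.class));
    }

    /** Parses the CAS validation XML with DOCTYPE/external entities disabled, so a hostile response cannot trigger XXE. */
    static Optional<String> parseValidationResponse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        if (doc.getElementsByTagNameNS(CAS_NS, "authenticationSuccess").getLength() == 0) return Optional.empty();
        NodeList users = doc.getElementsByTagNameNS(CAS_NS, "user");
        return users.getLength() == 0 ? Optional.empty() : Optional.of(users.item(0).getTextContent().trim());
    }

    private static HttpEntity<MultiValueMap<String, String>> formEntity(MultiValueMap<String, String> form) {
        HttpHeaders h = new HttpHeaders();
        h.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
        return new HttpEntity<>(form, h);
    }

    public static void main(String[] args) throws Exception {
        CasRestClient cas = new CasRestClient("https://cas.example.com/cas"); // placeholder
        String service = "https://api.example.com/";                          // placeholder
        String tgt = cas.requestTgt("battags", "password").orElseThrow(() -> new IllegalStateException("login failed"));
        String st = cas.requestServiceTicket(tgt, service).orElseThrow(() -> new IllegalStateException("no ST"));
        System.out.println("CAS user: " + cas.validateServiceTicket(st, service).orElse("<invalid ticket>"));
    }
}
```

Only the validation response should be trusted for the user's identity; the ST itself is opaque, single-use and bound to the service URL, which is why step 3 sends exactly the same `service` value as step 2. The Apereo CAS client's `Cas30ServiceTicketValidator` performs the same request and parsing if you prefer not to handle the XML yourself.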