I've read somewhere that the WS-Security specification (in JAX-WS) is concerned with three main areas of focus:
Security token validation (authentication)
Message integrity (signing)
Message confidentiality (encryption and decryption)
QUESTION 1:
Number 1 can be implemented using WSS4J. I'm looking for ways to implement #2 and #3, or does WSS4J handle that too? If yes, how?
QUESTION 2:
Can this be done in REST? Or anything similar to this.
Thanks,
Yes, WSS4J takes care of all of these things, in conjunction with a SOAP Stack such as Apache CXF. There is lots of content online about using WS-Security with CXF.
Yes it can all be done for REST too. Message integrity and confidentiality can be done using the JWS/JWE specs (implemented by CXF as well btw), authentication can be done via OpenID Connect, SAML SSO, Kerberos, HTTP/BA, etc etc.
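The answer above says integrity and confidentiality for REST are covered by JWS and JWE. The following is an added example (not code from the question, the answer, or CXF) showing what those two specs actually produce, using only the JDK: a JWS compact serialization with HS256 for integrity, and a JWE compact serialization with a direct AES-256-GCM content key for confidentiality, applied sign-then-encrypt. The keys are constructed demo values; in a real service they would come from a KeyStore or a key-management service.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Minimal JWS (HS256) and JWE (alg=dir, enc=A256GCM) compact serializations using only the JDK. */
public class JoseDemo {
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();
    private static final String JWS_HEADER = "{\"alg\":\"HS256\",\"typ\":\"JWT\"}";
    private static final String JWE_HEADER = "{\"alg\":\"dir\",\"enc\":\"A256GCM\"}";

    static String b64(byte[] b) { return B64.encodeToString(b); }
    static byte[] utf8(String s) { return s.getBytes(StandardCharsets.UTF_8); }

    /** Integrity: produces BASE64URL(header).BASE64URL(payload).BASE64URL(HMAC-SHA256). */
    static String jwsSign(byte[] macKey, String payload) throws Exception {
        String signingInput = b64(utf8(JWS_HEADER)) + "." + b64(utf8(payload));
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(macKey, "HmacSHA256"));
        return signingInput + "." + b64(mac.doFinal(utf8(signingInput)));
    }

    /** Verifies a JWS and returns its payload; throws SecurityException on any problem. */
    static String jwsVerify(byte[] macKey, String jws) throws Exception {
        String[] parts = jws.split("\\.", -1);
        if (parts.length != 3) throw new SecurityException("malformed JWS");
        // Pin the expected header: the verifier decides the algorithm, never the token (no alg=none, no alg swap)
        if (!parts[0].equals(b64(utf8(JWS_HEADER)))) throw new SecurityException("unexpected JWS header");
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(macKey, "HmacSHA256"));
        byte[] expected = mac.doFinal(utf8(parts[0] + "." + parts[1]));
        // Constant-time comparison so a forger learns nothing from timing
        if (!MessageDigest.isEqual(expected, B64D.decode(parts[2]))) throw new SecurityException("bad signature");
        return new String(B64D.decode(parts[1]), StandardCharsets.UTF_8);
    }

    /** Confidentiality: header..iv.ciphertext.tag; the encrypted-key part is empty for alg=dir. */
    static String jweEncrypt(byte[] key256, String plaintext) throws Exception {
        String header = b64(utf8(JWE_HEADER));
        byte[] iv = new byte[12];                       // 96-bit nonce, fresh per message
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key256, "AES"), new GCMParameterSpec(128, iv));
        c.updateAAD(header.getBytes(StandardCharsets.US_ASCII)); // JWE binds the protected header as AAD
        byte[] out = c.doFinal(utf8(plaintext));                  // JDK appends the 16-byte GCM tag
        byte[] ct = Arrays.copyOfRange(out, 0, out.length - 16);
        byte[] tag = Arrays.copyOfRange(out, out.length - 16, out.length);
        return header + ".." + b64(iv) + "." + b64(ct) + "." + b64(tag);
    }

    /** Decrypts a dir/A256GCM JWE; AEADBadTagException signals any tampering with header, IV or ciphertext. */
    static String jweDecrypt(byte[] key256, String jwe) throws Exception {
        String[] p = jwe.split("\\.", -1);
        if (p.length != 5 || !p[1].isEmpty()) throw new SecurityException("malformed JWE");
        if (!p[0].equals(b64(utf8(JWE_HEADER)))) throw new SecurityException("unexpected JWE header");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key256, "AES"), new GCMParameterSpec(128, B64D.decode(p[2])));
        c.updateAAD(p[0].getBytes(StandardCharsets.US_ASCII));
        byte[] ct = B64D.decode(p[3]), tag = B64D.decode(p[4]);
        byte[] in = new byte[ct.length + tag.length];
        System.arraycopy(ct, 0, in, 0, ct.length);
        System.arraycopy(tag, 0, in, ct.length, tag.length);
        return new String(c.doFinal(in), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        byte[] macKey = utf8("demo-hmac-key-at-least-32-bytes-long!!"); // constructed demo key
        byte[] aesKey = new byte[32];                                     // constructed 256-bit content key
        new SecureRandom().nextBytes(aesKey);

        String jws = jwsSign(macKey, "{\"sub\":\"alice\",\"role\":\"customer\"}");
        System.out.println("verified payload: " + jwsVerify(macKey, jws));

        // Swap the payload segment but keep the original signature: must be rejected
        String[] parts = jws.split("\\.");
        String forged = parts[0] + "." + b64(utf8("{\"sub\":\"alice\",\"role\":\"admin\"}")) + "." + parts[2];
        try { jwsVerify(macKey, forged); } catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }

        // Sign-then-encrypt: the JWS becomes the JWE plaintext, so the wire form reveals neither claims nor signature
        String jwe = jweEncrypt(aesKey, jws);
        System.out.println("decrypted inner JWS verifies to: " + jwsVerify(macKey, jweDecrypt(aesKey, jwe)));
    }
}
```

With CXF you would not hand-roll this; its JOSE module produces the same compact forms from a configured key. The two things worth carrying over from the example are that the verifier, not the token, fixes the accepted algorithm, and that the JWE protected header is authenticated data, so nothing in a JWE can be altered without the tag check failing.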
I have generated JAX-RS stubs for a REST service using Swagger and want to set up the security.
The security side is very new to me and I would like to use standards as far as possible. (In the past, for other J2EE applications, I have used Filters to handle Authentication which put User objects into a Session. As I understand it, Sessions should be avoided for REST.)
There are 4 types of user who will access the services:
Customers and business partners (Authentication via OAuth or similar)
Employees (Authentication via NTLM & LDAP)
Developers (Mock authentication/authorisation of some kind)
Integration test (JUnit with pre-defined users and roles)
Is it possible to define a security mechanism which would handle all of these users?
How would I use the Swagger security directives?
Am I making this more complicated than it needs to be?
You could use an open source API gateway like Tyk? Here’s a link to some handy info on API Security in the tyk docs.
And here is a blog post that describes taking a layered approach to API Security that goes beyond the gateway.
Disclosure: I work for Tyk!
Updated: Thanks for responding to my post. I am very sorry, as of today these were the requirement details. However, I can elaborate more on what I understand. I have some idea of WIF, where I can write my own STS and RP and publish policies.
A couple of queries here. Do we need to have an IdP, and should we connect the STS to the IdP? If not, can we go without an IdP? I will have to use claims-based authentication and federated identity management in the application. We do not depend on AD/LDAP integration.
Important requirements are as follows. 1) We allow customers to do self-registration who are direct users of this portal-M, and the other set of users come from partner-X, where the company claims are verified using SAML Req/Resp to access portal-M. 2) Once the direct user or user-thru-partner-X enters portal-M, he/she should get access to another portal-N of partner-Y by sending a SAML request in similar fashion.
I have provided as many details as I know, since I am new to this technology of SSO/FIdM.
I would be happy to provide more information, if needed.
Original
I have got a complex task to build a solution of externalized SSO with SAML that would be used by customers of different partners over the web. The constraints are to build IdP/STS/Issuers/RP/Trusts/Policies with no open source or commercial product support, choosing specific technology platforms such as Microsoft and/or J2EE.
On top of these, the IdP must use an in-house custom data store available on SQL Server and Oracle.
Your ideas are appreciated, and thanks in advance.
So you want to implement a SAML stack without using any commercial or open source software?
That is a HUGE amount of work and you will need to spend a non-trivial amount of time getting your head around SAML.
In terms of a DB as your Identity repository, refer: Thinktecture IdentityServer.
In terms of SAML stacks, refer: SAML: A SAML stack.
I need some information on how to issue a security token with the sender-vouches subject confirmation method in a PicketLink STS service.
I have searched for information and examples but I didn't find anything useful; I don't even know if PicketLink (token providers and login module) supports such tokens!
I need this kind of authentication/authorization system for a project I am working on, where a subject logs in to a web application and the resulting identity must be propagated to a SOAP web service deployed on another server.
I would like to use a standard solution for this scenario, avoiding the implementation of proprietary solutions, and the "SAML STS profile" seems to do the trick. Any other ideas?
Thank you all
I have set up FORM authentication within web.xml (Java web container) successfully.
I did not find a way to send the username/password within the GET request of the RESTful URI from my client when using FORM authentication. So I have to use BASIC authentication only for the RESTful URI.
So I have this question:
How can I set up both form-based authentication and basic authentication?
Basic authentication should only be enabled for the RESTful URI.
I was also facing a similar problem and I realized that if you are using WildFly then it's possible to configure multiple mechanisms using web.xml:
<auth-method>BASIC?silent=true,FORM</auth-method>
Using this, silent basic authentication will be tried first, which is basic authentication that only takes effect if an Authorization header is present. If no such header is present then form authentication will be used instead.
Maybe it's too late for a reply but I just updated this in case someone finds it useful :P
There were no responses here for a while, so I did a quick servlet refresher myself. Servlet specs indeed allow only one <login-config> element per web application, so there is no way to have an entry point with BASIC authentication for the REST API and another with FORM-based authentication for the UI. The only option is to build them as two independently deployable applications. To avoid code duplication, it might be a good idea just to let the UI application talk to the REST API the same way the third-party clients are supposed to.
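To show how the WildFly `BASIC?silent=true,FORM` mechanism from the earlier answer fits into a full deployment descriptor, here is an added web.xml fragment; it is a constructed example, not configuration from either answer, and the URL patterns, role names and realm name are assumptions. Both constraints require TLS (`CONFIDENTIAL`), which matters because BASIC sends the credential in the clear on every request:

```xml
<!-- Constructed example for WildFly; url-patterns, roles and realm-name are assumptions -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>REST API</web-resource-name>
    <url-pattern>/rest/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>api-user</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- BASIC credentials travel base64-encoded, not encrypted: force TLS -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Web UI</web-resource-name>
    <url-pattern>/app/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>ui-user</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- The single login-config the servlet spec allows; WildFly reads the comma-separated list -->
<login-config>
  <auth-method>BASIC?silent=true,FORM</auth-method>
  <realm-name>ApplicationRealm</realm-name>
  <form-login-config>
    <form-login-page>/login.html</form-login-page>
    <form-error-page>/login-error.html</form-error-page>
  </form-login-config>
</login-config>

<security-role><role-name>api-user</role-name></security-role>
<security-role><role-name>ui-user</role-name></security-role>
```

Note the consequence of "silent": a REST client that omits the Authorization header is not answered with a 401 challenge but redirected to the HTML login page, so API clients must send credentials proactively rather than waiting for a challenge. The portable alternative described in the last answer, two deployments each with its own `<login-config>`, avoids that quirk at the cost of a second artifact.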
I'm a newbie at SAML. My question is simple:
Upon a SAML request, what do IdPs usually do?
I guess they first parse the XML — and then? Can anybody describe the steps? I mean the common steps, that every IdP has to do at the very least.
The Wikipedia article on this actually contains a lot of the information you need:
http://en.wikipedia.org/wiki/SAML_2.0
Look at the example SAML 2.0 Auth Request and Response plus the list of steps involved. The simplest method is the "SP POST Request IdP POST Response" so start with that. It's not the only option for deploying SAML 2.0; there are others described there as well. Hope that helps.
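As an added illustration of "parse the XML, and then what?", here is the request-validation step an IdP performs on an inbound AuthnRequest before it authenticates the user and builds a Response. This is example code written for this thread, not from any SAML product or from the Wikipedia article; the IdP endpoint URL, the registered-SP table and the sample request are constructed assumptions.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** The minimum checks an IdP applies to an inbound SAML 2.0 AuthnRequest (SP POST binding). */
public class AuthnRequestChecker {
    static final String SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol";
    static final String SAML  = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Assumed IdP configuration: its own SSO endpoint and the SPs registered with it (entityID -> ACS URL)
    static final String MY_SSO_URL = "https://idp.example.test/sso";
    static final Map<String, String> REGISTERED_SPS = Map.of(
        "https://sp.example.test/metadata", "https://sp.example.test/acs");

    /** The request is attacker-controlled XML: no DTDs, no external entities, no XInclude. */
    static DocumentBuilder hardenedParser() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Returns the ACS URL (from the IdP's own registration) that the Response may be posted to, or throws. */
    static String validate(String xml, Instant now) throws Exception {
        Document doc = hardenedParser().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        Element req = doc.getDocumentElement();
        if (!SAMLP.equals(req.getNamespaceURI()) || !"AuthnRequest".equals(req.getLocalName()))
            throw new SecurityException("not an AuthnRequest");
        if (!"2.0".equals(req.getAttribute("Version"))) throw new SecurityException("unsupported SAML version");
        if (req.getAttribute("ID").isEmpty()) throw new SecurityException("missing ID (needed for InResponseTo)");

        // 1. The Issuer must be an SP this IdP has a trust relationship with
        NodeList issuers = req.getElementsByTagNameNS(SAML, "Issuer");
        if (issuers.getLength() != 1) throw new SecurityException("exactly one Issuer expected");
        String issuer = issuers.item(0).getTextContent().trim();
        String registeredAcs = REGISTERED_SPS.get(issuer);
        if (registeredAcs == null) throw new SecurityException("unknown SP: " + issuer);

        // 2. Destination, when present, must name this IdP's endpoint
        String dest = req.getAttribute("Destination");
        if (!dest.isEmpty() && !dest.equals(MY_SSO_URL)) throw new SecurityException("wrong Destination");

        // 3. Freshness window on IssueInstant (allow some clock skew)
        Instant issued = Instant.parse(req.getAttribute("IssueInstant"));
        if (Duration.between(issued, now).abs().compareTo(Duration.ofMinutes(5)) > 0)
            throw new SecurityException("stale AuthnRequest");

        // 4. Only ever post an assertion to the ACS URL from metadata, never to a URL the request alone supplies
        String acs = req.getAttribute("AssertionConsumerServiceURL");
        if (!acs.isEmpty() && !acs.equals(registeredAcs)) throw new SecurityException("ACS URL not registered");
        return registeredAcs;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample AuthnRequest
        String xml = "<samlp:AuthnRequest xmlns:samlp=\"" + SAMLP + "\" xmlns:saml=\"" + SAML + "\""
            + " ID=\"_req1\" Version=\"2.0\" IssueInstant=\"2024-01-01T12:00:00Z\""
            + " Destination=\"" + MY_SSO_URL + "\" AssertionConsumerServiceURL=\"https://sp.example.test/acs\">"
            + "<saml:Issuer>https://sp.example.test/metadata</saml:Issuer></samlp:AuthnRequest>";
        Instant now = Instant.parse("2024-01-01T12:01:00Z");
        System.out.println("post Response to: " + validate(xml, now));

        // Same request with an ACS URL that is not in the SP's registration: must be rejected
        try { validate(xml.replace("sp.example.test/acs", "other.example.test/acs"), now); }
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

After these checks pass, the IdP authenticates the user (by whatever means it supports), builds a Response whose `InResponseTo` carries the request's `ID`, signs it with its own key, and auto-submits it by HTML form to the returned ACS URL; if the SP's metadata says requests are signed, the request signature is verified before step 1. The point of keeping the ACS URL on the IdP side is that a forged request cannot redirect a valid assertion to a location the SP never registered.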