SPNEGO on Bluemix Liberty - ibm-cloud

On the Bluemix Liberty feature list, it says spnego-1.0 is supported. Does anyone have any Bluemix documentation (not plain Liberty, because this would mean I installed the Liberty server on my own enterprise domain) on how to even begin to use this? It seems to me that if SPNs are locked down to a domain name, how would this even work for an app running on a domain such as this: "www.ng.bluemix.net"?
Does this mean there is a requirement to have Bluemix infrastructure installed onto our enterprise infrastructure to even begin thinking about Spnego?

SPNEGO makes sense if you're trying to achieve SSO between, say, a Microsoft desktop and, say, a WASaaS (WAS or Liberty) running a web app in a SoftLayer VM behind a private firewall; in that case a SPNEGO solution would work. In a more public setting, OpenID Connect should be considered as an option.
If SPNEGO really needs to be used, see the Liberty documentation. You can then customize a Liberty server.xml file in Bluemix to get this to work. To use a custom Liberty server.xml file, see the info noted under standalone applications.

Related

Wildfly and OIDC

We are a Java shop and use Maven. Our app is on WildFly 18. Does anyone have any experience migrating a WildFly app to OIDC? We were given a security library that we can use to make OIDC calls to, but it requires a config file co-located with this library. Do we need to use a module for this? If so, do we need a particular section filled out in our standalone.xml?
You asked about WildFly 18. This one for sure needs add-on modules, such as those provided by the Keycloak project (https://www.keycloak.org/downloads).
Since WildFly 25, OpenID Connect functionality has been included in the WildFly releases, and since then the add-on modules are no longer required. In fact, they should no longer get installed, as they seem to break WildFly.
See also
Secure WebApp in Wildfly 25 using OpenID Connect (OIDC) without installing a Keycloak client adapter
https://docs.wildfly.org/25/WildFly_Elytron_Security.html#validating-jwt-tokens
https://www.youtube.com/watch?v=2gQO4_7Z5CI

REST Spring Boot Web Service on Websphere 9

I want to create a Spring Boot REST web service and deploy and publish it in a traditional WebSphere 9 Application Server. Is it possible?
What challenges might I encounter? Can someone please provide me a few pointers for reference?
Yes, this can be done. It is not a good design, but yes, it can be done. Back in the day when I was working for a big bank, they deployed Java Spring Boot microservices in IBM WebSphere (not Liberty).
How to do it?
1) Package your deployable as a WAR. You can do this by editing your pom to package as WAR.
2) You can either add the connection string config in your Spring Boot starter class or get a JNDI resource created in the WebSphere instance. We observed that performance of the APIs improved when the app used the WebSphere JNDI resource as opposed to an app-created connection bean.
3) If you use IBM MQ, the best course of action is to get a non-SSL and an SSL-based channel created at MQ and a JNDI resource for the MQ connection as well.
4) If you plan to create MQ connection beans within the app, like we did, ensure the JKS file has the full valid set of signers of your org.
Problems we faced
1) Our app used a lot of third-party rule engines like Drools, so ensure the WebSphere server.xml is configured to servlet version 3.1 or higher.
2) The WebSphere admin console is helpful, but don't just blindly believe it if it shows green for your container; always check your app logs for errors.
3) Common pain points are establishing a successful connection with the IBM MQ host. Get an MQ server admin to troubleshoot all MQRC errors.
4) If you plan to use Oracle as the backend, ensure the DBA has created a wallet for you to enable both SSL and non-SSL connections. Some organisations are picky with non-SSL DB connections. It is easier to handle all this if you leverage WebSphere JNDI for DB connections.
Let me know if this helped.
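Steps 1 and 2 of the answer above (WAR packaging and a container-managed JNDI DataSource) in code, as an added example that is not from the answer or from any IBM or Spring project. The package name, the JNDI name jdbc/appDS and the profile name "websphere" are assumptions; the JNDI resource is created by the WebSphere administrator, so the database credentials live in the server's J2C authentication alias rather than in the application archive.

```java
// Added example: Spring Boot entry point packaged as a WAR for a traditional WebSphere
// server. The container (Servlet 3.1 in WebSphere 9) discovers SpringBootServletInitializer
// without a web.xml. Names marked "assumption" are not from the original answer.
package com.example.app; // assumption: hypothetical package

import javax.sql.DataSource;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.builder.SpringApplicationBuilder;
import org.springframework.boot.web.servlet.support.SpringBootServletInitializer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Profile;
import org.springframework.jdbc.datasource.lookup.JndiDataSourceLookup;

@SpringBootApplication
public class Application extends SpringBootServletInitializer {

    // Called by WebSphere when the WAR is deployed; main() is not used in that case.
    @Override
    protected SpringApplicationBuilder configure(SpringApplicationBuilder builder) {
        return builder.sources(Application.class);
    }

    // Still runs with the embedded container for local development (the embedded
    // spring-boot-starter-tomcat dependency is marked <scope>provided</scope> in the pom
    // so it is left out of the WAR and does not clash with WebSphere's own servlet engine).
    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }

    // Under the "websphere" profile (assumption), borrow the container-managed DataSource
    // instead of building a connection pool from a URL and password inside the app.
    // Connection pooling, SSL to the database and credentials are then the server's job.
    @Bean
    @Profile("websphere")
    public DataSource dataSource() {
        JndiDataSourceLookup lookup = new JndiDataSourceLookup();
        // With resourceRef=true the lookup is made under java:comp/env/, so the web.xml needs a
        // matching <resource-ref> for jdbc/appDS bound to the server resource in ibm-web-bnd.xml.
        lookup.setResourceRef(true);
        return lookup.getDataSource("jdbc/appDS"); // assumption: JNDI name chosen by the admin
    }
}
```

The pom changes that go with this are `<packaging>war</packaging>` and the `provided` scope on `spring-boot-starter-tomcat`; the profile is activated on the server with the `spring.profiles.active=websphere` JVM system property. The same JNDI lookup can be expressed without a bean as the `spring.datasource.jndi-name` property, but the explicit bean keeps the "local embedded pool versus container pool" split visible in code review.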
Both WebSphere Traditional and WebSphere Liberty support Spring Boot.
Are you looking for something like this?
http://www.adeveloperdiary.com/java/spring-boot/deploy-spring-boot-application-ibm-liberty-8-5/

JBOSS EAP 6 - Siteminder integration components

I need to set up a JBoss EAP 6 web app to integrate with SiteMinder with IdP-initiated SAML2 artifact binding. The current integration is using form-based header authentication. SiteMinder is on-prem and JBoss/the app is in AWS. I have little visibility into the SiteMinder setup or its requirements to integrate with JBoss. I have clarity on setting up the Service Provider in JBoss for SSO and single logout with POST binding.
My questions are:
1. To integrate with an on-prem SiteMinder IDM, what components other than JBoss and its configuration need to be present on the server hosting JBoss?
Something like a SiteMinder agent to be run on the server?
From a purely JBoss perspective, where does the JBoss setup boundary start?
I went through the net and could not find a conclusive list of components required to meet this integration.
2. Artifact binding is not supported by JBoss EAP 6 per the docs, so I must ask the IDM team to support SSO with POST binding, correct?
Thank you in advance for your help.
You need to implement your own JAAS security module. There is information on the JBoss and CA websites on how to do this. This module will provide the authentication (user) and authorization (roles) to the applications deployed on JBoss. When developing, I suggest setting the log level of org.jboss.security to trace.
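An added example of the kind of JAAS module the answer above refers to, written for this page and not taken from JBoss, CA or PicketLink. It does not validate the SSO assertion itself; that stays with the module that precedes it in the security domain's login-module stack (the assumption is that that module publishes the authenticated user name in the JAAS shared state, as standard module stacking does). This module only does the authorization half: it maps the user to application roles from module options and adds them as the "Roles" group that JBoss's PicketBox reads. The package name and the `roles.<user>` option convention are assumptions.

```java
// Added example: role-mapping JAAS login module for a JBoss EAP 6 security domain.
// java.security.acl.Group is used because EAP 6 runs on Java 6-8 and PicketBox looks for a
// Group named "Roles" in the Subject; the class was removed from the JDK in Java 14.
package com.example.sso; // assumption: hypothetical package

import java.security.Principal;
import java.security.acl.Group;
import java.util.Arrays;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.Vector;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class SsoRoleMappingLoginModule implements LoginModule {
    private Subject subject;
    private Map<String, ?> sharedState;
    private Map<String, ?> options;
    private String userName;
    private Set<String> roles = Collections.emptySet();
    private Group rolesGroup;

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.sharedState = sharedState;
        this.options = options;
    }

    @Override
    public boolean login() throws LoginException {
        // Standard JAAS shared-state key written by an upstream module (password-stacking).
        Object name = sharedState.get("javax.security.auth.login.name");
        if (name == null) {
            // Nothing upstream authenticated: fail closed rather than invent an identity.
            throw new LoginException("no authenticated user in shared state");
        }
        userName = (name instanceof Principal) ? ((Principal) name).getName() : name.toString();
        // Assumption: module options such as roles.alice=admin,reader map users to roles.
        Object mapped = options.get("roles." + userName);
        if (mapped == null) {
            // Least privilege: an SSO user without an explicit mapping gets no access,
            // not a default role.
            throw new LoginException("no role mapping for user " + userName);
        }
        roles = new HashSet<String>(Arrays.asList(mapped.toString().trim().split("\\s*,\\s*")));
        return true;
    }

    @Override
    public boolean commit() {
        rolesGroup = new RolesGroup("Roles"); // group name PicketBox uses for authorization
        for (String role : roles) {
            rolesGroup.addMember(new NamedPrincipal(role));
        }
        subject.getPrincipals().add(rolesGroup);
        return true;
    }

    @Override
    public boolean abort() {
        roles = Collections.emptySet();
        return true;
    }

    @Override
    public boolean logout() {
        if (rolesGroup != null) {
            subject.getPrincipals().remove(rolesGroup);
        }
        return true;
    }

    /** Minimal Principal; org.jboss.security.SimplePrincipal would serve the same purpose. */
    static class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o != null && o.getClass() == getClass() && name.equals(((NamedPrincipal) o).name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }

    /** Minimal Group; org.jboss.security.SimpleGroup would serve the same purpose. */
    static final class RolesGroup extends NamedPrincipal implements Group {
        private final Set<Principal> members = new HashSet<Principal>();
        RolesGroup(String name) { super(name); }
        public boolean addMember(Principal p) { return members.add(p); }
        public boolean removeMember(Principal p) { return members.remove(p); }
        public boolean isMember(Principal p) { return members.contains(p); }
        public Enumeration<? extends Principal> members() { return new Vector<Principal>(members).elements(); }
    }
}
```

In the security domain the module is listed after the module that validates the SSO assertion, with that module's `password-stacking` option set to `useFirstPass` so the user name reaches the shared state; with `org.jboss.security` at trace level, the log then shows both the identity from the first module and the "Roles" group this one adds, which is the quickest way to confirm which of the two halves is failing.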
It is PicketLink that needs to be configured. GitHub has [examples][1]
[1]: https://github.com/jboss-developer/jboss-picketlink-quickstarts
There is no need for a SiteMinder agent if only the SP setup is in scope.
Also, the IDM team has to be requested to stick to POST binding.
This covers the questions I asked.

Can Bluemix environment be replicated on developer laptops?

Can a Bluemix environment with Liberty be replicated on developer laptops for offline development? Will I be able to run Bluemix Local with OpenStack on a quad-core i5?
You can run Cloud Foundry in a VM on your laptop using bosh-lite. You could also install the open source Liberty buildpack into this local CF with the buildpack dependencies cached giving you an environment that could work offline.
The Bluemix services will not be available to you though, if you are offline, so the answer really depends on what services you need. You could reasonably set up some kind of local database but many of the services would just be unavailable.
I am not sure what exactly your requirement is. The IBM Liberty profile can be set up with Eclipse, and you can create a server locally to test your Java/JEE code. This is very simple: you need to install the Liberty plugin in Eclipse and create a server. See the documentation on the IBM website.
See this URL if it helps; you can integrate a Bluemix server with your Eclipse IDE:
https://console.ng.bluemix.net/docs/manageapps/eclipsetools/eclipsetools.html

External SSO and Web Application running on TOMCAT 6.0

New to Java. I developed a web application (JSP) successfully deployed on Tomcat 6.0. Now the client wants to use external SSO to authenticate users. As of now, when the users are authenticated, the website is displayed with a login page where the user has to log in again.
I am using Login.jsp to bring the user roles from the SQL DB for the website.
What I want to accomplish now is that when the user is authenticated, login.jsp should retrieve the credentials from the SSO and display the website, thus accomplishing the purpose of the single sign-on process.
I read a lot on this forum and other websites but am kinda lost in the process.
Any help would be appreciated.
thank you
We developed a Tomcat extension (valve) which does just that. Basically you use standard J2EE security (role-ref etc) in your app and our Tomcat valve then acts as a bridge between Tomcat and our SSO platform. You can find out more at www.cloudseal.com
Of course you may not want to use our SSO platform :-( but you can still use our Tomcat valve and modify it to fit your needs. It's released under an Apache 2 license and you can grab the source from GitHub.
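To make the "valve as a bridge" idea above concrete, here is an added example of a minimal Tomcat valve written for this page; it is not the Cloudseal valve and does not come from the answer or from the Tomcat project. The assumed deployment is an SSO gateway that terminates all client traffic and forwards requests with the user name in `X-SSO-User` and roles in `X-SSO-Roles`; the header names, the gateway address and the shared-secret header are assumptions. The security point the valve enforces is that these headers are only believed when the request provably comes from the gateway, because any client that can reach Tomcat directly could otherwise set them and skip authentication entirely. The valve targets the Tomcat 7 to 9 API (`javax.servlet`, `GenericPrincipal(name, password, roles)`); Tomcat 6's `GenericPrincipal` constructor takes a leading `Realm` argument, and Tomcat 10 moves to `jakarta.servlet`.

```java
// Added example: Tomcat valve that turns an identity asserted by a trusted SSO gateway into
// a container principal, so web.xml security-constraints, isUserInRole() and getRemoteUser()
// work without a second login page. Header names and addresses are assumptions.
package com.example.sso; // assumption: hypothetical package

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.valves.ValveBase;

public class HeaderSsoValve extends ValveBase {
    // Both are set from server.xml attributes (Tomcat maps attributes onto setters);
    // the defaults here are constructed placeholders, not real values.
    private String gatewayAddress = "10.0.0.5";
    private String sharedSecret;

    public void setGatewayAddress(String gatewayAddress) { this.gatewayAddress = gatewayAddress; }
    public void setSharedSecret(String sharedSecret) { this.sharedSecret = sharedSecret; }

    @Override
    public void invoke(Request request, Response response) throws IOException, ServletException {
        String user = request.getHeader("X-SSO-User");
        if (user != null) {
            if (!isFromGateway(request)) {
                // Identity headers from anything but the gateway are either an attempt to
                // forge a login or a broken network layout; either way, refuse the request.
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            List<String> roles = parseRoles(request.getHeader("X-SSO-Roles"));
            request.setAuthType("SSO");
            // No password is stored on the principal: the gateway already authenticated the user.
            request.setUserPrincipal(new GenericPrincipal(user, null, roles));
        }
        // Unauthenticated requests fall through to the normal security constraints.
        getNext().invoke(request, response);
    }

    /** The request is trusted only if it comes from the gateway AND carries the shared secret. */
    boolean isFromGateway(Request request) {
        String presented = request.getHeader("X-SSO-Secret");
        return gatewayAddress.equals(request.getRemoteAddr())
            && sharedSecret != null
            && presented != null
            && constantTimeEquals(sharedSecret, presented);
    }

    /** "admin, reader" -> [admin, reader]; an absent or blank header means no roles. */
    static List<String> parseRoles(String header) {
        if (header == null || header.trim().isEmpty()) {
            return Collections.emptyList();
        }
        return Arrays.asList(header.trim().split("\\s*,\\s*"));
    }

    /** Length-independent comparison so the secret cannot be guessed byte by byte via timing. */
    static boolean constantTimeEquals(String expected, String presented) {
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     presented.getBytes(StandardCharsets.UTF_8));
    }
}
```

It is registered inside the `<Context>` (or `<Host>`) in server.xml as `<Valve className="com.example.sso.HeaderSsoValve" gatewayAddress="..." sharedSecret="..."/>`, with the secret kept out of version control. Because the principal carries the roles, the application's `Login.jsp` no longer needs its own password prompt; if the roles should still come from the SQL database rather than a header, the valve can load them by user name at the point where `parseRoles` is called, and the header-trust check stays exactly as it is.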