How to provide custom athentication/authorization manager in Wildfly - rest

I have a backend REST service providing authentication and authorization. How can I configure my Wildfly server or the deployed application so that the REST calls are made to verify any user credentials and retrieve user roles over REST? The application itself can access the REST service.
I try to authenticate the user by calling javax.servlet.http.HttpServletRequest.login(username, password).

http://www.mastertheboss.com/jboss-server/jboss-security/creating-a-custom-jboss-login-module
Try create custom login module

Related

How does quarkus support basic authentication with keycloak as identity provider?

I want to secure a rest service with basic authentication. The credentials should be used to obtain an access token from a keycloak instance for that client and check the allowed roles on the service.
The quarkus security architecture guide states that at least one extension installed that provides a username/password based IdentityProvider is required. It refers to JPA IdentityProvider and JDBC IdentityProvider, only. But I want to authenticate agains keycloak.
I have successfully setup a web app and a rest service with quarkus-oidc. It authenticates the user and provides access to the rest service via access token.
I also used properties files with basic authentication successfully.
My keycloak myclient setup has Direct Access Grants Enabled with Access Type set to confidential.
My configuration in application.properties:
quarkus.oidc.enabled=true
quarkus.oidc.auth-server-url=http://localhost:8180/auth/realms/myrealm
quarkus.oidc.client-id=myclient
quarkus.oidc.credentials.secret=secret
quarkus.http.auth.basic=true
Is this a valid combination?
When I debug into HttpAuthenticator constructor the only mechanism found is OidcAuthenticationMechanism, I'd expect BasicAuthenticationMechanism to be present.

How to obtain a JWT token via an AuthenticationProvider from an internal Oauth2 server without redirecting to the server for login

We have a microservice based environment running our own authentication server that will produce JWT tokens using the /oauth/token endpoint but this server does not provide a web login page.
For our front end application we have tried the oauth2Login setups but they all want to try and redirect the browser to the authentication server, authenticate and then redirect back to the application. Likewise oauth2Client setups add an AuthenticationProvider but that will only authenticate a OAuth2AuthorizationCodeAuthenticationToken but the user login request will generate a UsernamePasswordAuthenticationToken so oauth2Client provider never gets evaluated.
We were looking for something similar to the ldap authentication providers in that the username and password is collected locally and sent to the authorisation server. While we can write our own custom AuthencationProvider which accepts the UsernamePasswordAuthenticationToken, communicates with the oauth server and return the generated JWT. We were hoping there was something pre-existing that was part of the current spring-boot framework. If our understanding is correct then the oauth2Client setup is what we are after but can't work out how to enable the initial authentication.
We are using spring boot 2.2.5.

Keycloak client vs user

I understand that keycloak has built-in clients and we add the users later on.
But in general, what is the difference between a client and a user in Keycloak?
According to the Keycloak documentation
User - Users are entities that are able to log into your system
Client - Clients are entities that can request Keycloak to authenticate a user. Most
often, clients are applications and services that want to use Keycloak to secure
themselves and provide a single sign-on solution. Clients can also be entities that
just want to request identity information or an access token so that they can
securely invoke other services on the network that are secured by Keycloak
In short words, not only for keycloak but for OAuth and OpenId Connect too, a client represents a resource which some users can access. The built-in clients for keycloak represent some resources for keycloak itself.
Clients and users are two completely different constructs in keycloak.
In plain English, client is an application. Example for an application could be a e.g. yelp.com or any mobile application. Client can be a simple REST API. Keycloak's built in clients are for keycloak internal use, But any user-defined application has to be registered as a client in keycloak.
Users are the one which authenticate via keycloak to gain access to these applications/clients. Users are stored in keycloak DB or any externally hosted LDAP but synced with keycloak.

Need to provide both Basic Authorization and SSO on Bluemix Liberty server

I have a Java app running under Websphere Liberty on IBM Bluemix. I need to be able to authenticate users 3 different ways - Basic Auth, SAML SSO, and OpenAuth SSO, in that order.
I can set up the app to do Basic Auth (using custom code) or SAML SSO (using the Bluemix Single Sign On service), but can't figure out a way to configure it to handle both at once. (I haven't even looked into how to do OpenAuth yet.) If I configure the app to use the Bluemix SSO service, then my app never sees the incoming requests to check for a userid and password to try Basic Auth before the SSO service grabs it.
I tried changing the redirect URL in the SSO service to an endpoint inside my app, but then all I get is
CWOAU0062E: The OAuth service provider could not redirect the request because the redirect URI was not valid. Contact your system administrator to resolve the problem.
I can't be the only one that needs to do this. Can anyone tell me how they did it?

Sharing Security Context between web app and RESTful service using Spring Security

We are designing security for a green field project with a UI web module (Spring MVC) - the client, and a RESTful services web module (CXF) - the server, to be deployed as separate war files in the same Websphere app server. The system should be secured with Spring Security, authenticating against LDAP and authorizing against a database. We have been looking for the best solution to share the security context between the 2 apps, so a user can authenticate in the web UI and invoke its AJAX calls to the secured RESTful services. Options found:
OAuth: seems overkill for our requirements, introduces a fairly complex authentication process, and reportedly some enterprise integration issues
CAS: would amount to setting up an enterprise SSO solution, something beyond the scope of our engagement
Container-based (Websphere) security, although not recommended by Spring Security, and we're not clear if this could provide a solution to our specific needs
We're looking for a simpler solution. How can we propagate the Security Context between the 2 apps? Should we implement authentication in the UI web app, then persist sessions in the DB, for the RESTful services to lookup? Can CXF provide a solution? We read many threads about generating a 'security token' that can be passed around, but how can this be done exactly with Spring Security, and is it safe enough?
Looking forward to any thoughts or advice.
You want to be able to perform the REST web services on the server on behalf the user authenticated in UI web module.
The requirements you described called SingleSignOn.
The simplest way to do it is passing the HTTP header with the user name during REST WS calls.
(I hope your REST client allows to do it).
To do it in secure way use one of the following:
Encrypt the user name in REST client and decrypt it in REST server
Ensure that the header is sent from the local host (since your application deployed on the same container)
Therefore, protect both application using SpringSecurity authenticate against LDAP.
In the first application (Rest Client) use regular Form Authentication
In the second application (Rest Server) add the your own PreAuthenticatedProcessingFilter:
http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#d0e6167
Edited
The “Authentication” is the process of verifying of a principal’s identity.
In our case both REST Client (Spring MVC application) and REST server (CXF application) verify an identity against LDAP. LDAP “says” OK or Not. LDAP is a user repository. It stateless and does not remember the previous states. It should be kept in applications.
According to my understanding, a user will not access directly to REST server – the user always access REST Client. Therefore, when the user access REST Client he/ she provides a user name and a password and REST Client authenticate against LDAP. So, if REST Client access REST server the user is authenticated and REST Client knows his name.
So, if request come to REST server with a user header name - REST server for sure knows that the user was authenticated and it should not authenticate it again against LDAP.
(The header should be passed in the secured way as described above).
Rest Server should take the user name, to access to LDAP and to collect related user information without providing of the user password (since the user already authenticated).