In our current setup we have about a dozen web applications that deploy to a single Tomcat server. One of these applications is CAS which is used for all authorization.
This works pretty well and in our jRuby web application we use the rubycas-client gem, point to CAS and we're done.
Now we have a requirements where, in a Java component, we need to be able to call out to another web application via a rest service that resides on the same server. My first thought was to use CAS proxy tickets but the web application we have to hit currently doesn't have this enabled and, due to the nature of the environment, this cannot be changed.
So as far as I can tell we're left trying to impersonate the user by using an iframe in our web application that points to the other one (we're all on the same domain and server) and scrape its sessionid for impersonation and pass it down to the Java layer. But I really, really don't want to do this.
Am I missing anything? Is there any better ways of doing this? Is there a way to get the sessionid without an iframe maybe?
Thanks!
If you want to call a web service from a web application using CAS identity, you certainly should use the CAS proxy feature.
If you can't cassify your web service, there is another option for you : you could use the Apache module for CAS : https://wiki.jasig.org/display/CASC/mod_auth_cas.
Related
I have to give my recommendations for an architecture for SSO using Site Minder.
We have few J2EE applications. These J2EE applications are designed to work when http headers have information after authentication by SSO provider. We have kept our applications SSO provider agnostic. This means we only rely on headers from SSO provider. This worked well with RSA as the SSO provider.
Now there is another architecture proposed with SiteMinder. The way request will flow is
SiteMinder with IIS -> Apache Reverse Proxy -> Tomcat Application -> Backend Applications.
To break down we will have
a) SiteMinder with IIS (public facing site)
b) Apache Reverse Proxy ( For routing)
c) Tomcat Application (For routing and a logic for site access based on time)
d) Backend applications
The reason for bringing the new architecture is that all back end applications have code for site access. The site can be down for some time, which is controlled by a property file.
I find this architecture wrong. I do not understand why Apache Reverse Proxy is requried. I would still go with simple architecture with flow as
a) SiteMinder with IIS doing the routing -> Backend Applications(accessing a common service to check whether site can be accessed or not)
Am I missing something?
The Apache reverse proxy would make it easier to load balance between multiple IIS instances. As far as I know to do something similar on IIS you would need to use the ARR (application request routing) module which won't be optimised to work with Tomcat etc.
However, the SiteMinder with IIS does seem an added overhead in your architecture. The Apache reverse proxy also supports SiteMinder agents. Why don't you push for setting up the SiteMinder agent on the Apache proxy and remove IIS completely from the picture. I can think of the following benefits:
Remove one extra layer from the architecture
Remove an extra network hop
Clean up the stack. Apache + Tomcat is very standard in enterprises while IIS + Apache + Tomcat definitely isn't.
Hope this helps
I don't see either the rationale behind the second architecture. The first scenario is a much more common deployment of Siteminder.
Be aware that this kind of architecture potentially opens vulnerabilities (logon bypass notably). See my answer on this question. Those remarks are true for both architectures.
I developed a Rest web service with Play! Framework. I aim to secure access to this WS. I'm discovering OAuth2 and it seems to be a good solution in my case. However, instead of using an external OAuth2 provider, I prefer to manage this part myself. So, I installed the last snapshot of OpenAM (12.0.0), which can do this. I have an instance of Active Directory on which the authentication should be based.
I have access to the documentation but I don't know how proceed. I would like to have some tracks.
Thanks for your help.
I have developed a Catalyst application, which runs via the catalyst development server at, say, localhost:3000. Next I configured Apache to proxy requests to http://myhost/myapp/ to localhost:3000 using mod_proxy.
I would now like Catalyst to know that it has been publicly relocated to the base url myapp/ and take it into account when forming URLs via uri_for.
How can I do it?
KT, the easiest thing to do is to install Catalyst::TraitFor::Request::ProxyBase, as it is specifically designed to replace request base with the value passed by HTTP proxy.
The module is completely transparent and requires no modification of the existing app.
I'm working with SOAP based web services that require authentication. I usually use the Eclipse Web Service explorer to explore the offered services but for the services requiring authentication, there does not seem to be an authentication option and I keep getting the 401 response.
I tried online clients as well. There is one at http://soapclient.com/soaptest.html but it also exhibits the same behavior.
When I try to access the web services through the browser I get the username/password prompt and it works.
I have also tried using https://username:password#webserviceURL. Again, this works in the browser but not in Eclipse or the online SoapClient utility.
Any ideas how I can get do this ?
It was pretty trivial in SoapUI.
I also found an online client that works with the http://username:password#webserviceURL pattern. Its at : http://tools.pointbeing.net/wsdlviewer
New to JAVA. I developed Web application(JSP) successfully delpoyed on TOMCAT 6.0. Now the client want to use external SSO to authenticate users. As of now when the users are authenticated the website is displayed with Login Page where the user has to login again.
I am using the Login.jsp to bring the user roles from the SQLDB for Website.
What I want to accomplish now is when User is authenticated login.jsp should retrieve the credentials from the SSO and display the website thus accomplishing the purpose of Single sign on process.
I read a lot from this forum and other websites but kinda lost in the process.
Any help would be appreciated.
thank you
We developed a Tomcat extension (valve) which does just that. Basically you use standard J2EE security (role-ref etc) in your app and our Tomcat valve then acts as a bridge between Tomcat and our SSO platform. You can find out more at www.cloudseal.com
Of course you may not want to use our SSO platform :-( but you can still use our Tomcat valve and modify it to fit your needs. It's released under an Apache 2 license and you can grab the source from Github