Integrating Authentication and Authorization

 
Michael B Allen
Greenhorn
Posts: 6
We have an Active Directory integration library that implements the Windows NTLM Security Service Provider including the server-side using the NETLOGON service. Naturally one of the areas we want to expose this to is the web stack. So far we have a Servlet Filter that does SSO authentication and Windows group based authorization.

However, I can see that I'm somewhat out of touch with the current state of using Java for web applications and I'm concerned that I'm not exposing this functionality in an optimal way for developers.

If our Filter overrides HttpServletRequestWrapper methods like getRemoteUser and isUserInRole, is that sufficient for developers to utilize our library?

Is there anything else that can we do to make integrating authentication and authorization easier for Java web developers?

What are some popular "frameworks"? Do they utilize Filters or do they require writing a framework specific module or plugin?

We also have a JAAS LoginModule. Are LMs applicable to the web stack? Can application servers automatically utilize LMs?

Mike
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65522
I think this'd be more appropriate in the Servlets forum, so I've shifted it there for you.
 
Ulf Dittmer
Rancher
Posts: 42970
There is no standard for integrating web app security with a servlet container, so each container does its own thing; e.g., Tomcat uses realms. You may want to make sure that your library works well with one of the existing realms, or provide your own.

Filters are a common approach; SecurityFilter is one library that does it this way.

JAAS isn't commonly used for web apps, as it doesn't integrate well with them (see Using JAAS in Java EE and SOA Environments for some discussion). It can be made easier by using it through something like jGuard or Tomcat's JAASRealm.

You may also want to check out the various Java SSO solutions, like OpenSSO, JOSSO and CAS (all linked in the http://faq.javaranch.com/java/SecurityFaq).
 
Sandeep Kumar Jakkaraju
Ranch Hand
Posts: 75
looks like the sheriffs have missed the JBOSS culprit ..... you can just use some xml files and do auth !! using JBOSS .....
Move this to JBOSS forum ..... .
 
Ulf Dittmer
Rancher
Posts: 42970
Sandeep Kumar Jakkaraju wrote: looks like the sheriffs have missed the JBOSS culprit ..... you can just use some xml files and do auth !! using JBOSS .....

Which is how Tomcat realms work as well. But this is a generic discussion, and -as I understand it- a generic product.
 
Michael B Allen
Greenhorn
Posts: 6
Ulf Dittmer wrote: You may also want to check out the various Java SSO solutions, like OpenSSO, JOSSO and CAS

Just being a little pedantic here but the term Single Sign-On (SSO) is highly overloaded so I want to clarify how our SSO solution (http://www.ioplex.com/jespa.html) is completely different from the SSO solutions you cite above.

Many browsers support the WWW-Authenticate: NTLM and WWW-Authenticate: Negotiate authentication mechanisms that transparently authenticate clients using their workstation credentials in an IntrAnet environment. For example, our product specifically targets clients on a Microsoft Active Directory network where workstations are "joined" to a domain and domains have "trusts".

The important part about this type of SSO is that users only enter their password a single time when they log into their workstation a la Ctrl-Alt-Del. Then when they visit a site running our Filter they go right in and it automatically knows who they are (and has their fully expanded list of group SIDs, which makes group based access checks extremely fast). And if they do need to enter a password (because they're not joined to the domain or because they want to change their identity), the password is never even transmitted over the network. A nonce that is encrypted by the browser with the password is transmitted instead. This type of authentication is much more secure. Actually one of the key things about our solution is that it supports NTLMv2 and other features that are required by the security policies of financial institutions and governments.

The solutions you cite use HTTP redirection to direct the client to a central server for authentication and then redirect the client back to the target site. So those solutions are only necessary in an IntErnet environment where the client is not already associated with a central authority. And even on the IntErnet, the WWW-Authenticate: NTLM method is superior for the authentication step.
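The mechanism described in the thread (a Filter that answers unauthenticated requests with a WWW-Authenticate: Negotiate/NTLM challenge and, once the handshake completes, exposes the Windows identity to the application through HttpServletRequestWrapper's getRemoteUser, getUserPrincipal and isUserInRole) sketched as an added example. This is not Jespa's code nor part of the original thread: WindowsIdentity, WindowsAuthenticator and the "windowsAuthenticator" context attribute are hypothetical names standing in for whatever the library actually provides.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical: the identity the library produces after a completed NTLM/Negotiate handshake.
interface WindowsIdentity extends Principal { Set<String> groupSids(); }

// Hypothetical: runs one round of the handshake; returns null while more rounds are needed.
interface WindowsAuthenticator {
    WindowsIdentity authenticate(HttpServletRequest req, HttpServletResponse resp) throws IOException;
}

public class WindowsSsoFilter implements Filter {
    private WindowsAuthenticator auth;

    @Override public void init(FilterConfig cfg) {
        // Hypothetical wiring: the application registers its authenticator as a context attribute.
        auth = (WindowsAuthenticator) cfg.getServletContext().getAttribute("windowsAuthenticator");
    }

    @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        WindowsIdentity id = auth.authenticate(req, resp);
        if (id == null) {
            // Handshake not finished: challenge the browser, which retries with workstation credentials.
            resp.setHeader("WWW-Authenticate", "Negotiate");
            resp.addHeader("WWW-Authenticate", "NTLM");
            resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Downstream servlets see the Windows identity through the standard servlet API only.
        chain.doFilter(new WindowsRequest(req, id), resp);
    }

    static final class WindowsRequest extends HttpServletRequestWrapper {
        private final WindowsIdentity id;
        WindowsRequest(HttpServletRequest req, WindowsIdentity id) { super(req); this.id = id; }
        @Override public String getRemoteUser() { return id.getName(); }
        @Override public Principal getUserPrincipal() { return id; }
        @Override public String getAuthType() { return "NTLM"; }
        // Role check against the expanded group SID list; a deployer-defined role-to-SID map would go here.
        @Override public boolean isUserInRole(String role) { return id.groupSids().contains(role); }
    }

    @Override public void destroy() { auth = null; }
}
```

Because NTLM authenticates a connection rather than each request, a production filter also has to remember the identity for the session (or connection) and re-challenge when it is missing, which this sketch leaves out.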
 