Integrating Authentication and Authorization

 
Greenhorn
Posts: 6
We have an Active Directory integration library that implements the Windows NTLM Security Service Provider including the server-side using the NETLOGON service. Naturally one of the areas we want to expose this to is the web stack. So far we have a Servlet Filter that does SSO authentication and Windows group based authorization.

However, I can see that I'm somewhat out of touch with the current state of using Java for web applications and I'm concerned that I'm not exposing this functionality in an optimal way for developers.

If our Filter overrides HttpServletRequestWrapper methods like getRemoteUser and isUserInRole, is that sufficient for developers to utilize our library?

Is there anything else that we can do to make integrating authentication and authorization easier for Java web developers?

What are some popular "frameworks"? Do they utilize Filters or do they require writing a framework specific module or plugin?

We also have a JAAS LoginModule. Are LMs applicable to the web stack? Can application servers automatically utilize LMs?

Mike
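The wrapper approach asked about above, as an added example that is not the original poster's library code: a Filter runs the SSO handshake through a hypothetical `Authenticator` interface and then hands the application an `HttpServletRequestWrapper` whose `getRemoteUser`, `getUserPrincipal` and `isUserInRole` answer from the Windows account name and the pre-expanded group SIDs. It uses the `javax.servlet` API; the `Identity` and `Authenticator` types and the session attribute name are assumptions.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

public class SsoFilter implements Filter {
    // Hypothetical result type filled in by the NTLM/Negotiate handshake.
    public interface Identity { String account(); Set<String> groupSids(); }

    // Hypothetical authenticator: completes the WWW-Authenticate exchange and returns the
    // identity, or writes the 401 challenge to the response and returns null.
    public interface Authenticator {
        Identity authenticate(HttpServletRequest req, HttpServletResponse res) throws IOException;
    }

    private static final String ATTR = "com.example.sso.identity"; // constructed attribute name
    private final Authenticator auth;

    // In a deployed filter the authenticator would normally be built in init() from FilterConfig.
    public SsoFilter(Authenticator auth) { this.auth = auth; }
    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpSession session = http.getSession(true);
        Identity id = (Identity) session.getAttribute(ATTR);
        if (id == null) {
            id = auth.authenticate(http, (HttpServletResponse) res);
            if (id == null) return;            // challenge sent; never run the chain unauthenticated
            session.setAttribute(ATTR, id);    // cache so the handshake is not repeated per request
        }
        chain.doFilter(new WindowsIdentityRequest(http, id), res);
    }

    /** Exposes the authenticated identity through the standard servlet API. */
    static class WindowsIdentityRequest extends HttpServletRequestWrapper {
        private final Identity id;
        WindowsIdentityRequest(HttpServletRequest req, Identity id) { super(req); this.id = id; }

        @Override public String getRemoteUser() { return id.account(); }
        @Override public Principal getUserPrincipal() { return id::account; }
        // Roles are expressed as group SIDs; the pre-expanded set makes this a constant-time lookup.
        @Override public boolean isUserInRole(String role) { return id.groupSids().contains(role); }
        // Tells code inspecting getAuthType() that this identity is not container-managed.
        @Override public String getAuthType() { return "NTLM"; }
    }
}
```

Servlets and downstream frameworks that rely only on the standard `HttpServletRequest` security methods then work unchanged; anything that instead asks the container's realm (such as `web.xml` security constraints) is not covered by the wrapper.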
 
Sheriff
Posts: 67750
I think this'd be more appropriate in the Servlets forum, so I've shifted it there for you.
 
Rancher
Posts: 43081
There is no standard for integrating web app security with a servlet container, so each container does its own thing; e.g., Tomcat uses realms. You may want to make sure that your library works well with one of the existing realms, or provide your own.

Filters are a common approach; SecurityFilter is one library that does it this way.

JAAS isn't commonly used for web apps, as it doesn't integrate well with them (see Using JAAS in Java EE and SOA Environments for some discussion). It can be made easier by using it through something like jGuard or Tomcat's JAASRealm.

You may also want to check out the various Java SSO solutions, like OpenSSO, JOSSO and CAS (all linked in the http://faq.javaranch.com/java/SecurityFaq).
 
Ranch Hand
Posts: 75
Looks like the sheriffs have missed the JBoss culprit... you can just use some XML files and do auth using JBoss!
Move this to the JBoss forum.
 
Ulf Dittmer
Rancher
Posts: 43081
Sandeep Kumar Jakkaraju wrote: looks like the sheriffs have missed the JBOSS culprit ..... you can just use some xml files and do auth !! using JBOSS .....

Which is how Tomcat realms work as well. But this is a generic discussion, and, as I understand it, a generic product.
 
Michael B Allen
Greenhorn
Posts: 6
Ulf Dittmer wrote: You may also want to check out the various Java SSO solutions, like OpenSSO, JOSSO and CAS

Just being a little pedantic here but the term Single Sign-On (SSO) is highly overloaded so I want to clarify how our SSO solution (http://www.ioplex.com/jespa.html) is completely different from the SSO solutions you cite above.

Many browsers support the WWW-Authenticate: NTLM and WWW-Authenticate: Negotiate authentication mechanisms that transparently authenticate clients using their workstation credentials in an IntrAnet environment. For example, our product specifically targets clients on a Microsoft Active Directory network where workstations are "joined" to a domain and domains have "trusts".

The important part about this type of SSO is that users only enter their password a single time when they log into their workstation a la Ctrl-Alt-Del. Then when they visit a site running our Filter they go right in and it automatically knows who they are (and has their fully expanded list of group SIDs which makes group based access checks extremely fast). And if they do need to enter a password (because they're not joined to the domain or because they want to change their identity), the password is never even transmitted over the network. A nonce that is encrypted by the browser with the password is transmitted instead. This type of authentication is much more secure. Actually one of the key things about our solution is that it supports NTLMv2 and other features that are required by the security policies of financial institutions and governments.

The solutions you cite use HTTP redirection to direct the client to a central server for authentication and then redirect the client back to the target site. So those solutions are only necessary in an IntErnet environment where the client is not already associated with a central authority. And even on the IntErnet, the WWW-Authenticate: NTLM method is superior for the authentication step.
 