Since version 1.61, the BouncyCastle library supports the Argon2 password-based key derivation function. However, I cannot find an example of how to use the Argon2 algorithm through the BouncyCastle API. Can someone give a hint? Thanks a lot.
If you look for an example, you can look into the Spring Security source code on GitHub, because Spring Security Crypto uses BouncyCastle for Argon2 password hashing.
If you just want to use a library for Argon2 password encryption, you could also use Spring Security Crypto (has only 2 optional compile dependencies).
import org.springframework.security.crypto.argon2.Argon2PasswordEncoder;

// Spring Security Crypto's Argon2 encoder; it delegates the hashing to BouncyCastle
Argon2PasswordEncoder argon2PasswordEncoder = new Argon2PasswordEncoder();
// Produces an encoded hash string that carries the parameters and a random salt
String aCryptedPassword = argon2PasswordEncoder.encode("password");
// Re-hashes the candidate with the stored salt/parameters and compares
boolean passwordIsValid = argon2PasswordEncoder.matches("password", aCryptedPassword);
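For the direct BouncyCastle route the question asked about, here is an added example (not from the question, the answer or either project) using BouncyCastle's own Argon2BytesGenerator and Argon2Parameters; the cost parameters, salt length and sample password are assumed values chosen for illustration.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import org.bouncycastle.crypto.generators.Argon2BytesGenerator;
import org.bouncycastle.crypto.params.Argon2Parameters;

public class Argon2Example {
    // Illustrative cost parameters; raise memory and iterations to what your servers can afford.
    private static final int MEMORY_KB = 65536, ITERATIONS = 3, PARALLELISM = 1, HASH_LEN = 32;

    // Argon2id hash of a password under a given salt (store salt and parameters next to the hash)
    static byte[] hash(char[] password, byte[] salt) {
        Argon2Parameters params = new Argon2Parameters.Builder(Argon2Parameters.ARGON2_id)
                .withVersion(Argon2Parameters.ARGON2_VERSION_13)
                .withSalt(salt)
                .withMemoryAsKB(MEMORY_KB)
                .withIterations(ITERATIONS)
                .withParallelism(PARALLELISM)
                .build();
        Argon2BytesGenerator generator = new Argon2BytesGenerator();
        generator.init(params);
        byte[] out = new byte[HASH_LEN];
        generator.generateBytes(password, out);  // fills 'out' with the derived hash
        return out;
    }

    // Recompute with the stored salt and compare in constant time
    static boolean verify(char[] password, byte[] salt, byte[] stored) {
        return MessageDigest.isEqual(hash(password, salt), stored);
    }

    public static void main(String[] args) {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);                          // fresh random salt per password
        char[] pw = "correct horse battery staple".toCharArray();    // constructed sample password
        byte[] h = hash(pw, salt);
        Base64.Encoder b64 = Base64.getEncoder();
        System.out.println("salt=" + b64.encodeToString(salt) + " hash=" + b64.encodeToString(h));
        System.out.println("same password matches: " + verify(pw, salt, h));
        System.out.println("other password matches: " + verify("other".toCharArray(), salt, h));
    }
}
```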
Currently, I'm struggling with automating our API over SSL with Karate DSL, and the main problem is that I'm not able to automate this API without keeping that cert.pfx in some directory with the configuration below:
// enable X509 certificate authentication with PKCS12 file 'certstore.pfx' and password 'certpassword'
configure ssl = { keyStore: 'classpath:certstore.pfx', keyStorePassword: 'certpassword', keyStoreType: 'pkcs12' }
Is there any other approach to load the cert store, instead of using certstore.pfx from a local directory/cloud/sftp dir?
I was thinking about creating a KeyStore Java object (with chain certs & private key) and passing it to the configuration instead of the pfx file, { keyStore: keyStoreObj, keyStorePassword: 'xxx' ..}, or some other in-memory object which will provide all the needed certs/keys to connect over SSL.
Thanks for your advice!
Thank you Peter, so I decided to go the advanced way and extend HttpClient, where I override configure(HttpConfig config, ScriptContext context) and pass in a KeyStore object, which was constructed before with certificates that I got from HashiCorp Vault.
Btw Karate DSL is great!
Use Java interop: https://github.com/intuit/karate#calling-java
For example: you can implement some custom way to get the cert that you need and save it to /tmp and then use file:/tmp/mycert.pfx to load the cert.
It is up to you to implement in any way that you want. If you want to do something more advanced, consider extending the ApacheHttpClient - and tips on how to do this are provided here.
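One way to do the "get the cert, save it to /tmp, load it with file:" approach from the answer while keeping the key off disk as much as possible; this is an added example, not Karate's code or the asker's, and the class name, alias, the Karate lines in the comment and the POSIX-only permission bits are assumptions.

```java
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;

// Hypothetical helper for Karate's Java interop: the private key and chain arrive from wherever
// you fetch them (a vault, an HTTP call), are packed into an in-memory PKCS12 store and written to
// an owner-only temp file that Karate can load with the 'file:' prefix. Assumes a POSIX filesystem.
public class TempKeyStore {

    public static String write(PrivateKey key, Certificate[] chain, String password) throws Exception {
        char[] pw = password.toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);                               // empty store, nothing read from disk
        ks.setKeyEntry("client", key, pw, chain);

        // rw------- so other local users cannot read the key material
        Path file = Files.createTempFile("karate-", ".pfx",
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------")));
        try (OutputStream out = Files.newOutputStream(file)) {
            ks.store(out, pw);
        }
        file.toFile().deleteOnExit();                      // the key should not outlive the test run
        return file.toAbsolutePath().toString();
    }

    // In a feature file (Karate syntax, assumed; key and chain obtained earlier in the scenario):
    //   * def path = Java.type('com.example.TempKeyStore').write(key, chain, 'certpassword')
    //   * def store = 'file:' + path
    //   * configure ssl = { keyStore: '#(store)', keyStorePassword: 'certpassword', keyStoreType: 'pkcs12' }
}
```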
What I have done
First, I cloned the repository of the CAS project from GitHub and switched to the tag v4.2.7.
git clone https://github.com/apereo/cas.git
git checkout v4.2.7
Then I built it using the gradlew tool:
./gradlew
Finally, I copied the artifact ./cas-server-webapp/build/libs/cas-server-webapp-4.2.7.war and extracted it to run; it just works well.
But since I want to configure CAS to use the X.509 authentication method, the result is frustrating, because the login web flow XML file is different: all of the solutions for using the X.509 authentication method say to first substitute generateLoginTicket with startAuthenticate, like this: https://wiki.jasig.org/display/CASUM/X.509+Certificates, but "generateLoginTicket" is gone from the file /WEB-INF/webflow/login/login.xml in version 4.2.7. And the CAS documentation is also of no help: https://apereo.github.io/cas/4.2.x/installation/X509-Authentication.html
I want to learn how to configure CAS v4.2.7 to use the X.509 authentication method. I would appreciate it if you could help me out.
As per my personal experience with the 5.0 version overlay, add to pom.xml:
<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-x509-webflow</artifactId>
    <version>${cas.version}</version>
</dependency>
And add proper CA certificates to the server keystore.
Some pointers more than anything required here.
I'm trying to get both X509 and LDAP working in my application. I want users to be authenticated using their PKI certs and then for the APP to get their authorities from our LDAP server.
I have LDAP working with a custom userDetailsContextMapper at the moment; however, how to add X509 properly stumps me a little.
I think what I want is a PreAuthenticatedAuthenticationProvider that uses an injected ldapUserDetails service.
How can I do that? Do I need a UserDetailsByNameServiceWrapper to wrap the LdapUserDetailsService up to be used within the pre-authentication provider?
I ask because unfortunately the testing platform and the development environment are detached at the moment, and I don't have a local LDAP or PKI set up to test against, so it's about a 6 hour process getting a new war onto the dev environment... Restrictive, I know... So I want to get it right the first time.
Cheers!
NOTE: THE FOLLOWING WORKS WITH Spring-Security-Core v1.2.7.3; configuration names are different in 2.0RC2
Following a few different ideas, this is what I came up with. This assumes you already have LDAP working with a custom UserDetailsContextMapper (see: ldap documentation):
Ensure both the LDAP and a PreAuthenticatedAuthenticationProvider are in the provider list (the names must match the bean names defined below):
grails.plugins.springsecurity.providerNames = [
    'preAuthenticatedAuthenticationProvider',
    'ldapAuthProvider',
    'daoAuthenticationProvider',
    'anonymousAuthenticationProvider',
    'rememberMeAuthenticationProvider']
Then in your spring resources (grails-app/conf/spring/resources.groovy) configure the following beans:
ldapUserDetailsService(org.springframework.security.ldap.userdetails.LdapUserDetailsService,
        ref('ldapUserSearch'),
        ref('ldapAuthoritiesPopulator')) {
    userDetailsMapper = ref('ldapUserDetailsMapper')
}
userDetailsByNameServiceWrapper(org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper) {
    userDetailsService = ref('ldapUserDetailsService')
}
preAuthenticatedAuthenticationProvider(org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider) {
    preAuthenticatedUserDetailsService = ref('userDetailsByNameServiceWrapper')
}
And Bob's your uncle and you have some aunts!
For reference the pages I used to come up with this solution are:
No AuthenticationProvider found using spring security
Wrap your LdapUserDetailsService in a UserDetailsByNameServiceWrapper
Instead of the LdapAuthenticationProvider configure a PreAuthenticatedAuthenticationProvider that will be able to process the PreAuthenticatedAuthenticationToken issued by your CustomX509AuthenticationFilter.
Inject the wrapped LdapUserDetailsService into the PreAuthenticatedAuthenticationProvider.
http://blog.serindu.com/2011/05/26/grails-spring-security-using-preauthenticated-authentication-provider/
Covers how to wire up a preAuthenticatedAuthenticationProvider in Grails
http://forum.spring.io/forum/spring-projects/security/108467-combine-pre-authentication-with-ldap-for-user-details-and-authorities
there's an LdapUserDetailsService that does all the good things the LdapAuthenticationProvider does - except for authentication
http://pwu-developer.blogspot.co.uk/2012/02/grails-security-with-cas-and-ldap.html: more on how to wire up that ldapUserDetailsService
Hope this helps someone else!
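The same wiring outside Grails, as an added example (not the answerer's code and not from the Spring Security project): plain Spring Security Java config in the WebSecurityConfigurerAdapter style, where x509() installs a PreAuthenticatedAuthenticationProvider that is fed by the wrapped LdapUserDetailsService. The LDAP URL, base DN, search bases and filter are placeholder values.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper;
import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;
import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;
import org.springframework.security.ldap.userdetails.LdapUserDetailsService;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

// Same wiring as the Groovy beans above, in plain Spring Security Java config (pre-5.7 adapter style).
@Configuration
@EnableWebSecurity
public class X509LdapSecurityConfig extends WebSecurityConfigurerAdapter {

    // Placeholder directory values; replace with your own URL, base DN, search bases and filter.
    private static final String LDAP_URL = "ldaps://ldap.example.internal:636/dc=example,dc=internal";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        DefaultSpringSecurityContextSource contextSource = new DefaultSpringSecurityContextSource(LDAP_URL);
        contextSource.afterPropertiesSet();

        // Loads the user record and group authorities by name only: no LDAP bind with a password,
        // because the client certificate already did the authenticating.
        LdapUserDetailsService ldapUserDetailsService = new LdapUserDetailsService(
                new FilterBasedLdapUserSearch("ou=people", "(uid={0})", contextSource),
                new DefaultLdapAuthoritiesPopulator(contextSource, "ou=groups"));

        // Adapts the UserDetailsService to the AuthenticationUserDetailsService that the
        // PreAuthenticatedAuthenticationProvider installed by x509() requires.
        UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken> wrapper =
                new UserDetailsByNameServiceWrapper<>(ldapUserDetailsService);

        http.x509()
                // principal name = CN of the certificate subject, then looked up as uid in LDAP
                .subjectPrincipalRegex("CN=(.*?)(?:,|$)")
                .authenticationUserDetailsService(wrapper)
                .and()
            .authorizeRequests().anyRequest().authenticated();
    }
}
```

The container (or Apache in front of it) must still be configured to request client certificates and to trust only your PKI's issuing CAs; Spring only consumes the certificate the server has already validated.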
I'm relatively new to Restlet, so currently I am experimenting with Restlet 2.1, and I want to add user authentication.
I am currently using Apache ReverseProxy, and planning to use it as an SSL proxy, so I'll probably encrypt/decrypt on Apache and Restlet will get plain text.
I found references to using the Restlet ChallengeAuthentication, but cannot find it in the 2.1 API doc, and since Restlet just updated their site, most URLs are just broken,
so it'd be really nice if someone could give me some guidance on how to build it, or give me a functional link to some examples, e.g.:
how do I check for authentication,
how do I detect cookie,
how do I set a secure cookie,
how do I read from that encrypted cookie
Also, another design question: would I be better off using a function that tries to decrypt the cookie for auth, rather than actually storing the cookie data in a DB like Redis?
Thanks in advance!
I did authentication using Restlet 2.1.2 on GAE.
The following code may help you with how to provide authentication in Restlet:
import org.restlet.data.ChallengeScheme;
import org.restlet.security.ChallengeAuthenticator;
import org.restlet.security.MapVerifier;

// Guard that challenges for HTTP Basic credentials in the realm "Your application."
ChallengeAuthenticator guard = new ChallengeAuthenticator(getContext().createChildContext(), ChallengeScheme.HTTP_BASIC, "Your application.");
// In-memory verifier: user name -> secret (userName and password come from your own config)
MapVerifier verifier = new MapVerifier();
verifier.getLocalSecrets().put(userName, password.toCharArray());
guard.setVerifier(verifier);
// What the guard protects: either a Restlet instance or a ServerResource class; use one or the other, the last setNext call wins
guard.setNext(this);
guard.setNext(anyclass.class);
router.attach("/v1", guard);
And see this link http://restlet.org/learn/tutorial/2.1/ for more information about Restlet.
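MapVerifier keeps the secrets themselves in memory. As an added example (not the answerer's code and not part of Restlet), here is a drop-in SecretVerifier written against the Restlet 2.1 API that stores only salted PBKDF2 hashes and compares in constant time; the iteration count, salt length and sample user are assumed values.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import org.restlet.security.SecretVerifier;

// Verifier that holds only salted PBKDF2 hashes, so a memory dump or log never exposes plaintext
// passwords. Written against Restlet 2.1, where verify(String, char[]) returns boolean.
public class HashedSecretVerifier extends SecretVerifier {
    private static final int ITERATIONS = 100_000, KEY_BITS = 256;   // assumed cost settings
    private static final byte[] DUMMY_SALT = new byte[16];
    private final Map<String, byte[][]> users = new ConcurrentHashMap<>(); // identifier -> {salt, hash}

    public void addUser(String identifier, char[] secret) {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);                            // per-user random salt
        users.put(identifier, new byte[][] { salt, derive(secret, salt) });
    }

    @Override
    public boolean verify(String identifier, char[] secret) {
        byte[][] entry = users.get(identifier);
        if (entry == null) {
            derive(secret, DUMMY_SALT);   // unknown user: do the same work so timing does not reveal valid names
            return false;
        }
        return MessageDigest.isEqual(entry[1], derive(secret, entry[0]));   // constant-time comparison
    }

    private static byte[] derive(char[] secret, byte[] salt) {
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(new PBEKeySpec(secret, salt, ITERATIONS, KEY_BITS)).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

Use it in place of the MapVerifier above: create a HashedSecretVerifier, call addUser("alice", "sample-password".toCharArray()) with your own constructed users, then guard.setVerifier(verifier).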
mod_authn_otp is an Apache web server module for two-factor authentication using one-time passwords (OTP) generated via the HOTP/OATH algorithm defined in RFC 4226. The developers have listed only one compatible device (Authenex's A-Key 3600) on their website. If a device is fully compliant with the standard, and it allows you to recover the token ID, it should work. However, without testing, it's hard to tell whether a device is fully compliant.
Have you ever tried other devices (software or hardware) with mod_authn_otp (or other open source server-side OTP program)? If yes, please share your experience :)
Any device that claims to be "OATH Compliant" should -- and probably does -- work.
The hard part is not compliance, it's getting the vendor to give you the secret key associated with the token. They don't like to do this because they make their money off the servers, not the tokens.
Note this new iPhone app also works if cell phones are an option for you.
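Once you do have a token's secret key, compliance can be checked directly: an RFC 4226 HOTP implementation fed the RFC's Appendix D test key must reproduce the published test vectors, and the token must produce the same codes for the same counters. The following is an added example, not part of mod_authn_otp or of any post above; the look-ahead window size in verify() is an assumed value standing in for whatever resynchronisation window your server allows.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// RFC 4226 HOTP reference computation, usable to check a token (or a server) against the RFC's test vectors.
public class Hotp {
    private static final int[] POW10 = {1, 10, 100, 1000, 10000, 100000, 1000000, 10000000, 100000000};

    public static int generate(byte[] secret, long counter, int digits) {
        try {
            Mac mac = Mac.getInstance("HmacSHA1");
            mac.init(new SecretKeySpec(secret, "HmacSHA1"));
            byte[] h = mac.doFinal(ByteBuffer.allocate(8).putLong(counter).array()); // 8-byte big-endian counter
            int offset = h[h.length - 1] & 0x0f;                                      // dynamic truncation
            int bin = ((h[offset] & 0x7f) << 24) | ((h[offset + 1] & 0xff) << 16)
                    | ((h[offset + 2] & 0xff) << 8) | (h[offset + 3] & 0xff);
            return bin % POW10[digits];
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    // Server-side check with a look-ahead window, the way an OTP server resynchronises a token whose
    // counter has run ahead (window size is an assumed value). Returns the matched counter, or -1.
    public static long verify(byte[] secret, long lastCounter, int window, int candidate, int digits) {
        for (long c = lastCounter + 1; c <= lastCounter + window; c++) {
            if (generate(secret, c, digits) == candidate) return c;
        }
        return -1;
    }

    public static void main(String[] args) {
        byte[] secret = "12345678901234567890".getBytes(StandardCharsets.US_ASCII); // RFC 4226 Appendix D test key
        int[] expected = {755224, 287082, 359152, 969429, 338314, 254676, 287922, 162583, 399871, 520489};
        for (int c = 0; c < expected.length; c++) {
            int got = generate(secret, c, 6);
            System.out.printf("counter %d: %06d %s%n", c, got, got == expected[c] ? "ok" : "MISMATCH");
        }
        // a token that skipped ahead to counter 3 is accepted and the server moves its counter to 3
        System.out.println("resync to counter " + verify(secret, 0, 10, 969429, 6));
    }
}
```

After a successful match the server must store the matched counter so the same code cannot be replayed; a code at or below the stored counter is rejected.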
If you're looking for more options, consider using mod-auth-radius or mod-ldap. Most two-factor auth solutions support radius and ldap and you will get far more options and flexibility. Plus, you can do things like run your radius auth through Active Directory and then have IAS/NPS proxy the request to the 2FA server. Thus, when a user is disabled in AD, they are disabled for 2FA too.
There are a couple of ways to do mod-radius:
https://www.wikidsystems.com/support/how-to/how-to-configure-apache-to-use-radius-for-two-factor-authentication-on-ubuntu// and https://www.wikidsystems.com/support/how-to/two-factor-authentication-for-apache-22-or-higher/