I would like to use CAS to make authentication and a database to manage roles and permissions with JEE7 on JBoss WildFly. Does it support this kind of realm?
Thanks
Yes, CAS provides a filter for JBoss integration; it hides the boilerplate related to the CAS protocol.
Your principal is injected; you can retrieve it and then get its roles and permissions from the database.
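To make the answer concrete, here is an added example (not from the original thread or the CAS project) of a servlet filter placed after the CAS client filter chain: it reads the principal the CAS client injected via getUserPrincipal(), loads that user's roles from a database through a JNDI DataSource, and wraps the request so isUserInRole() answers from the database. The JNDI name java:/MyAppDS and the users/roles/user_roles tables are assumptions.

```java
import java.io.IOException;
import java.security.Principal;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.util.HashSet;
import java.util.Set;
import javax.naming.InitialContext;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.sql.DataSource;

/** Runs after the CAS client filters; maps the CAS-authenticated principal to DB-backed roles. */
public class DbRoleFilter implements Filter {
    private DataSource ds;

    @Override public void init(FilterConfig cfg) throws ServletException {
        try { ds = (DataSource) new InitialContext().lookup("java:/MyAppDS"); } // assumed JNDI name
        catch (Exception e) { throw new ServletException(e); }
    }

    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        Principal p = http.getUserPrincipal();                 // set by the CAS client request wrapper filter
        if (p == null) { chain.doFilter(req, res); return; }   // not CAS-authenticated: pass through unchanged
        final Set<String> roles = loadRoles(p.getName());
        chain.doFilter(new HttpServletRequestWrapper(http) {
            @Override public boolean isUserInRole(String role) { return roles.contains(role); }
        }, res);
    }

    /** Roles come only from the database; the CAS username is bound as a parameter, never concatenated. */
    Set<String> loadRoles(String username) throws ServletException {
        Set<String> roles = new HashSet<>();
        String sql = "SELECT r.name FROM user_roles ur JOIN roles r ON r.id = ur.role_id "
                   + "JOIN users u ON u.id = ur.user_id WHERE u.username = ?"; // assumed schema
        try (Connection c = ds.getConnection(); PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) { while (rs.next()) roles.add(rs.getString(1)); }
        } catch (Exception e) { throw new ServletException("role lookup failed", e); }
        return roles;
    }

    @Override public void destroy() {}
}
```

Map this filter in web.xml after the CAS validation and request-wrapper filters, so that getUserPrincipal() is already populated when it runs.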
We have several custom-developed online applications as well as open source applications such as KOHA, Moodle and Bugzilla.
We are attempting to integrate their authentication using a Single Sign-On service. So far we have tried JASIG CAS and this seems to solve most of our issues.
However we would also like to link the authentication to an LDAP compatible directory service.
My questions are:
1. Why do we need to use CAS with LDAP?
2. Can an LDAP-only service work? (All of our applications either directly support LDAP or can be modified to work with LDAP.)
3. Assuming CAS is running on a MySQL database, can an LDAP-compatible system such as Active Directory contact the CAS server to log in?
With CAS, you centralize your security in one place, instead of having each application integrated with your LDAP.
Yes, it's generally more work and a lot less secure (see 1).
CAS relies on your LDAP for authentication; applications connected to CAS benefit from SSO, but applications can directly authenticate users via your LDAP (without SSO).
I'm involved in a Java web application migration project to the IBM WebSphere Portal (IBM WP) platform.
The actual application in the production environment manually validates user credentials (username and password) against a database table that stores the data. I understand that the idea behind a portal application is that the portal container handles these security issues, but I'm not sure how IBM WP can consume the credentials that are now in the database.
There's a brand new Tivoli Directory Server in the company, and I'm aware that I can't connect IBM WP to this LDAP server, so do I need to migrate every user in the database to this LDAP server, or is there a way that Tivoli recognizes the credentials that are in the database?
Trust Association Interceptors are powerful, but they totally override WebSphere authentication mechanisms, so be sure to write a quite robust one! As Carlos Gavidia suggested, I'd also give a look to Custom User Registry. I'd also suggest considering Property Extension Repository (also known as Lookaside), so you can define your own attributes and read/write them directly from the Portal API.
http://www-01.ibm.com/support/docview.wss?uid=swg21248674
You can hook in any kind of custom authentication you need using a Trust Association Interceptor. Your custom authenticator would probably work a lot like the authentication code in your existing system. It would display a page prompting the user for their credentials, and then check them against the DB.
I'm not sure how this relates to your Tivoli LDAP, but there seems to be a provided TAI for TAM integration: Tivoli Access Manager Trust Association Interceptor (TAI++)
I am working on a project involving Liferay Portal, CAS and Apache Directory Server. I am supposed to prepare a proof of concept (or disproof) for the following model.
1. Liferay is integrated with CAS and supports SSL (needed for further usage of SSO). I have already done it and it works.
2. CAS communicates with the LDAP server (Apache Directory Server) in order to perform not only authentication, but also authorization. I would like to achieve a situation where Liferay stores its dynamic privileges (to various Liferay objects) in its own database and gets static privileges (like user roles, for instance) from CAS, which in fact gets them from LDAP. I want it transparent, namely that Liferay is not aware of LDAP's existence.
As far as I know, CAS out-of-the-box only supports authentication.
Is this possible? Any ideas? Hints?
CAS as in Central Authentication Service? It's designed for authentication, as the name implies.
Authorization is something quite different, as you clearly know already. You'll need a framework designed for authorization - try Spring Security.
I agree with David M.: CAS handles only authentication.
But you could load all the roles of a user during the authentication process (e.g. by implementing your own AuthenticationMetaPopulator) and provide these to a service using the later response of the serviceticket-validate call.
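An added example (not from the thread or the CAS project) of what that answer describes on the CAS 3.x server side: a populator that runs after the password check and rebuilds the principal with an extra "roles" attribute, so the attribute can be released in the service ticket validation response. The RoleSource interface is a hypothetical stand-in for the LDAP group lookup; the org.jasig.cas classes are the CAS 3.x server API as I understand it, and the service registry entry must still allow the "roles" attribute to be released.

```java
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.jasig.cas.authentication.Authentication;
import org.jasig.cas.authentication.AuthenticationMetaDataPopulator;
import org.jasig.cas.authentication.MutableAuthentication;
import org.jasig.cas.authentication.principal.Credentials;
import org.jasig.cas.authentication.principal.Principal;
import org.jasig.cas.authentication.principal.SimplePrincipal;

/**
 * Adds a "roles" attribute to the authenticated principal. Runs only after an
 * AuthenticationHandler has accepted the credentials, so roles are never looked
 * up for an unauthenticated username.
 */
public class RolePopulator implements AuthenticationMetaDataPopulator {

    /** Hypothetical abstraction over the directory lookup (e.g. groupOfNames memberships). */
    public interface RoleSource {
        List<String> rolesFor(String username);
    }

    private final RoleSource roleSource;

    public RolePopulator(RoleSource roleSource) {
        this.roleSource = roleSource;
    }

    @Override
    public Authentication populateAttributes(Authentication auth, Credentials creds) {
        Principal old = auth.getPrincipal();
        // Copy the existing principal attributes and append the directory roles
        Map<String, Object> attrs = new HashMap<String, Object>(old.getAttributes());
        attrs.put("roles", roleSource.rolesFor(old.getId()));
        // Principals are immutable, so build a new one with the same id and the enriched attributes
        MutableAuthentication result = new MutableAuthentication(new SimplePrincipal(old.getId(), attrs));
        result.getAttributes().putAll(auth.getAttributes());   // keep authentication-level metadata
        return result;
    }
}
```

Register the populator in the authenticationMetaDataPopulators list of the AuthenticationManager bean; on the client side the roles then arrive as a principal attribute of the validated assertion rather than from the application's own database.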
Currently we are having a servlet application which is getting authenticated against the JBoss portal. But now we are forced to move to Liferay portal from JBoss portal, so we need to find the way to authenticate against the Liferay portal database from my servlet application. Currently in my servlet application, I am using the WebAuthentication class to authenticate against JBoss portal. But in Liferay I am not finding any custom class which is responsible for doing the servlet authentication. So do I need to write my custom login module? Anybody please share with me if you have any idea/reference on servlet Liferay authentication.
Any help is appreciated.
Regards,
Suresh
Take a look at com.liferay.portal.servlet.filters.autologin.AutoLoginFilter, specifically at the getLoginRemoteUser method.
Also take a look at classes in com.liferay.portal.security.auth package.
There's a virtual LDAP plugin for Liferay, offering the Liferay user database through the LDAP protocol. Caveat: It seems to be "enterprise edition" only.
This is my first time trying Spring Security and LDAP. I have a couple of novice questions. My main confusions are:
How do we assign roles to users? Is it done on the LDAP server, or done via a configuration file in my webapp? By roles I mean: a couple of users would have all the access to webapp features (Admins), regular users (read-only access to webapp data), an analytics group (users which can run a report in the webapp).
Currently the application uses j_security_check for normal user authentication with the LDAP server. (Where in WebSphere do we hook up the LDAP connection settings for this authentication?)
I found it confusing too, and developed my own module which ties in with Java EE Security.
Basically the webapp is set up with standard Java EE Security, and methods on Spring beans can be given the @RolesAllowed annotation, in which case the logged-in user's roles are checked against the required roles just before calling the method. See here for details.
You can use LDAP or a database or a file - where the roles and users are stored is up to you. Normally for production, you will use LDAP or a connector to some kind of directory server. Sorry I can't help with WebSphere - been a while since I set it up for security.
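An added illustration (not the answerer's module and not Spring's implementation) of the check that answer describes: a dynamic proxy that reads the JSR-250 @RolesAllowed annotation on a bean method and refuses the call unless the caller holds at least one of the listed roles. The ReportService interface and the role names "admin" and "analytics" are assumptions; in a real webapp callerRoles would be derived from HttpServletRequest.isUserInRole() or the container Subject.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.util.Arrays;
import java.util.Set;
import javax.annotation.security.RolesAllowed;

/** Wraps a bean so that every @RolesAllowed method is gated by the caller's roles. */
public final class RoleGuard {

    /** Hypothetical bean interface standing in for the webapp's Spring beans. */
    public interface ReportService {
        String runReport(String name);
        String readData();
    }

    public static class ReportServiceImpl implements ReportService {
        @RolesAllowed({"admin", "analytics"})
        public String runReport(String name) { return "report:" + name; }
        public String readData() { return "data"; }     // no annotation: any authenticated user
    }

    public static <T> T guard(Class<T> iface, final T target, final Set<String> callerRoles) {
        return iface.cast(Proxy.newProxyInstance(iface.getClassLoader(), new Class<?>[]{iface},
            new InvocationHandler() {
                public Object invoke(Object proxy, Method m, Object[] args) throws Throwable {
                    // The annotation lives on the implementation method, so resolve it there
                    RolesAllowed ra = target.getClass()
                        .getMethod(m.getName(), m.getParameterTypes()).getAnnotation(RolesAllowed.class);
                    if (ra != null && !Arrays.stream(ra.value()).anyMatch(callerRoles::contains)) {
                        throw new SecurityException("caller lacks a required role for " + m.getName());
                    }
                    try { return m.invoke(target, args); }
                    catch (InvocationTargetException e) { throw e.getCause(); }  // unwrap bean exceptions
                }
            }));
    }

    public static void main(String[] a) {
        ReportService svc = guard(ReportService.class, new ReportServiceImpl(), Set.of("analytics"));
        System.out.println(svc.runReport("monthly"));   // allowed: analytics is listed
        svc = guard(ReportService.class, new ReportServiceImpl(), Set.of("user"));
        System.out.println(svc.readData());             // allowed: no annotation
        try { svc.runReport("monthly"); } catch (SecurityException e) { System.out.println(e.getMessage()); }
    }
}
```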