Should Keycloak be used in my website user registration and log in? - authentication

I am using JBoss JSF to develop a personal project, and the website needs a user registration and login feature, as many other sites do. There are lots of tutorials on how to develop a user registration component with Java EE and the JPA framework. I just happened to find the Keycloak project. It seems that Keycloak can be used for user registration and management purposes, especially if you use JBoss to develop the application.
My question is, do I really need to use this for user registration? It seems very heavy, and I didn't find any API docs that I can refer to in order to integrate it into my web application.
What's the best use case for Keycloak? And how do I integrate it into a Java EE application? Any quickstart or tutorial for a Java application would be appreciated.

The main Keycloak project includes adapter documentation (the adapters are used to secure clients) and an examples project showing how to secure a JEE application using JEE application security.
If you use Spring, there's a Spring Security adapter that supports a more flexible security implementation as well, with examples for this too.

Related

Wrapper for Python enterprise service provider

Context:
I'm researching how to easily implement SSO for an enterprise on-premise Service Provider to enable both SAML and OIDC. I came across multi-provider wrappers, but I wasn't able to find Python (Tornado) specific ones.
Research:
The only active one I found is this, but it's mostly for social login and looks like it doesn't support SAML.
This link mentions some client-based Python wrappers like sanction and rauth, but neither supports SAML.
Apart from wrappers, I also looked at the dev tools provided by OneLogin for the SAML protocol.
https://www.onelogin.com/resource-center/saml-toolkits
Python SAML OneLogin - How to support multiple Identity Providers
Questions:
Which are the multi-provider authentication wrappers for Python enterprise apps?
Are there other options, apart from the ones mentioned above, to ease the SP development?
Could I potentially use a wrapper like python-social-auth for OIDC support and OneLogin devtool for SAML support?
I'm a product manager and not a dev. I have been researching a lot but to no avail.
python-social-auth supports SAML and OIDC. It supports multi-tenancy as well (by overriding the default strategy).
I recommend using it rather than trying to implement them yourself if you want to save time/money or if your dev team doesn't have much knowledge about authentication in general.

Authentication with Mobilefirst Java Adapter

We are working with MobileFirst version 7.0. We want to achieve authentication using the adapter-based authentication process. Earlier we used an HTTP adapter and it worked. But we changed it to a Java adapter and want to achieve authentication with Java adapter-based authentication.
My questions are:
Is it possible?
If yes, how can we move forward?
If not, what is the alternative for doing authentication using a Java adapter?
There is some documentation covering your question.
Here are links to get you started:
Authentication concepts in MFP 7.0: https://developer.ibm.com/mobilefirstplatform/documentation/getting-started-7-0/authentication-security/authentication-concepts/
Adapters overview: https://developer.ibm.com/mobilefirstplatform/documentation/getting-started-7-0/server-side-development/adapter-framework-overview/
Java adapters: https://developer.ibm.com/mobilefirstplatform/documentation/getting-started-7-0/server-side-development/java-adapter/
Adapter-based authentication: https://developer.ibm.com/mobilefirstplatform/documentation/getting-started-7-0/authentication-security/adapter-based-authentication/
You need to use a JavaScript adapter.
Read the documentation.
Use OAuth.
I found this blog entry, and in particular the second video answered many questions.
OAuth Blog
In all cases I have ever seen we set up a Worklight security Realm and use adapter-based authentication to authenticate to that Realm. Our OAuth-protected resources then reference that realm.
In principle we could define realms that do not depend upon a JavaScript adapter for authentication, the MFP Security model is open to extension. In practice this is probably more work than you want to do. I find that the JavaScript model is itself quite extensible, as it can call down to Java code when something complex is needed.

Microsoft.Owin.Security.ActiveDirectory library purpose

I am getting myself familiar with all the stuff related to authentication using active directory (both Azure AD and Windows Server AD).
Currently I am inspecting the MS Katana project, which is based on the OWIN specification.
There are three libraries, and one of them is kind of confusing for me:
Microsoft.Owin.Security.ActiveDirectory
Microsoft.Owin.Security.OpenIdConnect
Microsoft.Owin.Security.WsFederation
As for OpenID and WS-Federation, I understand what they are for; there are plenty of examples and articles about that.
What confuses me is the purpose of the ActiveDirectory library. I mean, is this another way to authenticate against Active Directory besides OpenID and WS-Federation?
I am unable to find any relevant, clear articles and examples about this one. Even on this site the library is only listed, with no example:
Azure Active Directory Authentication Libraries
So my question is: what is this library for, and what are the use cases for using it over the OpenIdConnect and WsFederation ways?
Thanks
That library contains middleware used for securing a Web API with Azure AD. Any sample featuring a Web API project in https://github.com/AzureADSamples/ uses it.

SSO Support for Rally RestAPI jar

I have come across a post where SSO is supported, or can be used, with Rally.RestApi.dll and C#. Below is the link:
How to SSO using Rally.RestApi.dll?
The Excel plugin available on the Rally website works fine even with SSO. Then this should even work with the Java REST API, I believe.
But I would like to know whether RallyRestAPI.jar for Java can be used with an SSO-enabled Rally or not.
Are there any tips or tricks that can be employed to make it work?
I want to generate a customized Rally report for my team. I am using Java and RallyRestAPI.jar for this.
Please suggest & help
C#
The Rally Excel and Visual Studio plugins support SSO, and the next version of the dll for the .NET toolkit will eventually replace the currently available dll v2.0.1, which is a year old. The new dll will use the SSO mechanism used in the Rally Visual Studio plugin, and not the one implemented in the current version of the Excel plugin; eventually the Excel plugin will be updated with that mechanism as well. A timeframe for all this is not available yet.
Java
There is currently no work in progress and no plans to add SSO support to the Rally REST toolkit for Java.
This means that if your Rally subscription allows either hybrid authentication (SSO and Rally authentication) or SSO with exceptions, your Java code can use basic Rally authentication. In the latter case your API user account has to be added to the exceptions list by your subscription administrator.

Azure Websites Authentication / Authorization

I am using a new feature of Azure that enables Active Directory authentication for your website without writing any code.
http://azure.microsoft.com/blog/2014/11/13/azure-websites-authentication-authorization/
But the problem is that my web application is also hosting some Web APIs, which need to be called without any authentication.
Is there a way (some attributes?) so that I can call the Web APIs without any authentication?
Tushar, I see that Byron also replied to your question on his post and suggested creating another website for the APIs as a workaround. However, I suggest that you wire up auth separately for your Web App and APIs following our samples here: https://github.com/AzureADSamples/WebApp-OpenIDConnect-DotNet, https://github.com/AzureADSamples/WebApp-WebAPI-OpenIDConnect-DotNet
Let me know if you run into any issues.
From the very same article you refer to:
Current Limitations
There are some limitations to the current preview release of this feature:
...
With the current release the whole site is placed behind the login requirement.
Headless authentication/authorization for API scenarios or service-to-service scenarios are not currently supported.
So, no, you cannot have partial APIs or pages anonymously available: all pages and APIs will be protected by Azure Active Directory.