Context:
I'm researching how to easily implement SSO for an enterprise on-premise Service Provider to enable both SAML and OIDC. I came across multi-provider wrappers but wasn't able to find Python (Tornado) specific ones.
Research:
The only active one I found is this, but it's mostly for social login and looks like it doesn't support SAML.
This link mentions some client-based Python wrappers like sanction and rauth, but neither supports SAML.
Apart from wrappers I also looked at the dev tools provided by OneLogin for the SAML protocol.
https://www.onelogin.com/resource-center/saml-toolkits
Python SAML OneLogin - How to support multiple Identity Providers
Questions:
Which multi-provider authentication wrappers are there for Python enterprise apps?
Are there other options, apart from the ones mentioned above, to ease the SP development?
Could I potentially use a wrapper like python-social-auth for OIDC support and the OneLogin dev tool for SAML support?
I'm a Product manager and not a dev. I have been researching a lot but to no avail.
python-social-auth supports SAML and OIDC. It supports multi-tenancy as well (by overriding the default strategy).
I recommend you use it rather than trying to implement them yourself if you want to save time/money or if your dev team doesn't have much idea about authentication in general.
I am using JBoss JSF to develop a personal project, and the website needs a user registration and login feature, as many other sites do. There are lots of tutorials on how to develop a user registration component in the Java EE and JPA framework. I just happened to find the Keycloak project. It seems that Keycloak can be used for user registration and management purposes, especially if you use JBoss to develop the application.
My question is, do I really need to use this for user registration? It seems very heavy, and I didn't find any API docs that I can refer to in order to integrate it into my web application.
What's the best use case of Keycloak? And how do I integrate it in a Java EE application? Any quickstart or tutorial for a Java application would be appreciated.
The main Keycloak project includes adapters documentation (to be used to secure clients) and an examples project showing how to secure a JEE application using JEE application security.
If you use Spring, there's a Spring Security adapter that supports a much more flexible security implementation as well, including examples for this.
This is really basic. I want to implement a RESTful web API.
Now I know you can write custom applications and scripts to integrate with the API.
What I need to know:
In what languages can you write this API? C#, Java, php?
When building/programming a program that implements this API, is this the client, and the software that issued the API the server? (e.g. Dropbox would be the server and the custom app that integrates with the Dropbox API is the client?)
Thank you.
A REST API can be built in any programming language that allows you to handle HTTP requests (or can be attached to a Web server as a handler for requests). The two methods I've been using:
Stand-alone Windows service implementing a REST service using WCF
WEB server Apache + PHP
You are correct about the terminology. A program consuming a service is called the client, a program providing a service is called the server (while actually in the PHP approach, Apache would be the server as it is taking the request and having the script handle it).
Additional nitpicking: jQuery is not a language, but a framework to help you use some JavaScript features more easily.
On your comment recap:
Close :-) The Client transfers JSON/XML/whatever to a server using HTTP requests. The Client can be written in any language that can perform HTTP requests.
On the server side, there needs to be some application that handles the HTTP requests (service), also written in any language, as long as it "speaks" HTTP.
The API is the definition of which operations are possible, for example, adding user accounts, getting the current time, etc. (this is what you define - what do you want your service to do?).
The JSON/XML/whatever that you transfer is the workload, the parameters for the API call. For example, if you want to add a new user to your system, the workload could be the new user name, the real name, the email address and some other details about the user. If the API call returns the current server time, you might not need any parameters at all, but you get back JSON/XML/whatever from the service.
The actual call being made is determined by the URL you call. For example, the URL for adding a user could be http://localhost/myrestservice/adduser and you'd perform a POST request against that URL with the required workload. For the time example, the URL could be http://localhost/myrestservice/getservertime and you'd perform a GET request against that URL.
I suggest that you read about how REST services actually work before you start, as I see some question marks on your face ;-)
Short:
API = available operations (=> URLs)
Parameters to API calls = JSON/XML/Plain Text/whatever
Client = calls the service through HTTP
Service = handles the calls, replies to client in response to HTTP requests
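To make the client/server split concrete, here is an added example (not code from the thread) in Python: a minimal REST service using only the standard library that exposes exactly the two operations the answer uses as illustrations, `POST /adduser` with a JSON workload and `GET /getservertime` with none, plus a tiny client that calls them. The API logic lives in a pure `dispatch()` function so it can be exercised without sockets; the route names, field names, the 4 KiB body cap and the in-memory user store are all constructed for this example. Note that the service validates the workload on the server side (JSON shape, required fields, email format, size) rather than trusting the client.

```python
"""Minimal REST service (added example, not from the thread).

Operations, matching the answer's own examples:
  POST /adduser       - workload: JSON object with name, realname, email
  GET  /getservertime - no workload, replies with the current UTC time
"""
import json
import re
import threading
import urllib.error
import urllib.request
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer

MAX_BODY = 4096                      # constructed cap on request workload size
_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
USERS = {}                           # constructed in-memory store: name -> record


def dispatch(method, path, body):
    """Route one request. Returns (status_code, dict to send back as JSON)."""
    if method == "GET" and path == "/getservertime":
        return 200, {"servertime": datetime.now(timezone.utc).isoformat()}
    if method == "POST" and path == "/adduser":
        try:
            workload = json.loads(body.decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            return 400, {"error": "workload must be UTF-8 JSON"}
        if not isinstance(workload, dict):
            return 400, {"error": "workload must be a JSON object"}
        required = ("name", "realname", "email")
        missing = [k for k in required if not isinstance(workload.get(k), str)]
        if missing:
            return 400, {"error": "missing string fields", "fields": missing}
        if not _EMAIL.match(workload["email"]):
            return 400, {"error": "invalid email"}
        if workload["name"] in USERS:
            return 409, {"error": "user exists"}
        USERS[workload["name"]] = {k: workload[k] for k in required}
        return 201, {"created": workload["name"]}
    if path in ("/getservertime", "/adduser"):
        return 405, {"error": "method not allowed"}
    return 404, {"error": "no such operation"}


class ApiHandler(BaseHTTPRequestHandler):
    """Adapts HTTP to dispatch(): reads the workload, writes the JSON reply."""

    def _serve(self, body=b""):
        status, payload = dispatch(self.command, self.path, body)
        data = json.dumps(payload).encode("utf-8")
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        self._serve()

    def do_POST(self):
        length = int(self.headers.get("Content-Length") or 0)
        if length > MAX_BODY:            # refuse oversized workloads up front
            self.send_error(413, "workload too large")
            return
        self._serve(self.rfile.read(length))

    def log_message(self, *args):        # keep the demo quiet
        pass


def call(base, method, path, workload=None):
    """Tiny client: performs the HTTP request and decodes the JSON reply."""
    data = json.dumps(workload).encode("utf-8") if workload is not None else None
    req = urllib.request.Request(base + path, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read())


def demo():
    """Run the service on a free localhost port and exercise both operations."""
    server = HTTPServer(("127.0.0.1", 0), ApiHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % server.server_address[1]
    try:
        return [
            call(base, "GET", "/getservertime"),
            call(base, "POST", "/adduser",
                 {"name": "alice", "realname": "Alice A.", "email": "alice@example.org"}),
            call(base, "POST", "/adduser", {"name": "alice"}),   # incomplete workload
        ]
    finally:
        server.shutdown()


if __name__ == "__main__":
    for status, payload in demo():
        print(status, payload)
```

Running the file prints a 200 for the time lookup, a 201 for the first user and a 400 for the incomplete workload; the same `dispatch()` function could sit behind Tornado, Flask or any other framework, since only `ApiHandler` knows about HTTP.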
If you are a PHP programmer and familiar with the CodeIgniter framework then go here: Working with RESTful Services in CodeIgniter.
Also visit: Rest Tutorial
First of all, you should begin by learning what a RESTful API is.
http://en.wikipedia.org/wiki/Representational_state_transfer
http://www.restapitutorial.com/
http://rest.elkstein.org/
In what languages can you write this API? C#, Java, php, jQuery?
You can write an API in any language. What can help is the framework you'd be using. jQuery is not a language, but a framework for integrating JavaScript applications in every web browser, so it won't help.
I'd advise you to use a microframework to write your first RESTful API, because they usually are easy to use and help you focus on what's important (bottle/flask in Python, express in JavaScript, silex in PHP, spark in Java or nina in C#).
When building/programming a program that implements this API, is this the client and the software that issued the API the server? (eg. Dropbox would be the server and the custom app that integrates with the Dropbox API is the Client?
You're right, the server is providing you the service, hence the API. The client is a user of that API, implementing it into something useful.
As most of the people stated already, you can do this in just about any language.
Might I suggest that you look into NodeJS? If so, check out Restify: http://mcavage.github.io/node-restify/
There's a nice community behind NodeJS and I think it's quite open to newcomers. Just try not to pick up bad habits from JavaScript pitfalls. If you're new to programming, I'd suggest reading an intro book.
Good luck!
I need some help with securing a single-page multi-tenant SaaS application.
Questions:
1) What is the best way to implement it? I am trying to build the application using AngularJS, Spring MVC and REST.
2) Can this be done using Spring Security? Any example of creating a login page and securing REST calls would be helpful.
I have found a sample for implementing spring security with Spring JPA (http://krams915.blogspot.com/2012/01/spring-security-31-implement_3065.html) but it is not for SPA and SaaS.
I understand this is a very broad question but I am new to SPA, REST and SaaS, so any pointers will be helpful.
Thanks...
I have already participated in two projects with SPA and security aspects. The last of them was GWT + Spring Security. I am sure that you can successfully use Angular and Spring Security together.
Unfortunately there is no built-in config parameter 'we are in SPA mode' in Spring Security, AFAIK. So some tweaking / configuration on the Spring Security side will be necessary. Example:
Imagine that during login you call the login controller built into Spring Security. In case of successful authentication, by default the user will be redirected to the index page, whereas in case of failure they will be redirected to the corresponding error page. This is normal behavior for standard web applications, but it will not be so useful for SPA web applications. In the case of a SPA you need to detect the AJAX call and print JSON with username / roles for successful cases, or send a 401 code for failures (then detect the 401 in JS and show the corresponding error). You can use the corresponding extension points from Spring Security to do so: AuthenticationSuccessHandler and AuthenticationFailureHandler.
Another thing to tweak: by default, after session expiration the user will be redirected to the login page (and the SPA app receives the login page as the response to the next AJAX call).
Looking at my personal experience, a general guide would be like so: after login, load the list of roles into JS. Use it to show / hide the corresponding components on the UI side. Apply the same list of restrictions on the server side too, to make sure that the user does not edit the JS in the browser (although in the case of minified JS of some medium-size app that would be a very complex task). On the server side you must choose between:
Secure URLs of AJAX calls
Secure some Java methods.
I prefer the second one (secure business methods on services). I think it is more convenient because normally we want to secure business operations, not some endpoints. As an advantage you will be able to expose your business logic via some other protocol, and security will already be there. On the other side I can imagine some business requirement to have different permissions for different endpoints / protocols. So it depends more on your actual situation.
Large JS applications must be split into modules. To decrease direct dependencies it may be better to use events instead of direct calls to communicate between modules. There are interesting thoughts from Addy Osmani about how to do security in these conditions. I did not find a good link to it; maybe this or this will be helpful (search "permission").
Feel free to post any questions. Good luck.
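The behaviour the answer asks for from the success handler, the failure handler and the post-expiry entry point, plus the "secure the business methods, not the endpoints" choice, can be shown framework-independently. The following is an added example in Python (the language of this page's other example), not Spring Security code: `login_handler` stands in for AuthenticationSuccessHandler/AuthenticationFailureHandler, `unauthenticated_handler` for what happens when the session has expired, and the `secured` decorator enforces the same role list on service methods that the JS uses to show or hide components. Assumptions constructed for the example: an AJAX call is recognised by the `X-Requested-With: XMLHttpRequest` header (the answer does not say how to detect it), the user store is a dict with salted SHA-256 password hashes for demo purposes, and `TenantService` is a hypothetical business service.

```python
"""Added illustration (Python, not Spring Security code) of SPA-mode login
handling and server-side role enforcement on business methods."""
import functools
import hashlib
import hmac

# Constructed demo user store: username -> (password hash, roles).
_SALT = b"demo-salt"


def _pw_hash(password):
    return hashlib.sha256(_SALT + password.encode("utf-8")).hexdigest()


USERS = {
    "alice": (_pw_hash("alice-pw"), ["ROLE_USER", "ROLE_ADMIN"]),
    "bob": (_pw_hash("bob-pw"), ["ROLE_USER"]),
}


def is_ajax(headers):
    """Assumption: the SPA marks its XHR calls with this header."""
    return headers.get("X-Requested-With") == "XMLHttpRequest"


def authenticate(username, password):
    """Return the user's roles on success, None on failure."""
    record = USERS.get(username)
    if record is None:
        return None
    stored_hash, roles = record
    # constant-time comparison so failure timing does not leak hash prefixes
    return list(roles) if hmac.compare_digest(stored_hash, _pw_hash(password)) else None


def login_handler(headers, username, password):
    """Plays AuthenticationSuccessHandler / AuthenticationFailureHandler.

    Returns (status, payload). AJAX callers get JSON or a 401; classic
    browser form posts keep the default redirect behaviour."""
    roles = authenticate(username, password)
    if roles is None:
        if is_ajax(headers):
            return 401, {"error": "bad credentials"}
        return 302, {"Location": "/login?error"}
    if is_ajax(headers):
        return 200, {"username": username, "roles": roles}   # JS loads this role list
    return 302, {"Location": "/"}


def unauthenticated_handler(headers):
    """What an expired session should produce: 401 for AJAX, not a login page."""
    if is_ajax(headers):
        return 401, {"error": "session expired"}
    return 302, {"Location": "/login"}


class AccessDenied(Exception):
    pass


def secured(*allowed_roles):
    """Decorator for service methods: the principal must hold one of the roles.

    This is the server-side twin of the show/hide logic in the browser; it
    holds whatever endpoint or protocol is in front of the service."""
    def decorate(fn):
        @functools.wraps(fn)
        def wrapper(self, principal, *args, **kwargs):
            if principal is None:
                raise AccessDenied("not authenticated")
            if not set(allowed_roles) & set(principal["roles"]):
                raise AccessDenied("%s requires one of %s" % (fn.__name__, allowed_roles))
            return fn(self, principal, *args, **kwargs)
        return wrapper
    return decorate


class TenantService:
    """Hypothetical business service for the multi-tenant SaaS case."""

    def __init__(self):
        self.tenants = {}

    @secured("ROLE_USER", "ROLE_ADMIN")
    def list_tenants(self, principal):
        return sorted(self.tenants)

    @secured("ROLE_ADMIN")
    def create_tenant(self, principal, name):
        self.tenants[name] = {"owner": principal["user"]}
        return name


def principal_from_login(headers, username, password):
    """Turn a successful AJAX login reply into the principal the services use."""
    status, payload = login_handler(headers, username, password)
    if status != 200:
        return None
    return {"user": payload["username"], "roles": payload["roles"]}


if __name__ == "__main__":
    ajax = {"X-Requested-With": "XMLHttpRequest"}
    service = TenantService()
    admin = principal_from_login(ajax, "alice", "alice-pw")
    user = principal_from_login(ajax, "bob", "bob-pw")
    print(service.create_tenant(admin, "acme"))
    print(service.list_tenants(user))
    try:
        service.create_tenant(user, "evil")
    except AccessDenied as exc:
        print("denied:", exc)
```

The point of `secured` living on `TenantService` rather than on a URL is the one the answer makes: a SOAP endpoint, a message consumer or a scheduled job calling `create_tenant` gets the same check without any extra configuration, and editing the minified JS in the browser changes only what is displayed, not what the server permits.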
I am developing a Flex application that will need to 'pull' information from an ERP system such as SAP or PeopleSoft via the client's web service.
My application will need to pass credentials & a query to a Query_URL and receive the returned data. I saw a Flash Builder 4 presentation where the Adobe evangelist created a similar application using Twitter.
Insights or links to example code would be appreciated.
Tour de Flex contains some examples for making SOAP and plain old XML Web Service requests (under Data Access). This is the typical way that requests are made to a back-end ERP (or similar) system.