Authentication in IBM Websphere Portal - authentication

I'm involved in a Java web application migration project to the IBM WebSphere Portal (IBM WP) platform.
The actual application in the production environment validates user credentials (username and password) manually against a database table that stores the data. I understand that the idea behind a Portal application is that the Portal container handles these security issues, but I'm not sure how IBM WP can consume the credentials that are now in the database.
There's a brand new Tivoli Directory Server in the company, and I'm aware that I can't connect IBM WP to this LDAP server, so do I need to migrate every user in the database to this LDAP server, or is there a way that Tivoli recognizes the credentials that are in the database?

Trust Association Interceptors are powerful, but they totally override WebSphere authentication mechanisms, so be sure to write a quite robust one! As Carlos Gavidia suggested, I'd also have a look at Custom User Registry. I'd also suggest considering Property Extension Repository (also known as Lookaside), so you can define your own attributes and read/write them directly from the Portal API:
http://www-01.ibm.com/support/docview.wss?uid=swg21248674

You can hook in any kind of custom authentication you need using a Trust Association Interceptor. Your custom authenticator would probably work a lot like the authentication code in your existing system. It would display a page prompting the user for their credentials, and then check them against the DB.
I'm not sure how this relates to your Tivoli LDAP, but there seems to be a provided TAI for TAM integration: Tivoli Access Manager Trust Association Interceptor (TAI++)
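The two answers above describe a Trust Association Interceptor (TAI) that validates form-posted credentials against the existing database table. The following is an added example of such a TAI, not code from either answerer or from IBM; it uses the real WebSphere SPI (`com.ibm.wsspi.security.tai.TrustAssociationInterceptor`, `TAIResult`) but assumes a data source named `jdbc/LegacyUsers`, a table `app_users(username, salt, pw_hash)` holding Base64-encoded PBKDF2 hashes, and a login form posted to a path ending in `/legacy_login`; all of those are assumptions for illustration, since the question does not describe the schema.

```java
import java.security.MessageDigest;
import java.security.spec.KeySpec;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.util.Base64;
import java.util.Properties;

import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.naming.InitialContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

import com.ibm.websphere.security.WebTrustAssociationException;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.wsspi.security.tai.TAIResult;
import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;

/** TAI that authenticates against a legacy credential table (example, assumed schema). */
public class DatabaseCredentialTAI implements TrustAssociationInterceptor {
    // Assumed JNDI name of the WebSphere data source and assumed legacy table layout.
    private static final String DS_JNDI = "jdbc/LegacyUsers";
    private static final String SQL =
        "SELECT salt, pw_hash FROM app_users WHERE username = ?";
    private static final int PBKDF2_ITERATIONS = 100_000;
    private static final int KEY_BITS = 256;

    @Override
    public int initialize(Properties props) { return 0; }  // 0 means success

    // Only intercept a posted login form; every other request falls through to the container.
    @Override
    public boolean isTargetInterceptor(HttpServletRequest req) throws WebTrustAssociationException {
        return "POST".equals(req.getMethod())
            && req.getRequestURI().endsWith("/legacy_login")
            && req.getParameter("username") != null;
    }

    @Override
    public TAIResult negotiateValidateandEstablishTrust(HttpServletRequest req, HttpServletResponse resp)
            throws WebTrustAssociationFailedException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        try {
            if (user != null && pass != null && verify(user, pass.toCharArray())) {
                // The principal name handed back must also exist in the configured user registry.
                return TAIResult.create(HttpServletResponse.SC_OK, user);
            }
            return TAIResult.create(HttpServletResponse.SC_UNAUTHORIZED);
        } catch (Exception e) {
            throw new WebTrustAssociationFailedException(e.getMessage());
        }
    }

    // Look up the stored salt and hash for the user and compare in constant time.
    static boolean verify(String user, char[] password) throws Exception {
        DataSource ds = (DataSource) new InitialContext().lookup(DS_JNDI);
        try (Connection c = ds.getConnection();
             PreparedStatement ps = c.prepareStatement(SQL)) {
            ps.setString(1, user);  // parameterised: the username never touches the SQL text
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) return false;
                byte[] salt = Base64.getDecoder().decode(rs.getString("salt"));
                byte[] expected = Base64.getDecoder().decode(rs.getString("pw_hash"));
                byte[] actual = pbkdf2(password, salt);
                return MessageDigest.isEqual(expected, actual);
            }
        }
    }

    static byte[] pbkdf2(char[] password, byte[] salt) throws Exception {
        KeySpec spec = new PBEKeySpec(password, salt, PBKDF2_ITERATIONS, KEY_BITS);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    @Override public String getVersion() { return "1.0"; }
    @Override public String getType() { return getClass().getName(); }
    @Override public void cleanup() { }
}
```

Two points this skeleton makes concrete: a TAI only asserts *who* the caller is, so WebSphere still resolves that principal (and its groups) through the active user registry, which is why the first answer pairs the TAI with a Custom User Registry when the users live in a database; and on failure this version answers 401 where a production interceptor would instead render or redirect to the login page, as the second answer describes.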

Related

What is the difference between OpenDS, OpenDJ and OpenAM?

Hi, please explain which to use when: OpenDS, OpenDJ, OpenAM. Thanks.
OpenDJ is an open source project building LDAP- and REST-based Directory Services. OpenDJ is continuing in open source the development of OpenDS, a project that was started by Sun Microsystems but abandoned by Oracle.
OpenAM is an open source Authentication, Authorization, Web Single Sign On, Federation solution that is flexible, extensible and highly scalable. For its configuration management, OpenAM embeds OpenDJ. For its user stores, it relies on LDAP directory servers, and is very well integrated with OpenDJ.
[Disclosure: I am product manager at ForgeRock, the company that supports and commercializes OpenDJ and OpenAM]
OpenAM is entirely different from OpenDJ or OpenDS. Let me clear all your doubts:
OpenAM is an open source access management and federation server platform, backed by ForgeRock. It was sponsored by ForgeRock until 2016. Now it is supported by the Open Identity Platform Community.
What exactly is OpenAM?
OpenAM provides a service called access management, which manages access to resources, such as a web page, an application, or a web service, available over the network. Once it is set up, OpenAM provides an infrastructure for managing users, roles, and access to resources.
It centralizes access control by handling both authentication (confirming the identity) and authorization (determining whether to grant access to someone who has authenticated).
When you dive deep inside this beautiful service you will find you can secure your resources and customize it through Open Access Policy and can implement social authentication, Multi-Factor Authentication, Account Lockout, Single Sign-On etc., and can define authorization policies in no time.
Moving on to OpenDJ...
OpenDJ is a directory server which implements a wide range of the "Lightweight Directory Access Protocol" (LDAP) and also has support for the "Directory Service Markup Language" (DSML). OpenDJ is written in the Java language.
It was an internal project started by Sun Microsystems, which is now maintained by ForgeRock.
Let me help you with those big terms like LDAP and Directory:
Lightweight Directory Access Protocol (also known as LDAP) is an application protocol.
This protocol is used specifically for querying data as well as modifying said data. This is performed by using directory services, that is, a software system that stores, organises, and provides access to the information that is in a directory.
Conclusion:
OpenAM regulates who can access what resource, when and under what condition, while OpenDJ is the high-performance, highly-available and secure store for identities managed by the organization.

Cloudbees Identity Management

Is there an identity management mechanism available to control/manage user access to a service running on the CloudBees RUN#cloud platform, i.e. force log in / sign up etc.?
Thanks,
/W
Users you added to your CloudBees domain ("account") can access all services. For a FOSS account, resources are accessible read-only without authentication, but in all other cases login to the platform is required.
Only administrators can subscribe to new services. Jenkins on DEV#Cloud adds the RBAC plugin so you can control fine-grained access to jobs and folders.
As far as I know there is no special support from the CloudBees platform for authentication of users of your application: this is just something you would implement in your app using any of numerous available libraries according to language and web framework, using the authentication system of your choice such as OpenID.
In my opinion you should consider Identity access management solutions from TeleSign. You should be able to control user access to services running on Cloudbees Run#cloud platform with ease.

Liferay + CAS + LDAP

I am working on a project involving Liferay Portal, CAS and Apache Directory Server. I am supposed to prepare a proof of concept (or disproof) for the following model.
1. Liferay is integrated with CAS and supports SSL (needed for further usage of SSO). I have already done it and it works.
2. CAS communicates with the LDAP server (Apache Directory Server) in order to perform not only authentication, but also authorization. I would like to achieve a situation where Liferay stores its dynamic privileges (to various Liferay objects) in its own database and gets static privileges (like user roles, for instance) from CAS, which in fact gets them from LDAP. I want it transparent, namely that Liferay is not aware of LDAP's existence.
As far as I know CAS out of the box only supports authentication.
Is this possible? Any ideas? Hints?
CAS as in Central Authentication Service? It's designed for authentication, as the name implies.
Authorization is something quite different, as you clearly know already. You'll need a framework designed for authorization - try Spring Security.
I agree with David M.: CAS handles only authentication.
But you could load all the roles of a user during the authentication process (e.g. by implementing your own AuthenticationMetaPopulator) and provide these to a service using the later response of the service-ticket validate call.

Spring security and ldap

This is my first time trying Spring Security and LDAP. I have a couple of novice questions. My main confusions are:
How do we assign roles to users? Is it done on the LDAP server, or via a configuration file in my webapp? By roles I mean: a couple of users would have all access to webapp features (Admins), regular users (read-only access to webapp data), and an analytics group (users who can run a report in the webapp).
Currently the application uses j_security_check for normal user authentication with the LDAP server. (Where in WebSphere do we hook up the LDAP connection settings for this authentication?)
I found it confusing too, and developed my own module which ties in with Java EE Security.
Basically the webapp is set up with standard Java EE Security, and methods on Spring beans can be given the @RolesAllowed annotation, in which case the logged-in user's roles are checked against the required roles just before calling the method. See here for details.
You can use LDAP or a database or a file; where the roles and users are stored is up to you. Normally for production, you will use LDAP or a connector to some kind of directory server. Sorry I can't help with WebSphere; it's been a while since I set it up for security.
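To show the "roles live in the directory" option the answer describes, here is an added Spring Security Java configuration (example code, not the answerer's module and not from any project on this page). It assumes an LDAP tree with users under `ou=people` (`uid={0}`) and `groupOfNames` entries `cn=admins`, `cn=users` and `cn=analytics` under `ou=groups`, each listing member DNs; the host `ldap.example.internal` and the URL paths are placeholders. Spring Security's `DefaultLdapAuthoritiesPopulator` turns each matching group's `cn` into an upper-cased authority with the `ROLE_` prefix, which is what `hasRole` and `@RolesAllowed` then check against.

```java
import javax.annotation.security.RolesAllowed;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.stereotype.Service;

/** Roles are assigned by LDAP group membership; nothing role-related is kept in the webapp. */
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(jsr250Enabled = true)   // honours @RolesAllowed on Spring beans
public class LdapSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.ldapAuthentication()
            // Bind as the user, so the password is checked by the directory, not the webapp.
            .userDnPatterns("uid={0},ou=people")
            // Every group under ou=groups whose 'member' attribute contains the user DN
            // becomes one granted authority: cn=admins -> ROLE_ADMINS, cn=analytics -> ROLE_ANALYTICS.
            .groupSearchBase("ou=groups")
            .groupSearchFilter("(member={0})")
            .rolePrefix("ROLE_")
            .contextSource()
                .url("ldap://ldap.example.internal:389/dc=example,dc=com");  // assumed host/base DN
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/admin/**").hasRole("ADMINS")                       // admins only
                .antMatchers("/reports/**").hasAnyRole("ADMINS", "ANALYTICS")     // report runners
                .antMatchers("/**").hasAnyRole("ADMINS", "ANALYTICS", "USERS")    // read-only users
            .and()
            .formLogin();   // Spring's own login form replaces the container's j_security_check
    }

    /** Method-level check, independent of the URL rules above. */
    @Service
    public static class ReportService {
        @RolesAllowed("ROLE_ANALYTICS")   // full authority name works across Spring Security versions
        public String runReport(String reportId) {
            return "report " + reportId + " generated";   // placeholder body
        }
    }
}
```

Adding a user to `cn=analytics` in the directory is therefore the whole act of "assigning a role"; the webapp only needs to know the group names. `WebSecurityConfigurerAdapter` is the configuration style of the Spring Security versions contemporary with this question and is deprecated in Spring Security 5.7 and later, where the same settings are expressed as a `SecurityFilterChain` bean.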

Setting up Security Realm in Weblogic 10.3

How can I set up a security realm in WebLogic 10.3? I want to add user roles and let the WebLogic server check those users for what resources they can access. Where does WebLogic store authentication data? How can authentication data be accessed and updated by the WebLogic server automatically?
Thanks in advance.
Your question is a bit vague since there are a lot of ways to configure security within WebLogic. Oracle's documentation would be a good starting point.
You can set up the security realm under Security Realms in the console. There are some default groups with specific roles that you could assign to user accounts (for example, monitor = read-only).
LDAP data is stored in the internal LDAP folder within the domain directory. However, you can configure it to use an external LDAP.