Secure authentication in jboss portal - authentication

I am developing a Portal application and using jboss portal for this purpose. My current application authenticates the user from jboss DB, using the j_security_check servlet with username and password as POST parameters.
Now, if I use Firebug or any HTTP monitor, I can see the username and password, which is a security issue.
What is the better and secure way of authentication in jboss?

Securing web applications is a vast subject. It entirely depends on your needs.
From your post, what you want (to start with) is secure communication. You can use SSL with JBoss to ensure a secure channel. I recommend you take a look at the JBoss security documentation. I am sure you will have more concrete doubts / concerns when you start working with it - then we will try to help :)
I found a very good source of JBoss information: JBoss in Action. It refers to JBoss 5, so many areas might be outdated, but others would still apply. I am using JBoss 6 and it has been of great help.

Related

HTTP Basic Authentication and Atlassian JIRA, Confluence and Bitbucket

I have JIRA, Confluence and Bitbucket deployed on my server behind an Apache reverse proxy. Each of them is connected with the others using Application Links. Now, I want to add an additional layer of protection by implementing HTTP Basic Authentication in front of this. When I do this, I lose the connection between apps. How do I configure Apache properly in order to have HTTP Basic Authentication in front of the whole stack AND the connection between apps?
Where did you configure basic authentication?
Normally Atlassian applications handle authentication themselves, so you should not have to configure anything in Apache.
Application links use OAuth to handle authentication between applications and there are 2 flavors:
if both applications have the same set of users, you can use plain OAuth
if both applications have a different set of users, you can use OAuth with impersonation
More info is available in the Application Links documentation here.

Authentication over Kerberos in ActiveMQ (embedded in Spring Boot)

I'm looking for a solution to the problem in the title.
I have ActiveMQ broker embedded in Spring Boot application.
What I want to do is to authenticate some domain technical users (dedicated to some applications) over Kerberos. I know there is a solution for LDAP authentication, but I need Kerberos authentication.
Is there any possibility to do so?
Is there any possibility to do so using spring-security?
Could you explain how to do this?
I'm actually stuck on this.
Thanks for all your answers!

SSO for web application hosted on S3

I have been scratching my head for a while now. I went through tons of documentation but everything seems very confusing. Please forgive me if this appears to be a duplicate question, but believe me, the more content I find, the more it confuses me.
Below is the configuration of my project and what I need to achieve:
The project is a web-based application developed using the Spring framework with Java 8 that is hosted on S3 (Linux server). The HTTP server used is Apache. JBoss is used as the application server and the exact version used is wildfly-8.2.0.Final.
Currently, the user enters his credentials, which are validated against Microsoft Active Directory using LDAP, and is let in. The requirement now is that when the user logs into the machine using his AD credentials in his intranet environment and tries to open the application, he should be logged in directly and not prompted for credentials again. If he is outside his intranet network, the existing login method should be followed.
While researching I found the things below, which I assume can be useful, but I am not able to reach a conclusion.
Kerberos along with Shibboleth: I went through the two references below, which somewhat matched my requirement, but I am not very sure whether I am looking at the right thing or not.
http://richardjohnson798.blogspot.in/2011/10/single-sign-on.html
http://gfivo.ncl.ac.uk/documents/UsingKerberosticketsfortrueSingleSignOn.pdf
My confusion revolves around the things below.
Is Shibboleth the right choice? If yes, what is the exact role of Shibboleth?
What things need to be set up on the Linux server (a Kerberos implementation, for example), and what changes would be needed in the client's AD environment?
Is the implementation possible on the WildFly server? (All the references have it implemented using Tomcat.)
What are the security aspects I should be concerned about?
Help is much appreciated. Thank you.
Since you are using S3 I assume you are using AWS.
Go to IAM and add the Active Directory as a SAML provider
https://aws.amazon.com/blogs/mobile/announcing-saml-support-for-amazon-cognito/
Then use AWS Cognito Federated Identity Pool via the JavaScript SDK in the front end code you have hosted on S3.
http://docs.aws.amazon.com/cognito/latest/developerguide/using-amazon-cognito-user-identity-pools-javascript-examples.html

Implementing PicketLink as IdP in WebLogic

Excuse my ignorance, but can PicketLink be implemented as an IdP within WebLogic?
I am looking to create a lightweight IdP proxy to be able to accept SAML requests and issue SAML assertions based on simple authentication handled elsewhere, so I am not looking for anything that provides too much.
I wondered if PicketLink offered a simple API to do this and whether it would work on a WebLogic domain.
WebLogic has its own built-in SAML implementation that is tightly integrated with the rest of their platform. It is fully configurable from their admin console. Use that instead of PicketLink.
http://docs.oracle.com/cd/E28280_01/web.1111/e13707/saml.htm#SECMG252

Using WebLogic authorization without authentication

I have implemented OAM SSO authentication for my web application deployed on WebLogic. Now I want to use the WebLogic embedded LDAP to provide app-level authorization. I don't want to use WebLogic authentication, just the authorization, since I already have authentication handled by OAM. Is that possible? Can someone please point me to any examples, tutorials, or ideas to achieve this?
Depending on your OAM version, you need to add an OAMIdentityAsserter provider in your WLS domain. I say depending on your OAM version, because you need to tell it which type of cookies to use.
The OAM Admin Guide will tell you how to do this.