Securing /admin/ in Struts 1 - struts

I have a Struts 1.1 web application and now it needs an admin tool. I need /admin/* secured so that only registered users can log in and view its content. The data store is MongoDB.
Is Spring Security my best option for securing my site? Why?
And does anyone know from experience whether Spring Security 3 and Struts 1 works fine together?

I wound up using Spring Security 3 without any problems.
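The configuration below is an added example, not code from the question or the answer above. It shows one way to do what the answer describes with Spring Security's Java configuration (Spring Security 3.2; earlier 3.x releases express the same thing in the XML namespace): `/admin/**` requires `ROLE_ADMIN`, everything else stays public for the Struts 1 ActionServlet, and users are loaded from MongoDB. The MongoDB layout (database `webapp`, collection `users` with fields `username`, `passwordHash` and `roles`), the login action `/admin/login.do` and the class names are assumptions for the example.

```java
import java.util.ArrayList;
import java.util.List;

import com.mongodb.BasicDBObject;
import com.mongodb.DBCollection;
import com.mongodb.DBObject;
import com.mongodb.MongoClient;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

/**
 * Added example (not from the original post): Spring Security 3.2 Java config
 * that restricts /admin/** to ROLE_ADMIN and leaves the rest of the Struts 1
 * site public. Spring Security is a servlet filter, so register it in web.xml
 * as a DelegatingFilterProxy named "springSecurityFilterChain" mapped to /*,
 * ahead of the Struts ActionServlet; the Struts actions need no changes.
 * The MongoDB layout (db "webapp", collection "users" with "username",
 * "passwordHash" and "roles") is an assumption for this example.
 */
@Configuration
@EnableWebSecurity
public class AdminSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/admin/**").hasRole("ADMIN")   // hasRole() prefixes ROLE_
                .anyRequest().permitAll()                     // public Struts pages untouched
                .and()
            .formLogin()
                .loginPage("/admin/login.do")                 // Struts action that renders the form
                .loginProcessingUrl("/admin/j_spring_security_check")
                .permitAll()                                  // login page + failure URL need no role
                .and()
            .logout()
                .logoutUrl("/admin/logout")                   // must be a POST while CSRF is on
                .logoutSuccessUrl("/");
        // CSRF protection stays on (the 3.2 default): admin JSP forms must post the
        // _csrf token Spring Security exposes as a request attribute, otherwise
        // POSTs under /admin are rejected with 403.
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(mongoUserDetailsService())
            .passwordEncoder(new BCryptPasswordEncoder());   // stored hashes, never plaintext
    }

    @Bean
    public UserDetailsService mongoUserDetailsService() throws Exception {
        // Assumed: a local mongod; use your real host/credentials in deployment.
        DBCollection users = new MongoClient("localhost", 27017).getDB("webapp").getCollection("users");
        return new MongoUserDetailsService(users);
    }
}

/** Loads admin accounts from MongoDB; "passwordHash" must be a BCrypt hash. */
class MongoUserDetailsService implements UserDetailsService {
    private final DBCollection users;

    MongoUserDetailsService(DBCollection users) {
        this.users = users;
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        DBObject doc = users.findOne(new BasicDBObject("username", username));
        if (doc == null) {
            // DaoAuthenticationProvider maps this to a generic BadCredentials
            // failure by default, so the login form does not reveal which
            // usernames exist.
            throw new UsernameNotFoundException("no such user");
        }
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        for (Object role : (List<?>) doc.get("roles")) {      // e.g. ["ADMIN"]
            authorities.add(new SimpleGrantedAuthority("ROLE_" + role));
        }
        return new User(username, (String) doc.get("passwordHash"), authorities);
    }
}
```

Two details worth checking in your own setup: the Ant pattern `/admin/*` matches a single path segment only, so use `/admin/**` as above or nested admin URLs such as `/admin/users/edit.do` stay open; and because the filter is mapped to `/*`, any Struts form under `/admin` must carry the CSRF token or disable CSRF for that area explicitly rather than discovering the 403 in production.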

Related

Spring for client side angularJS single page application architecture

After some investigation, I'm wondering about the benefits of using Spring Boot for client-side single page web applications planned with angularJS2 and Bootstrap4.
We will have to manage the navigation between 3 to 6 SPAs and the security (openAM).
The use of Spring Boot for the backend that will embed REST, activiti, JPA and our business logic seems very valuable.
Any recommendations about such an architecture?

Should Keycloak be used in my website user registration and log in?

I am using JBoss JSF to develop a personal project, and the website needs a user registration and login feature, as many other sites do. There are lots of tutorials on how to develop a user registration component in Java EE and JPA framework. I just happened to find the KeyCloak project. It seems that KeyCloak can be used for user registration and management purpose, especially if you use JBoss to develop the application.
My question is, do I really need to use this for user registration? It seems very heavy, and I didn't find any API docs that I can refer to integrate it into my web application.
What's the best use case of Keycloak? And how to integrate it in a Java EE application? Any quickstart or tutorial for Java application would be appreciated.
The main Keycloak project includes adapters documentation (used to secure clients) and an examples project showing how to secure a JEE application using JEE application security.
If you use Spring, there's a Spring Security adapter that supports a more flexible security implementation as well, with examples for this too.

Azure Websites Authentication / Authorization

I am using new feature of Azure that enables the active directory authentication for your website without writing any code.
http://azure.microsoft.com/blog/2014/11/13/azure-websites-authentication-authorization/
But the problem is my web application is also hosting some Web APIs, which need to be called without any authentication.
Is there a way (some attributes?) so that I can call Web APIs without any authentication?
Tushar, I see that Byron also replied to your question on his post and suggested creating another website for the APIs as a workaround. However, I suggest that you wire up auth separately for your Web App and APIs following our samples here: https://github.com/AzureADSamples/WebApp-OpenIDConnect-DotNet, https://github.com/AzureADSamples/WebApp-WebAPI-OpenIDConnect-DotNet
Let me know if you run into any issues.
From the very same article you refer to:
Current Limitations
There are some limitations to the current preview release of this feature:
...
With the current release the whole site is placed behind the login requirement.
Headless authentication/authorization for API scenarios or service-to-service scenarios are not currently supported.
So, no, you cannot have partial APIs or pages anonymously available - all pages and APIs will be protected by Azure Active Directory.

securing SPA multi-tenant SaaS application

I need some help with securing a single page multi-tenant SaaS application.
Questions:
1) What is the best way to implement it? I am trying to build the application using angularjs, spring mvc and REST.
2) Can this be done using Spring Security? Any example of creating a login page and securing REST calls will be helpful.
I have found a sample for implementing spring security with Spring JPA (http://krams915.blogspot.com/2012/01/spring-security-31-implement_3065.html) but it is not for SPA and SaaS.
I understand this is a very broad question but I am new to SPA, REST and SaaS so any pointers will be helpful.
Thanks...
I have already participated in two projects with SPA and security aspects. The last of them was GWT + Spring Security. I am sure that you can use Angular and Spring Security together successfully.
Unfortunately there is no built-in config parameter 'we are in SPA mode' in Spring Security AFAIK. So some tweaking / configuration on the Spring Security side will be necessary. Example:
imagine that during login you call the login controller built into Spring Security. In the case of successful authentication, by default the user will be redirected to the index page, while in the case of failure they will be redirected to the corresponding error page. That is normal behavior for standard web applications, but it is not so useful for SPA web applications. In the case of an SPA you need to detect the AJAX call and print JSON with username / roles for successful cases, or send a 401 code for failures (then detect the 401 in JS and show the corresponding error). You can use the corresponding extension points from Spring Security to do so: AuthenticationSuccessHandler and AuthenticationFailureHandler.
Another thing to tweak: by default, after session expiration the user will be redirected to the login page (and the SPA app receives the login page as a response to the next AJAX call).
From my personal experience the general guide will be like so: after login, load the list of roles into JS. Use it to show / hide the corresponding components on the UI side. Apply the same list of restrictions on the server side too, to make sure that the user does not edit the JS in the browser (although in the case of minified JS of some medium-size app it will be a very complex task). On the server side you must choose between:
Secure URLs of AJAX calls
Secure some Java methods.
I prefer the second one (secure business methods on services). I think it is more convenient because normally we want to secure business operations, not some endpoints. As an advantage you will be able to expose your business logic via some other protocol, and security will be there already. On the other hand I can imagine some business requirement to have different permissions for different endpoints / protocols. So it depends more on your actual situation.
Large JS applications must be split into modules. To decrease direct dependencies it may be better to use events instead of direct calls to communicate between modules. There are interesting thoughts by Addy Osmani about how to do security in these conditions. I did not find a good link to it; maybe this or this will be helpful (search "permission").
Feel free to post any questions. Good luck.
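The class below is an added example, not code from the answer above, implementing the three Spring Security extension points the answer names so that an AngularJS client gets JSON or a 401 instead of HTML redirects: a success handler that returns the username and roles, a failure handler that answers 401, and an `AuthenticationEntryPoint` that answers 401 to AJAX calls after session expiry instead of sending the login page. It assumes Spring Security 3.1 or later and the Servlet API; the bean names in the wiring comment and the `X-Requested-With` convention are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Iterator;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

/**
 * Added example (not from the original answer). Wiring, Spring Security 3.1 XML
 * namespace, bean names assumed:
 *   <http entry-point-ref="ajaxEntryPoint" ...>
 *     <form-login login-processing-url="/api/login"
 *                 authentication-success-handler-ref="jsonSuccess"
 *                 authentication-failure-handler-ref="jsonFailure"/>
 */
public class SpaAuthHandlers {

    /** Login OK: write {"username":"...","roles":[...]} so the SPA can load its role list. */
    public static class JsonSuccessHandler implements AuthenticationSuccessHandler {
        @Override
        public void onAuthenticationSuccess(HttpServletRequest req, HttpServletResponse resp,
                                            Authentication auth) throws IOException, ServletException {
            resp.setStatus(HttpServletResponse.SC_OK);
            resp.setContentType("application/json");
            resp.setCharacterEncoding("UTF-8");
            PrintWriter out = resp.getWriter();
            out.print("{\"username\":\"" + escape(auth.getName()) + "\",\"roles\":[");
            for (Iterator<? extends GrantedAuthority> it = auth.getAuthorities().iterator(); it.hasNext();) {
                out.print("\"" + escape(it.next().getAuthority()) + "\"");
                if (it.hasNext()) {
                    out.print(",");
                }
            }
            out.print("]}");
            out.flush();
        }
    }

    /** Bad credentials: 401 with a small JSON body, no redirect to an error page. */
    public static class JsonFailureHandler implements AuthenticationFailureHandler {
        @Override
        public void onAuthenticationFailure(HttpServletRequest req, HttpServletResponse resp,
                                            AuthenticationException e) throws IOException, ServletException {
            resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            resp.setContentType("application/json");
            // Deliberately generic: e.getMessage() can reveal whether the username
            // or the password was wrong.
            resp.getWriter().print("{\"error\":\"authentication failed\"}");
        }
    }

    /**
     * Called when an unauthenticated request (typically after session expiry)
     * hits a protected URL. AJAX calls get a 401 the JS can react to; plain
     * browser navigation still goes to the SPA's bootstrap page.
     */
    public static class AjaxAwareEntryPoint implements AuthenticationEntryPoint {
        private final String loginPage;

        public AjaxAwareEntryPoint(String loginPage) {
            this.loginPage = loginPage;
        }

        @Override
        public void commence(HttpServletRequest req, HttpServletResponse resp,
                             AuthenticationException e) throws IOException, ServletException {
            if ("XMLHttpRequest".equals(req.getHeader("X-Requested-With"))) {
                resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "not authenticated or session expired");
            } else {
                resp.sendRedirect(req.getContextPath() + loginPage);
            }
        }
    }

    /** Minimal JSON string escaping for the two fields we emit. */
    static String escape(String s) {
        return s.replace("\\", "\\\\").replace("\"", "\\\"");
    }
}
```

One caveat for the AJAX detection: AngularJS 1.x stopped sending `X-Requested-With` by default, so either set `$httpProvider.defaults.headers.common['X-Requested-With'] = 'XMLHttpRequest'` in the app config or key the entry point on the `Accept: application/json` header your API calls send. For the server-side restrictions the answer prefers (securing service methods rather than URLs), enable method security (`<global-method-security pre-post-annotations="enabled"/>`) and annotate the business methods with `@PreAuthorize`; the role list the success handler returns is for hiding UI only, never a substitute for those checks.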

CAS authentication with Play framework

I need to use CAS to authorize access to a web application built with the Play! 2.x framework. Play! 1.x has a module for CAS (http://www.playframework.org/modules/cas); Play! 2.x does not (that I've been able to find).
Does anyone have sample code they would be willing to share? Tips/tricks/gotchas? Otherwise, I'll dig into the 1.x module and see if I can adapt it to work with 2.x.
I'm developing with Scala.
Thanks,
Byron
[Update]
I also asked this on the Play! google group. James Roper replied to say:
Well, Play 2 is quite different from Play 1, so don't expect it to be easy to port. You have two general approaches:
1) The easy but not as good approach, use the official CAS Java client to make blocking calls on the CAS server. Make sure your Akka thread pools are tuned for this, by default they give you one thread per core, if you go with this approach you probably want 100-200 threads all up, otherwise other requests are going to get blocked by requests that are trying to talk to the CAS server, especially if the CAS server is ever slow to respond.
2) The hard but better approach, implement your own non blocking CAS client using the Play WS API. The protocol is described here: http://www.jasig.org/cas/protocol
My current thought is to put an Apache server in front of Play to do the CAS authentication.
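For the second approach in James Roper's reply (writing your own CAS client), the class below is an added example, not code from the question or from play-pac4j. It implements the CAS 2.0 exchange in plain Java so a Play controller can call it: build the `/login` redirect, build the `/serviceValidate` URL, and parse the validation response. The HTTP GET itself is left to the caller so it can be issued through Play's non-blocking WS client. The CAS and service URLs and the two sample responses are constructed for the example.

```java
import java.io.StringReader;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;

import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/**
 * Added example (not from the original post): the three CAS 2.0 protocol steps
 * a hand-written client needs. Fetch the validate URL with Play's WS client and
 * hand the body to parseServiceResponse().
 */
public class CasProtocol {
    private static final String CAS_NS = "http://www.yale.edu/tp/cas";

    /** Step 1: send the unauthenticated user here; CAS returns to service?ticket=ST-... */
    public static String loginRedirect(String casBase, String serviceUrl) {
        return casBase + "/login?service=" + enc(serviceUrl);
    }

    /**
     * Step 2: validate the ticket server-to-server. The service URL must be
     * byte-identical to the one used in step 1, and the CAS base must be https,
     * or the ticket can be replayed against a different service.
     */
    public static String validateUrl(String casBase, String serviceUrl, String ticket) {
        return casBase + "/serviceValidate?service=" + enc(serviceUrl) + "&ticket=" + enc(ticket);
    }

    /** Step 3: parse the /serviceValidate body; returns the user name, or null if not authenticated. */
    public static String parseServiceResponse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // The body arrives over the network: forbid DTDs so a hostile or
        // compromised CAS server cannot use XXE against the app.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        DocumentBuilder b = f.newDocumentBuilder();
        Document doc = b.parse(new InputSource(new StringReader(xml)));

        NodeList ok = doc.getElementsByTagNameNS(CAS_NS, "authenticationSuccess");
        if (ok.getLength() != 1) {
            return null; // authenticationFailure or malformed: both mean "not logged in"
        }
        NodeList user = doc.getElementsByTagNameNS(CAS_NS, "user");
        if (user.getLength() != 1 || user.item(0).getTextContent().trim().isEmpty()) {
            return null;
        }
        return user.item(0).getTextContent().trim();
    }

    private static String enc(String s) {
        try {
            return URLEncoder.encode(s, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException(e);
        }
    }

    // Constructed sample responses in the shape the CAS 2.0 protocol defines.
    static final String SUCCESS =
        "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
      + "<cas:authenticationSuccess><cas:user>byron</cas:user></cas:authenticationSuccess>"
      + "</cas:serviceResponse>";
    static final String FAILURE =
        "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
      + "<cas:authenticationFailure code='INVALID_TICKET'>Ticket ST-1 not recognized</cas:authenticationFailure>"
      + "</cas:serviceResponse>";

    public static void main(String[] args) throws Exception {
        String cas = "https://cas.example.com/cas";               // assumed CAS server
        String service = "https://app.example.com/cas/callback";  // assumed Play callback route
        System.out.println(loginRedirect(cas, service));
        System.out.println(validateUrl(cas, service, "ST-1-abc"));
        System.out.println(parseServiceResponse(SUCCESS));
        System.out.println(parseServiceResponse(FAILURE));
    }
}
```

Service tickets are single-use and short-lived, so validate immediately on the callback request and then establish your own Play session from the returned user name; never trust a `ticket` query parameter without the round trip to `/serviceValidate`.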
I've created what you're looking for : a Play 2.x client in Scala and Java which supports OAuth/CAS/OpenID/HTTP authentication and user profile retrieval : https://github.com/leleuj/play-pac4j.
It completely supports the CAS protocol :
CAS 1.0 / 2.0 / SAML validation + proxy ticket validation
logout request
CAS proxification