Glassfish authentication: can the realm be an external database?

I am completely new to login and authentication concepts. I am working on a Glassfish web application that should present general content to any visitor, and some extra content for registered users logged in with username and password.
I have been reading the Java EE tutorial about security, and I thought that Form-based or HTTP authentication would fulfill my needs (the visitor is asked for credentials when trying to browse secured content).
However, my first guess was that the registered users should be stored in an external database along with their hashed and salted password.
The security for web applications in Glassfish seems to rely on the realm populated manually directly on the application server (defining users and groups and mapping them to the Roles in the application).
Did I misunderstand what security on Glassfish is intended for? Or can a realm be an external database outside the application server? Any link to documentation on this topic would be useful to me.
Thank you in advance
Tart

It is actually possible.
In Glassfish, go to Configuration/Security/Realms, create a new realm and set the classname to com.sun.enterprise.security.auth.realm.jdbc.JDBCRealm.
Indicate the JDBC Resource bound to the database, and indicate the table and the columns where username/password are stored. The database shall also contain a table for the groups which the user must belong to in order to be granted access. Indicate those also.
In the application, set up the web.xml and sun-web.xml with the realm name as usual.

Here is an article about the JDBC realm in Glassfish with the scenario you described: http://java-cookbook.blogspot.com/2011/02/jdbc-security-realm-with-glassfish-and.html
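To make the table layout the JDBCRealm is pointed at concrete, here is an added example (not from the question, the answer or GlassFish itself) that builds the user and group tables in SQLite and performs the same check the realm does, assuming the realm is configured with digest-algorithm=SHA-256 and encoding=Hex; the table and column names are constructed for the example.

```python
import hashlib
import hmac
import sqlite3

# Constructed schema: one table for users (the realm's user-table,
# user-name-column and password-column) and one for group membership
# (group-table and group-name-column, keyed by the same username).
SCHEMA = """
CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL);
CREATE TABLE user_groups (username TEXT NOT NULL, groupname TEXT NOT NULL);
"""


def digest_hex(password: str) -> str:
    """SHA-256 hex digest of the password, as a realm configured with
    digest-algorithm=SHA-256 and encoding=Hex would compute it (assumed
    settings). Note that this plain digest carries no per-user salt."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def create_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def add_user(conn, username, password, groups):
    """Store only the digest of the password, never the clear text."""
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 (username, digest_hex(password)))
    conn.executemany("INSERT INTO user_groups VALUES (?, ?)",
                     [(username, g) for g in groups])
    conn.commit()


def authenticate(conn, username, password):
    """Return the user's groups on success or None on failure: digest the
    submitted password, compare it with the stored column value, then look
    up the groups that web.xml roles are mapped to."""
    row = conn.execute("SELECT password FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None or not hmac.compare_digest(row[0], digest_hex(password)):
        return None
    rows = conn.execute("SELECT groupname FROM user_groups WHERE username = ?",
                        (username,)).fetchall()
    return sorted(g for (g,) in rows)
```

Whatever tool populates the users table must write the password column in exactly the digest and encoding the realm is configured with, otherwise every login fails.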

Related

Can Keycloak replace LDAP authentication?

Sorry but it doesn't accept "hi everyone"
I have several apps which are authenticated by LDAP. Can Keycloak replace this authentication with LDAP, and in this way I do not touch the configuration of the applications?
Thank you
You can read this article https://wjw465150.gitbooks.io/keycloak-documentation/content/server_admin/topics/user-federation/ldap.html
By default Keycloak copies your LDAP data, but you can choose to have Keycloak use your LDAP data directly:
By default, Keycloak will import users from LDAP into the local Keycloak user database. This copy of the user is either synchronized on demand, or through a periodic background task. The one exception to this is passwords. Passwords are not imported and password validation is delegated to the LDAP server. The benefit of this approach is that all Keycloak features will work, as any extra per-user data that is needed can be stored locally. This approach also reduces load on the LDAP server as uncached users are loaded from the Keycloak database the 2nd time they are accessed. The only load your LDAP server will have is password validation. The downside to this approach is that when a user is first queried, this will require a Keycloak database insert. The import will also have to be synchronized with your LDAP server as needed.
Alternatively, you can choose not to import users into the Keycloak user database. In this case, the common user model that the Keycloak runtime uses is backed only by the LDAP server. This means that if LDAP doesn't support a piece of data that a Keycloak feature needs, that feature will not work. The benefit to this approach is that you do not have the overhead of importing and synchronizing a copy of the LDAP user into the Keycloak user database.

OpenAM + two LDAP servers

I'm a newbie in the LDAP + Liferay + OpenAM world, so I wonder if someone could point me in the right direction on a problem I have. In a real-life environment, there are 2 LDAP servers, an OpenAM server and a Liferay application. What the customer needs is to authenticate users in Liferay against OpenAM, and OpenAM should use the LDAP servers. The problem is, the user exists only in one of the LDAP servers (it will be moved from one to the other at some point in the future). What the customer wants is:
Users must be able to authenticate independently of what LDAP contains the user.
The obtained token must be valid for both LDAP servers, as it will be used in a different service (I have no control over it) against only one of them to validate authentication.
As I said, I'm new to this world so, if the answer is too complex (I'm afraid it will be for me), maybe you could point me to books or docs that could resolve this scenario.
Thanks
You should configure Liferay to use OpenAM for all authentications, and you can configure OpenAM to use both LDAP servers (use different realms).
Details for OpenAM configuration will be in the OpenAM documentation.
As the previous answer states, you should route all your authentication requests to the OpenAM server and let it validate the credentials against the right LDAP server. Using two different realms (one for each LDAP server) won't work in your case since that would require Liferay to know beforehand where to find the user. Also, sessions are linked to a specific realm.
There are multiple solutions to your problem. Here are just a couple:
Option 1
If you have control over the authentication flow, that is, if your application uses a custom UI and communicates with OpenAM via REST, you could create two different authentication module instances under a single realm (let's say two instances of the DataStore authentication module), each one pointing to a different LDAP server.
Let's call these module instances DataStore1 and DataStore2. Your application can collect the user credentials (username and password) and submit them to DataStore1. If authentication succeeds, the user is already logged in. If it fails, the application can try with DataStore2.
Of course this is not ideal since you'll be making two authentication requests per login instead of just one.
Option 2
A better option (though more complicated to implement) would be creating a custom authentication module. This module can try authenticating the user against LDAP Server 1 and then try with LDAP Server 2 if the first authentication failed. Notice that with this option you don't need custom logic on the application side since it will only send a single authentication request to the OpenAM server. In fact, you can protect your application with an OpenAM Policy Agent.
Another advantage of this approach over Option 1 is that you can migrate your users behind the scenes assuming that the end goal is to migrate users from LDAP Server 1 to LDAP Server 2. If the first authentication succeeds your custom code could read the user entry from LDAP Server 1 and copy it over to LDAP Server 2.
Hope this helps you solve the problem.

How to configure LDAP authentication module instance in OpenAM

I am trying to protect a Java servlet with OpenAM + J2EE tomcat agent. I got this part working by using embedded OpenDJ of OpenAM.
Now I am trying to authenticate against an LDAP server, so I added an LDAP module instance for OpenAM, but I get "User has no profile in this organization" when I try to use the uid/password of a user from that LDAP store.
I checked the OpenAM administration guide on this; the description is rather brief. I am wondering if it is even possible to do this without using the data store configured for OpenAM?
The login process in OpenAM is made of two stages:
Verifying credentials based on the authentication chain and individual authentication module configurations
User profile lookup
By configuring the LDAP authentication module you took care of the authentication part, however the profile lookup fails as you haven't configured the user data store (see data stores tab). Having a configured data store allows you to potentially expose additional user details across your deployment (e.g. include user attributes in SAML assertions or map them to HTTP headers with the agent), so in most of the scenarios having a data store configured is necessary.
In case you still don't want to configure a data store, then you can prevent the user profile lookup failure by going to Access Control -> <realm> -> Authentication -> All Core Settings -> User Profile Mode and set it to Ignore.
This is unrelated to authentication but it's related to authorization ... you have to configure appropriate policies ... see OpenAM docs.
Agents will enforce authorization, OpenAM determines if the user has the permission to access a protected resource.
As Bernhard has indicated authentication is only part of the process of granting access to a user. He is referring to using a Policy to control access.
Another method is to check if the authenticated user is a member of the desired group programmatically. This can be useful when you want access control over resources that OpenAM doesn't know about (e.g. specific data).
For example, let's say that you want different groups to have access to different rows in a table in a database. You can retrieve the group information associated with the user and add that to your database query, thus restricting the data returned.
I'm sure that you could do this with OpenAM as well using custom modules to allow the policy to use information in the database as resource, but I've found it is much simpler to perform this fine grained access control in your code, and is in all likelihood significantly faster.
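As an added illustration of the row-level filtering described above (example code, not from the answer or from OpenAM), here is the group-scoped query done with bound parameters, so that group names coming from the session can never alter the SQL itself; the documents table and its rows are constructed for the example.

```python
import sqlite3

# Constructed sample data: each row is tagged with the group that may read it.
ROWS = [
    (1, "Q1 report", "finance"),
    (2, "Payroll", "hr"),
    (3, "Roadmap", "engineering"),
    (4, "All-hands notes", "staff"),
]


def create_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE documents "
                 "(id INTEGER PRIMARY KEY, title TEXT, owner_group TEXT)")
    conn.executemany("INSERT INTO documents VALUES (?, ?, ?)", ROWS)
    conn.commit()
    return conn


def documents_for(conn, user_groups):
    """Return (id, title) rows visible to a user, given the group list read
    from the authenticated session (e.g. the user's profile attributes).
    A user with no groups sees nothing, and every group name is bound as a
    parameter rather than spliced into the query text."""
    groups = list(user_groups)
    if not groups:
        return []
    placeholders = ",".join("?" * len(groups))
    sql = (f"SELECT id, title FROM documents "
           f"WHERE owner_group IN ({placeholders}) ORDER BY id")
    return conn.execute(sql, groups).fetchall()
```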

CAS Server 3.4.10 on Tomcat: where is the user information?

I am trying to learn CAS and I have cas-server-3.4.10 running in Tomcat 6 by just moving the WAR into the webapp directory. I am following the install.txt, which shows me to use the NetID for the user name and password, and it works, but where is the user information?
If you are just using the standard WAR file without making any changes, the default authentication handler works such that the userId must be the same as the password you put in, so that you can log in. This is just a sample and should never really be used in production.
Your user credential store is usually maintained elsewhere, typically inside an LDAP or ActiveDirectory instance. You'll then need to configure the config file with the right authentication handler that receives the connection info to that instance and validates user accounts.
CAS is not responsible for user account management, etc. It works with existing solutions that provide a remedy for that need.

Setting up Security Realm in Weblogic 10.3

How can I set up a security realm in WebLogic 10.3? I want to add user roles and let the WebLogic server check those users for what resources they can access. Where does WebLogic store authentication data? How can authentication data be accessed and updated by the WebLogic server automatically?
Thanks in advance.
Your question is a bit vague since there are a lot of ways to configure security within WebLogic. Oracle's documentation would be a good starting point.
You can set up the security realm under Security Realms in the console. There are some default groups with specific roles that you could assign to user accounts (for example, monitor = read-only).
LDAP data is stored in the internal LDAP folder within the domain directory. However, you can configure it to use an external LDAP.