Tomcat authentication using SPNEGO/Kerberos and delegation - apache

Is there an apache module that implements Kerberos authentication for use by Tomcat and also supports Kerberos delegation?
I've already looked at mod_spnego and it throws away the SSPI context it creates only keeping the principal name. Instead, I'm looking for a module that would allow for the delegation of the ticket sent to Tomcat - that is, taking the service ticket sent for authentication and using it server side to access another service on behalf of the user.
EDIT: To clarify, I need to impersonate under Win32 using the GSS/SSPI context so when legacy code connects to another server, the delegated credentials are used.

WAFFLE (Windows Authentication Functional Framework) now provides that feature starting from v1.4beta.
It provides a ServletFilter that uses native Windows APIs to authenticate the user, either using Basic or Negotiate authentication. The user can then be impersonated, and native API calls will be performed with the access token of the impersonated user.

How about using the JAAS realm and using the kerberos 5 JAAS module?
http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JAASRealm
http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html
Looks like it might require a little coding, but the pieces should be there.
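The "little coding" this answer refers to, as an added example that is not from the answer, from Tomcat or from the Krb5LoginModule documentation: a stand-alone Java program that logs a user in through the JAAS Krb5LoginModule and then inspects the resulting Kerberos ticket inside Subject.doAs. The JAAS configuration name KerberosLogin, the configuration file path and the realm/KDC settings are assumptions; the only real dependencies are a reachable KDC described by krb5.conf and a standard JDK.

```java
// Added example (not from the answer or Tomcat): authenticate a user against a
// Kerberos KDC through the JAAS Krb5LoginModule and run work as that Subject.
// It assumes a JAAS configuration file passed with
//   -Djava.security.auth.login.config=/path/to/jaas.conf   (placeholder path)
// containing an entry named KerberosLogin (assumed name):
//
//   KerberosLogin {
//       com.sun.security.auth.module.Krb5LoginModule required
//           useTicketCache=false
//           storeKey=false;
//   };
//
// and a KDC reachable through krb5.conf (or -Djava.security.krb5.realm and
// -Djava.security.krb5.kdc). No realm or host names are hard-coded here.
import java.io.Console;
import java.security.PrivilegedAction;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class Krb5JaasLogin {

    /** Answers Krb5LoginModule's name and password callbacks from memory. */
    static final class UserPasswordHandler implements CallbackHandler {
        private final String user;
        private final char[] password;

        UserPasswordHandler(String user, char[] password) {
            this.user = user;
            this.password = password.clone();
        }

        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb, "unexpected callback");
                }
            }
        }
    }

    /** Runs the JAAS login chain and returns the authenticated Subject. */
    static Subject login(String user, char[] password) throws LoginException {
        LoginContext lc = new LoginContext("KerberosLogin",
                new UserPasswordHandler(user, password));
        lc.login(); // AS exchange with the KDC; the TGT lands in the Subject's private credentials
        return lc.getSubject();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: Krb5JaasLogin <user@REALM>");
            System.exit(2);
        }
        Console console = System.console();
        if (console == null) {
            System.err.println("an interactive console is required to read the password");
            System.exit(2);
        }
        char[] password = console.readPassword("Password for %s: ", args[0]);
        Subject subject = login(args[0], password);
        java.util.Arrays.fill(password, '\0');

        // Anything run inside doAs (for example GSS-API client code) picks up the
        // Subject's Kerberos credentials automatically. Here we only report on the
        // TGT; isForwardable() is the property that decides whether the credential
        // can later be delegated to a backend service, which is the original question.
        Subject.doAs(subject, (PrivilegedAction<Void>) () -> {
            Set<KerberosTicket> tickets = subject.getPrivateCredentials(KerberosTicket.class);
            for (KerberosTicket t : tickets) {
                System.out.println("ticket for " + t.getServer().getName()
                        + ", forwardable=" + t.isForwardable()
                        + ", expires " + t.getEndTime());
            }
            return null;
        });
    }
}
```

Inside Tomcat the JAASRealm performs the LoginContext step for you; the part this program adds is the Subject.doAs scope, which is where the service-side code would have to run to use the user's Kerberos credentials rather than the server's own.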

Here's a tutorial: http://spnego.sourceforge.net/credential_delegation.html. It implements Kerberos/SPNEGO as an HTTP Servlet Filter and supports credential delegation.

Related

Looking for LDAP (v3) to SAML message converter or bridge

I have an authentication/authorization server that currently uses a local ADAM instance to hold the authentication and authorization information for use by a Service Provider (SP).
What I want to do is change from the ADAM instance to a remote ADFS for authentication and authorization. The remote ADFS talks SAML but the Service Provider (SP) only talks with LDAP (and I cannot change the SP to talk SAML).
This suggests that I need to provide a LDAP to SAML converter (or bridge) to produce SAML messages from the SP's incoming LDAP authentication and authorization requests.
Currently it's like this:

                 LDAP
SP <------------> Authentication Server

I want it to look like this:

                 LDAP                                                  SAML
SP <------------> Authentication Server w/LDAP/SAML bridge <------------> ADFS

So essentially the current authentication server will cease to authenticate itself and will merely act as a "proxy" for passing on authentication/authorization requests and relaying responses back to the SP.
Is this possible?
Does anyone have experience with this sort of effort?
Are there any tools on the Net that could perform this bridge functionality?
The current authentication/authorization server runs on (gasp) Windows 2003, but I do have the option of porting it to a newer version of Windows Server.
I have tried using OneLogin with the SAML toolkit/Flask webserver, and writing my own Python module for handling the SP's requests, but I'm getting bogged down with that code (and exposing my own Python limitations).
I also tried SimpleSAMLphp but determined that the LDAP stuff they support is for the IDP side rather than the SP side. The system performs SP-side initiation.
Have you considered using ADFS to LDAP directly?
Your application would then use ADAL / MSAL to connect.

Should I only setup Keycloak on application OR Apache

I would like to check if my understanding is correct about the way to use Keycloak.
After Keycloak server is installed and running, we would have 2 options:
Use the javascript adapter in the application we want to authenticate
Use the mod_auth_openid to use Keycloak with Apache webserver
In the case of a web application, since it must have a web server, does it mean only option 2 is available? And even if option 1 is available, should I use it?
It depends on the type of your application. If you want to provide your application as an SPA (Single Page Application) using JavaScript, the JavaScript Adapter will be a good option. But if you want to provide it as a traditional server-side web application which doesn't support a standard federation protocol like OpenID Connect, mod_auth_openidc will fit.
Also keycloak provides several types of client adapters. You can check them with the following document.
https://www.keycloak.org/docs/latest/securing_apps/index.html#supported-platforms
In addition, if your application is already OpenID Connect or SAML 2.0 compliant, you can integrate with the Keycloak server without any client adapters because it is based on open standard protocols which Keycloak supports. Please refer to the following document to understand securing your application.
https://www.keycloak.org/docs/latest/securing_apps/index.html#overview

Log in WSO2 Identity Server (IS) with Kerberos authentication

I would like to authenticate automatically to wso2 IS with a kerberos ticket obtained from kerberos authentication (using Windows server 2K12 as KDC).
I didn't find any information related to Kerberos authentication in the WSO2 documentation. The list of all handled methods is defined here: https://docs.wso2.com/display/IS460/Managing+the+Identity+Server.
The one that is closer to kerberos authentication is the "integrated windows authentication".
Have I missed the documentation page, or is it impossible to authenticate with this method?
I think I should go with https://docs.wso2.com/display/IS500/Creating+Custom+Authenticators but not sure about it.
Thanks.
I think you basically need Windows authentication? It means once you log in to a Windows machine, you can access the service protected with Identity Server by default. In the IS 5.0.0 version, you can find IWA authentication that can be used for external application authentication and login to the WSO2 IS management console. There is an article that explains this. Please refer to it; from there you can use it.
Yes, you can plug in a custom authenticator. But I guess IWA can help you to achieve this.

OAuth 2.0 authentication using Apache HTTPd module

Is it possible to implement OAuth 2.0 or 1.0 using an Apache HTTPd server module?
I am choosing this route because each and every request will first reach the HTTPd module, so from there I have to authenticate.
If it is possible, please share a related link for that.
I'm going to add to Eugenio's answer by saying that mod_auth_openidc supports two modes of operation:
it can function as an OpenID Connect Relying Party authenticating users by consuming and verifying ID tokens, access tokens and refresh tokens as issued by an OpenID Connect Provider; it will relay information about the authenticated user (and possibly the tokens themselves) to the protected application that runs on or behind the Apache server
it can function as an OAuth 2.0 Resource Server, controlling access from OAuth 2.0 clients by consuming and verifying access tokens that have been issued by an OAuth 2.0 Authorization Server; it can pass on information associated with the access token to the protected application that runs on or behind the Apache server
For both cases, Apache's Require logic can be used to enforce access based on certain claims that are present in the ID token resp. access token.
Update April 12, 2019:
There's now a dedicated module to handle the OAuth 2.0 Resource Server functionality: https://github.com/zmartzone/mod_oauth2
Yes, this is possible. In fact mod_auth_openidc does exactly that for Apache (and for OpenId Connect, which is a protocol built on OAuth2).
More on the scenario here: https://auth0.com/blog/sso-for-legacy-apps-with-auth0-openid-connect-and-apache/

Programmatic login (authentication) in WebLogic (JAAS)

We have an existing Java EE application running under WebLogic and I want to authenticate a user programmatically as though the user was logged in via the existing web login process. That is to say, in the end, I want to have a valid session (cookie) that can be returned to the caller and later returned back the server without re-authentication. (This is to enable JAX-WS stateful Web Service calls).
We have a custom LoginModule that, when the user logs in via Forms Authentication, is eventually called via j_security_check. I guess what I'd like to do is to somehow get WebLogic to invoke that LoginModule on my behalf, ask me for the credentials, and yield an authenticated session and a valid subject etc. (i.e. all the JAAS goodness).
Is this a JAAS thing? Is there a WebLogic call?
You can do this using the HttpServletRequest#login method. This will trigger the same kind of login chain that would otherwise be executed if your user accessed a protected resource.
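As an added illustration of this answer (example code, not from the answer, from WebLogic or from any particular application), a Servlet 3.0 endpoint that performs the programmatic login and returns a container session the caller can present on later requests. The URL pattern, parameter names and the use of the Java EE javax.servlet package are assumptions; the login(), changeSessionId() and logout() calls are standard Servlet API.

```java
// Added example: programmatic container login with HttpServletRequest#login.
// Assumes a Java EE servlet container (WebLogic included) with a security
// realm / authentication provider already configured for the application;
// the path "/api/login" and the parameter names are assumed.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet("/api/login")
public class ProgrammaticLoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (user == null || pass == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "username and password required");
            return;
        }

        // The spec requires login() to throw if a caller identity is already
        // established on this request, so report that case explicitly.
        if (req.getUserPrincipal() != null) {
            resp.sendError(HttpServletResponse.SC_CONFLICT, "already authenticated");
            return;
        }

        try {
            // Runs the container's configured authentication chain (the same
            // login modules / providers j_security_check would use).
            req.login(user, pass);
        } catch (ServletException e) {
            // Bad credentials or realm failure: do not reveal which.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Make sure a session exists so the container issues its session cookie,
        // then rotate the id so a session fixed before login is not reused
        // (changeSessionId is Servlet 3.1+).
        HttpSession session = req.getSession(true);
        req.changeSessionId();

        resp.setContentType("text/plain;charset=UTF-8");
        resp.getWriter().println("authenticated as " + req.getUserPrincipal().getName()
                + ", session " + session.getId());
    }

    /** Companion logout: drops the container identity and the session. */
    @Override
    protected void doDelete(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        try {
            req.logout();
        } catch (ServletException e) {
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            return;
        }
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

The caller (for example a JAX-WS client) keeps the session cookie from the POST response and sends it on subsequent requests; whether that cookie alone is accepted as the caller's identity is then governed by the container's session-based authentication, not by this servlet.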
WebLogic security uses a security service plug-in (SSPI) architecture that allows you to implement security providers. Container (such as servlet) authentication is handled by authentication providers that use the SSPI. An authentication provider wraps a JAAS login module.
Writing and configuring security providers is extensively documented.
If you implement an authentication provider to wrap your login module and configure it for the WebLogic domain, it will be called automatically by the WebLogic security framework for all container authentication.