I currently have an Keycloak Gatekeeper as a proxy, over an IIS web application, using ISAPi redirector to connect to a Tomcat server via AJP. The application running on Tomcat requires the REMOTE_USER variable to be set to authenticate a user in the system.
Ideally it would work like this:
User --(logs in)--> Keycloak Gatekeeper --(Headers)--> IIS --(Headers)--> Tomcat --(REMOTE_USER set + Headers)--> Web Application
I have tried using the Keycloak Tomcat adapter (which works for logging in existing users) but the application also requires particular headers to be set to sign users up if they do not exist in the system.
I have also tried using IIS URL Rewrite module, but it does not set the REMOTE_USER variable for some reason (I saw this post which suggests that the Rewrite rules run before authentication, URL rewrite - REMOTE_USER always empty).
I managed to get this working by using Keycloak Gatekeeper (to authenticate the user) and having the Keycloak Tomcat adapter (setting the REMOTE_USER variable on the Tomcat server). I also managed to get this to work using Keycloak Gatekeeper and a custom ISAPI redirector to set the REMOTE_USER variable.
Unfortunately this did not help us as the application we are authenticating for has another issue, but answering this question incase someone else has an issue similar.
Related
I'm currently working on a project with complex requirements and I do not feel comfortable with the solution I'm considering.
The main idea is to secure existing applications (which do not include security themselves) without modifying them. These applications are not accessible from outside and will be accessible only through a reverse proxy (OpenResty).
Users do not have access to all applications and the solution to identify users is Keycloak.
The main components are :
An angular portal : the entry point
A reverse proxy that redirect the user on the chosen application
The IAM : Keycloak
All the available application
this schema explain it
The idea is :
The user click sign in on Keycloak and gets back to the portal with an access token (JWT) that contains his roles (application he has access to)
The user click on an application on the portal and he is redirected to the targeted application through the reverse proxy
The reverse proxy check the validity of the token (exp, iss and the roles)
I know this is not a proper way to do some SSO between application, but the requirement here is that the application, that are not secured can't be edited bu have to be protect by an upfront system (the reverse-proxy here)
My question is : ok this will work for the first call, because the user have his JWT token on the portal and hits the application with it the first time, but after when the user will click on a link in this app.. there is no more token. This kind of architecture works well to protect REST API bu for a web application, sounds to me a little incertain.
Generally, you would have reverse proxy server to handle user authentication instead of login to keycloak first.
Flow will be like this:
User access portal.
Portal redirects user to application through reverse proxy.
The reverse proxy will first redirect user to keycloak for
authentication, and build a security session between browser and
reverse proxy server.
The reverse proxy forward request to your application
server.
For all subsequent requests, user always go through reverse proxy server.
Try to use github.com/gambol99/keycloak-proxy. It stores token in the cookie, which is better option for web apps.
!!! Warning: I guess any auth proxy can use only Authorization Code Flow, however Implicit Flow is recommended for Single-Page Application (Angular). It really depends what's your Angular app. Analyze sec. pros and cons first, to be secure.
I have to mention that I am new to IIS. I have a local IIS 8.5 on a windows server 2012 machine. When I enable the windows authentication (basic authentication is disabled), I can access and see the home page of IIS (http://localhost) with the credentials of a LDAP user in the same domain. However, when I enable basic authentication (windows authentication is disabled), I cannot access the home page with the same credentials I used for windows (The authentication pop up never goes away).
Shouldn't the same credentials work for both basic and windows authentication or basic authentication works differently ? If not, then how are the credentials validated in case of basic authentication ?
Note: Eventually I plan to write restlet java code to post resources using basic authentication.
So finally I got this problem solved. For Basic Authentication (click on edit), we need to set the default domain (realm is optional). Once I set the default domain, I could login using the LDAP user credentials.
I was trying to register an Application Login Module in Websphere but I don´t find any easy example in web.
There are a lot of IBM documents, but too much complex, and I can´t figure out how to register an Application Login Module.
I already have success with a System Login Module bounded to WEB_INBOUND, it works, but affects all my system. I want a Login Module to serve only my applications web, with JAAS authentication.
I´ve tried to bound a login module to existing WSLogin but it doesn´t seems to be working.
Any help ?
tks[]
You need to setup security domains to get the separation you are looking for wrt to the login configurations. The security framework uses the WEB_INBOUND login configuration to authenticate the user for all web applications irrespective of adminConsole or user applications. When you create a security domain and customize the WEB_INBOUND configuration at the server/cluster domain level, it will be used for all the user web applications deployed in those processes. You need to setup the multidomain in a cell topology and assign the domain to the server/cluster where you applications are deployed.
Once you setup the domains, the WEB_INBOUND configuration at the server/cluster domain will be used by the user applications hosted in that server/cluster while the WEB_INBOUND configuration at the admin/global domain will be used for the adminConsole application at the Deploymener Management process where it is deployed.
The application JAAS login configurations are meant to be used by the applications directly. One can create an application login configuration and programmatically use it in the application to perform direct login -
LoginContext lc = new LoginContext("myAppLoginCfg1", callBackHandler);
I asked around and this is the answer that comes from the owner of container security:
The WEB_INBOUND is a JAAS system login that is always configured by default. However, you can specify your own JAAS application login or customize the existing WEB_INBOUND system login. If you want only one application to use a different JAAS login from all your other applications, you can use a security domain that has those different security configurations. The only catch is that application server has to be in a separate server from the other apps. That way, you can map your security domain to that server.
Here's an info center article about security domains:
http://www-01.ibm.com/support/knowledgecenter/#!/SS7K4U_8.5.5/com.ibm.websphere.zseries.doc/ae/tsec_sec_domains_config.html?cp=SS7K4U_8.5.5%2F1-8-2-33-1
And one on application logins:
http://www-01.ibm.com/support/knowledgecenter/#!/SS7K4U_8.5.5/com.ibm.websphere.zseries.doc/ae/rsec_logmod.html?cp=SS7K4U_8.5.5
And system logins:
http://www-01.ibm.com/support/knowledgecenter/#!/SS7K4U_8.5.5/com.ibm.websphere.zseries.doc/ae/usec_sysjaas.html
And here is a much more practical answer that comes from the security dev lead:
So an additional question is - why would you want to do that? Do you want to do anything specific for just one app during login that you do not want for other app logins? (I would think so) You can get the app name in your custom login module and can use that to provide your own app based login requirement in your login module (or skip it) if needed.
Me: Ya, this is what I would do. You can also implement this based on what is in the request. I did one where it would request a SAML token from an STS and put it on the runas subject if I could tell that the request came from WebSeal (and not if it didn't).
If what you need to do for the 'app-specific' case requires skipping what is done in ltpaLoginModule and wsMapDefaultInboundLoginModule (that should run for the other apps), you can't really do that. However, you can modify their behavior.
Read through the task I've given a link to below. Yes, I understand it is a WS-Security task, but its about using APIs. You'll get what I'm talking about if you read closely, particularly the 3rd ("When a caller...") and 5th ("To use a..") paragraphs. The parts that you should be concerned about in the code is the WSCREDENTIAL* stuff.
http://www-01.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/twbs_config_wssec_caller_no_reg.html
I'm running Mercurial's hgwebdir.cgi on WinXP over IIS as a central repo for sharing code with my team. I'd like to use ActiveDirectory to authenticate to the server when pushing/pulling through TortoiseHg and/or the command-line hg client. Has anyone done this or seen instructions on how to do this?
I know this has already got an accepted answer, but I did a four part blog post for set up of Mercurial on IIS with Active Directory authentication and using hgwebdir.cgi for push authorization. It goes over the whole process of:
Setting up Mercurial's hg web interface on IIS.
Setting up the IIS authentication for Mercurial so that only users authorized by the active directory (i.e. security groups/users) can view/access the repositories either via the hg web interface or through the file system.
Configuring Active Directory authentication for Mercurial users, so only authorized users can see/access the repositories they have access to.
Configuring hgwebdir.cgi via hgweb.config to set push authorization for specified users to repositories.
Hiding hgwebdir.cgi using Helicon's ISAPI Rewrite in your repository's URL.
Customizing the style/feel of the hg web user interface to your own taste.
Setting up and configuring Mercurial in a Windows/IIS/Active Directory environment (web.archive.org mirror)
hgwebdir.cgi doesn't really authentication, although it can do authorization. You probably want to take care of authentication in the IIS config. (I don't have any experience with IIS, but that's how it works with Apache, at least.)
Authentication is performed by IIS. In IIS Manager, allow Basic Authentication on the directory containing hgwebdir.cgi script. Then edit the Basic Authentication settings and set default domain and realm to your domain name.
In hgweb.config add
allow_push = <username>
replacing <username> with your username(s) for people who will be able to perform push.
This worked for me.
Excuse my necroposting, but I've just released an alpha version of HgLab, which is a Mercurial Server for Windows and it supports Active Directory authentication out of the box.
I have deployed an application on IIS Server and Servlet Exec configured. I need run the application with windows User Credentials rather than Anonymous User. I tries changing the username and password of annonmous user in properties/Security but the application stops responding changing it back to default Anonymous IIS user account works fine??
Abdul Khaliq
If it is on iis 6 or greater, there is a place you can create application pools. If you don't have a dedicated application pool for your application yet, create one. While creating you can set the default identity it should work with. You can set it to system defaults or a custom identity you've created...
You should change the identity for the application pool (not the website). So it's best to create a specific application pool for every site which needs specific user credentials.
But this question really belongs on serverfault.com