I want to build a web application with JSF where I use JAAS for authentication.
I will run the application on Glassfish v4 and I want to use a custom realm/login module to have my user credentials stored in a database and moreover having the passwords salted and hashed. As far as I know the JDBCRealm of Glassfish does not give me possibility to have the passwords salted.
I already found resources on how build such login modules and security realms for it.
Now I reached a point where I still have too many questions open and no answers found on the web.
My first question now is more like a conceptual question.
So for me it actually seems like a disadvantage if I use JAAS since that would require me to write custom realms and login modules for each application server I want my application to be deployed to.
I mean I see the advantage to have the authentication seperated but still it seems quite a bit of extra work compared to a solution where I would do the login procedure on my own.
Since I could also do the access control using custom filter in JSF this seems to be a more universal way because there is no extra effort when I change the application server.
Do I miss something here?
This also leads me to another point. Is there a way to perform the login procedure by myself but assign the current user specific roles in the context of JAAS during my custom login?
Another question: I have seen that it is also possible to create/update/delete users with a custom realm which sounds awesome for my needs... Sorry if this is a kind of a noob question but I still could not figure out how to retrieve the JAAS realm from within my JSF application...
Related
I've developped a REST based service using Express and initially started implementing authentication myself. A simple username/password authentication where
passwords are encrypted using BCrypt
user info + hashed passwords are stored in a mongoDB
password verification checks are done.
authentication tokens (limited TTL) are generated / validated
I have some knowledge on Node.JS, but not nearly sufficient to make me feel comfortable about rolling out my own authentication (login/signup) mechanism.
For that reason I would like to replace my in-house mechanism with something else.
Something proven, extendable, pluggable and easy to use.
Given the amount of secure websites / REST APIs out there based on Node.JS, I'm sure there are out-of-the box solutions that people / companies have to offer that can get service implementors up and running very quickly, without having to worry about the security/user aspect.
I'm looking for an even higher level of abstraction than that of libraries like passport or everyauth. Something that provides out-of-the-box functionality, capable of fulfilling my requirements including :
providing a login page / signup page / profile page
different authentication modules (google,facebook,github,....)
storing user info (+credentials if required) in a datastore (mongoDB).
remember me
forgot password / reset password
So the question here is :
Are there out-of-the-box solutions like that available that offer a higher level of abstraction than passport/everyauth/... ?
If any, would you recommend some of these out-the-box solutions ?
Should I instead forget about the notion of outsourcing my user authentication and just start looking at passport and everyauth and start implementing my requirements using those libraries ?
Is it possible to focus on my business logic and not worry at all about any aspect regarding user authentication (writing login / signup pages , implementing forgot password / reset password flows, storing user info in the DB).
The service API should largely live independent of your authentication mechanism, so I'd recommend starting this behind a simple password protected folder or some such. In my opinion it would be better to make sure you're API works and can gain traction. Meaning it'll be more a long term project. Nothing kills a project quicker than focusing on the painful stuff right out of the box.
As far as what service to use? It's non-trivial to setup security well. So for a small startup project, it's probably more cost-effective to integrate with another service. Might take a look at Mozilla Persona. It's built on Node and pretty straight forward.
If you do try to roll your own get some outside expertise, and DON'T do stupid stuff like use a hashing algorithm like SHA1 to store passwords. Instead use something like bcrypt. Then there are other things like, don't store server logs on the server they're created. Pipe out all logs elsewhere so if there's an intrusion you have a forensics trail back to what happened.
I guess you could use https://stormpath.com/ . I'm looking for a free alternative myself..
I am about developing a web application using jsf 2.0 and netbeans 7.1
so I want to authenticate users before they can access the application
My question know is how can I be sure of that user along his "session"?
I searched and found that I have to use session beans but I didn't get
the "remedy" of my problem
thanks for help
the answer really depends on your requirements. the simplest solution would be to use container managed authentication (via JAAS). all j2ee/servlet containers support this, but some implement it "their own way", so you have to check the docs. i know for tomcat and jboss, it's very simple to turn on and (assuming you configure your web.xml properly) just trust that if they are loading your pages, the session is authorized. you might want to bulk up the question with some of your requirements. that will really spur people to give you a much more concrete answer than i'm providing.
TIA
I have deployed two applications onto the glassfish server, each of which uses its own security realm (file, jdbc). The problem is that the glassfish allows only one default realm to be set which results in only one application to be functional at a time. I'm a newbie with the glassfish so I might be missing something fundamental or should approach this problem differently (do I need a separate domain for each of mine applications to be able to set the security with specific realm?).
Any suggestions would be appreciated.
Thank you.
It's possible to create more file Realms in the same GlassFish domain, you simply have to specify a new file name for the keyfile storing the users / passwords information. You can follow this tutorial if you wish.
Concerning the other part of the question, you can also consider to use a LDAP server, which is a scalable and more general solution, because it can be used also by other applications inside the same firm. You can use OpenLDAP or OpenDJ for example, and use JNDI API for letting your applications access the LDAP realm.
Here you can find a JNDI and OpenLDAP Tutorial, but you can easily find other tutorials around on the subject.
I have been building quite a few MVC based websites locally and am finally ready to deploy the first, but, I am getting rather nervous.
During testing, I noticed several things that worried me - I am using the default forms authentication with a few tweaks (although nothing to the underlining security).
I noticed that if I created a user in one application and logged in, then launched another application... it would keep me logged in* as the user from the previous application. The user doesn't even exist in the new application!
* - I used [Authorize] on controllers, and was surprised I could just get straight in without any sort of authentication
I assume it is because the cookie is being set for localhost instead of the application/port (although, not too much I can do about this in development).
Based on this, how secure is the default authentication?
1. Is there anyway to check from the code that the user doesn't have a "faked" cookie? / Check the user has logged in from my application?
2. I was just wondering if there are any sort of check lists or anything I can go through before deploying?
Sort of - 3.As of writing this, For question 1. I am guessing I could add a column with a random number that is saved to the cookie, and then that number is checked every time any authentication is done... however, I did not want to start mucking around with the membership provider... but I think this could work. Is this a good idea?
Try using IIS on your machine instead of VS Dev Server. Solves your problem 1.
Other than that I don't think you will need any extra effort to make default membership mechanisms of asp.net to make more secure if of course you don't need a real custom things to do in your projects. These things are around for a while now and I think they have been well tested in terms of security.
You just need to remember to put [Authorize] attribute to right places. If not on your controllers put them to right methods.
Basic Web Authentication shouldn't be trusted for applications which contain truly sensitive information. That being said it's sufficient for most applications. Be sure to check your application as often as possible before and after release for XSS vulnerabilities.
Here is Microsoft's recommended "Secure yourself" list. http://msdn.microsoft.com/en-us/library/ff649310.aspx
No matter how strong your authentication is, one small XSS mistake and a malicious user can do as they wish to your site, and your users data!
I recently read a good book: Worx Professional ASP.NET, it talks about these steps in more detail on securing yourself as well as exposing examples of problems. After reading this I was able to "deface and steal" my own sites information with relative ease, was a good eye opener on the importance of securing for XSS.
I'm working on a web site and I plan to use strictly OAuth in for user authentication. I've never implemented session management/user authentication before; and so - naturally - I'm reading up on a lot of how tos to get this done.
The problem I'm running into is that a lot of examples out there for doing things like setting up your realm, authenticator, etc etc seem to rely on the user/password paradigm for authentication. The whole point of going for OAuth is to avoid this in the first place!
That being said; I'm actually not looking for examples of full OAuth implementations right now. I understand that I need to understand that for myself. BUT with a future OAuth implementation in mind; how should I structure my user authentication/session management FOR THE TIME BEING in a way that will allow me to move forward on developing the functionality on my site that I really care about? I suppose I could throw some stuff together for that; but I'm just afraid that down the road I will be shoe horning an OAuth implementation as opposed to do something now which allows me to lay down the basic framework for it and then move on to other things.
So; does anyone know of a good example of laying the groundwork for OAuth on Tomcat 7? For example, which authentication mechanism (Basic, digest, etc) I should use or how I should represent user credentials in my database?
I know that this is kind of a vague question; so I'm not expecting someone to come out and tell me all of the answers I need to know. I'm just looking to get pointed in the right direction here.
Perhaps Spring Security would be useful? Your webapp could leverage Spring Security and use whatever login mechanism you need (i.e., you could do the default form-based authentication or Basic Auth for now, and replace the login/auth piece with an OAuth implementation when you're ready), but still have Spring Security manage authorization to particular resources in your webapp.
Someone has also built OAuth for Spring Security, so it may be a useful addition to your web app all around.