J2ee security newbie: integrated authentication question

I am trying to build a set of JSPs/servlets that require authentication and probably authorization. The JSPs/servlets should be able to authenticate against any underlying password system, or should cope with most common systems such as Win2k / Unix etc. I do not want to force the organisation to build a new database of users / passwords or to type in passwords in clear text in XML files.
I would preferably like to use form-based authentication to avoid HTTP Basic clear-text password sending. This will also allow me to customize the UI of the login screen.
The solution should not be container specific, or at least the containers (Tomcat + WebSphere) should allow for it in their own way.
After a lot of research on the web, I can't seem to find an accepted way of doing this. I would like comments on the choices I have made so far and the choices I should be making. Any links to reading material would be helpful. I would like to understand which lower-level technologies to depend upon, e.g. LDAP / Kerberos etc. Any help will be appreciated.
TIA,
Zdz

"I would preferably like to use form-based authentication to avoid HTTP Basic clear-text password sending. This will also allow me to customize the UI of the login screen."

Form-based auth is just like Basic auth. Both send the user ID and password in clear text. Basic auth sends it base64-encoded in the HTTP header; form-based auth sends it in the HTTP message body.
/Bo
http://appliedcrypto.com
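
What Bo describes, as an added example in Java (not code from the thread): the same constructed credential pair carried once as an HTTP Basic header and once as the body a servlet FORM login posts to j_security_check, and the few lines an observer on an unencrypted path needs to read either. The user name and password are made up.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Added example, not code from the thread: what a passive observer on a plain
// HTTP path recovers from each login style. The credentials are made up.
public class CredentialExposure {

    // Recover the pair from an "Authorization: Basic ..." header value.
    // Base64 is an encoding, not a cipher: decoding needs no key.
    static String[] fromBasicHeader(String authorization) {
        if (!authorization.startsWith("Basic ")) {
            throw new IllegalArgumentException("not HTTP Basic");
        }
        byte[] raw = Base64.getDecoder().decode(authorization.substring(6).trim());
        String decoded = new String(raw, StandardCharsets.UTF_8);
        int colon = decoded.indexOf(':');                 // RFC 7617: user-id ":" password
        if (colon < 0) {
            throw new IllegalArgumentException("malformed Basic credentials");
        }
        return new String[] { decoded.substring(0, colon), decoded.substring(colon + 1) };
    }

    // Recover the same pair from the application/x-www-form-urlencoded body a
    // servlet FORM login posts to j_security_check. Only URL-decoding is needed.
    static String[] fromFormBody(String body) {
        Map<String, String> fields = new HashMap<>();
        for (String pair : body.split("&")) {
            int eq = pair.indexOf('=');
            String name = URLDecoder.decode(eq < 0 ? pair : pair.substring(0, eq), StandardCharsets.UTF_8);
            String value = eq < 0 ? "" : URLDecoder.decode(pair.substring(eq + 1), StandardCharsets.UTF_8);
            fields.put(name, value);
        }
        return new String[] { fields.get("j_username"), fields.get("j_password") };
    }

    public static void main(String[] args) {
        // Constructed sample traffic for the same (fictional) login, once per scheme.
        String basic = "Basic " + Base64.getEncoder()
                .encodeToString("alice:s3cret!".getBytes(StandardCharsets.UTF_8));
        String form = "j_username=alice&j_password=s3cret%21";

        String[] viaBasic = fromBasicHeader(basic);
        String[] viaForm = fromFormBody(form);
        // Both recover the identical user name and password; the schemes differ
        // only in where the bytes sit in the request, not in whether they are readable.
        System.out.println("Basic header -> " + viaBasic[0] + " / " + viaBasic[1]);
        System.out.println("form body    -> " + viaForm[0] + " / " + viaForm[1]);
    }
}
```

Neither scheme protects the credential; TLS on the connection does, and the deployment descriptor can demand it for the login URL and the protected pages with a <user-data-constraint> whose <transport-guarantee> is CONFIDENTIAL inside the <security-constraint>. What FORM login still buys over Basic is the custom login page and a real logout: the browser keeps resending a Basic credential until it is closed, whereas a FORM login rides on the session and ends when the session is invalidated.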

Similar Messages

  • J2ee security newbie: integrated authentication help

    Most containers come with the ability to put security constraints in the web.xml file.
    Then you can set up your container to do the authentication (Tomcat calls this a Realm). And there is a JAAS realm that can be configured a little bit like PAM in Unix/Linux.
    There is also a Security Filter around on the net.
    Hope this helps.
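
    The JAAS hook the reply points at, as an added example in Java (not code from the thread or from Tomcat): a LoginModule that does nothing itself except hand the user name and password to a backend behind a small PasswordVerifier interface, which is where an LDAP bind or a Kerberos exchange would go, so the container never sees a password file. The interface, the class names and the "verifier" option name are assumptions of this example. The entry in the JAAS config file (the file named by -Djava.security.auth.login.config) would read, with made-up package names, MyApp { com.example.DelegatingLoginModule required verifier="com.example.LdapVerifier"; };, one line per module the way PAM stacks modules; Tomcat's JAASRealm then needs appName="MyApp" plus userClassNames and roleClassNames set to the binary class names (DelegatingLoginModule$UserPrincipal and DelegatingLoginModule$RolePrincipal for the nested classes below).

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// Added example, not code from the thread: the JAAS plug-in point at which
// the container realm hands the user name and password to code you control.
// The password store sits behind PasswordVerifier, so moving from one store
// to another changes a class name in the JAAS config file, not the web tier.
public class DelegatingLoginModule implements LoginModule {

    // Backend contract (an assumption of this example); an LDAP bind or a
    // Kerberos AS exchange would implement it. Returns the user's roles, or
    // null when the user is unknown or the password is wrong.
    public interface PasswordVerifier {
        List<String> authenticate(String user, char[] password);
    }

    // Tomcat's JAASRealm tells the user apart from the roles by class name
    // (userClassNames / roleClassNames), so the two get distinct classes.
    abstract static class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o != null && o.getClass() == getClass() && name.equals(((NamedPrincipal) o).name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }
    public static final class UserPrincipal extends NamedPrincipal { public UserPrincipal(String n) { super(n); } }
    public static final class RolePrincipal extends NamedPrincipal { public RolePrincipal(String n) { super(n); } }

    private Subject subject; private CallbackHandler handler; private PasswordVerifier verifier;
    private String user; private List<String> roles; private boolean committed;

    // The "verifier" option in the JAAS config entry names the backend class,
    // the way a PAM line names its module.
    @Override public void initialize(Subject subject, CallbackHandler handler,
                                     Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        String cls = (String) options.get("verifier");
        if (cls == null) throw new IllegalStateException("missing 'verifier' option");
        try {
            verifier = Class.forName(cls).asSubclass(PasswordVerifier.class)
                            .getDeclaredConstructor().newInstance();
        } catch (ReflectiveOperationException e) {
            throw new IllegalStateException("cannot load verifier " + cls, e);
        }
    }

    // Phase 1: collect the credentials through the callbacks and check them.
    // The password array is wiped as soon as the backend has seen it.
    @Override public boolean login() throws LoginException {
        NameCallback nameCb = new NameCallback("user: ");
        PasswordCallback passCb = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nameCb, passCb });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot obtain credentials: " + e.getMessage());
        }
        char[] password = passCb.getPassword();
        try {
            roles = (password == null) ? null : verifier.authenticate(nameCb.getName(), password);
        } finally {
            if (password != null) Arrays.fill(password, '\0');
            passCb.clearPassword();
        }
        if (roles == null) throw new FailedLoginException("bad user name or password");
        user = nameCb.getName();
        return true;
    }

    // Phase 2: runs only once every module in the stack has passed login().
    @Override public boolean commit() {
        if (roles == null) return false;
        subject.getPrincipals().add(new UserPrincipal(user));
        for (String role : roles) subject.getPrincipals().add(new RolePrincipal(role));
        committed = true;
        return true;
    }

    // Overall authentication failed somewhere in the stack: undo anything done here.
    @Override public boolean abort() { logout(); return true; }

    @Override public boolean logout() {
        subject.getPrincipals().removeIf(p -> p instanceof NamedPrincipal);
        user = null; roles = null; committed = false;
        return true;
    }
}
```

    The two-phase login/commit split is what makes the stacking work: with several entries marked required, a user is only given Principals once every backend has accepted the password, and a module that fails closes the whole attempt. The same module works under any container that can run a JAAS realm, which is the portability the original question asks for; only the realm declaration is container specific.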

  • Custom Policy vs. J2EE Security

    Hi there, Java Security architecture gurus,
    I am currently trying to find the best architecture for the new security framework for our company's application. The system requires instance-based security. ACLs are stored in a database. JAAS's authentication is just fine, but its file-based authorization is not sufficient for our needs. Access rights change during runtime and they should not be refreshed in that inefficient way with Policy.refresh().
    The solution I would like to establish should cope with changing environments without the need to change the code that is using security checks. E.g. the app should be able to run as a stand-alone application or within J2EE application servers or servlet engines.
    I have looked at the Java 2 Security API and found out that implementing a customized version of the JAAS Policy class can be one approach. A good benefit is the tight integration with the Java Security framework and that it not necessary to reimplement things like the AccessController and privileged actions.
    Now, I have the following questions:
    - Is the custom Policy a common solution when the application is deployed on a J2EE appserver?
    - Is it possible to delegate permission checking of the system permissions (FilePermission, PropertyPermission, etc.) to the original Policy implementation? I would not really want to have to include all of these in the database table.
    The alternative approach would probably be J2EE security with the cost of restricting the app to the J2EE environment. To me it seems to be impossible to implement instance-based security with role-based declarative J2EE security. With programmatic EJB security, I would need to make isCallerInRole() completely dynamic to support it.
    I looked through the forum for quite a while without success but if you already discussed this topic I would really appreciate a pointer.
    Thanks,
    Christoph

    Chris,
    There is a very good article from IBM that implements the same thing you are trying to implement, i.e. instance-based security, and also a custom Policy (you may need this).
    http://www-106.ibm.com/developerworks/library/j-jaas/?n-j-442
    Now, I have the following questions:
    - Is the custom Policy a common solution when the application is deployed on a J2EE appserver?
    Custom policy is required primarily if you are going away from the default policy format that sun recommends. If you want to read your permissions from a database you may need to implement a custom Policy class.
    - Is it possible to delegate permission checking of the system permissions (FilePermission, PropertyPermission, etc.) to the original Policy implementation? I would not really want to have to include all of these in the database table.
    This is recommended by Sun. You may have to delegate the Permission checks that you know you cannot handle to default policy class.
    In your CustomPolicy.java, the following code goes at the end of the getPermissions() method:
    // defaultPolicy is a field captured once, in the constructor, before
    // Policy.setPolicy(new CustomPolicy()) runs: once this policy is installed,
    // Policy.getPolicy() returns this very instance, and calling it from here
    // would recurse.
    private final java.security.Policy defaultPolicy = java.security.Policy.getPolicy();
    // If the permission is not found here then delegate it
    // to the standard java Policy class instance.
    return defaultPolicy.getPermissions(codeSource);
    Hope this helps.

  • Adobe PDF/Acroforms & Digital signatures/Integrity/Authentication/Non repudiation

    Hi folks,
    I have been investigation the feasibility of using PDF as a customer-facing data collection mechanism, starting with Acroforms for a pilot, initially at least (we may consider XFA/Livecycle in a later phase).
    I've got a demo application up and running using the FDF toolkit, presenting PDF forms to the web user, collecting and processing/storing the collected data etc.
    My question is around how this process can be secured.
    (Q1) (This may be strictly a web dev question, please ignore if considered not relevant here): If the web application communicates over HTTPS, then the conversation between client & server is secure (encrypted at least, so that others can't sniff the content?) - but it does not necessarily authenticate the end user to the server?
    (Q2) If we wish to ensure that the FDF data submitted from the PDF form (via submit button to an ASP.NET URL) is (a) known to be authentic from a particular known user, and (b) signed in some way to be non-repudiable ... how can we do this with FDF? If we re-generate a flat PDF document from the data they entered, is there any digital signature mechanism that can be employed for the public end-user to "sign" the PDF document in a manner that ensures integrity/authentication/non-repudiation?
    any pointers to Adobe or Third party toolkits, products etc. ?
    best regards & thanks,
    Aidan.

    Q1. That's right. But if the form includes fields for a username/password, this could be sent along with the rest of the data and used to authenticate the user. Or you could use other common means, but as you said, this has nothing to do with Acrobat.
    Q2. FDF can contain digital signature data. So the form would have to contain a signature field and the user would have to sign it. Assuming a self-signed signature, it's up to you whether to trust such a signature. The signed PDF is constructed from the original PDF that was served by concatenating the appended saves contained in the FDF. You can then validate the signature.
    George

  • How to find solution for avoiding WARNING J2EE SECUR-00100 ********** user-manager (see application/server descriptors) will no longer be supported in the next release of this product

    HI All,
    We are using OC4J version 10g 10.1.3, and while starting the container we get the warning below. Let me know if anyone has a solution for this.
    14/01/10 01:01:29 ********** user-manager (see application/server descriptors) will no longer be supported in the next release of this product!
    Please take the appropriate actions to migrate to an alternative strategy! **********
    2014-01-10 01:01:29.833 WARNING J2EE SECUR-00100 ********** user-manager (see application/server descriptors) will no longer be supported in the next release
    of this product!

    I just checked my BIOS and my current setting is set at IDE although it also mentions that the default should be AHCI. Currently I have a dual boot of Windows 7 (need it for Tax software) and Arch
    So I guess, when I get the new HDD, I will first set it to AHCI and then install the OSes on it. See if NCQ helps any, and if not I will turn it back and re-install (if I have to). I am planning to have Windows only in virtualbox in the new drive.
    Anyhoo, while I was in the BIOS I found two things which I had questions about :
    1) Under Onboard Devices --> Integrated NIC , my setting is currently set at "On w/PXE" and it says the default should be just "On". Would it be ok to change it back to On since its a single machine and its not booting an OS on any server. I just don't want to have to re-install anything now since I will be doing that in the new HDD.
    2) How would I know whether my BIOS would support a 64 bit OS in Virtualbox? I checked some setting under Virtualization, but they weren't very clear.
    I will edit this post and let you know exactly what settings were present under the Virtualization sub-section.

  • SOAP and J2EE security

    We have deployed several SOAP services (Apache SOAP) on a WLS6.1 server. Since more and more services are being deployed, people are getting worried about security. I was wondering what the best solution was to do authentication and authorization on EJB and method level for SOAP clients? I was thinking about the following solution: use the standard J2EE security by defining security constraints in the ejb-jar.xml file. Therefore every client needs to provide credentials to use the EJBs (this should work for both RMI/IIOP and SOAP clients).
    What are your ideas and opinions about this solution?
    If you post a reply please CC to [email protected]

    Hi,
    Let me know if you find answer of your question.
    thanks

  • Exchange 2013 CU1 Outlook Web App LogOff with Basic or Windows Integrated Authentication

    Hi all,
    Exchange 2013 CU1 has a new OWA LogOff behaviour when Basic or Windows Integrated Authentication is configured. When clicking the LogOff button you receive the message "Close all your browser windows..." but OWA does not sign out. This is not the case when using form-based authentication...
    The problem in our case is the OWA publishing over the Internet via TMG. When publishing via TMG, only Basic and NTLM authentication are supported. This means you have to change the authentication for the OWA virtual directory to Basic or Windows Integrated.
    OK so far, now we can use the TMG authentication form. But... TMG is not able to catch the OWA LogOff. So we will still receive "Close all your Browser Settings..." and no log out from OWA.
    It is a known issue that TMG cannot catch the OWA LogOff with the Exchange 2013 CU1 release. So my question:
    Does anyone have that "real LogOut" fixed via TMG or directly on the CAS server for Exchange 2013 CU1?
    I know another possibility is to activate form-based authentication on the CAS servers and have external users directly authenticate against the CAS server without pre-authentication at TMG level, but this of course does not provide the highest security we can have.

    Hi SLShare,
    As far as I know, if there is no TMG involved, with Exchange 2013 when the user signs out of mail, the authentication tokens are cleared and the user will be presented with the login screen. There will not be a need to click on "Close Window" or any other pop-ups that may appear.
    Therefore, you may ask the TMG forum about this question and see whether there is some other workaround to temporarily bypass this issue. For your convenience:
    Forefront TMG and ISA Server Forum - TechNet - Microsoft
    http://social.technet.microsoft.com/Forums/forefront/en-US/home?forum=Forefrontedgegeneral
    Thanks,
    If you have feedback for TechNet Subscriber Support, contact
    [email protected]
    Simon Wu
    TechNet Community Support

  • SSRS and SharePoint Integration Authentication Issue

    We recently turned on SSRS for our SharePoint 2010 test environment. We are using an account that has rights to SharePoint as a site collection administrator, the feature is enabled on the site collection and site level, and it has access to the SQL instance to pull the reports. The report config file specifies NTLM authentication. It acts as if it will configure and goes through the SP Central Administration steps successfully. When I try to deploy a report, I receive the following error:
    Exception encountered for SOAP method GetSystemProperties: System.Net.WebException: The request failed with HTTP status 401: Unauthorized.     at Microsoft.SqlServer.ReportingServices2010.RSConnection2010.SetConnectionProtocol()    
    at Microsoft.SqlServer.ReportingServices2010.RSConnection2010.SoapMethodWrapper`1.ExecuteMethod(Boolean setConnectionProtocol) 1afe9dfd-9846-4194-bddf-fcb0ded634be
    06/14/2012 15:37:43.03  w3wp.exe (0x1E78)                        0x1754 SQL Server Reporting Services  SOAP Client Proxy            
     0000 High     Exception encountered for SOAP method GetSystemProperties: System.Net.WebException: The request failed with HTTP status 401: Unauthorized.     at Microsoft.SqlServer.ReportingServices2010.RSConnection2010.SetCo
    If I turn on trusted accounts, it works, but then it argues when the report loads because our reports use Windows integrated authentication. We would prefer to have Windows integrated authentication to control who can see reports by their login name. Any ideas? I feel like I have exhausted options.

    Can you please elaborate on how to avoid using Kerberos and use the Secure Store to access our external SQL data? In our test environment, we have SharePoint 2013 Ent, SQL 2012 Ent. I am trying to use PowerView to access a Direct Query data model created in SSAS tabular mode. My connection from SharePoint to the model is successful but fails with a reporting service error:
    Cannot create a connection to data source 'EntityDataSource'.
    <detail>
      <ErrorCode xmlns="http://www.microsoft.com/sql/reportingservices">rsErrorOpeningConnection</ErrorCode>
      <HttpStatus xmlns="http://www.microsoft.com/sql/reportingservices">400</HttpStatus>
      <Message xmlns="http://www.microsoft.com/sql/reportingservices">Cannot create a connection to data source 'EntityDataSource'.</Message>
      <HelpLink xmlns="http://www.microsoft.com/sql/reportingservices">http://go.microsoft.com/fwlink/?LinkId=20476&amp;EvtSrc=Microsoft.ReportingServices.Diagnostics.Utilities.ErrorStrings&amp;EvtID=rsErrorOpeningConnection&amp;ProdName=Microsoft%20SQL%20Server%20Reporting%20Services&amp;ProdVer=11.0.3000.0</HelpLink>
      <ProductName xmlns="http://www.microsoft.com/sql/reportingservices">Microsoft SQL Server Reporting Services</ProductName>
      <ProductVersion xmlns="http://www.microsoft.com/sql/reportingservices">11.0.3000.0</ProductVersion>
      <ProductLocaleId xmlns="http://www.microsoft.com/sql/reportingservices">1033</ProductLocaleId>
      <OperatingSystem xmlns="http://www.microsoft.com/sql/reportingservices">OsIndependent</OperatingSystem>
      <CountryLocaleId xmlns="http://www.microsoft.com/sql/reportingservices">1033</CountryLocaleId>
      <MoreInformation xmlns="http://www.microsoft.com/sql/reportingservices">
        <Source>Microsoft.ReportingServices.ProcessingCore</Source>
        <Message msrs:ErrorCode="rsErrorOpeningConnection" msrs:HelpLink="http://go.microsoft.com/fwlink/?LinkId=20476&amp;EvtSrc=Microsoft.ReportingServices.Diagnostics.Utilities.ErrorStrings&amp;EvtID=rsErrorOpeningConnection&amp;ProdName=Microsoft%20SQL%20Server%20Reporting%20Services&amp;ProdVer=11.0.3000.0" xmlns:msrs="http://www.microsoft.com/sql/reportingservices">Cannot create a connection to data source 'EntityDataSource'.</Message>
        <MoreInformation>
          <Source>Microsoft.AnalysisServices.AdomdClient</Source>
          <Message></Message>
          <MoreInformation>
            <Source>mscorlib</Source>
            <Message>Access is denied.</Message>
          </MoreInformation>
        </MoreInformation>
      </MoreInformation>
      <Warnings xmlns="http://www.microsoft.com/sql/reportingservices" />
    </detail>

  • Struts/servlet page flow problem due to j2ee security

    When I type a URL such as http://localhost:7777/myapp/action.do, I want to see the execution result page from this action. However, the result page will always be index.jsp because of J2EE security: I have a loginaction.do and its result page is index.jsp. How can I overcome this problem?
    Thanks,

    To give more details about the problem I have: the user likes to put a URL in the browser, then press enter. The user likes to see the running results. However, the user is not able to see the results because J2EE security requires the user to log in. After successful login, the user is going to see the index page. My question is how the user can view his result page after login.
    cheers.

  • Weblogic.security.acl.realm.authentication... Exception

    Hello All
    The reason I'm moving a post-question from JMS to this section is that people there suggested this. Anyway, when I tried to use an applet which implemented MessageListener to send a message, I got the following exception (port 7001 had been granted connect, resolve in java.policy):
    javax.naming.AuthenticationException [root exception is java.lang.SecurityException:Authentication
    for user admin denied in realm webogic start server side trace: java.lang.SecurityException:Authentication
    for user admin denied in realm weblogic at weblogic.security.acl.Realm.authentication(Realm.java
    212) at weblogic.security.acl.Realm.getAuthenticatedName(Realm.java 233) at weblogic.security.acl.internal.Security.authenticate(Security.java
    135) at weblogic.kernel.bootSevicesImp.authenticat(BootServicesImp.java 119) at
    weblogic.kernel.ExecuteThread.run(ExcuteThread.java:120 ..
    My question is why servlets, Swing or other applications outside an applet don't generate such exceptions even though most of the code is similar? How to deal with this?
    Thanks
    John

  • J2ee security and page flow problem

    To give more details about the problem I have: the user likes to put a URL in the browser, then press enter. The user likes to see the running results. However, the user is not able to see the results because J2EE security requires the user to log in. After successful login, the user is going to see the index page. My question is how the user can view his result page after login.
    cheers.

    In the future, please post JSP/Servlet questions in the appropriate forum: http://forum.java.sun.com/category.jspa?categoryID=20
    This is pretty simple to do:
    1) set up a Filter that applies to a specific URL pattern, such as " /protected/* ", so that the Filter is invoked when resources within the "protected/" path get accessed
    2) in the Filter code, store the user's desired path in the session scope (let's call it "loginRedirectFrom") and redirect the user to the login screen.
    3) in your login servlet/JSP, after the user has been verified, redirect to the URL you stored in "loginRedirectFrom".
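
    The three steps above, as an added example in Java against the Servlet API (not the reply's own code): the Filter, mapped in web.xml with a <filter-mapping> whose <url-pattern> is /protected/*, and the helper the login page calls after the password check. The session attribute names, the login page path and the "authenticatedUser" marker are assumptions of this example. The one thing the reply leaves out is that the stored path came from a request line the client controls, so step 3 checks it before redirecting.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example, not the reply's code. Mapped in web.xml to /protected/*
// (step 1). Attribute names and the login page path are assumptions.
public class LoginRedirectFilter implements Filter {
    static final String RETURN_TO = "loginRedirectFrom";   // step 2's session key
    static final String USER = "authenticatedUser";        // set by the login servlet

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(true);
        if (session.getAttribute(USER) != null) {
            chain.doFilter(req, res);          // already logged in: run the action
            return;
        }
        // Step 2: remember the requested path (plus query string), never a full
        // URL, and send the user to the login page.
        String target = request.getRequestURI();
        if (request.getQueryString() != null) {
            target += "?" + request.getQueryString();
        }
        session.setAttribute(RETURN_TO, target);
        response.sendRedirect(request.getContextPath() + "/login.jsp");
    }

    // Step 3: the login servlet calls this after the password check succeeded and
    // redirects to the result. The stored value is client-supplied, so it must be
    // a local path of this application; anything else (an absolute URL, the
    // "//host" or "/\host" forms, CR/LF) falls back to the index page instead of
    // turning the post-login redirect into an open redirect.
    static String postLoginTarget(HttpSession session, String contextPath) {
        Object stored = session.getAttribute(RETURN_TO);
        session.removeAttribute(RETURN_TO);
        String fallback = contextPath + "/index.jsp";
        if (!(stored instanceof String)) {
            return fallback;
        }
        String target = (String) stored;
        boolean local = target.startsWith(contextPath + "/")
                && !target.startsWith(contextPath + "//")
                && !target.contains("\\")
                && !target.contains("\r") && !target.contains("\n");
        return local ? target : fallback;
    }
}
```

    In the login servlet, once the credentials have been verified: rotate the session identifier (HttpServletRequest.changeSessionId() on Servlet 3.1 and later) so a session fixed before login does not carry over, then session.setAttribute(LoginRedirectFilter.USER, name) and response.sendRedirect(LoginRedirectFilter.postLoginTarget(session, request.getContextPath())). When the container's own FORM login (j_security_check) is used instead of a hand-written login action, none of this is needed: the container saves the original request itself and replays it after a successful login, which is what a custom loginaction.do whose result page is index.jsp cannot do on its own.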

  • OID Dynamic Groups and J2EE security roles

    Hi
    I've searched the forums but can't get a definite answer. Is it possible to use OID dynamic groups and map them to J2EE security roles? I can't find anything that says specifically not, but I can't seem to get it to work.
    Thanks
    Adam

    Hi,
    Let me know if you find answer of your question.
    thanks

  • Authentication questions I never answered

    When I try to buy something from my iTunes account with my iPhone it asks for authentication questions that I have never seen or answered before. How can I fix this?

    You need to ask Apple to reset your security questions. To do this, click here and pick a method; if that page doesn't list one for your country or you're unable to call, fill out and submit this form.

  • Authentication Question in SAP IDM 7.1

    Hi All,
    I am currently working on SAP IDM 7.1. My requirement is to set an authentication question in SAP IDM and enforce the same at the first-time login of the user. Presently I am setting my authentication question answer in OOB attributes MX_AUTH_Q01 - Q05.
    For the first-time login user I am getting the default password change screen; thereafter I need to enforce Set Authentication for every user logged in for the first time. Please suggest if SAP provides any feature like this to set an authentication question at the time of login. Thanks in advance
    Regards
    Swati Pandey

    Hi Christian,
    I have implemented the security question using the same concept, i.e. by limiting access to the process through access control. Now, my requirement is to store a dynamic question in the user profile, i.e. users can store their own custom question/answer. Do we have any such facility in SAP IDM? Presently the auth questions provided are static for each user profile.
    Thanks
    Swati Pandey

  • J2EE Security Provider Service in NWA on 7.10?

    Hi,
    In versions up to 7.0, there was a J2EE Security Provider Service which could be configured in Visual Administrator to control fine-grained security between deployed components on the system. I cannot find anything similar in NetWeaver Administrator in 7.1. Has this become obsolete or am I overlooking something?
    Thanks,
    Thorsten

    Hi,
    NWA -> Configuration Management -> security -> authentication
    here you can find the required policy configurations
    regards,
    Jozsef
