I need to implement a feature to take user session credentials.
Then to use them to authorize in a proxy server.
It should be implemented the same way as in the VMware vSphere Client.
I tried to use CredWrite/CredRead but CredRead works only for the names produced by CredWrite call.
Can you help me to understand how to do that or give me an article describing this?
Many thanks!
Related
My question may be too broad or vague, but I cannot best describe it in any other way than I am doing it.
I have multiple Django applications. I have implemented SSO successfully for the same. All this things work. Now, I have been given a new task and its like this.
I have to integrate Microsoft ADFS authentication into my suite of applications and broaden the scope of current SSO.
My understanding of it is as, when I log into my laptop which is on corporate network (I assume this is how I have to put it) I also get logged into my django applications
I seriously have no idea of how this work as I have no experience with ADFS. Can anyone with experience of this explain it with a scenario of how it works so that I can understand it and think of a solution to it.
PS: If there is any more information needed I will provide. Also, if downvoting the question do put a reason so that I can edit the question and post it as it should be.
if Django supports SAML based login, then you set it up to trust ADFS. ADFS will automatically take care of logging in using your logged in credentials to a domain joined machine inside the corporate network. If the user accessed externally, it would prompt for password or a certificate based auth (e.g. smartcard) to login the user.
I have developed a REST web service using JAX-RS, hosted on Apache Tomcat server. I used Eclipse for developing this and hosted on a Windows 7 Enterprise machine. Now I need to provide Kerberos Authentication to access my service from any client (for example SoapUI). I have tried to get information from many sites but, all I get is configurations on linux machines.
I'm a newbie to the security concepts and authentication mechanisms and architectures, I would appreciate a good detailed explanation.
Here is a good description of how to integrate Tomcat with Windows authentication:
https://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html
Please note that there might be 2 separate things you might want, I'm not sure which one you are looking for.
Authenticate transparently with the Kerberos tickets the user already has.
Authenticate with username+password always, using MS AD to check them.
The first is always transparent, meaning the user does not have to enter username+password again. In the second one she obviously has to.
If you are looking for other services (like SoapUI) to access your services with Kerberos tickets, then those services would need to get a ticket themselves. If you just want those services to use username+password (instead of Kerberos), then you don't need a ticket of course.
Edit after clarification: Using username+password from a windows domain actually does not involve Kerberos at all. It is using LDAP to authenticate, which maps to JNDI in Java. There is a JNDIRealm in Tomcat to set it up, described here:
https://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#JNDIRealm
At work we have a system set up running a ThinkTecture IndentityServer SSO provider which currently provides authentication for several .NET and ColdFusion sites. I am currently working on a new site we are supporting in Ruby on Rails and am having difficulty figuring out how to connect it to the SSO. (I'm pretty new to rails, but a long time developer in CF and .NET)
I've looked at the omniauth-oauth2 and oauth2 gems but it seems there are important parts missing from the documentation and explanations I can find. There is a ton of info if I wanted to authenticate using Twitter, Facebook or something similar, but I can't find anything that just addresses the client side for any generic OAuth2 provider.
I'm just looking for someone to point me in the right direction to find information on how I can do this. I don't care if it's specific to IdentityServer or just generic regardless of the provider. Thanks for the help.
Update: Just so you know, I would prefer to use OAuth2 for this connection, but I am not opposed to using any of the other ways that IdentityServer provides, including ADFS, WSFed or Simple HTTP. I can't use OpenID, though, because these accounts are specific to our system and can't be used for other systems.
You really need an open id connect library.
http://openid.net/developers/libraries/
It turns out this is pretty easy, overall. The difficulty is that there is no straight answer to the question. How you connect to IdentityServer entirely depends upon how IdentityServer is set up.
I'm not going to post my exact code, as this will not help anyone who doesn't have IdentityServer set up exactly the same way we do, and as I don't have access to the IdentityServer, I can't say exactly how that is. I will explain the overall solution, though.
The only gem needed for this is JWT
Get key codes from IdentityServer admin (client id, secret key, sign key)
Build login URL according to configuration of IdentityServer
Redirect user to login path generated in the last step
Receive token back from IdentityServer
Decode and verify using the JWT.decode function
From there you just have a JSON string with your data.
I am working on a cross platform app that will be created using C++-> mobile devices, and using Perl-> Desktop PCs (like Windows /Linux/Mac OS).
Now, since the app will be downloadable, I have concerns regarding the ability of hackers to obtain the source code of my app.
Specifically, the app will connect to my central database-- at the minimum, I want that hackers are not able to obtain my database connection details. Ideally, I would want no part of the code to be hacked.
Basically, the user can update some of his information using this app-- if hackers get hold of this data they can easily change any unfortunate user's data. One thing that I have thought of is that the user will have to initially authenticate with OAuth/OAuth2 ( using his email ID #yahoo/#hotmail/#gmail)-- and only after that the app will actually show the admin interface. But at any rate, at some point the app will connect to the central database-- which is why I dont want the database's access details to be compromised.
Many organisations make such apps, so they must be facing this type of problem themself? I would like to know how I can protect my app (ideally entire code), and atleast the db credentials.
The simple answer is you do not expose your database. Ever.
Add a service layer (could be HTTP-based but doesn't have to be) on top that will deal with authentication and authorisation. Your app then logs in using the user's credentials and acts on their behalf. Your service layer exposes an API which your application talks to, but your service makes and controls all calls to the DB.
You already mention OAuth - that's a perfectly acceptable way of adding authentication to such an API.
You cannot.
On the bright side you can put security on your server. The connecting client provides credentials that they are a given user. The server generates the SQL command after proving the request is allowed. Backers can do anything your app can do, but your app becomes incapable of behaving badly to your database.
The previous answers are absolutely correct. You want a server based service layer that provides the authentication/authorization code and interacts with the database. However, it isn't always a perfect world and if you are stuck with the requirement that these applications must act as a database client you want to limit the exposure as much as possible. Typically this is done by having the client use a specific account which has not been granted any access to the general database. You then create specific stored procedures that can only do the operations and queries that are required of the application. This prevents anyone finding the credentials in the code from doing anything in the database that isn't intended, but you still have the problem that anyone can impersonate someone else by reviewing the code. There isn't a way to prevent that without a server side component. This might be okay for a closed/trusted group of users, but I wouldn't release anything to the general public with this method.
If you can do it, use OAuth2 and allow a trusted third party handle authentication. Twitter, Facebook and GitHub are all relatively paranoid about security; and the other poster is correct: never expose direct db access as part of the app the user has access to; put it behind a service of its own.
Good luck! :)
I have a SharePoint server running on my network and I am trying to build an app in Delphi which allows me to access the various SharePoint Web Services hosted there.
Running my app on the same network as the SharePoint server works fine, however, when I attempt to run it on a VM which is not part of the same Domain I can't get authenticated. I was looking for some advice as to how I should be handling authentication for this type of scenario, more specifically, should I be prompting the user for their credentials or is there some built in security model I can use for this?
Ideally I would like to try avoid dealing with Usernames & Passwords in my app and let the OS handle that sort of thing, however, at the moment I can't seem to see any other way around this.
After some investigation, for my particular scenario I decided that the best approach would be to use WinINet. I chose this approach over Indy because after some thorough investigation I found Indy did have some bugs & also it didn't have all the authentication handling we needed built in.
WinINet supports prompting for credentials & automatically authenticating across the wire. See Handling Authentication.