I have the following scenario:
I have an application (html files + javascripts hosted in a webserver)
There is a SOAP web service that we need to develop.
Web service will be called from java script (AJAX calls).
User will access the application in intranet scenario. Users are validated against active drectory.
Requirement states that user need to be logging in using logged in users network credentials. There should not be a login screen shown to user.
Web service interfaces need to be invoked with logged in users credentials. A login inteface of web service specifically needs to be called as first call.
I have a specific question on how to pass user credential to web service.
I am planning to configure Integrated windows authentication (NTLM) for web application to avoid login screen.
However I do not know a way to capture and send user id and password to login interface of web service.
Most of the questions and answers around this topic has been for microsoft technlogies. Any specific ideas?
Further research and several blog posts pointed me to Kerberos authentication and a single sign on framework. With NTLM i cannot delegate credentials to web service. However with Kerberos i can. I will be using SPNEGO and delegate the credentials after authentication. Please refer to below link for further details.
http://spnego.sourceforge.net/
Related
I have a Django application that currently stores user credentials and performs authorization and authentication. I am in the process of breaking off the front-end into an Angular SPA and converting the backend to a REST API. My Django API will live as an Azure API app protected by Azure API Gateway. I would like to remove the authentication piece from Django and allow users to sign in using OpenID Connect through either Google or Microsoft Account. What I would like to happen is this:
When a user visits the site, assuming they have never registered with my app, they will have the option to sign in with their Google account or Microsoft Account. If the user decides to sign in using their Google or Microsoft account, (this is where I'm confused and why i'm posting here ... ) I think what happens is the API Gateway performs the authentication, generates a JSON Web Token (JWT), and sends that token back to the Django API. Django receives the JWT, decrypts it, and checks to see if there is a user account matching the email address in the JWT. If there is not a user account, Django will add a user to the user accounts table (not storing a password). If there is a user matching that email address, then Django allows the user in.
All that said, I guess my question(s) are:
Should I do the authentication at the API Management Gateway or should I do it at the Azure Web API?
Can I use Django's built-in authentication system to do what I want or is that not needed?
Am I over-complicating all of this? Is there an easier way to do this? All this seems like a lot of work.
Is OpenID Connect what I should be using (instead of Oauth2)? I have no experience with either.
Azure API Management does not actually provide any kind of JWT issuing mechanism, so you'll have to implement that yourself. The end points for doing that may or may not be exposed via API management.
What possibly gets you confused is the fact that the APIm Portal supports various indentity providers, like Twitter or Google, to sign up for the API. But these are not your application users, these are for the API Portal Users.
What you can do with the APIm Gateway is to validate subsequent calls to your backend API that the supplied JWT token is valid (using the <validate-jwt> policy).
I have various RESTful Web Servicesin App Engine, which are secured Google Account authentication:
<security-constraint>
<web-resource-collection>
<web-resource-name>Authentication required</web-resource-name>
<url-pattern>/api/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
Upon hitting these Web Services via a browser client, I'm redirected to the Google Accounts login screen where I authenticate myself first before proceeding with the REST call.
However I now need to run these web service via a command line scripts as part of automated IC run. Therefore I do not want to be prompted for a browser login every time. Preferably I would like to put the Google username and password in a encrypted file on the IC server and let it call the Web Services without any human intervention. As far as I can see there are several options:
manually logging in via the browser and then saving the access token to be used in the command line script. However when the token expire I would have issues.
obtain a access token via Service Account p12 authentication. This seems to only work for accessing Google APIs such as BigQuery and Cloud Storage, not your own code.
wrap my Web Service within a Remote API which I have yet to experiment with.
Based on my current understanding, it seems there is no way for a Google Account authenticated custom written Web Service to be accessed by a non-human user. Is this correct?
Since you are interested in interacting with RESTful web-services programmatically (without human intervention), we are essentially talking about securing a REST API.
There is a plethora of resources on this matter throughout the internet but the gist of it is:
you should use SSL and sessions or OAuth to secure your endpoints.
Depending on how far you are in the current project, you could consider making use of Cloud Endpoints, there you'll have the option to use OAuth2 (and have DDoS protection), as well.
Hope this helps.
I managed to get this to work in the end by:
Switching off the web.xml security-constraint so that the API doesn't redirect to Google Login.
Modifying my API to take in a Oauth2 token in the Authorization header instead.
Validating the token based on the code sample here: https://github.com/googleplus/gplus-verifytoken-java
I didn't go with Cloud Endpoints, but Jersey + Dropwizard components instead. Dropwizard has built in Oauth2Provider which I simply implemented a Authenticator class and it works.
We need to implement an authentication/autorisation web service and I am not sure if we should use the Oauth protocol in our situration.
The background of the story:
We have some J2EE web applications in a jboss server. Authentication and authorisation of the applications are implemented by JAAS and deployed in this jboss server.We want to add some new web applications that are implemented in other languages and deployed in other servers. To re-use the authentication/autorisation mechanism in the jboss server, we need to implement authenication/authorisation web services for the new applications.
So here comes some thoughts:
Is it necessary to adapt the OAuth protocol for the authentication/autorisation web service ?
As I know, OAuth2 is use to grant access to functionality, user's data, etc.. without giving the password to the 3rd party app. This is not really our case as we actually own all the applications, although that the newly apps are not in the authentication server.
Another choix is to implement the login webservice et then return the new apps a ticket/token to use later.
In another way, with OAuth protocol, newly apps do not involve in user's login/passwords, which seems to be nice...
Do you have some ideas ?
OAuth works on the concept of "ResourceOwners (Which gets the user credentials and enables the client's access to the server's apis)", "Server (owner of the resources) and the "clients (who want access to the server resources but doesn't have access to the credentials).
OAuth is just one way of providing security to the resources which means it is not necessary to have it for all "authentication/autorisation".
In your case I dont think there is a need of full fledged 3-legged OAuth however you can still go ahead with 0-legged OAuth or some other approach. Also, I don't understand what did you mean by "newly apps do not involve in user's login/passwords" as this is completely composite to what OAuth is meant for. User generally provide the credentials when they login into the app and then that login call ensures that the clients have access to the server resources.
If you just want to "return the new apps a ticket/token to use later" then OAuth is not for you as it is more than just providing the token for later use. Also, token in OAuth is for server's api access.
I want to develop custom form based login portlet because I have to validate the user crendential (username/password) using calling some webservice provided by the customer as he is maintaining the user credential in his side not in the portal side, So that if the webservices returns true then I need to authenticate the user to the Portal and redirect to some specific portal page.
Note: based on the customer request, the user's password is not stored in default portal LDAP which means, I can not use the portal Login service.
How can ask the portal to authenticate some user without passing the password in my custom login portlet?
thanks in advance.
You'll want to look at the WebSphere Application Server Trust Association Interceptor mechanism for what (to the portal and appserver) is password-less authentication.
Here is a post that outlines the steps you'll take. You won't be using WPS mechanisms other than your custom portlet for gathering credentials. The rest uses a common technique in the underlying WebSphere App Server.
I have a web reporting tool lets say Business Objects, Cognos, OBIEE, Crystal Reports. I want to display some data into the report which is coming from a Web Service. So i copy paste the Web service URL inside the report cell and i can access the data.
However this leaves a big security issue as i cannot authenticate the requestor. One thing which i can think of is checking the Http header request: referer property which is set by the reporting tool in my Web Service. This atleast ensures that the request has originated from my Reporting Application. Besides this i cannot see how i can authenticate a specific user.
Appending Username in the Web Service URL is also not an option because one report is used by many users. I would somehow want to access this specific user session and associate the web service request with this user session. Lets say both my Web Reporting tool and web service are running on the same Web Application Server. Is it possible to merge the Web Service Provider and my Reporting Application so that the session user name is available in the WebService ?