I am designing a database for a web service authentication system, based on the way Kerberos works (using tokens instead of tickets). Can anybody help me understand the data modeling for the Kerberos system, or tell me where I can get some resources about the data schema for Kerberos-like authentication methods?
Do not reinvent the wheel. Use Kerberos as-is. Period.
This is a very basic question. I want to do an SSO integration using ColdFusion but do not know where to start. I found the website ssoeasy.com through a google search, but am very confused about how to use it and where to find documentation.
I think it has something to do with cfldap or cfhttp, but I'm not sure what or where:
<cfhttp method="get" url="http://testsso.com/login.cfm">
</cfhttp>
It really depends on what role you want to play in an SSO ecosystem. Are you an app in a larger federation (Service Provider), or are you trying to implement an SSO style login across multiple applications that you control, or are you looking to setup so that your users can log in with Google or Facebook or such other identity registers?
A few years back we did an implementation with Shibboleth (https://shibboleth.net/) and CF where our intended place in the system would be that of a Service Provider to other companies' Identity Providers. It works pretty straightforwardly, as we let Shibboleth handle all the SAML federation grunt work, and when it's completed we get an e-mail address (the unique identifier we decided on) back from Shibboleth saying that the user has been authenticated via the Identity Provider.
Other 'SSO' implementations are around for other types of integrations.
From CFCs to handle OAuth -- https://github.com/coldfumonkeh/oauth2
To integrate OAuth support if you're running a new enough version of ColdFusion: https://helpx.adobe.com/coldfusion/cfml-reference/coldfusion-tags/tags-m-o/cfoauth.html
Hope this is of assistance to you.
If I understand your SSO use case, the application will be a cloud service provider (SP). There are three things you need to determine to help in the selection of the appropriate technology, mainly (1) SSO protocol to integrate, mainly SAML, OAuth, OpenID Connect (OIDC), etc. (2) Hosting, mainly Cloud, On-Prem, or hybrid, and (3) whether or not IdP discovery is needed for your business partners.
Being ColdFusion based as well as working to be a cloud SP web application, my experience is that the application is to be hosted by your organization, such that an on premise SSO capability is desired, as well as IdP Discovery will be needed for your partners.
As noted in your question there are some options for integration. I have found the most popular approach to being an SP website is to utilize a vendor product that handles the SSO protocol (e.g. SAML, OIDC), where the integration with your ColdFusion application is based upon a simple REST API integration. With this design pattern, the vendor product manages all the security of the SSO protocol and then simplifies integration to your application as a secure REST API exchange of identity information. This will minimize the impact to your application and also give the most support for modern identity. One product that offers this capability is PingFederate via the Agentless integration (also referred to as Reference ID integration). I have had much success integrating ColdFusion applications following this type of approach.
SAML seemed to be the easiest to implement for our team. Phil Duba's 2013 Beyond Encrypt() presentation is a good starting place. His website is down right now, but I'm sure you can find the downloadable file somewhere. Learning about SAML in general would be a good idea. Also, you can use Java, so maybe look at SAML/OAUTH Java examples and try doing that for Coldfusion since it is based on Java.
I'm using Hortonworks and I want to set up a REST webservice. The data is stored in HBase and I want to secure it with KNOX and Ranger.
I'm not sure if it is possible to configure it with NiFi, so I can call the REST API and get data from the HBase (with Hive). It is important, that the connection is secured with KNOX and I can also use Ranger for the data security.
Can I use NiFi for it?
What is the best solution/architecture to fit the use case?
It would also be great if you could add some related advanced information, so I can go deeper into this subject.
Thank you in advance and best regards
n3
From NiFi's perspective it would only be interacting with your REST service so it would come down to how you authenticate to your REST service. The InvokeHTTP processor can perform basic authentication with a username and password, or can provide certificate information through an SSL context.
Everything to do with Ranger, Knox, and HBase is all hidden behind your REST service.
I'm developing a Java web application which is deployed on a GlassFish server. The web services are used to connect to user databases. Each user has a database. My question is, is there a way to keep track of the user? For example, in servlets we use sessions in order to store some user-specific data. Is there something similar to it in web services? It seems impractical to have to authenticate the username and password each time the user sends a request to a web service. Thanks.
Web services may also use sessions, however there are good reasons to keep them stateless:
it might be that the clients do not support sessions (cookies), e.g. if your clients are not browser based;
stateless services are easier to scale.
You do not have to use username+password for authentication. You may use JWT (or other kind of access tokens) to protect them.
Auth0 has got a nice article on this topic:
https://auth0.com/blog/2014/01/07/angularjs-authentication-with-cookies-vs-token/
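The answer above recommends stateless, token-based authentication instead of per-request username/password or server-side sessions. The following is an added example, not code from the answerer or from Auth0, showing the minimal shape of that pattern in Python using only the standard library: the server issues an HS256-signed JWT-style token after a one-time login, and every later request is authenticated by verifying the token's signature and expiry, with no session store. The secret key, the function names (issue_token, verify_token, handle_request) and the hypothetical request handler are assumptions made for the example; a production service would normally use a maintained JWT library and load the key from a secret store.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed secret for the example only; a real service loads it from a secret store.
SECRET_KEY = b"example-server-secret-not-for-production"


def b64url_encode(data: bytes) -> str:
    # JWT uses unpadded base64url for all three segments.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def issue_token(user_id: str, now: int, ttl_seconds: int = 900, key: bytes = SECRET_KEY) -> str:
    """Called once after the client has proven its credentials; returns a short-lived token."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "iat": now, "exp": now + ttl_seconds}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_token(token: str, now: int, key: bytes = SECRET_KEY):
    """Return the payload dict if the token is authentic and unexpired, otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return None  # wrong number of segments
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    try:
        actual = b64url_decode(sig_b64)
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
    except ValueError:
        return None  # bad base64 or bad JSON (binascii.Error is a ValueError)
    # The server pins the algorithm; the "alg" claim in the token is never trusted.
    if header.get("alg") != "HS256":
        return None
    # Constant-time comparison so signature checks do not leak timing information.
    if not hmac.compare_digest(expected, actual):
        return None
    exp = payload.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return None
    return payload


def handle_request(headers: dict, now: int):
    """Hypothetical per-request check: authenticate from the bearer token alone, no session lookup."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing bearer token"
    payload = verify_token(auth[len("Bearer "):], now)
    if payload is None:
        return 401, "invalid or expired token"
    return 200, "hello " + payload["sub"]


if __name__ == "__main__":
    now = int(time.time())
    token = issue_token("alice", now)
    print(token)
    print(handle_request({"Authorization": "Bearer " + token}, now + 1))
```

Because every request carries everything the server needs (subject, issue time, expiry, signature), any instance behind a load balancer can verify it with the shared key, which is the scaling benefit the answer mentions. The short `exp` limits how long a stolen token remains usable; anything longer-lived belongs in a separate refresh flow.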
I've been suggested to use token-based authentication, in order to secure my webservices, and to create another filter that verifies tokens, apart from auth. The idea is to use the auth filter for log-in, which I have already done in the backend, and to create a new filter for webservices. Could someone recommend a good tutorial on how to do this, or give me an example?
This is what I use, specifically for mobile app web services:
https://github.com/lucadegasperi/oauth2-server-laravel
Which is an OAuth2 server package for Laravel. It includes all you need to authenticate, generate / validate tokens, throttle, and protect your endpoints.
The OAuth2 spec has a bit of a learning curve, but is definitely worth it.
I have been working on a PHP project recently and I have created an API that will be consumed by mobile clients. I am using CodeIgniter as it provides a nice RESTful interface out of the box. I am inexperienced in PHP development and especially in securing PHP web services. I was hoping to solicit some information about how I should go about implementing user authentication with my API. The information is not super sensitive, but I do need clients to authenticate with the service.
Since my clients are mobile devices I'm uncertain how to go about implementing a membership provider model using CI since I won't have the luxury of a session (or do I?). Will my users merely send their credentials each time a request is made using SSL? Can someone provide me with some direction or documentation that might help?
Thanks!
Use Phil Sturgeon's Rest API. He's already built these things in.
http://philsturgeon.co.uk/blog/2009/06/REST-implementation-for-CodeIgniter