Is it possible to integrate Kerberos authentication into Jetty 6? - jetty

We currently have an application that runs an embedded jetty 6.1.14 server to which we need to add authentication via Kerberos. I'm new to Kerberos, which makes the task about 100x harder that maybe it should be. I've scoured the internet and have found conflicting reports as to whether or not it is even possible but nothing much to provides guidance as to how to proceed.
I've managed to have the server basically be able to authenticate the users via kerberos but can't find away to have the client automatically send its kerberos ticket: I have to use the from auth-method, though there are hints that this may be using filters, which are very poorly documented.
My question - and I apologize for it being a bit vague, I've not been this exasperated in quite a long time - is to request some guidance for plugging in kerberos authentication without login forms in Jetty 6? Or am I just out of luck? Has anyone added this type of authentication to jetty 6?

If Jetty supports Servlet Filters (JSR-53), then this open source project http://spnego.sourceforge.net might be what you are looking for.

You have to prepare your domain environment first. Make sure that your server if part of your domain (joined it). Then you have to create an machine account and assign an SPN. If you have done that, create a keytab for that account. From now on a client will be able to search for the host in the domain and create a ticket for. Then comes Jetty into play.

Related

Authentication with apache2 php pages and tomcat REST calls

Hello smart people on stackoverflow,
I would be very happy if someone could point me to the right libraries/frameworks to do what I want.
We have the following web architecture set up.
1. We have a tomcat server that offers REST services.
2. We have an apache2 server that serves up php pages to users.
a. Some of these php pages make REST calls to tomcat for data.
b. Other php pages contain javascript that makes REST calls that are routed through apache2 via mod_proxy to tomcat. e.g. All request to http://myapache.com/PASSTOTOMCAT/rest/getSecureData would go to tomcat.
Now, I'm asked to add authentication to everything, both the user pages as well as the REST calls. It would obviously be ideal for the user to sign-in once for access to both.
What library can I use for this? I don't think I can use any php-based solution (ie. one that involves adding a ) because the pass-through url's won't have a chance to add this code and check for authentication. I think I need to use something built into apache2 itself.
One minor requirement is that I would like the user credentials stored in a mysql database as opposed to a file.
Am I over-thinking this?
Thanks in advance
Well it's been 5 days, so I guess I'll answer my own question...
I ended up using the new mod_auth_form for authentication because it lets you use a nice stylized webpage to log users in.
I also used mod_dbd to access user credentials in mysql.
I couldn't find a nice tutorial on this so I struggled through the installation and setup a bit, but if anyone cares, I created a set of instructions on my blog in case anyone else tries to do the same thing.
Installation
Setup

webservice authentication and user identity management

My team and me are currently working on quite a large project. We are working on an online game, which will be accessible (for the moment), in two ways:
-Via a web browser, an application full JavaScript(client-side), full Ajax (basically meaning that the UI will be managed in JS client side).
-Via an iPhone application (the UI will be managed by the application itself).
Between the two different applications, the core logic remains the same, so I believe (I could be wrong), that the best solution would be to create a web service (if possible using standards such as RESTful or Rest) capable of perming all necessary operations.
Following this logic, I have encountered a problem: the authentication and identity management of the user. This poses problem as the applications users need to be authenticated to preform certain operations.
I’ve looked into WS-security, but this obviously requires passwords to be stored, unencrypted on the server, which is not acceptable!
I then looked into Oauth, but at first glance this seemed like a lot of work to set up and not particularly suited to my needs (the way that applications have to be accepted does not please me since it will be my application and my application only using the web service, not any external application).
I’ve read and heard about a lot of other ways to do what I want, but to be honest, I’m a little confused and I don’t know what information is reliable and what isn’t.
I would like to note that I’m using symfony2 for the backend and jquery for the client side JavaScript.
Furthermore, I would like a detailed, step-by-step response, because I really am confused with all that I have read and heard.
Thank you for your time, and I hope someone can help me as it’s quite urgent.
Good evening
I'm not entirely sure if this answers your request, but since the UI will always be handled on the client side, I think you could use stateless HTTP authentication:
This is the firewall in security.yml:
security:
firewalls:
api:
pattern: ^/api/ # or whatever path you want
http_basic: ~
stateless: true
And then the idea basically is that on the server, you use your normal user providers, encoders and whatnot to achieve maximal security, and on the client, you send the HTTP authentication headers, for example, in jQuery:
$.ajax("...", {
username: "Foo",
password: "bar"
});
Please note that since the authentication is stateless (no cookie is ever created), the headers have to be sent with every request, but, I figure, since the application is almost entirely client-side, this isn't a problem.
You can also check the Symfony2 security manual for further information on how to setup HTTP authentication. Also be sure to force HTTPS access in your ACL, so the requests containing the credentials are secured (requires_channel: https in your ACL definitions).

Unable to call a secure webservice after making a secure call over MQ

I am working on a j2ee project, which is a public website. The application has a lot of security built in.
It makes a call over MQs to a mainframe DB, i believe its a secure conversation. Everything works fine till this place.
My job is to make a call to a third party secure webservice, the url for the webservice is a https url.
When i make the first call from the application to the webservice, everything works well but if i place this call after the mainframe call, I get the following error.
the trust store located at "mynode" cannot be loaded. DerInputstream.getlength length tag=127 too big
Please pardon me, I cannot paste the code or config here, as its a client project.
The environment used is: IBM WAS 6.1 with webservices feature pack 6.0.15 & Spring Webservices 1.5.4
Any help would be appreciated. Thanks in advance
By default, there's only one keystore per JVM. Once you load the WMQ one, the web service will fail and vice versa. You can write code to manage multiple keystores as described in this post. In that case I suspect WMQ will need to use the JVM keystore while your app can select the alternate keystore through code.

How to do SSO between two web services in intranet?

The two web service(rest) are running on separated JVM instances with its own authentication.
The services is used by external user's log in, the server2 is for customer service team. After external use log in, he can call server2 for query. Oppositely, after customer service guy log in server2, he also can call server1 to change external user profile.
In another word, these two services trust each other. It seems like a SSO between them. Since both of them run on internal environment, I am wondering if there is a simple solution to implement it.
Thanks
I've had a good experience with JOSSO:
The setup is relatively simple (gateway and partner applications)
Non intrusive (no big changes needed for your application to work with it)
Based on JAAS
Supports various stores (LDAP, XML, DB...)
Works with Java, PHP and ASP (we use Java and PHP at our company and it works flawlessly)
You've got a lot of different options:
You could roll your own authentication system. It'd be exactly what you need, but you get to debug it yourself.
You could deploy Kerberos. A little old-school, but it clearly differentiates login servers from trusting servers.
If you're already in an MS-heavy environment, Active Directory might be just the tool.
OpenID is the new kid on the block; as used by StackOverflow :) but implementations of servers and clients might be harder to find.
LDAP is an easy way to get site-wide directory services; actually doing authentication against it might be a bit more work. (Which is why Active Directory is as popular as it is -- combining LDAP with Kerberos into one mechanism for site-wide authentication and authorization. Neat.)

Building web services without a web server

OK, this is impossible, but I will try to explain the situation here.
Let's say we have cases, that we need a fast setup of a web server in order to have a simple soap web service running (querying a db and so on).
In VS though, upon debugging a web project, it creates a quick ASP.NET development server without relying on the actuall IIS that might be installed on the PC.
Is there any project that does something like that?
This would be ideal for small projects, where a simple executable would get a server ready to go and would allow web services to be executed right away.
I have looked at some stuff over the net like http://msdn.microsoft.com/en-us/magazine/cc163879.aspx and http://mtaulty.com/CommunityServer/blogs/mike_taultys_blog/archive/2004/05/24/4479.aspx but they seem to be quite outdated and i am not sure how well they work (havent tested them thoroughly)
EDIT: I have build an application like the one you suggest. However, how can i implement HTTP GET/POST requests to the service using this method? I tried using WebGet after my operationcontract but it didnt work. For example, my service is at http://localhost:8080/Service and i would like to use it such as http://localhost:8080/Service/getMethod?x=2.
I believe that the development server used by Visual Studio is based off of the Cassini code base (of which there is a fork here). I also found this article on hosting the asp.net runtime. It was also created a while back (2004), but has been updated since (2008). I think a lot of the core concepts are probably still the same.
Another approach would be a roll-your-own web server using the HttpListener class. This could take some work if you want to use it for hosting asmx type services, but if you were doing RESTful services, it isn't too bad of an option (this is actually how RavenDB works if you are not hosting it under IIS).
A WCF service can be hosted in almost any kind of application, including a Windows Service or a console application. There is no need for a web server at all.
Alright,
i've done it so im posting it here to help anyone who has issues with similar problems.
Create your WCF Service file as usual and then by using ServiceHost (or WebServiceHost) you can easily create a WCF service.
In order to use GET http requests to make it simple to communicate with mobile devices (such as iphone) you can use WebGet above your service methods and make sure you manually add a service endpoint using WebHttpBinding for WebServiceHost or WebHttpBinding with an WebHttpBehavior for ServiceHost.
Then you can call your service methods such as http://localhost:port/webhttpendpointaddress/mymethod?x=2.