How to dynamically setup User Permission in JavaEE6 - seam

I'm currently working on a JavaEE6 project and I want to set up a dynamically assigned set of permissions for a user or role. In seam2, this can be achieved by org.jboss.seam.security.persistentPermissionResolver; I'm wondering if there's an equivalent approach or technology in JavaEE6. So far in Oracle's JavaEE6 documentation all I could see was setting directory access in web.xml.
What's the best approach (real world) in JavaEE6 to setup authentication and authorization? Possibly through database or LDAP.
Thanks,
czetsuya

After researching for some time, one of the best security technologies out there that I was able to test was Apache Shiro. I'm happy with its fine-grained permission-level control, so I'm using it for my JavaEE6 project. As to how I integrate both, here's the link: http://czetsuya-tech.blogspot.com/2012/10/how-to-integrate-apache-shiro-with.html

Related

ColdFusion Can't Impersonate Windows Users to Access Directory Sizes - Maybe ASP.NET

We have ColdFusion and Active Directory running within the same domain. I'm trying to write a script that ColdFusion can run to get the sizes of client directories within the file system. However, each directory requires different windows authentication.
ColdFusion <cfdirectory> doesn't have a means to impersonate the user for each directory. Using the JavaIO is also apparently not useful as Java apparently doesn't know anything about the Windows authentication.
I found a suggestion for using ASP.NET to write a COM or .NET component, but the article didn't go any further. I have since googled my heart out and not found anything more useful.
If anyone has any information or assistance to offer, you can't imagine my gratitude.
ColdFusion will, by default, run as the Local System account. This account will not have access to the network.
I would suggest running the ColdFusion service with a domain account that has read access to the client directories and you should then be able to use cfdirectory.
You may find this blog post helpful.
It seems the problem is that each directory in question requires a different set of user permissions. So he's right, I think. CF can't "impersonate" each user, though I'm not sure that I know of a system that can do that. Would you have to store separate permissions for each directory? Ask for a password for each one?
I don't think you can "impersonate" an AD account without creating appropriate tokens using the key infrastructure, right? So that means you have to store usernames and passwords to "authenticate" with. I think storing and using such "impersonate" information would certainly negate any security enhancements you hoped to gain from using a different user for each directory.
Architecturally you are better off running CF as an AD user with "read" permissions to the directories in question - then you can access the size information you are looking for but would still not be able to modify the files within the directory. That's my take.
We decided to build an ASP.NET application which will access the individual client directories using in-built Windows authentication to return file sizes and other data and dump them into a database. We will use Windows scheduler to schedule the running of this application. ColdFusion will be used merely to manipulate the data into reports.

Role based authentication using LDAP in ASP.Net

I need to implement Role/Group based authentication in my ASP.Net web application using Active Directory Domain Services and LDAP. I want to use the user's Windows logon identity credentials for authentication. I have no clue where to start.
If anybody has implemented a similar requirement, please reply with some pointers.
Also, please let me know how I can test this in my organisation's network, and what should the LDAP server credentials be? Can I add our custom groups?
Please reply asap.
I'm just looking into this myself. In the past I've implemented Azman (authorization manager) on windows 2003 (it comes with windows 2003). This seems to work well; my app's been in production for 3 years with a fairly complex config and has held together ok.
Azman has been developed further with windows 2008, but I haven't implemented on this platform yet.
The thing that I liked about Azman was that it abstracts the authorization management away from the app code itself and can give very granular permissions. That said, I'm still looking around for alternatives; the biz rule functionality always felt a bit flaky for some reason and at least for my app became very important (biz rules let you set context around rights... so for example bob can edit some textbox, but only for specific records). Anyhow, here's a few links that might help:
http://support.microsoft.com/kb/324470
http://msdn.microsoft.com/en-us/magazine/cc300469.aspx
I'm not sure if these articles answer all your questions.. or maybe you've found another solution? If after reading you have more questions just yell :)

Where can I store User Permissions for my website?

Hi,
I am trying to store the user permissions for my web site, but I am a little bit confused between XML and a database. Each user in the site has different permissions. Have you ever faced this issue? For example, if my site is a shopping site, for a local user the report menu need not be displayed. For a salesman the purchase page need not be displayed, and so on.
I think you understood my problem. I have done this user management using an XML file. For each user a new node is created according to the menu and kept in the XML file. The next time the user logs in, it checks the permissions and shows only the allowed menus.
My boss tells me to do the same thing using the database. By using XmlDataSource it is quite simple to bind data to the treeview (for setting permissions) and to bind to the menustrip also.
He is pointing to the security problem. I don't think so.
Which is better? DB or XML
http://msdn.microsoft.com/en-us/library/yh26yfzy.aspx
My advice would be to use asp.net membership and roles (written by Microsoft). It is a very good security solution - login security, roles (permissions) and is stored in a SQLServer database (not sure if it can be stored elsewhere).
I use it on my site and you can use membership controls straight out of the box (login forms, change password, etc.) or you can roll your own.
The only tricky bit I found was setting up the membership tables, views and stored procs in my DB (you download a DB script), but really it was fairly straightforward to implement.
Here's a link to asp.net membership and roles
ASP .NET Membership and Roles (part of the Provider Model introduced in ASP .NET 2) is (IMHO) nice only when you need some basic stuff. The issue is that you need to use the whole system using SQL Server, but if you are planning to move to a different DB provider (MySQL, SQLite, etc..) then you'd have to implement your own provider (which is at best painful), and learn how the whole pieces fit each other. Granted, finding a custom implementation is quite easy, but it is not a copy & paste thing.
Another bad thing about the default provider model is that you will get a ton of SQL stored procedures, also called maintenance nightmares. The issue is that if your site scales, then these SP's will make your life a living hell (been there) and if you even dare to change hostings then you're in for a treat, so my advice would be to make your own permissions hierarchy and use it the way you wish. Also, look for advice and some pre-existing solutions to the permissions problem, which is quite common.
Website security can be split up into two distinct parts.
Authentication: Logging in
Authorization: Roles/Permissions.
The ASP.NET Forms Authentication Provider is a great way to implement authentication. I recently created a custom provider that communicates with our company's X.500 directory (LDAP). It was very straightforward.
For Authorization, we implemented the entlib security application block. It allows you to keep Roles/Permissions in a separate location that can be accessed by your UI as well as your service layers (assuming you're developing a scalable solution). You may also want to look at the Windows Identity Foundation which is slated to supersede the entlib security application block; however, it is only available for .NET 4.0.

Forms authentication List ApplicationNames

Setup:
Multiple web servers with synchronized forms authentication.
Multiple asp.net applications running on these servers.
What's working:
SSO across all servers
Authorization using asp.net roles
What's not so good:
All roles are "global" - I have "admin-app1" and "admin-app2" etc.
Question:
I know this can be solved by defining different "ApplicationNames" for each of the different applications but what is the most easy way to compile a list of all the different applications a logged on user has a role in?
I would like to do something similar to: CurrentUser.Applications()
to get a list of "all applications in which the current user has any role".
Up to now I have used Roles.GetRolesForUser() to compile the list, which is not very elegant or scalable.
Using the SqlRoleProvider I can hack into the DB to get the complete list of applications and then compile an application list for the user by querying the different applications' role providers. My best shot so far, but it doesn't feel like the best solution...
Any hints or comments?
BR, Jens
I have come to the conclusion that this cannot be done using the framework.
Anyone who tries to do something similar, e.g. building a dashboard of all asp.net applications hosted, has either to maintain the list of applications separately or hack into the SQL tables if you are using the SqlRoleProvider.
Happy hacking!
/Jens
I think ApplicationName is for completely separating applications while using the same database. Are you sure you can link users in one application name to roles in another?
Your best bet is probably to keep the same application name and implement a custom role provider.
http://msdn.microsoft.com/en-us/library/8fw7xh74.aspx
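One way to build the per-user application list Jens asks for, as an added example that is not from the original thread: it walks the role providers registered in the dashboard's web.config (one SqlRoleProvider per application, all on the shared membership database) instead of reading the aspnet_* tables directly. The provider names, applicationName values and connection string name are assumptions.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Web.Security;

// Assumed web.config for the dashboard application (placeholder names):
//
//   <roleManager enabled="true" defaultProvider="App1Roles">
//     <providers>
//       <add name="App1Roles" type="System.Web.Security.SqlRoleProvider"
//            connectionStringName="AuthDb" applicationName="app1" />
//       <add name="App2Roles" type="System.Web.Security.SqlRoleProvider"
//            connectionStringName="AuthDb" applicationName="app2" />
//     </providers>
//   </roleManager>
public static class UserApplications
{
    // One entry per application in which the user holds at least one role.
    public sealed class AppRoles
    {
        public string ApplicationName { get; set; }
        public IList<string> Roles { get; set; }
    }

    // Asks every configured provider, so the result tracks the provider
    // list in config rather than a hand-maintained table of applications.
    public static IList<AppRoles> ForUser(string userName)
    {
        var result = new List<AppRoles>();
        if (string.IsNullOrEmpty(userName))
            return result;               // SqlRoleProvider rejects empty names

        foreach (RoleProvider provider in Roles.Providers)
        {
            string[] roles = provider.GetRolesForUser(userName);
            if (roles == null || roles.Length == 0)
                continue;                // no role in this application

            result.Add(new AppRoles
            {
                ApplicationName = provider.ApplicationName,
                Roles = roles.OrderBy(r => r).ToList(),
            });
        }
        return result;
    }

    // The CurrentUser.Applications() shape asked for in the question.
    public static IList<string> ApplicationNames(string userName)
    {
        return ForUser(userName).Select(a => a.ApplicationName).Distinct().ToList();
    }
}
```

Each provider is still queried separately, so the provider list in web.config is the "maintained separately" list of applications that the accepted conclusion above refers to.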

ASP .NET authentication against Active Directory and Roles via ASP.NET role provider

In my current project, we need to authenticate users of an ASP.NET application against Active Directory. I think it can be achieved using the membership provider without too many problems, but we also need to manage user roles that will be kept in the ASP roles management tool.
Did anyone implement this configuration? Does it look feasible?
Any tip for one or the other point?
Thanks.
David
Yes! The ASP.NET role provider is designed to work exactly in that case - the particulars of the authentication provider are irrelevant to the role provider, and it will store the bare essential information to make the two work together - basically the user's AD identity (domain\user) is tracked in the role database and matched up when necessary.
There is an ActiveDirectoryMembershipProvider that can be used to use Active Directory for authenticating users.
Alternatively, you could roll your own MembershipProvider by extending the abstract MembershipProvider class and then use System.DirectoryServices to check against Active Directory when validating a user (ValidateUser method of MembershipProvider). This is pretty straightforward to do and you need only implement the methods that you actually need in the custom provider.
You might consider implementing your own RoleProvider too, depending on whether the default fits your needs.
Use it all the time, intranet only of course.
You may be interested in the WindowsTokenCachingRoleProvider. In scenarios where performance is essential, this really shines:
http://lvildosola.blogspot.com/2007/02/improve-performance-when-using.html
Simple and elegant.
Please take a look at this question, seems like you're asking for pretty much the same thing, and my answer there should give you what you need.
ASP.NET Membership and Role providers that can be used from ASP.NET and WinForms/WPF clients as needed.