The project has a situation which can be described as: a portal application has to be built. This is expected to be home for many existing non portlet applications (some are Java EE based and some not).
Obviously, portal will provide SSO. Options of rendering a non portlet application to portal seem to be using either an iFrame or a URL redirect. In either case, it looks like the request has to pass through the portal server (??).
What are the challenges that this solution face? Best practices to get this implemented?
This is what a Portal solution has been meant to provide: central point of access to applications, services, people, processes...
There is also the third option for integrating legacy web applications (I assume you are asking about WebSphere Portal Server) and that would be "Web Application Integrator". You can find some info on it here
Challenges with this solution would be related to:
1. SSO - there could be some complications with this, depending on infrastructure.
2. Look and feel uniformity - Portal themes should be appropriate for web applications to be integrated.
3. In some cases Web applications will need to be changed in order for integration to be possible.
Yes, each request will need to pass through Portal Server.
Hope this helps..
Related
The latest version of ASP.NET includes the new authentication framework ASP.NET Identity, which should be the core building block for user management in all new and near future ASP.NET projects and websites.
I have seen that it can integrate with the WebAPI quite nicely, but haven't seen any example of integration as authentication for mobile client devices. For example - suppose I have a ASP.NET website with Identity implemented in use. Now I want to build client applications for Windows 8.1 and Windows Phone 8. I see two main issues that are limiting this.
Firstly - ASP.NET Identity apparently issues only short-lived auth. tokens, which is quite a bad user experience for mobile applications. I have seen some attempts to create a refresh token mechanism - http://leastprivilege.com/2013/11/15/adding-refresh-tokens-to-a-web-api-v2-authorization-server/ . This is quite a nice approach, but it would still be more interesting to see a really built in solution.
Second - and maybe more important - external authentication provider support. On the ASP.NET Identity website it is quite clear and easy to see a way to authenticate via WebAPI, but I haven't seen this in use with external authentication. How is it possible to get the authentication URLs for Facebook, Microsoft and Twitter and how can the authentication flow be completed from within the app?
Has anyone some experience with this? It would be great to find a complete walkthrough, I will gladly reward the correct solution with some bounty points :-) .
The problem is that security is complicated and that Microsoft's solutions only address the simple scenarios.
Also, you're consing terminology (which increases everyone's confusion, including your own). ASP.NET Identity manages users' credentials stored in a database. It's unrelated to the type of application that needs to validate credentials (mobile, api, browser, desktop, etc).
Katana middleware is what allows an application to authenticate the caller. There's cookie middleware for browser applications, external middleware for google, facebook, WS-Fed, etc, and then there's OAuth2 for API applications. Each work differently based upon the nature of the application. Some of them interact as well, depending on the requirements of the application.
I don't mean to pick on you -- this is more of a complaint about Microsoft's lack of education/documentation in the frameworks they provide. And I suppose this is an answer to your question -- Microsoft doesn't have what you're asking for. They have bits and pieces, but you're left to connect the dots.
Some links that might help:
http://www.asp.net/identity
http://www.asp.net/web-api/overview/security
http://www.asp.net/vnext/overview/authentication
http://brockallen.com/category/owin-katana/
http://leastprivilege.com/category/katana/
http://leastprivilege.com/category/webapi/
HTH
We have some portlets which are JSR 286 complaint. We sell those portlets with a liferay-server to our customers. One customer asked if it's possible to use those with Drupal instead of Liferay.
I can not find any information that Drupal supports jsr-286-portlets. So its not possible to use the liferay-portlets with Drupal, correct?
I think you may have the following options:
Web Service for Remote Portlets 2.0 (WSRP)
Quoting from WSRP specification:
The Web Services for Remote Portlets specification defines a web
service interface for accessing and interacting with interactive
presentation-oriented web services.
Basically you need a running instance of Liferay exposing your portlets as presentation-oriented web service to Drupal that will consume them and send back to the client.
The good news is that Drupal seems to support it. You need to enable Drupal as a consumer of WSRP, see that Drupal page, and Liferay as a producer, see here.
Using IFrame
Similar to first solution but with less integration and more work to do about security because the client will contact directly the Liferay server, so you'll need to expose it as a public server (if not in a Intranet scenario) and you'll probably need a Single Sign On solution for authentication.
I suggest to take a look at that document about Liferay Application Integration Strategies because recap very well several integration strategies with pros and cons (including the two I cited).
Currently, we have many web applications (external & internal) developed using Classic ASP through .NET 2.0 technologies. Each of those web applications have their own login screen authenticating against their own custom database or using Windows authentication. Users have access to one or more of these applications, meaning they have to log out and log back into applications that they would like to access. All applications share some part of the back-end data sources. Also, the business logic is embedded in the UI in addition to being duplicated across applications because there is no code/business logic sharing. Screenshot #1 gives a brief idea of the existing architecture.
Screenshot #2 shows the suggested architecture, which I hope will help in faster development, code/business re-usability and may be simpler maintenance. Users will access either external or internal url. In external, users will provide credentials and will be authenticated against custom database. In internal site, users will be automatically logged in using Windows authentication. After creating some samples, I have begun to like ASP.NET MVC 3. It keeps business logic separate from UI and I also like the unit testing capabilities.
Here are my questions:
Based on what I have found on the web so far, multiple authentications are not feasible within a single website. My understanding is that I have to host one website for each type of authentication (Forms and Windows). How do I redirect users to common landing page after they are authenticated so they can see the modules (links/menus) that they are authorized to access? Should I have to publish the same code set (dlls and content) to both the websites?
Has anyone faced a similar architecture problem? If yes, could you please share the challenges that you faced and how you tackled them? What are the industry standards in designing applications of this sort?
Does the suggested architecture make any sense or is it a really bad design? Are there any drawbacks in doing this in ASP.NET MVC 3?
I would really appreciate your inputs.
Thanks in advance.
I would set up a seperate web site which only handles the windows authentication. I would then rely on something like OpenID and/or OAuth to ask for credentials/token to make sure to user has proper access.
The user that want to sign in using windows credentials go through that process because you are right in that a IIS server running windows authentication is hard to mix with other stuff.
You can set up some kind of claim based network of thrust in which you applications get thier credentials from trusted sources and through that process you can negotiate and control access privileges cross many web sites. As long as your not doing custom hosting or white label branding you can have everything in one place (or even if you did you could design it so that you have a central solution of handing out authentication tokens).
Keep in mind the difference between Authentication and Authorization. You presumably want a single authentication mechanism (or maybe two, one for internal and one for external users). There is a similar post here that lays out some pretty good guidelines: How to allow multiple authentication methods in ASP.NET?
On one project we built a common controller class used in every page of the site. It handled authentication and access control. When a user tried to access any page it checked to see if they had a session identification cookie. If they did not they were required to authenticate(login). A challenge was doing a good implementation of the security. Current browsers have many flaws that make this difficult.
Help!
I am absolutely clueless on this. I've been told that the web application I'm building (.net 4 / mvc3 / c# / sql server) will be "sitting behind UAG so we can silently authenticate". I've no idea now how to approach the authentication part of the build in my dev environment.
Should I just use "windows authentication"? Will that be the required setting when the application goes live? How do I test the authentication?
The people asking me to do this are currently just getting started with UAG too do so any help, pointers, explanations or suggestions will be very much appreciated.
To put the situation in context, this application will be accessible via the company network internally, and also via the web externally (via UAG portal, of course). The company is on Active Directory, and all I actually need to "pull through" to the application to get further people entity data is the AD username.
Thanks in advance..
:)
Which authentication method you use depends completely on your application. I wouldn't worry too much about the UAG, as the idea should be that an existing web application can sit behind this product, rather than we have to customise our web application to sit behind this product. UAG should do the authentication/credential creation heavy lifting.
So in that regard, what is your user model? Do you want people to have to log on, or should their Windows credential be sufficient? Do we want Forms Authentication or Windows?
As an aside, we used the product when it was IAG, and it wasn't the greatest. If there was one thing it definitely did NOT enable was silent authentication. We had more problems with it than the problems it was trying to solve!
I have a custom web "portal" that is essentially a webapp built primarily using JSP/Tiles, Spring/MVC, and Hibernate. It runs on an Apache/Tomcat, MySQL stack. I have the portal within quotes because this is not truly a portal in the same sense as a Liferay, Glassfish or whatever portal server. But essentially what looks like a portal to a business user and one that pulls in data from several 3rd party systems through custom system integration.
I am now looking to add a community module to this "portal". A key piece of this requirement is to federate identity between this "portal" and the community server. Further, to facilitate a seamless single sign-on from the "portal" to the community. My preference is to keep the choice of community software to java-based and open source. Liferay is one example of it. JForum is another though it is limited to just discussion forums and not other modalities such as blogs and wikis.
Presently, the custom "portal' provides its own authentication/authorization mechanism based on user information in the MySQL database. It appears that for a scalable and flexible account provisioning across multiple systems, I am better of refactoring this to be based on a CAS-based authentication supported by a directory server such as OpenLDAP. It seems like with this approach I might be able to integrate with a community server such as Liferay.
If I extend my choice of community server to a PHP-based solution such as Drupal, can I accomplish the same result through a CAS-based approach? Any recommendations on how to federate identity (and enable SSO) between a custom Java webapp and Drupal? Entry point (login) for a user to the community will only be through the custom "portal".
CAS is a very popular method. Here is a Drupal module to support SSO into a Drupal installation.