Setup
JBoss using LdapExtLoginModule to auth to Microsoft ADAM (Lightweight Directory Server)
Drupal using ldap_integration module to auth to the same Microsoft ADAM above
Url within JBoss realm that requires user to auth (again) using HTTP Basic Auth
Use Case
User logs in to Drupal, authenticated by ADAM. At this point Drupal only knows the username (the password is stored in Microsoft ADAM/LDAP).
User accesses a secured URL within the JBoss realm, and the browser prompts for username and password. At this point we'd like to avoid the login prompt, but how?
Is there a way to link JBoss and Drupal session?
Hacky solution:
Remember the password that user entered into the password textbox while logging in to Drupal and use this to authenticate later.
Is there any better solution, maybe by introducing another security layer or something else?
Your hacky solution certainly seems to be the easiest. Have you looked into CAS?
http://drupal.org/project/cas
http://www.jasig.org/cas
Related
As part of a project we have integrated Keycloak with our .NET Core application, but we have a legacy system which is an ASP.NET web application. It has its own login screen; whenever a user logs in it should fetch the username and password and validate them against Keycloak.
The approach we are trying is:
1. Fetch all users from Keycloak on a specific realm
2. Parse the JSON and find whether the specific username and password exist in that JSON array.
Is this way of doing authentication correct?
Need some suggestions!
Take a look at their basic authentication example...
https://github.com/keycloak/keycloak/tree/master/examples/basic-auth
As stated in the comments, returning JSON with all of the usernames and passwords is NOT secure; hashed/salted or not, it doesn't matter.
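The check the answer points at, as an added example that is neither Keycloak's own code nor the asker's: instead of pulling the user list, the legacy login page hands the username and password to the realm's token endpoint using the OAuth 2.0 password grant, which Keycloak calls "Direct Access Grants" and which must be enabled on the client. The base URL, realm and client id below are assumptions, and the HTTP transport is injectable so the outcome handling can be exercised against constructed responses.

```python
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Optional, Tuple

# Keycloak's OpenID Connect token endpoint; the realm is part of the path.
TOKEN_PATH = "/realms/{realm}/protocol/openid-connect/token"

# Hypothetical deployment values; replace with your own.
KEYCLOAK_BASE = "https://sso.example.test"
REALM = "legacy"
CLIENT_ID = "legacy-aspnet-login"


def build_token_request(username: str, password: str,
                        client_secret: Optional[str] = None) -> Tuple[str, bytes]:
    """Return (url, form-encoded body) for the direct-access (password) grant."""
    form = {
        "grant_type": "password",
        "client_id": CLIENT_ID,
        "username": username,
        "password": password,
        "scope": "openid",
    }
    if client_secret:                      # only for a confidential client
        form["client_secret"] = client_secret
    url = KEYCLOAK_BASE + TOKEN_PATH.format(realm=urllib.parse.quote(REALM, safe=""))
    return url, urllib.parse.urlencode(form).encode()


def interpret_token_response(status: int, body: bytes) -> dict:
    """Map the token endpoint's answer to an application-level outcome."""
    try:
        payload = json.loads(body.decode("utf-8") or "{}")
    except ValueError:
        return {"ok": False, "reason": "malformed response"}
    if status == 200 and "access_token" in payload:
        return {"ok": True, "token_type": payload.get("token_type"),
                "expires_in": payload.get("expires_in"), "token": payload["access_token"]}
    # invalid_grant covers wrong password, unknown user and disabled user alike;
    # Keycloak does not tell them apart, and the login page should not either.
    if payload.get("error") == "invalid_grant":
        return {"ok": False, "reason": "invalid credentials"}
    if payload.get("error") in ("unauthorized_client", "invalid_client"):
        return {"ok": False,
                "reason": "client misconfigured: " + payload.get("error_description", "")}
    return {"ok": False, "reason": f"unexpected response {status}"}


def http_post(url: str, body: bytes) -> Tuple[int, bytes]:
    """Real transport; the offline demonstration swaps in a fake."""
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def verify_credentials(username: str, password: str,
                       post: Callable[[str, bytes], Tuple[int, bytes]] = http_post,
                       client_secret: Optional[str] = None) -> dict:
    if not username or not password:
        return {"ok": False, "reason": "invalid credentials"}   # fail closed, never send empty
    url, body = build_token_request(username, password, client_secret)
    status, resp = post(url, body)
    return interpret_token_response(status, resp)


def demo() -> dict:
    """Offline run against a constructed Keycloak-shaped responder."""
    def fake_post(url: str, body: bytes) -> Tuple[int, bytes]:
        form = dict(urllib.parse.parse_qsl(body.decode()))
        if form.get("grant_type") == "password" and form.get("password") == "s3cret":
            return 200, b'{"access_token":"eyJ.constructed.token","token_type":"Bearer","expires_in":300}'
        return 401, b'{"error":"invalid_grant","error_description":"Invalid user credentials"}'
    return {"good": verify_credentials("bob", "s3cret", post=fake_post),
            "bad": verify_credentials("bob", "guess", post=fake_post)}
```

The password grant is the legacy-compatible option, not the preferred one: it hands the user's password to the application, so keep it off the wire except over TLS, never log the request body, and treat it as a bridge until the legacy login screen can redirect to Keycloak's own login like the .NET Core application does.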
So I am working with Drupal and all the users are also connected to LDAP. I want to know what's the best way to implement a password expiration for users who have had a password for X amount of time. Is there a way to achieve this solely through LDAP or must we have a module accomplish this task through the Drupal side?
Password expiration is easily enforced by the LDAP server. With OpenLDAP look at the ppolicy overlay. With OpenDJ just start up dsconfig and let the menus guide you. Apache Directory Server has it as well as Fedora/389. What's your LDAP server again?
You'll need drupal to analyze LDAP response messages when a password policy kicks in. I'm no drupal user myself, so I don't know how well this is supported.
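What "analyze LDAP response messages" amounts to, as an added example that is neither Drupal's nor OpenLDAP's code: the ppolicy overlay attaches a password policy response control (OID 1.3.6.1.4.1.42.2.27.8.5.1) to the bind result. Its BER-encoded value carries either a warning (seconds until expiry, or grace logins left) or an error such as passwordExpired. This decodes that value and turns it, together with the bind result code, into what the web application should do. The byte strings used in the checks are constructed by hand from the ASN.1 definition.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Password policy response control (draft-behera-ldap-password-policy).
PPOLICY_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

# PasswordPolicyResponseValue ::= SEQUENCE {
#   warning [0] CHOICE { timeBeforeExpiration [0] INTEGER,
#                        graceAuthNsRemaining [1] INTEGER } OPTIONAL,
#   error   [1] ENUMERATED { passwordExpired(0), ..., passwordInHistory(8) } OPTIONAL }
# LDAP uses IMPLICIT tags, but a tag on a CHOICE is always explicit, so the
# warning is a constructed [0] wrapping a primitive [0] or [1] INTEGER.
TAG_SEQUENCE, TAG_WARNING, TAG_ERROR = 0x30, 0xA0, 0x81
TAG_TIME_BEFORE_EXPIRATION, TAG_GRACE_REMAINING = 0x80, 0x81
ERRORS = {0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
          3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
          5: "insufficientPasswordQuality", 6: "passwordTooShort",
          7: "passwordTooYoung", 8: "passwordInHistory"}
LDAP_SUCCESS = 0


@dataclass
class PasswordPolicyResponse:
    time_before_expiration: Optional[int] = None   # seconds
    grace_authns_remaining: Optional[int] = None
    error: Optional[str] = None


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one BER tag-length-value; return (tag, value, next position)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated BER value")
    return tag, value, pos + length


def parse_ppolicy_control(value: bytes) -> PasswordPolicyResponse:
    out = PasswordPolicyResponse()
    if not value:                                # control absent: nothing to report
        return out
    tag, seq, end = _read_tlv(value, 0)
    if tag != TAG_SEQUENCE or end != len(value):
        raise ValueError("control value is not a single SEQUENCE")
    pos = 0
    while pos < len(seq):
        tag, inner, pos = _read_tlv(seq, pos)
        if tag == TAG_WARNING:
            ctag, num, _ = _read_tlv(inner, 0)
            n = int.from_bytes(num, "big", signed=True)   # BER INTEGER is two's complement
            if ctag == TAG_TIME_BEFORE_EXPIRATION:
                out.time_before_expiration = n
            elif ctag == TAG_GRACE_REMAINING:
                out.grace_authns_remaining = n
            else:
                raise ValueError(f"unknown warning tag {ctag:#x}")
        elif tag == TAG_ERROR:
            code = int.from_bytes(inner, "big", signed=True)
            out.error = ERRORS.get(code, f"unknown({code})")
        else:
            raise ValueError(f"unexpected tag {tag:#x} in PasswordPolicyResponseValue")
    return out


def login_decision(result_code: int, control_value: Optional[bytes]) -> str:
    """Combine the bind resultCode with the control into the web app's next step."""
    pp = parse_ppolicy_control(control_value or b"")
    if result_code != LDAP_SUCCESS:
        # The error says why only so the app can choose a safe message and log it.
        if pp.error in ("passwordExpired", "accountLocked"):
            return "deny:" + pp.error
        return "deny:invalidCredentials"         # wrong password and unknown user look alike
    if pp.error == "changeAfterReset":
        return "force_password_change"           # bind succeeded, but only a change is allowed
    if pp.grace_authns_remaining is not None:
        return f"allow:grace_logins_left={pp.grace_authns_remaining}"
    if pp.time_before_expiration is not None:
        return f"allow:expires_in_seconds={pp.time_before_expiration}"
    return "allow"
```

The control is only returned when the client sent the matching request control on the bind, so the Drupal LDAP module has to ask for it; a bind that merely fails with invalidCredentials and no control gives the application nothing to distinguish an expired password from a wrong one.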
I am working on a new project for a client where we are going to be storing some important data online. I've been given an old access database which I converted to MS SQL and now I am wondering what kind of login & security I should use.
I'm going to run the site off SSL but I'm not 100% sure if I should go with Form Authentication or something different.
Any advice would be greatly appreciated.
Forms Authentication is fine to work with SSL. Microsoft posted an article about the advantages of using SSL and Forms Authentication.
Help Secure Forms Authentication by using Secure Socket Layers (SSL)
If you are going to work on an internal-only application, use Windows Authentication. This will work out of the box and requires only that you use:
<authentication mode="Windows"/>
If you want to use Forms Authentication, you can either build your own storage and encryption mechanism, which takes some work, or add some tables to the database that allow ASP.NET to easily provide username, password and forgotten-password functionality. This is achieved by running a command-prompt tool that will add the necessary tables for you:
aspnet_regsql.exe
This will start a wizard that allows you to configure the features that you want to add to SQL Server.
To add just the membership tables, logging on to SQL Server with your current Windows account, use:
aspnet_regsql.exe -S <server> -D <database> -A m -E
Or if you want to connect as a specific SQL user, use:
aspnet_regsql.exe -S <server> -D <database> -A m -U <username> -P <password>
Here is a link to a tutorial on how to use Forms Authentication with SQL Server in ASP.NET 2.0. Being ASP.NET 2.0, it looks out of date, but it is the same in any version of ASP.NET 2.0 and upwards.
If you're running this on the public internet then definitely use SSL to encrypt membership-related transactions. The "cost" of using SSL is low - the risk from Packet-sniffing and Firesheep-like tools can be very high.
Basic auth is OK, but I'd be tempted to go with Forms Auth just because you can control the signup and login experience - guidance for users, CAPTCHA etc...
Yes, go with Forms Authentication as the first part of the security. Why? Because all these kinds of logins are based on a cookie, and the basic idea is implemented very well by Forms Authentication.
Now, you need to add extra measures to protect your data, like:
Be sure that you set up Forms Authentication correctly - ref: Can some hacker steal the cookie from a user and login with that name on a web site?
Keep all logins from the user together with IPs and other information and make a pattern to recognize that something is going wrong. ref: https://stackoverflow.com/a/9645770/159270
Add an extra security password for some critical actions.
Add and use different levels of security.
Besides the authentication form, add an extra security test for the administrators' login, a test that must be known only inside, by the high-permission persons.
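One concrete form of "keep all logins with IPs and recognize a pattern", as an added example that is not from the answer or from ASP.NET: run the stored login records through a few windowed counters that separate a password spray from one address (many accounts, one source), a distributed attack on one account (many sources, one account), and the case that matters most, a success from an address that has just produced a burst of failures. The log lines, thresholds and window below are constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class LoginEvent(NamedTuple):
    ts: datetime
    user: str
    ip: str
    ok: bool


# Constructed sample records in the shape the answer suggests storing:
# timestamp, username, client IP, outcome. Not real traffic.
SAMPLE_LOG = """\
2024-03-01T09:00:01 alice 10.0.0.5 OK
2024-03-01T09:00:10 alice 198.51.100.7 FAIL
2024-03-01T09:00:12 alice 198.51.100.8 FAIL
2024-03-01T09:00:15 alice 198.51.100.9 FAIL
2024-03-01T09:01:00 bob 203.0.113.9 FAIL
2024-03-01T09:01:01 carol 203.0.113.9 FAIL
2024-03-01T09:01:02 dave 203.0.113.9 FAIL
2024-03-01T09:01:03 erin 203.0.113.9 FAIL
2024-03-01T09:01:04 frank 203.0.113.9 FAIL
2024-03-01T09:01:20 dave 203.0.113.9 OK
2024-03-01T09:30:00 bob 10.0.0.6 OK
"""

WINDOW = timedelta(minutes=10)   # assumed tuning values, not from the answer
IP_FAIL_THRESHOLD = 5            # failures from one IP inside the window ...
IP_USER_THRESHOLD = 3            # ... spread over at least this many accounts
USER_IP_THRESHOLD = 3            # one account failing from this many IPs

RESPONSES = {
    "spray_from_ip": "rate-limit or temporarily block the source IP",
    "distributed_on_account": "require step-up (CAPTCHA / second factor) for the account",
    "success_after_burst": "force re-authentication, notify the user, alert the on-call",
}


def parse_log(text: str) -> List[LoginEvent]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, status = line.split()
        events.append(LoginEvent(datetime.fromisoformat(ts), user, ip, status == "OK"))
    return events


def analyse(events: List[LoginEvent]) -> List[dict]:
    """Stream events in time order; emit each finding once per (type, subject)."""
    findings: List[dict] = []
    seen = set()
    fails_by_ip: Dict[str, List[LoginEvent]] = defaultdict(list)
    fails_by_user: Dict[str, List[LoginEvent]] = defaultdict(list)

    def emit(kind: str, subject: str, **extra) -> None:
        if (kind, subject) not in seen:
            seen.add((kind, subject))
            findings.append({"type": kind, "action": RESPONSES[kind], **extra})

    for e in sorted(events, key=lambda ev: ev.ts):
        recent_ip = [f for f in fails_by_ip[e.ip] if e.ts - f.ts <= WINDOW]
        if e.ok:
            # A success right after a failure burst from the same source is the
            # signature of a guess that finally worked.
            if len(recent_ip) >= IP_FAIL_THRESHOLD:
                emit("success_after_burst", e.ip, ip=e.ip, user=e.user)
            continue
        fails_by_ip[e.ip].append(e)
        fails_by_user[e.user].append(e)
        recent_ip.append(e)
        accounts = {f.user for f in recent_ip}
        if len(recent_ip) >= IP_FAIL_THRESHOLD and len(accounts) >= IP_USER_THRESHOLD:
            emit("spray_from_ip", e.ip, ip=e.ip, accounts=len(accounts))
        recent_user = [f for f in fails_by_user[e.user] if e.ts - f.ts <= WINDOW]
        sources = {f.ip for f in recent_user}
        if len(sources) >= USER_IP_THRESHOLD:
            emit("distributed_on_account", e.user, user=e.user, ips=len(sources))
    return findings


def run_sample() -> List[dict]:
    return analyse(parse_log(SAMPLE_LOG))
```

Per-IP counting alone misses the distributed case and per-account counting alone misses the spray, which is why both keys are tracked; the thresholds are deliberately low here so the sample trips them, and in production they should be set from the site's own baseline of legitimate failures.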
Form authentication is best for this scenario.
Please refer to the following links for using Forms Authentication with SSL.
Protect Forms Authentication in ASP.NET
More Secure Sites with ASP.NET
This will probably turn out to be a doozie.
I'm developing an application in ASP.NET to be put on our company's intranet site. I've been handed a specification in regards to security and have no idea how to do it.
First part: The application is to use Windows Authentication. This part seems easy enough; I opened IIS in Administrative Tools, right clicked the node of my website, properties and checked 'Integrate Windows Authentication'. However, I have no idea how I will govern which people have access to my site. I'm thinking this should be taken care of at the database level. This is Q#1
Second part -- I have to implement a process for the following scenario: User 'Jane' can log in to our network, but does not have rights to my application. User 'Bob' does have rights to use my application. Bob needs to be able to sit at Jane's computer (under her network account), but be able to enter his credentials into my application and use it (even though Jane is logged into the local machine and network). This is Q#2
Any help, general direction, or advice would be appreciated. The winning lottery numbers would be appreciated even more.
Thanks,
Jason
You're looking for Windows Authentication and Authorization in ASP.NET
How To Use Windows Auth in ASP.NET
Authentication/Authorization Explained
How To Implement Windows Auth in ASP.NET
Part 2...you're right, that's tough. You'll need to roll your own custom security provider.
You'll have a login page, then check that against Active Directory yourself. From MSDN
ASP.NET also supports custom solutions for using Windows authentication, which bypasses IIS authentication. For example, you can write a custom ISAPI filter that checks the user's credentials against Active Directory. With this approach you must manually create a WindowsPrincipal object.
You've got requirements around authentication and authorization here.
Authentication: The act of confirming identity
Authorization: The act of correlating an identity to a privilege (eg Read/Write/Delete)
Windows Authentication is useful if you want "auto-signon" capability. The site will "know" the user by ID without them having to sign in.
The need for users to login from multiple locations means that you must implement a login page. This would fulfill your requirement in which one user may sit at another's workstation and log in.
You will want to authenticate users against the Windows domain. This can be done with a custom membership provider. Here's a walkthrough:
http://msdn.microsoft.com/en-us/library/ms180890(v=vs.80).aspx
This will allow you to present a login page that will authenticate users with their domain username and password. This will authenticate users: the identity of the user will be stored in HttpContext.User. You can then also maintain a user list in a database to store authorization data.
Also found this -- a pretty good resource for anybody out there who's in the same boat:
Mixing Forms and Windows Security in ASP.NET
http://msdn.microsoft.com/en-us/library/ms972958.aspx
I want to be able to authenticate an NT username/password combination through an ASP.NET site, completely separate from the username that's recognized through Request.ServerVariables("LOGON_USER") and the like. There are accounts that will have the rights to completely override others, but the users will still have to enter the correct password to do so.
I tried using the LogonUser function from advapi32.dll, but that only tries the login for the local machine (which would be the application server). Is there something that will work for checking the network in general?
You could authenticate against Active Directory.
An ASP.NET application can use Forms authentication to permit users to authenticate against Active Directory using the Lightweight Directory Access Protocol (LDAP). After the user is authenticated and redirected, you can use the Application_AuthenticateRequest method of the Global.asax file to store a GenericPrincipal object in the HttpContext.User property that flows throughout the request.
http://msdn.microsoft.com/en-us/library/ms180890
Have you thought of using LDAP and ADAM (Active Directory in Application Mode)?
That would allow you to authenticate users in the manner you're seeking. I found a few articles for you:
http://www.c-sharpcorner.com/UploadFile/wojtekpiaseczny/AdamAuthentication10262006124310PM/AdamAuthentication.aspx
http://www.15seconds.com/Issue/060525.htm
http://msdn.microsoft.com/en-us/library/aa302397.aspx
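Both the custom-membership-provider walkthrough in the previous question and the LDAP/ADAM suggestions here come down to the same operation: a simple bind as the user, followed by a careful reading of the failure. As an added example (not Microsoft's, the asker's or any answerer's code) this shows that logic with the transport injected: the real bind would come from an LDAP client library over LDAPS, and is replaced here by a constructed in-memory directory so the block runs offline. The domain name and accounts are made up; the "data 52e"-style sub-codes are the ones Active Directory documents in the bind diagnosticMessage.

```python
import re
from typing import Callable, Optional, Tuple

# Sub-codes AD / AD LDS place after "data " in the diagnosticMessage of a
# failed bind (resultCode 49, invalidCredentials). Documented by Microsoft.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}
LDAP_SUCCESS, LDAP_INVALID_CREDENTIALS = 0, 49
_DATA_RE = re.compile(r"\bdata ([0-9a-f]{3})\b", re.IGNORECASE)

DOMAIN = "corp.example"          # hypothetical UPN suffix
BindFn = Callable[[str, str], Tuple[int, str]]   # (principal, password) -> (resultCode, diagnosticMessage)


def explain_bind_failure(diagnostic_message: Optional[str]) -> str:
    m = _DATA_RE.search(diagnostic_message or "")
    return AD_BIND_SUBCODES.get(m.group(1).lower(), "invalid credentials") if m else "invalid credentials"


def authenticate(username: str, password: str, bind: BindFn) -> dict:
    # 1. Refuse empty passwords before touching the directory. RFC 4513 allows a
    #    server to treat a bind with a name and an empty password as an
    #    *unauthenticated* bind and return success, which would let anyone in.
    if not username or not password:
        return {"ok": False, "user_message": "Invalid username or password.", "detail": "empty credential"}
    # 2. Bind with a UPN (or DOMAIN\user if given); the name is a value in the
    #    BindRequest, not a search filter, so no DN is assembled from user input.
    principal = username if ("@" in username or "\\" in username) else f"{username}@{DOMAIN}"
    code, diag = bind(principal, password)
    if code == LDAP_SUCCESS:
        return {"ok": True, "principal": principal}
    detail = explain_bind_failure(diag) if code == LDAP_INVALID_CREDENTIALS else f"ldap result {code}"
    # 3. Show one message for "user not found" and "wrong password" so the login
    #    page cannot enumerate accounts; keep the precise detail for the audit log.
    if detail in ("password expired", "user must reset password"):
        user_message = "Your password has expired and must be changed."
    elif detail == "account locked out":
        user_message = "Account locked; contact the help desk."
    else:
        user_message = "Invalid username or password."
    return {"ok": False, "user_message": user_message, "detail": detail}


# Constructed stand-in for the directory: UPN -> (password, AD sub-code or None).
_FAKE_DIRECTORY = {
    "alice@corp.example": ("correct horse", None),
    "mallory@corp.example": ("hunter2", "775"),
    "pat@corp.example": ("winter2024", "532"),
}


def fake_bind(principal: str, password: str) -> Tuple[int, str]:
    """Imitates an AD bind, including the unauthenticated-bind pitfall."""
    def fail(sub: str) -> Tuple[int, str]:
        return LDAP_INVALID_CREDENTIALS, (
            f"80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data {sub}, v2580")
    if password == "":
        return LDAP_SUCCESS, ""                 # the trap step 1 of authenticate() closes
    entry = _FAKE_DIRECTORY.get(principal)
    if entry is None:
        return fail("525")
    stored, state = entry
    if password != stored:
        return fail("52e")
    if state:                                  # real AD also reports 775 on wrong passwords;
        return fail(state)                     # simplified here
    return LDAP_SUCCESS, ""
```

In a real deployment `fake_bind` is replaced by the library's simple bind over LDAPS (or StartTLS) to the domain controller or ADAM instance, and the returned `detail` goes to the audit log while only `user_message` reaches the browser.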