Archive for the ‘Security’ Category

Wicket, JBoss, JAAS, LDAP
Posted by Serge Beaumont in the early afternoon: May 8th, 2008

Call me old-skool, but I don't like pulling in huge frameworks like Acegi for some simple authentication and authorization stuff. This post will show you how I connected Wicket security to an LDAP through JAAS. This leverages the LDAP configuration and access on the appserver level and keeps the application clean. This was done on JBoss, so YMMV on another server, but this post should help you along when you need to tweak the solution.

Caveat: this solution does NOT get you logged in as far as the appserver is concerned, so you'll not be able to use container calls like isUserInRole(). If you find out how, let me know. For our purposes we didn't need it, but it's nice to know anyway.

(more...)

Filed under Java, Security | 3 Comments »

Top 10 SOA Pitfalls: #8 - Security
Posted by Viktor Grgic in the early evening: May 5th, 2008

Last week Rik de Groot published #9: Versioning. This week it's time for #8.

SOA security is like having a well-protected Middle Ages city, but at the same time asking citizens to permit many more people from inside and outside the city into their homes. They would really have a hard time properly securing their belongings.
Introduction of SOA should be accompanied by at least a SPRINT business impact assessment of security vulnerabilities (confidentiality, data integrity and availability) and a definition of required measures. Introduction of SOA also requires rethinking your security architecture.
(more...)

Filed under SOA, Security | 2 Comments »

Security Protocols and common attacks.
Posted by Sunil Prakash Inteti in the early afternoon: December 11th, 2007

I wanted to write a blog on Security Protocols. This was the course I liked the most during my college days. Let's look at some protocols and some of the ways these protocols can be attacked. These are some protocols that I studied during my college days.

The two most common words in the security world are Confidentiality and Integrity. Understanding these two terms is very crucial. In simple words, Confidentiality means that only authorized entities can read information. Integrity means reassuring the recipient of the message that the message has not been altered since it was generated by a legitimate source. (more...)

Filed under Security | No Comments »

Playing Another User Role Using ACEGI
Posted by Vikas Hazrati around lunchtime: July 16th, 2007

Recently, on one of our projects, we had a requirement to allow the ROLE_ADMIN to log in as another user without knowing or changing the password of that user. For example, 'Jack' has the ROLE_ADMIN and 'Suzy' has the ROLE_USER. Now 'Jack' wants to log in as 'Suzy' without knowing her password and carry out some tasks on her behalf, acting as her when 'Suzy' is unavailable and some work needs to be done. Of course, you should provide a mechanism to audit and log whenever 'Jack' wants to play a different role.

This is fairly easy to implement using Acegi.

The SwitchUserProcessingFilter in Acegi helps to achieve this functionality. The steps below will show how to configure and use it.

(more...)

Filed under Java, Security | No Comments »

How to implement your own Security provider with the Acegi framework.
Posted by Okke Harsta in the early morning: March 4th, 2007

In a previous blog I described the minimal basic configuration of the Acegi framework. In this blog I'll show you how easy it is to implement your own security provider. There can be many reasons why you would want to implement such a customized security provider. In my case I had to secure an application using user information that was being maintained by an external PHP-based application. The user information could only be retrieved using a web service. In this blog I will demonstrate several ways to implement your own security provider.

(more...)

Filed under Security | 2 Comments »

How to get started with the Acegi framework
Posted by Okke Harsta in the early morning: March 4th, 2007

How to get started with the Acegi framework and implement your own Security provider?

In the old days folks used the J2EE securing capabilities of the app server. This is of course still an option, but there are superior alternatives like the Acegi framework. Acegi is far from new and with the latest releases it has become a very stable and easy-to-use framework, especially when combined with Spring. I had to implement a custom security provider for a customer and was very surprised how easily this was accomplished. This blog describes the steps I took to get started with Acegi.

(more...)

Filed under Security | 3 Comments »
