I am newbie with CAS Server, I found it is a single sign on server between different application in terms of technology like php, .net & java. I explore it but even though there are some questions yet not clear. Before ask my doubt, I tell what am I trying to achieve?
I am using a gwt based application, Now for some of the features, development is in a php technology. It should get some session data from existing java application. another approach to customize CAS like integrate a web service layer for authorization, instead of using its existing like query to db.
The doubts are:
1) Can I share a session data between Java & php application using CAS?
2) is there any security issue while passing a data using CAS server?
Thanks in Advance.
Sharing session data accross application can be addressed by mechanisms not linked to CAS. Though, when authentication occurs in CAS server, user data are retrieved from various data sources and these user data can be pushed to client CAS applications through SAML validation and the appropriate configuration.
Related
I'm about to implement a web application (back office for an existing app.) using the ASP.NET Core framework. At the moment I'm thinking about on how will I authenticate the user. The main database is using MySQL (not supported on this framework), so I will access the database troughout an existing PHP SOAP API.
Is there any way to implement a token based (OAuth) authentication knowing that the data access will be done trough a SOAP API ?
You can take a look IdentityServer3 in combination with the default OpenID middleware. You can completely separate the authentication logic from your application. Your application will trust the tokens generated by the identity server. The same as signin in with facebook/google/linkedin accounts etc.. using your own secure ticket provider. Identity Server supports customization so you can use the datastore of your choice. It is also possible to use your identity server for a various set of applications as long as they are "known" by your identity server. Definitely worth the investigation if you ask me.
https://github.com/IdentityServer/IdentityServer3
I'm creating a multi-platform app, mostly for web interface, mobile and a windows application. The app will manage user task lists and sync them to the server, but also store them locally for processing data faster.
My idea of architecture until now is:
Keeping most of the processing on client side, eventually syncing with the server.
Developing an API to provide and receive data that will be saved on the server (basically just a json wrapper web service)
The data flow:
user Authenticates -> Requests updated Json objects to the server -> populate client-side objects -> work with client-side objects -> send a json object back to the server -> server updates data.
Is this a good approach? I've never done this, can you guys give me some tips?
I think you are on the right track. The idea is to decouple the front-end from the back-end. The backend shall expose a set of CRUD (Create, Read, Update, Delete) functions as RESTful JSON web services. All your different flavours of UI (mobile, web, windows) can consume the same API.
I would recommend for the web front-end to take a look at AngularJS together with bootstrap.
Regarding the backend, you could implement it as a simple Java web application with Jersey/JAX-RS or alternatively, you could check Node.js + Express.
I have two applications one is a business process management (BPM) & the other is a document management system (DMS) , both systems exposes web services to enable integration with other systems. Both system provide a master login username and password to provide JSON API Authentication. for example to start a process ("process1") inside the BPM ; the DMS can send the following API call
/jw/web/json/workflow/process/start/process1?master_username=BPMadmin&master_password=982716171717&loginAS=currentusername
and same apply for calling DMS web services.
The limitation in this security approach is that i am unable to call any of the DMS or the BPM web services using JavaScript and consume the returned JSON using javaScript, since if i follow the javaScript approach i will be exposing the master_username & master_password to the end users and they can manually modify the LoginAs parameter to other usernames and perform actions they are not authorized to do.
so my questions are:-
Can i make the web service calls secure using JavaScript?
second question what other security approaches i can follow to make the web services calls secure using javaScript? baring in mind that i can modify the webs service security to other approaches rather than using master login username and password, but this might require more time and effort from my side?
Thanks in advance for any help
Best Regards
First of all JS is client side and does not include any special security/magic/irreversible functions, like browser aided crypto engine, high grate SPRNG for key generation and so forth. So long story short anything you do with js is not secure it can be obfuscated but it will be NOT SECURE. That is the point you already made. Another more approach is to use your server as 'proxy'. So lets say You are designing an JS aided gui and show some documents ro so, then you make an AJAX request to your app server (not BPM nor DMS) and it acts as proxy that will do the authentication against DMS and call WS and then return the result back to your JS :) So your setup would look like JS (session)-> App (ws auth)-> DMS -> App (sesion)-> JS (I assume you have authenticated user and we'll use users session as JS <-> server secure channel, if not you will have to incorporate some other js auth mechanism maybe one time pass or something but it will be easy because it is your system). And voila. Only security consideration is to not allow anyone to call your servers proxy site :)
I am investigating using HTML5 for a new suite of mobile applications that our company will be writing.
I found this demo here,
http://phonegap.com/start#android
Which shows how to use eclipse to generate and run an android application which is written using HTML.
Just wondering whether there is any information around about writing an online / offline application? This application would collect data based on the user input, and that data would be sent off to a central server and put into our central SQL server database.
What mechanisms could be used to connect and send the data to the server for instance?
Another requirement would be that some data would have to be sent and cached on the device, data related to the tasks that the logged in user has to perform.
You can interact with your server by applying traditional javascript techniques, like ajax, or other cross-domain methods like jsonp, iframes, etc.
The HTML5 localStorage will help you saving data on the local device, it's very useful when your data can be expressed as strings. But if your app requires more powerful tool for local data management, you can make a phonegap plugin with native code for anything you want.
In case of Offline-mode save the data in Local Storage which is feature of HTML 5. Whenever the user in Online Sync the data with the server. In case the data to be stored locally is quite large then use PhoneGap that allows to store some big stuffs
[Ref.: http://docs.phonegap.com/en/2.7.0/cordova_storage_storage.md.html#Storage].
I am developing an education app for Kids.
The application is going to contain pictures, stories and video as well.
Including all above contents in the app will surely bloat it and hence i would like store all data on a server that will be accessed by my app.
I haven't used any remote databases (like MySQL or Oracle) with any other iOS app. In fact i am a newbie in developing such kind of apps. Can any one point me to a sample
Connecting to a remote mysql is really not recommended.
The security here is critical.
You should create a webservice and my advice to you is to make sure that the access to the webservice is restricted
The webservice can be your own "protocol" or any other well known protocol like SOAP
By your own I mean, json, csv .... or whatever.
Edit 1
The technology of your webservice should be dependent on many things.
If the system is small, and the code needs to be update very often, I would suggest to do it with PHP and some small(!) MVC framework like CI.
But if its a large system with needs of ACL (access control list) I will probably choose java with spring...
I suggest that : Do not connect to / use database directly from user application. It may causes serious security problems and your app should have native SQL drivers to connect db.
So, create a web service that receive queries from the application and response in XML, JSON or some other strings that easy to parse. This will be much easier than embed native APIs into your apps.