Web application authentication against remote server.


Web application authentication against remote server.

Stephanie
Hello everyone,

I am new to Apache's Shiro, find it quite comfortable to work with,
though. After going through the documentation I have some basic  
questions left open. If these questions can be answered by a simple  
search which I might have missed, please kindly point me in the right  
direction.

We have developed a web-application using the vaadin framework.  
Currently we are using some basic authentication with users, groups  
and roles. Since the web-application has no access to already existing  
user information (stored on a LDAP-Server) all the necessary data has  
to be entered at least twice. So our goal would be a direct  
authentication against an already existing LDAP or Active-Directory  
Server. With this setup we have some problems, though. For  
persistence reasons we need to store a local copy of some data. For
example we want to store the user name since it could be deleted on  
the LDAP-Server but we still want to be able to address the  
corresponding data. For security and consistency reasons we do not  
want to copy the password.  On the other hand the server, which is  
holding this kind of data, might not be accessible from the  
web-application. (Most of the times the LDAP-Server isn't reachable
from the internet)

Does anyone have any experience with such a setup? Is the approach  
wrong? Would it work with some sort of reversed proxy setup? I  
appreciate any help or ideas,

Thank you in advance,
Stephanie
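The split Stephanie describes (verify the password only against LDAP, but keep a local record of the username so application data can still be addressed after the directory entry disappears) can be expressed in Shiro without ever copying the credential. The following is an added example, not code from the thread or from the Shiro project; the package name, the `LocalUserMirrorListener` class, the in-memory map standing in for a database table, and the `shiro.ini` values in the comment (realm class, DN template, LDAP URL) are assumptions for illustration.

```java
// Added example (not from the thread): a Shiro AuthenticationListener that
// records the LDAP-verified username locally on successful login, so the
// application keeps a stable local key for its own data while the password
// is only ever checked by the directory and never stored here.
//
// Assumed shiro.ini wiring (Shiro 1.x property syntax):
//   [main]
//   ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm
//   ldapRealm.userDnTemplate = uid={0},ou=users,dc=example,dc=com
//   ldapRealm.contextFactory.url = ldap://ldap.example.com:389
//   mirrorListener = example.shiro.LocalUserMirrorListener
//   securityManager.authenticator.authenticationListeners = $mirrorListener
package example.shiro;

import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationListener;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.subject.PrincipalCollection;

public class LocalUserMirrorListener implements AuthenticationListener {

    // Stand-in for a JDBC table keyed by username (assumption for the example).
    // It holds the username and a last-seen timestamp only: no credentials.
    private final Map<String, Long> lastSeen = new ConcurrentHashMap<>();

    @Override
    public void onSuccess(AuthenticationToken token, AuthenticationInfo info) {
        // The primary principal is the username the LDAP realm just verified.
        // token.getCredentials() (the password) is deliberately never read.
        Object principal = info.getPrincipals().getPrimaryPrincipal();
        if (principal != null) {
            lastSeen.put(principal.toString(), System.currentTimeMillis());
        }
    }

    @Override
    public void onFailure(AuthenticationToken token, AuthenticationException ae) {
        // Nothing is persisted for failed attempts; the failure is left to
        // Shiro's own exception handling and whatever audit logging is in place.
    }

    @Override
    public void onLogout(PrincipalCollection principals) {
        // The local record intentionally survives logout and directory deletion;
        // that is the whole point of keeping it.
    }

    // Lets the application decide whether a username still maps to local data
    // even when the LDAP entry has since been removed.
    public boolean isKnown(String username) {
        return lastSeen.containsKey(username);
    }
}
```

With this wiring the web application never holds a password: the `JndiLdapRealm` binds to the directory with the submitted credentials, and only on success does the listener write the username. The reachability problem in the question is untouched by this, since the bind still needs a network path from the application to the LDAP server.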


Re: Web application authentication against remote server.

Les Hazlewood
Administrator
Hi Stephanie,

I believe this to be a data reachability issue and not something that
Shiro was designed to handle.  However, I can offer my insights as I'm
working on commercial cloud service that will support the case you
describe for internet-accessible applications.

Our cloud service offers a local (on premise) agent that runs behind
the corporate firewall that synchronizes with LDAP or AD (directly) on
a regular basis.  It pushes out updates to our cloud service whenever
account data changes (outbound connections - no inbound connections
through the corporate firewall are needed).  Applications that
authenticate users against our cloud service hit our local cloud
'mirror' of the on-premise LDAP so there is no round-trip back to the
on-premise LDAP necessary (we keep very secure hashed-only versions of
the passwords in an ultra secure distributed 'vault' of sorts).

I'm hesitant to 'peddle my wares' on an open source mailing list, so I
won't say much about our service further - I just wanted to give you
an example of how we have solved this problem for customers, and it
might be an avenue you wish to take if you want to build something
similar yourself.  That being said, if you're interested in what we're
doing and don't want to build something similar yourself, feel free to
contact me directly if you'd like to try our solution.

HTH,

--
Les Hazlewood
CTO, Katasoft | http://www.katasoft.com | 888.391.5282
twitter: @lhazlewood | http://twitter.com/lhazlewood
katasoft blog: http://www.katasoft.com/blogs/lhazlewood
personal blog: http://leshazlewood.com

On Sun, Nov 13, 2011 at 2:23 PM, <[hidden email]> wrote:

> Hello everyone,
>
> I am new to Apache's Shiro, find it quite comfortable to work with, though.
> After going through the documentation I have some basic questions left open.
> If these questions can be answered by a simple search which I might have
> missed, please kindly point me in the right direction.
>
> We have developed a web-application using the vaadin framework. Currently we
> are using some basic authentication with users, groups and roles. Since the
> web-application has no access to already existing user information (stored
> on a LDAP-Server) all the necessary data has to be entered at least twice.
> So our goal would be a direct authentication against an already existing
> LDAP or Active-Directory Server. With this setup we have some problems,
> though. For persistence reasons we need to store a local copy of some data.
> For example we want to store the user name since it could be deleted on the
> LDAP-Server but we still want to be able to address the corresponding data.
> For security and consistency reasons we do not want to copy the password.
>  On the other hand the server, which is holding this kind of data, might not
> be accessible from the web-application. (Most of the times the LDAP-Server
> isn't reachable from the internet)
>
> Does anyone have any experience with such a setup? Is the approach wrong?
> Would it work with some sort of reversed proxy setup? I appreciate any help
> or ideas,
>
> Thank you in advance,
> Stephanie
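Les's answer sketches a mirror that never holds plaintext passwords: the agent behind the firewall pushes account data outbound, and the reachable side keeps only salted, iterated hashes to verify logins against. The block below is an added illustration of that verification side using Shiro's own `HashedCredentialsMatcher`; it is not Katasoft's code, and the thread does not say how their agent obtains material to hash, so the `sync` method that takes a password at synchronization time, the iteration count, the package and class names, and the in-memory map standing in for the "vault" are all assumptions.

```java
// Added example (not from the thread, not Katasoft's agent): a Shiro realm that
// holds only salted, iterated SHA-256 hashes of passwords, the way a reachable
// "mirror" of an unreachable LDAP would, and verifies logins against them.
package example.shiro;

import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.realm.AuthenticatingRealm;
import org.apache.shiro.util.ByteSource;

public class HashedMirrorRealm extends AuthenticatingRealm {

    // Iteration count is an assumption for the example; tune to your hardware.
    private static final int ITERATIONS = 100_000;

    // One mirrored account: base64 hash plus its per-account random salt.
    private static final class Record {
        final String hashBase64;
        final byte[] salt;
        Record(String hashBase64, byte[] salt) {
            this.hashBase64 = hashBase64;
            this.salt = salt;
        }
    }

    // Stand-in for the persistent "vault" (assumption for the example).
    private final Map<String, Record> mirror = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();

    public HashedMirrorRealm() {
        // Shiro's matcher re-hashes the submitted password with the stored
        // salt and iteration count and compares it to the stored hash.
        HashedCredentialsMatcher matcher =
                new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
        matcher.setHashIterations(ITERATIONS);
        matcher.setStoredCredentialsHexEncoded(false); // we store base64
        setCredentialsMatcher(matcher);
        setAuthenticationTokenClass(UsernamePasswordToken.class);
    }

    // Called by the synchronization side. The plaintext is hashed with a fresh
    // salt and then wiped; only the hash and salt are kept.
    public void sync(String username, char[] password) {
        byte[] salt = new byte[16];
        random.nextBytes(salt);
        String hash = new Sha256Hash(password, salt, ITERATIONS).toBase64();
        mirror.put(username, new Record(hash, salt));
        Arrays.fill(password, '\0');
    }

    // Called when the directory reports a deleted or disabled account.
    public void remove(String username) {
        mirror.remove(username);
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        String username = (String) token.getPrincipal();
        Record record = mirror.get(username);
        if (record == null) {
            return null; // Shiro turns this into an UnknownAccountException
        }
        // Hand back the stored hash and salt; the matcher does the comparison.
        return new SimpleAuthenticationInfo(
                username, record.hashBase64, ByteSource.Util.bytes(record.salt), getName());
    }
}
```

The shape matches Les's description: nothing inbound is required at the directory side, the reachable realm answers logins from its mirror alone, and a compromise of the mirror yields only salted, iterated hashes rather than passwords. How the on-premise agent is fed is the part this example leaves open, because the thread does not specify it.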