Grails spring-security-ldap caching with Redis - grails

Newbie question so bear with me...
Currently I have a Grails 2.4.4 app that uses spring-security-ldap 2.0.1 to authenticate and authorise users against an OpenLDAP server.
The LDAP people are concerned that, without caching, this app might impact the LDAP server's performance when it moves to Production. They recommended looking into using Redis as an app-level cache for users before hitting the LDAP server.
I would like to get some directions before I dive into the POC, to make sure I start on the right path:
i) I briefly looked into the 'Grails 1 & 2 Plugins' from the Grails org; a couple of plugins appeared when I searched for Redis... Which one(s) are actually relevant to what I am trying to achieve?
ii) Assume I had integrated Redis caching into my Grails app: how/where do I tell spring-security-ldap to look in the Redis cache first, before hitting the LDAP server?
Thanks in advance for any info/guide.

Here is some advice, as you're not looking for ready-to-use solutions:
Caching any type of authentication is a big security failure, as hackers will be able to take advantage of this to bypass some rules implemented in your LDAP solution, such as brute force protections (e.g. blocking the account after N bad passwords).
In order to handle the load on the LDAP server side, you could adjust the session token expiration (JSESSIONID or JWT, depending on how Spring Security has been configured). For example, if the token expiration is 1 hour, you will receive only 1 request per hour per user.
You could add a refresh token mechanism to renew the session token without querying LDAP. In this case you will have only 1 LDAP request per device per user, which might be acceptable. Here is how to do it using Grails JWT.
In this doc you will see that Redis can be used to store the token, which is quite related to your initial solution.
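As an added illustration of the two points in this answer (not code from the question or the answer, and not Grails code): a small Python model with a stand-in LDAP directory that locks an account after three failed binds, a naive Redis-style credential cache, and a session-token design with expiry. All classes and the `alice` test data are constructed for the example.

```python
import hashlib, hmac, secrets, time

LOCKOUT_AFTER = 3  # the directory locks an account after N failed binds

class FakeLdap:
    """Stand-in for the OpenLDAP server: counts binds and enforces lockout."""
    def __init__(self, users):  # users: constructed {name: password}
        self.users, self.binds, self.failures, self.locked = users, 0, {}, set()

    def bind(self, user, password):
        self.binds += 1
        if user not in self.locked and self.users.get(user) == password:
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= LOCKOUT_AFTER:
            self.locked.add(user)
        return False

class CachingAuthenticator:
    """Redis-style cache of user -> password hash: after one good bind,
    later guesses are checked locally, so LDAP never sees them or locks."""
    def __init__(self, ldap):
        self.ldap, self.cache = ldap, {}

    def login(self, user, password):
        digest = hashlib.sha256(password.encode()).hexdigest()
        if user in self.cache:
            return hmac.compare_digest(self.cache[user], digest)
        if self.ldap.bind(user, password):
            self.cache[user] = digest
            return True
        return False

class TokenAuthenticator:
    """Password reaches LDAP on every login; later requests carry a token
    that expires after ttl_seconds, so LDAP sees one bind per user per TTL."""
    def __init__(self, ldap, ttl_seconds=3600):
        self.ldap, self.ttl, self.tokens = ldap, ttl_seconds, {}

    def login(self, user, password):
        if not self.ldap.bind(user, password):
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (user, time.time() + self.ttl)
        return token

    def authenticate(self, token):  # no LDAP round-trip
        user, expiry = self.tokens.get(token, (None, 0.0))
        return user if expiry > time.time() else None
```

After one valid login followed by five wrong guesses, `CachingAuthenticator` leaves the directory at a single bind and never locked, while `TokenAuthenticator` forwards every password attempt, so the directory locks after three, and the legitimate session keeps authenticating by token without further binds.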

Related

Authenticate multiple Rails servers against Devise authentication

We have a monolithic Rails 3 (Ruby 1.9) server that does everything for us, including Devise session authentication.
We have recently decided to introduce a new Rails 5 server (built from scratch) which will serve as an API server and slowly replace existing capabilities in the old server.
Our problem is that session authentication happens against the old rails server and we want to include session authentication in the new Rails 5 server.
Does anyone have experience or suggestions on how to have new Rails servers authenticate sessions against an existing Rails server which has the session information?
Needless to say, my main focus is on Front End development - server side authentication is not my forte.
You can have multiple Rails applications that share the same database and that use Devise to authenticate users. But you need to ensure the same input / algorithm is used when encrypting passwords.
For Devise this has been BCrypt by default for quite some time; you also need to ensure that the config.stretches setting matches for both apps. The implementation has changed a bit over the years though, and your mileage may vary.
The key concept here is that you're not authenticating against an application - you're authenticating that the result of encrypting the password provided by the user matches the digest in the database.
But you should also start by recognising that the apps might not have the same authentication requirements at all. Most APIs (at least good ones) use token based authentication, which is stateless.
One major issue with session based authentication is that cookies normally work on a single domain or subdomains, and they are normally disabled by the browser if they work cross-domain (3rd party cookies), which means that you will have issues if your API and the legacy app are not on the same subdomain. Cookies are also a feature only available in browsers, while token based authentication works in any kind of client.
And while you could have your new application query the legacy application over HTTP, tinkering with this might actually be a waste of time since the new application will need its own authentication solution anyway.
There are multiple gems that provide token based authentication for Devise.

Can Authorization Server and Resource Server be merged in OAuth2?

I'm trying to implement an OAuth2 provider for my web service.
It seems easier to implement the Authentication Server together with the Resource Server. The specification doesn't say anything about the communication between them.
Does anybody see a reason not to do this?
I had a post yesterday regarding this issue. I hope we can mutually answer each other. First, to directly answer your question, I think it depends very much on the load that your app has to handle. If you have to scale your app to many resource servers, keeping a separate auth server is best because you can centrally manage user credentials and access_token in one place.
Here is my question. I believe if you have tried something similar to mine, you can give me some suggestions.
OAuth - Separating Auth Server and Resource server returns invalid token when accessing protected resource

Problems while implementing SSO with Spring Security CAS extension

I'm trying to use the Spring Security CAS extension to authenticate users on my applications. Earlier there was only one application, so SSO was not needed. Now there is one more application and I want the user to log in once and use all the applications without having to go through authentication again (SSO, basically). I have a bunch of questions like these:
All the applications I have are part of a single Tomcat container and will be served via the same domain. I checked the Tomcat SSO Valve, but it seems to need container based authentication; I'm not really sure if I would want to use that for authentication / authorization. I'm using Spring Security form-based login. Do I really need something like Jasig CAS, or will it be overkill?
Spring Security and CAS deployerContext Configuration - http://pastie.org/8408976 and http://pastie.org/8408967
I set up Spring Security CAS with the Jasig server and SSO seems to work, as logging in to any of the applications suffices to access the other application. I've modified the deployerConfigContext.xml to replace the inMemoryServiceRegistryDaoImpl with the JPA / Hibernate one. But I always see the below line in my logs, though the tables have been created (SERVICETICKET and so on) in my db. These tables are always empty when I try logging in and out.
2013-10-17 16:41:18,882 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - <Loaded 0 services.>
When I try to access the URL https://localhost/cas/services, it returns an error "This website has a redirect loop", and I see the below piece repeating n number of times in the logs (with different ticket numbers):
http://pastie.org/8408940
I don't have any REST or stateless services accessing authenticated resources, do I need proxy tickets at all?
Note: I'm using Spring Security 3.1.4.RELEASE and CAS server 3.5.2 version.
Any pointers will be helpful.
> I set up Spring Security CAS with Jasig server and SSO seems to work as logging in to any of the applications suffices to access the other application. I've modified the deployerConfigContext.xml to replace the inMemoryServiceRegistryDaoImpl with JPA / Hibernate one. But I always see the below line in my logs. Though the tables have been created (SERVICETICKET and so on) in my db. These tables are always empty when I try logging in and out.
>
> When I try to access URL `https://localhost/cas/services`, it returns an error "This website has a redirect loop". and I see the below piece repeating n number of times in the logs (with different ticket numbers)
I figured out the solution to this. This was happening because filterProcessesUrl in the CAS server configuration had the string "acegi" (the old name for Spring Security), which didn't match "spring", hence the problem. Modifying that helped. Not sure why the old name was hardcoded there. Also, it didn't pick up this string from cas.properties, so figuring it out was a little more difficult.
I hope to get answers for other questions.

Client-server user authentication

UPDATE: I failed to mention earlier that we want a solution that will be flexible in authenticating users from within our databases or by asking other servers to tell us if the user is authenticated. It is also worth mentioning that these other servers are not under our control, so we can't enforce a specific user model.
I had a long and hard read on OAuth and OpenID, but neither of them is a suitable solution for our situation, and they would make the process harder for the user. This is something that has been solved a thousand times, yet I cannot find the solution.
What we are looking for is a framework that can be used in a REST services server to authenticate users (no third-party clients involved) with their username and password.
The solution must not pass the username and password except the first time on login, and must use tokens for further authentication. Even though OAuth does use tokens, it is designed to allow third-party clients access to the service provider's resources. That is not the case here; the services are for our own application only, and the only thing needed is user authentication.
What do you guys think is the most appropriate solution?
Configuration:
-Spring server that provides RESTful services with our thinking going towards using Spring Security with some user management and token management framework.
-iOS Device that will be making HTTPS calls to the server.
What we ultimately want is to have the device send a login request and receive a token if the login was successful, later on make requests using that token. Just like Facebook, excluding third-party involvement.
Is there something that is ready to be configured in our server? Or should we consider building our own token management, comparison and generation software?
Is using Spring-Security with an iOS application without involving storing cookies or redirecting to pages possible?
OpenStack offers, as part of its many projects related to open source cloud, the project Keystone, which does pretty much exactly what you want.
You might want to check it out here:
http://docs.openstack.org/developer/keystone/

A Faster / More Scalable Approach to Twitter OAuth Dance in Rails?

I'm running a Rails app on the Heroku Stack (complete with Memcached, DJ Asynchronous workers, MongoDB persistent storage).
Right now we use Twitter Oauth as the only authentication option on our site. (We plan to branch out to FB connect, OpenID, and/or Email/password eventually).
Ruby/Rails apps, as you probably know, don't support concurrency out of the box. On Heroku, you can spin up additional app instances (dynos), which increase your concurrency (concurrency capability = number of dynos), but each one costs $36/month.
In general, this hasn't been a problem, because the average request on the site takes <100 ms.
EXCEPT for Twitter OAuth. The OAuth-related requests to Twitter take, on average, around 3,500 ms.
So basically, when anyone logs in an entire app instance gets held up for 3-4 seconds.
Is there any decent way to mitigate this? Would it be weird to put these actions in asynchronous DJ workers? It could make logging in a little slower, but at least if a bunch of people are logging in at once and/or Twitter is being really slow, these processes would not affect the rest of the app / other web requests?
Any other ideas?
I would say that this advice is now superseded. I'd suggest you use OmniAuth instead, possibly with Devise if you need normal auth as well.
OmniAuth is a Rack app as suggested, and you basically get all the "big" OAuth providers working in one fell swoop.
There are 2 OmniAuth specific RailsCasts that walk you through exactly what's needed: OmniAuth Part 1 and OmniAuth Part 2.
You could push the OAuth into a Rack middleware app - then at least only a Rack app gets spooled up instead of the whole Rails stack. That should make it a little quicker (though it will still take up an instance).
That being said, there is no reason why you can't put authentication into its own app, especially if it's all in the same domain (so any authentication cookies are still local to the domain). Though you'll have to be really careful of security issues - e.g. man-in-the-middle attacks etc. Better if somebody's already done the work/bugfixing for you :)
You can even have an authentication app on an independent app domain if you use rubyCAS: http://rubyglasses.blogspot.com/2009/12/rails-single-sign-on-with-rubycas.html
