We had an issue recently with our PKCS#12 keystore that had us stumped for days. When trying to access a SOAP web service over HTTPS (mutual authentication) from a stand-alone application we started getting "Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty". I normally use the KeyStore Explorer (KSE) tool when working with stores and certificates. In this case KSE was able to both open the keystore and list the private key and certificates stored within (note: as this store was used for testing, it served as the truststore as well as the keystore).
I was recently working on a project that required us to integrate our Spring MVC application with Microsoft’s Active Directory (AD). Most online tutorials discuss using a privileged system account for performing lookups of the user’s distinguished name (DN) based on the user name provided at login. Setting up a generic system account to enable authentication from our application became problematic due to organisational policies.
Recently, I was asked to assist with an integration of an existing suite of JEE web applications with an Oracle single sign-on solution being rolled out across a large organisation. The IBM WebSphere platform used for running the existing web applications was somewhat outdated (WAS v6.1) and there was no possibility of an upgrade. To make things even more difficult, the applications in question used a home-grown single sign-on solution with little documentation. The project brief was simple: develop a proof-of-concept solution to demonstrate to management that their current assets can be migrated to the new single sign-on platform without major (or preferably any) changes to the above-mentioned applications.
I remember when I first started using EJBs, there was a lot of talk about physical separation of the presentation and business tiers via remote interfaces and RMI. So, technically, you could have your business logic sitting on a different server than your web application. It sounds great, but I cannot remember actually doing that. My web and business tiers have always been packaged into a single EAR and deployed as one monolithic application. When I moved away from EJBs and started using the Struts/Spring/Hibernate combination I didn’t give much thought to this until recently, when on my latest project someone (thanks Shine) reminded me how you can achieve the same separation of tiers using Spring remoting. After all, this is still a great enterprise design pattern and I’m surprised I haven’t encountered it more often. Allow me to share it.
I have recently rolled out a single sign-on solution using Atlassian Crowd. My client’s applications were running on Apache Tomcat and required FORM-based authentication. After briefly Googling around, I found the Crowd JAAS Login Module, which fitted my requirements perfectly. Here is an example of how to integrate a Crowd JAAS login module into Tomcat so that all web applications can be authenticated against the Crowd server. The following instructions were tested against Crowd 2.0 and Tomcat 6.0.29. You will need at least Tomcat 6.0.20 to make some of the instructions that follow work.
Recently, while rolling out a single sign-on solution for a client, I stumbled across an interesting problem. Here’s the situation. We had a bunch of web applications that needed to be deployed onto an Apache Tomcat (v6.0.29) server. Each application needed to be secured using FORM-based authentication. We were using the Atlassian Crowd identity management application for managing our users and providing the authentication and authorisation services. The integration of the Tomcat server with Crowd was straightforward. Using Tomcat’s JAASRealm implementation and Crowd’s third-party CrowdLoginModule JAAS module, we managed to successfully get our users authenticated using the BASIC authentication method.