In our company, we have several rich Java applications that are used both by internal users and external users. We would like to begin migrating these systems to support a single sign on mechanism, and potentially allow our external clients to use their own authentication mechanisms to validate their users.
For instance, if we have a client who has a large number of users, and they would like to have their users only have to login using their company login information, we would like to support that behavior.
We have looked into using certificate based authentication systems (one of the common ones being Kerberos), and using that authentication mechanism to allow for external authentication services to be used in our system.
Is this doable? Are there specific implementation details we need to be aware of? I am not as concerned about specific technologies (although suggestions are certainly welcome), more about the core concepts and making sure we are doing the right thing wherever possible.
What about authorization – i.e. access to different services. Is there a standard or best practice to how this is handled when dealing with (potentially) disconnected authentication services?
As an additional note, our front end systems are made in Java, so specific information related to implementing this behavior in a Java framework is definitely appreciated (i.e. libraries that are useful, potential pitfalls specific to Java, etc).
Is it doable? Yes.
Are there specific implementation details we need to be aware of? Yes.
Each type of security implementation has its own implementation details that you’re just going to have to figure out. Each one is different and has its own nuances.
You should be able to implement whatever type of security you chose. Kerberos is a fine choice. You might also look into Openid and CAS. There are many others though.
To handle the actual security itself you might consider looking into Spring Security. Spring Security is able to handle authentication/authorization fairly well. However, most of spring security is really focused towards security on the web and not client systems so you most likely will have to implement much of the authentication mechanisms yourself (using libraries available library whenever possible of course).
When designing your system, especially if you’re going to have many different types of login types, try to build the login system as pluggable as you can. Which will take time and a lot of trial and error.
I would look into the Spring Security 3 book. It isn’t a great book, but it does explain a lot about how to properly implement security. Leveraging springs work is highly recommend because trying to implement security all by yourself will be quite a daunting task.
Best of Luck.