first let me ask if this is the right forum to place such a request. If not please have the kindness to point me somewhere else.
I am looking for someone who is willing to help me with the following Project:
Our small department (around 50 people) uses various tools like RT: Request Tracker or XWiki as a wiki. Unfortunately we only use small parts of these programs and every now and then they don’t do exactly what we need. Therefore we are looking into implementing the features we like ourself.
Our plan was to start off with some sort of a single-sign-on solution (that way we hope to increase user acceptance and pave the way to get a higher budget) and that’s where we need help.
What we like to have is an application to handle user management and group- and role-management throughout further extensions. We need to be able to call other web-application like the ones mentioned above and provide them with the login credentials.
There are two types of users we need to handle, local ones (stored in a database) and LDAP-users.
The integration of AD FS (Active Directory Federation Services) or NTLM/Kerberos to use SSO for the application itself would be nice to have.
If you have additional questions or you are interested in increasing your “pocket money” please do not hesitate to drop me a line:
Just for your reference: Vaadin also sells expert services, have a look at
Vaadin Pro where you can find information on the new Pro Account and our other services.
And if you do want to develop this yourself or find someone else to do it, I would strongly recommend using some standard libraries for as much of it as possible.
Spring Security has quite nice features for talking with the back-end etc, but it would be a good idea to replace one or two of the layers of the default interceptor (servlet filter chain) - something I have considered doing but never found the time for. I know some use Spring Security without doing so, but that does imply some constraints and sub-optimal behavior. This of course assumes that you don’t mind Spring dependencies in the project.
If you are planning to release your solution as open source, I could perhaps provide some (limited) advice.
Note also that some frameworks on top of Vaadin do provide some authentication and authorization parts - see e.g.
the AppFoundation add-on .
FWIW, I’ve been using
Apache Shiro , and so far it has been exceptionally simple to implement and use. I’ve always found Spring Security overly complex - probably a largely mental block on my part - but Shiro is a clean fit for me, as it fits my “mental map” of security. It only took me a couple of hours to do an initial integration, and allow authentication against our internal Active Directory service; another 20 mins to do a rudimentary custom “realm” for in-app security authorisation.
No connection with the project, other than I think it deserves to be used a lot more than it is!
Hello,
I definitely want to use standard libraries. There is no need to re-invent the wheel. And I know that I wouldn’t be able to keep up with the security standards myself.
Spring always seemed to complex but is definitely worth taking a closer look.
Unfortunately my boss thinks that Open Source is a security-threat. I am sure I won’t be able to convince him otherwise. I know that this seems odd since we are planing in using an Open Source framework but it will be a long road to convince him that everybody can gain from an OS project. I’d like to thank you anyway and maybe he changes his mind…
If you use mature and commonly used libraries, I would imagine that it is actually more likely that security vulnerabilities in open source products have been found and fixed than in their proprietary counterparts. In open source projects you have multiple eyes looking at the code and discovering the vulnerabilities. In proprietary software you don’t have that many people reviewing the code and thus vulnerabilities may go unnoticed.
The fact that the code is proprietary and the code isn’t publicly available
does not mean that it would be more secure or that there would be less vulnerabilities. If one believes that the software is more secure because it’s closed sourced, it is basically believing in
security through obscurity , something that shouldn’t be considered as a security measure.
One thing that you should however keep in mind with open source software, is to consider who is standing behind the product. If there is mature company behind the product, a company that relies on the product, then you can be pretty sure that if any vulnerabilities are found, it is in the best interests of the company to fix the issues.