Exposing REST API only for a short period of time - spring

I am working on a project which is already using Spring Security JWT for authentication of every incoming request. I need to add another REST controller in the same module with a different path like /api/v1/statement. All APIs inside this controller should be accessible to the user only for 30 minutes (same user) with some temporary token. After 30 minutes that token should expire and the API should no longer be accessible to the user. Can anybody here please suggest how I can achieve this using Spring Security?
I checked a few blogs related to Spring Security but couldn't find what I am looking for.
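One way to do this with a second, path-scoped SecurityFilterChain (an added example, not code from the question or from any Spring project): the normal JWT chain stays as it is, while /api/v1/statement/** only accepts an opaque token that was issued to a specific user and dies after 30 minutes. Assumed: Spring Boot 3 / Spring Security 6, the header name X-Statement-Token, and an in-memory store (swap in a database or Redis when more than one instance serves the API).

```java
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;
import java.util.concurrent.ConcurrentHashMap;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
// Added example, not from the question. Assumes Spring Boot 3 / Spring Security 6 (jakarta.servlet);
// the header name and the in-memory store are assumptions (use a DB or Redis when running several instances).
@Configuration
public class StatementSecurityConfig {
    private record Grant(String user, Instant expiresAt) {}
    private final ConcurrentHashMap<String, Grant> grants = new ConcurrentHashMap<>();  // token -> owner + expiry
    // Called from the normally JWT-authenticated part of the app; the token is bound to that user for 30 minutes.
    public String issueStatementToken(String user) {
        byte[] raw = new byte[32]; new SecureRandom().nextBytes(raw);  // 256 random bits: opaque, unguessable
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        grants.put(token, new Grant(user, Instant.now().plusSeconds(30 * 60)));
        return token;
    }
    String userFor(String token) {  // owner of a live token; null if missing, unknown or older than 30 minutes
        Grant g = token == null ? null : grants.get(token);
        if (g != null && Instant.now().isBefore(g.expiresAt())) return g.user();
        if (g != null) grants.remove(token);  // expired: purge so the map does not grow without bound
        return null;
    }
    @Bean @Order(1)  // matched first; the existing JWT chain (no @Order, lowest precedence) keeps all other paths
    SecurityFilterChain statementChain(HttpSecurity http) throws Exception {
        http.securityMatcher("/api/v1/statement/**")
            .csrf(csrf -> csrf.disable())  // header token, no cookie session, so nothing for CSRF to ride on
            .authorizeHttpRequests(a -> a.anyRequest().hasAuthority("STATEMENT"))
            .addFilterBefore((req, res, chain) -> {
                String user = userFor(((HttpServletRequest) req).getHeader("X-Statement-Token"));
                if (user == null) { ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED); return; }
                SecurityContextHolder.getContext().setAuthentication(new UsernamePasswordAuthenticationToken(
                        user, null, AuthorityUtils.createAuthorityList("STATEMENT")));  // scoped authority only
                chain.doFilter(req, res);
            }, UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }
}
```

The statement token carries no claims of its own, so there is nothing to forge or tamper with; revocation before the 30 minutes is a single grants.remove(token) call.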

Related

Authentication with google firebase and spring

I want to use auth from Google Firebase and integrate it with Spring Boot.
I am not sure that I have a good idea of how to implement roles/authorities.
I have this scenario in mind:
On successful authentication with Firebase, the frontend sends a request to a secured Spring backend endpoint, and the data on this endpoint contains which roles the user should have, so the frontend uses this data to set claims for the user. The backend uses the claims to authorize the user when accessing endpoints.
Is this okay, or is there a faster/better solution?
That sounds like a good approach. Have a look at the Firebase documentation on verifying ID tokens as that'll be your starting point once your backend receives the token from the client.
The only addition I can make at this point is that many of Firebase's own backend services cache recently decoded tokens (with the undecoded token as the key) to allow subsequent requests to more quickly look up the information for that token. While this is not required, it's an easy speed up once you're ready for that.

How to connect Woocommerce WordPress plugin to a Spring Boot API based on Spring Security Oauth2 JWT?

I am a Spring developer trying to figure out how to connect a WordPress WooCommerce website to my REST Spring Boot service. I haven't worked with WordPress, so there are a lot of unknown unknowns for me there. I am collaborating with another developer on the WordPress side of things, trying to solve this issue, but we are a little lost.
Are there best practices for a WordPress website to access the Spring Boot OAuth2 API (including the JWT token delivery service)?
CONCRETE DESCRIPTION OF MY SITUATION:
State right now (working):
Someone orders a Product on the WooCommerce website and the order status is set to processing.
The goal:
The WordPress WooCommerce backend calls the Spring Boot API to send how many products were ordered.
WHAT WE FOUND OUT AND WHAT WE TRIED:
Spring Boot:
We found out that Spring Boot OAuth2 is the way to go for the REST API endpoint.
The only resources I found about this are these, which are very good and sufficient:
https://developer.okta.com/blog/2018/04/02/client-creds-with-spring-boot
https://www.youtube.com/watch?v=X80nJ5T7YpE
WordPress:
The problem is that we find a lot on WordPress webhooks but not a lot on how to call an API endpoint with a token system.
Here are some resources we worked through, which are not sufficient:
https://developer.wordpress.org/plugins/http-api/
https://woocommerce.github.io/woocommerce-rest-api-docs/v3.html?shell#webhooks
https://duckduckgo.com/?q=wordpress+oauth2+rest+call&t=bravened&ia=web
WHAT WE THINK WE KNOW ABOUT THE SERVER-TO-SERVER COMMUNICATION IN THIS CASE (Handshake):
1. In WordPress, I manually and safely store a username and a password, which Spring Security knows about, on WordPress.
2. WordPress: an order has been finished.
3. WordPress calls Spring Boot with an HTTPS request to /api with payload: OrderInformation, Password and Username.
4. Spring sees that there is no token or the token is outdated.
5. Spring searches the request payload for username and password.
6. Spring generates a signed JWT token based on username and password.
7. WordPress receives that token and stores it safely.
8. WordPress HTTPS request to /api with payload: OrderInformation, Token.
9. Spring validates the token and accepts the OrderInformation.
10. Spring does whatever it needs to do with the information, and when everything works out,
11. Spring OAuth2 somehow has to tell WooCommerce that the information was successfully delivered. Otherwise WooCommerce has to resend the information. And start from point
WHAT WE HOPE THIS POST SHOULD ACCOMPLISH FOR PEOPLE WITH THE SAME QUESTION:
If someone knows any resources or best practices on how to configure WordPress WooCommerce, please let us, who have a lot of unknown unknowns, know what to do next.
We hope this post and its answers can be a gateway and vertex for other people to find the information they need.
Thank you very much in advance.
I am not sure about the Spring Boot API specifically, but I have done this type of integration with other REST APIs.
I would recommend using a WordPress action hook. The hook that I would recommend you use is woocommerce_order_status_changed.
    // define the woocommerce_order_status_changed callback
    // $instance is the WC_Order object; $this_status_transition_to is the new status
    function action_woocommerce_order_status_changed( $this_get_id, $this_status_transition_from, $this_status_transition_to, $instance ) {
        // make action magic happen here...
    }
    // add the action (priority 10, 4 accepted arguments)
    add_action( 'woocommerce_order_status_changed', 'action_woocommerce_order_status_changed', 10, 4 );
In place of // make action magic happen here... write the logic where you contact your API. Run your code when $this_status_transition_to is processing. $instance should hold the WooCommerce order instance, which you can use to push to the API.
Some pointers that I would like to give:
Save the API token/credentials in an environment variable for security.
I would recommend using the Guzzle package to make HTTP requests. Use Composer to install the package.

How to implement Logout feature using jwt tokens in spring boot backend(using rest end points) Implementation

I am new to Spring Security and I was going through Spring Boot JWT and the process, but I don't know how to use the logout feature with JWT.
For example, when a user clicks logout, after that time we cannot access the secured REST endpoints using that token.
Now what I want is an implementation of logout functionality using JWT (Spring Boot REST API) that is used in real-time projects, and the code for it.
Please, if anyone can provide me the GitHub link to the solution
or can send me the code at
ag.rajat113#gmail.com
and anything related to the latest Spring Security real-time projects (backend)
and also OAuth2 material, please send me; I need this.
Thanks.
On logout, you can perform the following actions:
Remove the token from the client
You can remove the token from the client (local storage, session/cookie). Note that it will not prevent client access, as you are removing it only from the client side; for the server it is still a valid token.
Maintain a token blacklist
When a client performs the logout action, add that token to a blacklist, and on the next request check whether the token is in the blacklist. If yes, then prevent access. As you have to check for every request, it will be costly for large applications.
Short expiry time
If you keep the token expiry times at short enough intervals and have the running client keep track and request updates when necessary, it will work as a complete logout system. The problem with this method is that it makes it impossible to keep the user logged in between closes of the client code (depending on how long you make the expiry interval).
You can also refer to this for details.
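The blacklist option above, as an added example that is not part of the answer: a deny-list keyed by the token's jti that forgets each entry once the token's own exp has passed, so the list stays bounded to "tokens that were logged out but would still be valid". Assumed: every issued JWT carries a unique jti and an exp claim, and the existing JWT filter (which has already verified the signature) calls isRevoked(jti) for each request; across several instances the map would have to live in a shared store such as Redis.

```java
import java.time.Instant;
import java.util.concurrent.ConcurrentHashMap;
import org.springframework.stereotype.Component;

// Added example, not from the answer. Assumes JWTs carry "jti" and "exp" and that the existing,
// signature-verifying JWT filter consults isRevoked() on every request (that is the per-request cost noted above).
@Component
public class JwtDenyList {
    // jti -> exp of the revoked token; after exp the JWT is rejected on its own, so the entry becomes useless
    private final ConcurrentHashMap<String, Instant> revoked = new ConcurrentHashMap<>();

    // Logout: remember the token only until it would have expired anyway; a dead token needs no entry.
    public void revoke(String jti, Instant exp) {
        if (Instant.now().isBefore(exp)) revoked.put(jti, exp);
    }

    // Per-request check: true means the signature is fine but the user logged out, so treat the request as unauthenticated.
    public boolean isRevoked(String jti) {
        Instant exp = revoked.get(jti);
        if (exp == null) return false;
        if (!Instant.now().isBefore(exp)) { revoked.remove(jti); return false; }  // lazily drop dead entries
        return true;
    }

    // Bounded memory: call periodically (e.g. from a @Scheduled method) so revoked tokens that are never presented
    // again are dropped as well. Returns how many entries were removed.
    public int purgeExpired() {
        int before = revoked.size();
        revoked.values().removeIf(exp -> !Instant.now().isBefore(exp));
        return before - revoked.size();
    }

    public int size() { return revoked.size(); }
}
```

Because the deny-list is consulted only after signature verification, an attacker cannot fill it with garbage, and its worst-case size is the number of logouts within one token lifetime.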

Spring boot Rest API, Angular 6 SSO Social login

I'm building an Angular 6 front-end and a Spring Boot based REST API. The Angular app is going to be hosted separately behind an nginx. I want to implement Spring Security in order to secure the REST APIs. As per my understanding I need the two following things.
Spring Security to authenticate API calls for valid tokens and respond 403 if not
An Angular library in order to redirect the user to Google login and maintain access/refresh tokens, pass the access token for API calls in headers and refresh the access token if the backend responds with 403.
I'm not quite sure whether the authentication request goes via the Spring backend or directly to Google.
I have been searching for a good tutorial for some time but didn't find one matching my requirement (most are HTML pages hosted within Spring). So please correct me if my understanding of how to do this is wrong and share if there are tutorials.
Check this article. This might be the article which helps you.
Moreover, let me know if it worked.

Authenticate to an REST api from another REST api in Spring Security

I have a question about how to design a security problem.
Currently, we have an API secured by Spring Security.
It's based on the simple UserDetails security pattern.
Now we are developing another API, deployed (in the near future) on another domain, against another database, but the authentication information will be the same as for the first API.
So, I would like to know how to design the authentication in the model. Actually I was thinking of something like:
Can I have your advice on that design?
Another question is how to implement that in Spring Security, especially the store & validate token on the 2nd API?
I'd extract the authentication part into its own API, which handles only the login and token generation. The token would be stored in a TokenStore (i.e. a database) and along with it I'd store the user details and which API he can use.
The browser sends the token with each request to your API 1 and API 2. They can then check the token against the TokenStore and validate whether the user has the right to access this API.
You could use spring-security-oauth2 for this, but you'd have to tweak the token generation workflow a bit. In this case your UI app will be the authorization server and generate the tokens transparently for a logged-in user and give them to the part running in the browser. Your app in the browser would need to send this token on each call to API 1 or 2. API 1 and 2 would be different resource servers, but check against the same token store.