I'm studding Spring Boot and Spring security my question is possible get all users logged using spring security in stateless session.
I tried to use SessionRegistry but aways return empty list.
Related
I am using spring boot security and spring boot keycloak starter to secure rest APIs and authenticate users.
My first question is how to handle access token expiration if user's session is still valid.
The second question is getting the access token from keycloak into spring boot app is done by calling this line
AccessTokenResponse response = authzClient.obtainAccessToken(username, password);
in the same way how to call refresh token api
I have a scenario where I am trying to connect my Frontend system (SAP UI5) to an OData Source for fetching the results.
However, there is a middleware layer in Java - Spring boot, which captures all the requests from the UI and forwards it to the OData services. The reason is, the OData services are not pubicly available. They are behind a firewall whereas the Spring Boot application is publicly available. So, I am using a reverse proxy to make the connection between Spring Boot and OData services, which works.
But the problem here is the OData services (API) require user authentication to access data. This user authentication is already done once on the UI layer.
There is App2Appp SSO enabled from UI -> SPring Boot application. So I can make use of Spring security to access the Principal object. I want to know, besides knowing the username of the logged in user, how do I get the password ?
When you have an application secured with Spring Security, either Spring Boot or normal Spring, you have an object that accesses the security of a particular authentication.
You can call and get the Principal (object of java security):
Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
This principal in spring is a UserDetails object, which is where we configure all user information in Spring.
Then to get the username and password and pass them to your OData services:
String username = ((UserDetails)principal).getUsername();
String password = ((UserDetails)principal).getPassword();
While doing some practice examples to learn spring security, I come up with some following use case. But I did not find best possible approach using spring security. Could some one please help me on this
I have angularJs application, Spring boot application running on different servers . In redis cache I have user info(role, and some other info) with gsid as key. In each rest call I am passing gsid as cookie. Now I want to validate each request in the Spring security Filter by fetching user info from the redis cache before sending to #Restcontroller.
what could be best approach to authenticate and authorize the request using spring boot security.
Use spring-session with redis, it also provides integration with spring-security.
I have a spring cloud based application that stores the spring session in redis. It is using Spring Boot with embedded tomcat.
When using spring actuator, the /metrics endpoint does not return any valuable information. httpsessions.active is set to 0, and httpsessions.max is set to -1.
I am guessing this is because spring replaces the httpsession implementation with its own spring session implementation.
Is there a way to access this information from some endpoint? preferably using JMX but not mandatory.
Thanks.
I eventually used the following solution, by using a generic username. The endpoint would return all sessions, a simple count would give the total.
http://docs.spring.io/spring-session/docs/current/reference/html5/guides/findbyusername.html
I am using Spring Boot with Spring Session for storing session data. Users log in to the application with Spring Social. As a result, the saved security context has a SocialAuthenticationToken. This means that other web apps sharing the session data need to use Spring Social and also have access to the social tokens.
What I'd like to do is save the sessionAttr:SPRING_SECURITY_CONTEXT with a token that is available through Spring Security only. Furthermore, I'd like to add a second Redis key for the social information.
Where are the extension points for adding this kind of customization to Spring Session? I would like it to be as unobtrusive as possible.