I have a spring application (not boot) that is deployed on a jboss 7.2.4 as an .ear file.
For security reasons I have to protect all REST-API ports that are provided by the application. For this our AD provides users and user groups to use.
As I cannot migrate the application into spring boot I have to use the existing spring/jboss installation and have to use keycloak for security handling.
I found no information how to use keycloak inside an jboss installation. Can anybody help? Is it possible at all?
Just configure an authorities converter to map authorities from keycloak roles and configure your authentication converter to use this authorities converter.
You can refer to this article for #Beans definition (yes, it is boot app, but it configures the two beans I'm talking about).
Related
I have an architecture where my user application wants to use a basic authentication when accessing a spring service. This service has to use a Keycloak instance to verify the user/pass of the user application. I don't succeed to configure it (and don't know if its possible).
Yes, it is possible. Keycloak has Spring Security adapter that can be configured for Client and/or Resource Server.
https://www.keycloak.org/docs/latest/securing_apps/index.html#_spring_security_adapter
And also a working example here:
https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-spring-security
If the ldap server allows anonymous access, how do I configure the following properties.
spring.ldap.username
spring.ldap.password
If I leave out these properties, I am getting null pointer exception as internally hashtable is used.
I run in the same problem with a transient dependency of Spring ldap security from another project and Spring boot 2.1 and Spring boot admin. My LDAP is not configured (with Spring boot) and a Spring boot admin console initiates a health check. Because of Spring boot auto-configuration a LDAP health check bean is enabled and then the check runs into a NullPointerException.
For this case I excluded the LdapHealthIndicatorAutoConfiguration.class via #SpringBootApplication.
For your problem your maybe need more excludes. Please refer https://docs.spring.io/spring-boot/docs/current/reference/html/auto-configuration-classes.html for existing auto configuration classes. Search for LDAP and try to exclude the found classes in your application.
I'm pretty sure this is a bug in Spring LDAP security, because an anonymous LDAP configuration (no user and password) was intended to work.
I think, this should able to use. Just don't provider membership detail.
I'm in the process of converting a Tomcat deployed web app to a Spring Boot packaged web UI. The original Tomcat WAR used Spring Security to secure URL's exposed by the web app. Within a short while I will be developing a second web app that will be deployed as a second discrete Spring Boot app.
Before using Spring Boot I would probably have encapsulated both web apps into a single WAR file using Spring Security to secure the URL's of both.
However, given that that there are now two distinct JAR's deployed onto two distinct servers, how do I apply a common Spring Security model? If a user is authenticated on web app #1 then I want that authenticated state to be recognized by web app #2, to avoid the user having to login again.
To reduce inter dependence should I configure each Spring Boot app to employ the same underlying Spring Security configuration? Or is there a different appraoch required?
An excellent article for your problem at https://spring.io/guides/tutorials/spring-security-and-angular-js/
You have to use #EnableRedisHttpSession and #EnableZuulProxy annotations.
I started working on JAAS with SSO,I have some doubt about JAAS. JAAS (Java Authentication and Authorization Service) framework to cater to multiple authentication mechanisms. The SSO server validates sign-on information against its own database or an external directory server and returns the session context and list of applications that the signed-on user can execute.Here i want to implement one more web application's.As per my knowledge the SSO JAAS will return Session context. In my client web applications already, i have acegi security for authentication, using my acegi security how can i get the session context from my SSO JAAS for Authorization.I am trying to find out any configuration sample , but still I did't get any work around example.
Take a look at this spring security configuration. It is not exactly what you want but it will show you the way
Key points
Check how authentication-manager is defined by using
PreAuthenticatedAuthenticationProvider. The preAuthenticatedUserDetailsService property defines a bean that will allow you to create your spring security UserDetails object from the JAAS Authentication object
The j2eePreAuthFilter filter is the one that will delegate security from JAAS to spring security.
The rest is standard spring security configuration
Hope it helps a bit
is there any way to enable java SecurityManager while using spring security ?
I have a Swing standalone application and using spring jdbcDaoImpl to authenticate and authorize using MySql Database (default spring security schema)
but I want to know how to force all tasks be secured, like what happens in setting System.setSecurityManager(...)