I try to add a "Login as a guest"-Button to my login page.
I would like that anonymous authentication is enabled after the user presses this button.
So if the user navigates to a site that is protected by the WebSecurityConfigurerAdapter the login page should be shown and the user has to click at the "Login as a guest"-Button to get access to the protected site as anonymous user.
But according to the spring documentation, there is not really a difference between an unauthenticated user an an anonymous user. Is there a way to archive such a behavior with the anonymous user concept?
You are overthinking here. Make it simple.
You can use the Authentication object to provide an AnonymousAuthenticationToken but be carefull your principal will be null even if you have passed the auth system, because the SecurityContextHolder is not able to provide an identity.
You can use #WithAnonymousUser in your JUnit5 tests to check if you have the expected results.
If it does not work (I doubt about it), you are free to create a new role, and update your Authentification logic to provide a User access with these new role, completely different than the other ones in your webapplication for your users and admins, and update resources accesses for public webpages only with these new role.
Related
On a JHipster application, I've added a custom authentication provider, to verify user and password of Active Directory users that have login inside. This custom component implements AuthenticationProvider, and inside "authenticate" method, istance an ActiveDirectoryLdapAuthenticationProvider object to get authentication and verify presense on specifical groups.
With a simple A.D. test environment I've no problem, but in production, my company ask me to bind a service account, and I cannot found any method to setup manager-ad and password. How can I get around this problem?
On Spring documentation I've read the phrase "There is no concept of a "manager" user."
My app use 5.1.8.RELEASE
Thanks!
Looking at the code, it validates the user's credentials by binding using the user's credentials. That's really the only way to validate credentials.
I assume, since it has already made a successful bind, it just continues on making whatever search it needs to.
There might be a way to use different credentials for reading the groups, but it all depends on what your current code looks like. But there really is little point in doing this. You have to bind using the user's credentials to validate their credentials. So you may as well continue using that same connection.
We are using Spring MVC with Spring Security.
These are the requirements for our login system:
The site should be useable for anonymous users including the settings of preferences (for example turning a filter on a page on or off).
These preferences should be remembered if an anonymous user returns on the next day (in a new session).
At any time an anonymous user can choose to register a profile (user/password combination) and all preferences set by the previously anonymous user should be stored in the new profile.
Alternatively an anonymous user can choose to sign in with an already registered profile and they should be presented with the option to store the preferences they set anonymously into their profile.
Registered users can login to the page and their login should be remembered.
I am able to persist signed in users across sessions by using Spring Security Remember Me, and I am able to persist a anonymous user across session by setting a cookie by hand.
What would be a more elegant solution for this scenario (preferably using Spring Security)? Is is possible to use the Spring Security Remember Me feature for anonymous user?
It doesn't really make sense to think about using remember-me authentication for anonymous users. Remember-me requires that the user actually exists and by definition, it authenticates them as an individual. It sounds like you just want to create a cookie containing the user's settings, which isn't really related to security. You should just do that yourself in your app. That seems like the most obvious solution to me.
Once a user has registered, then you can use remember-me with their account, but how you code the logic for creating a new user profile is up to you and using the settings from the current cookie would be part of that process.
I have a use case to make the user accepts terms and conditions after login. The user cannot access any URL after login unless he accepts the terms and conditions. Is it possible to implement the same using spring security? If yes, how?
It is possible to add user one privilege after successful login, and just allow him to access terms and conditions page (ex. TERMS_AND_CONDITIONS_PRIVILEGE). After success post with accepted terms you can get permissions for user from database and grant it to his security context. Here is nice post how to do it
http://forum.spring.io/forum/spring-projects/security/60663-change-user-logged-authorities-on-the-fly
First you have to get SecurityContextHolder by calling SecurityContextHolder.getContext() Next you have to get Authentication from it by callingcontext.getAuthentication(). From Authentication you can get Principal and cast it to User object.
Remember to check if SecurityContextHolder.getContext() does not return null value and also if Authentication a = context.getAuthentication() is not null.
I also recomend to check if a.getPrincipal() is instance of User class
I hope it helps
I'd suggest to add check box in the login page. This check box will be checked when user acceps terms & conditions. The login page will be a JSP, so upon submission, you can check if the check box is checked, meaning the user has accespted the terms and conditions.
It is simpler to implement (you do not need another redirect), and I think it is better UX (user experience).
HTH.
I was thinking about writing my own MembershipProvider for my web app. People won't normally register but will be supplied with login info. Will membership then not be the right thing?
I still will have some roles and such as well and I might wan't to be able for people to Authenticate using ClientCertificate instead of normal login. I still wan't them to be membership verified (there is a identifiable field in Certificate and Database I could use) and use roles and such.
Is MembershipProvider perhaps only used with original login Authentication and not authorization?
There doesn't seem to happen anything special when a user is validated so hwo does the authorization atrtibute know who is autorized?
The existing membership works just fine if you want to supply login info. There is no requirement that user registration be initiated by the user. Just take the standard code and let the site administrator run it.
Yes, membership is just for authentication. The out of the box feature for authorization is the roles feature.
We are using 2.x spring security right now. I am asked to build an admin tool so that the ROLE_ADMIN can change to any user in the site and view the site as that person (each person on the site may see different stuff depending on the role which is dynamically granted base on the database) and of course the admin should be able to switch back to admin without logging in.
Is there a build in function, if not how should I do this?
Thanks in advance!
Use the existing Spring SwitchUserFilter:
http://static.springsource.org/spring-security/site/docs/3.0.x/apidocs/org/springframework/security/web/authentication/switchuser/SwitchUserFilter.html
I don't know any spring-security out-of-the-box solution that will answer your requirement, but I can suggest you a way for implementing it.
Declare a url for the "view the site as" action with a query param to get the user name, for example: /myApp/viewTheSiteAs?user=marley
Write your own custom filter that will do the following:
2.1 Validate that the authenticated user is "admin" user
2.2 Extract the user from the action ("marley" :-))
2.3 Validate that it exists (using the UserDetailsService).
2.4 Construct new Authentication object with the granted authorities that fits the user you have extracted, and replace the current Authentication object with your own object: SecurityContextHolder.getContext().setAuthentication(myNewAuthObject)
Add a filter chain in spring security config file for /ViewTheSiteAs that will act as regular filter chain (should authenticate the "real" user as regular), and locate your custom filter at the end of the chain.
Doing the following will cause spring security to think that the user from viewTheSiteAs action is the authenticated one, and by that check the permissions according this user.
p.s. - this is not a security break since it downgrades the authenticated user permissions, which means "less powerful" user.
Good luck.